Thursday, 20 March 2014

LFI with perl script :D

09:09    No comments

Source Download from here

Features

  • Signature-free
  • Session Splicing
  • User-Agent and Log injection
  • Arithmetic Test

Usage

 perl lfi_autopwn.pl -h www.vuln.tld -u "/vuln.ext?page=main&foo=bar" -i page
This script will attempt to gain code execution on sites vulnerable to local file inclusion via an httpd error log or by modifying the user-agent and including a file containing environment variables. The php code execution test is performed using an arithmetic challenge, and the script uses system() as its php execution function. The fact that every part of this process is randomized including the math challenge prevents signature based detection while LibWhisker provides IDS Evasion.
Notice: It is possible that this script will not work on your intended target but tests positive for php execution. In that case, changing your bash command execution function from system to one of many others is most likely to yield the desired results.
Protip: Make sure you've saved httpdlogs.conf to the same directory as lfi_autopwn.pl.


httpdlogs.conf

c3el4.png The httpdlogs.conf file dictates filenames for possible error log locations.
If you know any filenames that aren't listed here, feel free to add them to your local copy. Files are simply separated by newline.
  • ./err.log
  • ./error_log
  • ./error.log
  • /etc/httpd/conf/logs/error_log
  • /etc/httpd/logs/error_log
  • /home/php5/logs/error_log
  • ../log/error_log
  • ../log/error.log
  • ../logs/error_log
  • ../logs/error.log
  • /proc/self/fd/2
  • /usr/local/apache2/log/error_log
  • /usr/local/apache2/logs/error_log
  • /usr/local/apache2/logs/error.log
  • /usr/local/apache/error.log
  • /usr/local/apache/log/error_log
  • /usr/local/apache/logs/error_log
  • /usr/local/apachessl/logs/dummy-host.example.com-error_log
  • /usr/local/apachessl/logs/error_log
  • /usr/local/httpd/log/error_log
  • /usr/local/httpd/logs/error_log
  • /usr/local/php/log/error_log
  • /var/log/apache2/error_log
  • /var/log/apache2/error.log
  • /var/log/apache/error_log
  • /var/log/httpd-error.log
  • /var/log/httpd/error_log
  • /var/log/nginx/error.log
  • /var/log/php-fcgi/error_log
  • /var/log/php-fpm/err.log

Other Execution/Interesting PHP Functions

passthru, leak, link, shell_exec, exec, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo => php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abord, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)