[ Обзор уязвимостей PHP-Nuke ]
 

[SQL-Injection]

PHP-Nuke <= 8.0 Final (HTTP Referers) Remote SQL Injection Exploit

PHP-Nuke <= 8.0 Final (INSERT) Remote SQL Injection Exploit

PHP-Nuke <= 8.0 Final (INSERT) Blind SQL Injection Exploit (mysql)

PHP-Nuke <= 7.9 (Encyclopedia) Remote SQL Injection Exploit

PHP-Nuke 7.5 - 7.8 (Search) Remote SQL Injection Exploit

PHP-Nuke <= 7.8 Search Module Remote SQL Injection Exploit

PHP-Nuke 7.8 SQL Injection / Remote Command Execution Exploit

PHP-Nuke <= 7.8 (modules.php) SQL Injection Exploit


[Remote File Inclusion]

PHP-Nuke Platinum 7.6.b.5 Remote File Inclusion Vulnerability

PHP-Nuke <= 7.9 Final (phpbb_root_path) Remote File Inclusions


[XSS]

PHP-Nuke versions: 8.0 (by ettee)

Example:
PHP-Nuke versions: 7.8

Example:

[Modules Vulns]

PHP-Nuke NSN Script Depository 1.0.0 Remote Source Disclosure Vuln

PHP-Nuke addon Nuke Mobile Entartainment LFI Vulnerability

PHP-Nuke Module eBoard 1.0.7 GLOBALS[name] LFI Exploit

PHP-Nuke Module Eve-Nuke 0.1 (mysql.php) RFI Vulnerability

PHP-Nuke Module Addressbook 1.2 Local File Inclusion Exploit

PHP-Nuke Module htmltonuke 2.0alpha (htmltonuke.php) RFI Vuln

PHP-Nuke Module splattforum 4.0 RC1 Local File Inclusion Exploit

PHP-Nuke Module PostGuestbook 0.6.1 (tpl_pgb_moddir) RFI Vulnerability

PHP-Nuke Module Emporium <= 2.3.0 Remote SQL Injection Exploit

PHP-Nuke NukeAI Module 3b (util.php) Remote File Include Exploit



[DB Structure]

(cms)Hash = md5(pwd)

(forum)
Hash = md5(user_password)


[Default Paths]

Admin:
Config:

PHP-NUKE NukeSentinel Module
 

Уязвимости в скриптах autohtml.php и autohtml0.php в параметре filename.

[Local File Inclusion]

[Information Leakage]

С помощью локального инклюда можно обнаружить важную информацию на сервере. В частности в .htaccess можно узнать настройки сайта, в том числе полный путь (что будет full path disclosure), при использовании NukeSentinel на сайте. А также можно обнаружить путь к его конфигурации и получить логины и хэши админов.

[Full path disclosure]

На некоторых сайтах с данным скриптом, где не отключено выведение ошибок, при указании несуществующего файла выводится сообщение об ошибке с полным путём к скрипту.

(c) MustLive <mustlive_(at)_websecurity.com.ua>

XSS
Search Module(all versions)
<img src=http://www.microsoft.com/404.jpg style=display:none onerror=alert(document.cookie) <
<iframe src=http://www.google.com style=display:none onload=alert(document.cookie) <

Pool and News Module
SQL injection:
Full Path Disclosure
modules.php?name=Reviews&rop=preview_review&title= f001&text=f002&score=9&email=00@b.org&reviewer=oob &date=00b
/modules/Web_Links/voteinclude.php
/modules.php?name=Statistics&op=convert_month
/modules.php?name=Journal&file=add&filelist=oob
/modules.php?name=Journal&file=modify&filelist=oob
/db/db.php
index.php?inside_mod=1
/modules.php?name=Downloads&d_op=menu
/modules.php?name=Web_Links&l_op=menu
modules.php?name=Web_Links&l_op=viewlink&cid=1&sho w=oob
modules/NukeJokes/mainfunctions.php
modules.php?name=NukeJokes&func=JokeView&jokeid=oo b
modules.php?name=NukeJokes&func=CatView&cat=oob
modules.php?name=Downloads&d_op=viewdownload&cid=2 &show=oob
modules/Calendar/config.php
modules/Calendar/index.php
/modules/Calendar/submit.php
error.php?newlang=foobar
modules/coppermine/include/crop.inc.php
modules/coppermine/ecard.php
modules/coppermine/displayecard.php
modules/coppermine/db_input.php
modules/coppermine/config.php
modules/coppermine/addpic.php
modules/coppermine/phpinfo.php
modules/NukeJokes/mainfunctions.php
modules.php?name=NukeJokes&func=JokeView&jokeid=fo obar
modules.php?name=NukeJokes&func=CatView&cat=foobar
modules.php?name=Video_Gallery&l_op=viewcat&catid= darkbicho
modules.php?name=Video_Gallery&l_op=viewclip&clipi d=darkbicho&catid=1

dork:
"create the Super User" "now by clicking here"
inurl:"modules.php?name=" inurl:Web_Links|inurl:downloads|inurl:Your_Account
intext:"Thank you for trying PostNuke" intitle:"PostNuke Installation"
"Warning: setlocale()"
intitle:PHP-nuke.powered.site "create * Super User" "now * clicking here"
"Powered by PHP-Nuke"
Copyright © 2003 by PHP-Nuke
"allinurl:modules.php sgallery"
"powered by phphnuke 6.0"
intitle:"PHP-Nuke Powered Site"

PHP-Nuke <= 8.0 (sid) Remote SQL Injection
 

Remote SQL Injection

Vulnerable: PHP-Nuke <= 8.0

Exploit:

Remote SQL Injection

PHP-Nuke < 8.0

Exploit

PHP-Nuke Module books SQL (cid) Remote SQL Injection Vulnerability

example


EXPLOIT 1 :


EXPLOİT 2 :

(c)milw0rm.com

PHP-Nuke Module Sections (artid) Remote SQL Injection

SQL Injection

Для поиска сайтов с этим модулем:

(c)

PHP-NUKE Modules Okul v1.0 Remote SQL Injection

SQL Injection


PHP-Nuke Module Inhalt (cid) SQL Injection

SQL Injection

(c) biyofrm.com

PHP-Nuke Modules Manuales 0.1 (cid) SQL Injection

SQL Injection


PHP-Nuke Module Siir (id) Remote SQL Injection

SQL Injection

Для поиска

(c) s@bun

PHP-NUKE Modules NukeC Module's Version: 2.1 Remote SQL Injection

PoC: