Posted on 17 April 2007
PHP Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
________________________
PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All versions
BUG: PHP Nuke <= 8.0.0.3.3b Bypass SQL Injection Protection and SQL Injections vulnerabilities
AUTHOR: Aleksandar
________________________

Let's look at the source code from mainfile.php, line 435:
__________________________________________
//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
if(isset($_SERVER['QUERY_STRING'])) {
    if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER['QUERY_STRING']), $matches)) {
        die('Illegal Operation 1');
    }
}
if(!isset($admin) OR (isset($admin) AND !is_admin($admin))) {
    $queryString = $_SERVER['QUERY_STRING'];
    if (($_SERVER['PHP_SELF'] != "/index.php") OR !isset($url)) {
        if (stristr($queryString,'http://')) die('Illegal Operation 2');
    }
    if ((stristr($queryString,'%20union%20')) OR
        (stristr($queryString,'/*')) OR
        (stristr($queryString,'*/union/*')) OR
        (stristr($queryString,'c2nyaxb0')) OR
        (stristr($queryString,'+union+')) OR
        ((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR
        ((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR
        (stristr($queryString,'concat'))) {
        die('Illegal Operation 3');
    }
}
__________________________________________

So we can see different filters. :) Let