Php-Nuke 6.x-7.2 Admin Auth Bypass and SQL Injection Analysis

Vulnerability Details: - Title: Admin-level authentication bypass in phpnuke 6.x-7.2 - Author: Janek Vind "waraxe" - Date: 12 April 2004 - Location: Estonia, Tartu - Website: http://www.waraxe.us/index.php?modname=sa&id=18 Affected Software: - Description: Php-Nuke is a popular content management system written in PHP by Francisco Burzzi. It is used on many thousands of websites due to its free license, ease of installation, and broad feature set. Vulnerabilities: - Key Point: The base64decoded variable "admin" from cookie will be exploited to extract components - admin ID and password's MD5 hash. As always with base64 encode/decode operations, care must be taken with special characters, such as single quotes. Before using the base64decoded information, the addslashes() function must be applied. Exploit Details: - Insecure HTTP Headers: The variable $aWhen is used in an SQL query — a classic SQL injection case. - Exploit Steps: 1. SQL Injection: Use the $admin variable via GET request, as it is simpler than using cookies. 2. Initial Authentication Bypass: Construct a "cookie" in the format like this: "%20OR%20%27x%20OR%20%27y" 3. SQL Query Manipulation: The $admin variable is used without sanitization, enabling SQL injection. 4. Circumventing Filter: Use a filter to construct a "cookie" like this: "%20UNION%20SELECT%201%20%23" 5. Second Authentication Bypass: Successfully bypass the second authentication step by setting the variable $rdminsuper to have the value "1".

Goal Reached Thanks to every supporter — we hit 100%!

Php-Nuke 6.x-7.2 Admin Auth Bypass and SQL Injection Analysis