hey guys
i wonder if anyone could explained some sort of XSS code that could be injected and what is the effect of injecting such a code

i don't have previous xss experince so any info is appreciated

Best Regards
migo

ok this maybe some help:

http://www.safecenter.net/UMBRELLAWEBV4/genxe/index.html

XSS Creator/info

awesome dude
thnx very much ))

good one thankx

phpnuke has been continuously having security problems :/ i would suggest not using it at all.

Yes, it have some really tuff problems. Even Muts from secureit.co.il stopped using it now...
And as for this exploit, it is not working very well. Haven't tryed many mashines, but still..

on a lot of nuke systems the old exploit still works, on the download page to view all the admin hashes

I never knew how to do injection nor i ever will....

really nice, works fine thx =)
phpnuke hast lots of unxifed holes ....

There are lots of dangerous SQL Injections in phpnuke, also several XSS flaws.

And I'm sure one of them will fit your victim

And it's a very bad idea to use PHPNuke every versionn have lots of security flaws.

Any way to find out what version it is? Like check if some module that exist in new version only???

i love checking up on the newest php flaws (sure are a lot)... they're pretty neat

yes yes
phpnuke is ful of bugs
for me i tried SQL injection in some sites and it works!!!!! even the authors and some other release patches one after one but this software is continuing to be Vulnerable!!!

till now i can' figure out how XSS exlpoit could be used
but i hope anyone who have more exerince in it to share this with us

Best Regards
migo

here is a site that contains a good info regarding XSS
http://www.cgisecurity.com/articles/xss-faq.shtml

i begin t get the big picture but still want a working example in phpnuke

Best Regards
migo

thanks for the info i'll try it

Any good working examples yet, of say "change my account to admin"?

my favourite thing to play with in phpnuke is the sql injection
in many sites even the following POC released since 2 february, but the sql injection bug is still existed among many popular nuke sites
this script is full of security flaws and i join anyone who says stop using PHPnuke
it's NOT SECURE at all.

simple exploits using sql injection is....

http://www.net-security.org/vuln.php?id=3226

u will find a copmerhensive details about the bugs in WebLink,Downloads,Sections and Reviews modules in phpnuke

u can use either of the exploit provided for getting all admin hashes and their login names too

simply after u get the md5 hash and the login name
example (login name= news) (md5 hash= 21232f297a57a5a743894a0e4a801fc3 )

u can use any sites that offer base64 encode-decode like

http://www.isecurelabs.com/outils/base64/

and then put the login name and md5 password to encode them

news:21232f297a57a5a743894a0e4a801fc3

the resulting base64 encryption for the above login and md5 will be :

bmV3czoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMw


now you can get this wonderful script to add the admin account of YOUR OWN!!!
just save the following link anything.pl

http://rst.void.ru/download/r57nuke.txt

use any perl interpreter to run this script,
the script will ask u about the website u wan to break to and enter ur nuick and ur password and last is to enter the base64 encoded string that u get in the the above explanation.

it's pretty easy and simple process and i'll appreciate any good example of making XSS exploits

hope that help

Best Regards
migo

to convert to base64

http://makcoder.sourceforge.net/demo/base64.php


[edit]sry didn't see that base64 convertor up ther..my fault..

i now know about xss, but still, can someone give an example how to use it in the feedback module? I try "><body onload=alert(document.cookie);> and get my own coockie, but how to get them from others