Waraxe IT Security Portal
Login or Register
October 12, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 87
Members: 0
Total: 87
Full disclosure
SEC Consult SA-20241009-0 :: Local Privilege Escalation via MSI installer in Palo Alto Networks GlobalProtect (CVE-2024-9473)
APPLE-SA-10-03-2024-1 iOS 18.0.1 and iPadOS 18.0.1
Some SIM / USIM card security (and ecosystem) info
SEC Consult SA-20240930-0 :: Local Privilege Escalation via MSI Installer in Nitro PDF Pro (CVE-2024-35288)
Backdoor.Win32.Benju.a / Unauthenticated Remote CommandExecution
Backdoor.Win32.Prorat.jz / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Amatu.a / Remote Arbitrary File Write (RCE)
Backdoor.Win32.Agent.pw / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Boiling / Remote Command Execution
Defense in depth -- the Microsoft way (part 88): a SINGLEcommand line shows about 20, 000 instances of CWE-73
SEC Consult SA-20240925-0 :: Uninstall Password Bypass in BlackBerry CylanceOPTICS Windows Installer Package (CVE-2024-35214)
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (MitigationBypass)
CyberDanube Security Research 20240919-0 | Multiple Vulnerabilities in Netman204
Submit Exploit CVE-2024-42831
Stored XSS in "Edit Profile" - htmlyv2.9.9
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpNuke -> [waraxe-2006-SA#046] - Critical sql injection in phpNuke
Post new topicReply to topic View previous topic :: View next topic
[waraxe-2006-SA#046] - Critical sql injection in phpNuke
PostPosted: Sun Feb 19, 2006 3:53 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




{================================================================================}
{ [waraxe-2006-SA#046] }
{================================================================================}
{ }
{ [ Critical sql injection in phpNuke 7.5-7.8 ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 19. February 2006
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-46.html


Target software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

phpNuke 7.5 - 7.8

Homepage: http://phpnuke.org/


What is phpNuke ?

PHP-Nuke is a news automated system specially designed to be used in Intranets and
Internet. The Administrator has total control of his web site, registered users, and
he will have in the hand a powerful assembly of tools to maintain an active and 100%
interactive web site using databases.


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This particular advisory will address critical sql injection case in "Search" module.
Versions 7.5 - 7.8 are affected, older versions contain different code implementation
and are not affected by bug. Newest version 7.9 is not vulnerable too.



Details
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's start by looking at "modules/Search/index.php" code in older nuke versions, in this
example, 7.1 :

----------------[ from source code ]------------------

$query = addslashes($query);

if ($type=="stories" OR !$type) {

if ($category > 0) {
$categ = "AND catid=$category ";
} elseif ($category == 0) {
$categ = "";
}
$q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext,
s.bodytext, a.url, s.comments, s.topic from ".$prefix."_stories s, ".$prefix."_authors
a where s.aid=a.aid $queryalang $categ";
if (isset($query)) $q .= "AND (s.title LIKE '%$query%' OR s.hometext LIKE
'%$query%' OR s.bodytext LIKE '%$query%' OR s.notes LIKE '%$query%') ";
if ($author != "") $q .= "AND s.aid='$author' ";

----------------[ /from source code ]-----------------

As we can see, "addslashes()" is used against "$query" variable, so sql injection is not
possible. Now let's peek at the same code fragment in newer phpnuke version, in this
specific case - 7.5 :


----------------[ from source code ]------------------

$query = stripslashes(check_html($query, "nohtml"));

if ($type=="stories" OR !$type) {

if ($category > 0) {
$categ = "AND catid='$category' ";
} else {
$categ = "";
}
$q = "select s.sid, s.aid, s.informant, s.title, s.time, s.hometext,
s.bodytext, a.url, s.comments, s.topic from ".$prefix."_stories s, ".$prefix."_authors
a where s.aid=a.aid $queryalang $categ";
if (isset($query)) $q .= "AND (s.title LIKE '%$query%' OR s.hometext LIKE
'%$query%' OR s.bodytext LIKE '%$query%' OR s.notes LIKE '%$query%') ";
if ($author != "") $q .= "AND s.aid='$author' ";
----------------[ /from source code ]-----------------

Any difference? Only the first line:

$query = stripslashes(check_html($query, "nohtml"));

Well, i really don't know, what was thinking the person, who changed this little code
snippet. But the truth is, that very big hole to phpnuke installation is opened and it exists
in versions 7.5, 7.6, 7.7 and 7.8 ;)

So - is this exploitable? Yes, if we have mysql version 4.x with UNION support, if we can avoid
potential anti-sql-injection filters/traps/ids/ips and if sql table name prefix is not changed.

Example proof of concept exploit? Here it is:

[------ real life exploit ------]

p0hh0nsee%') UNION ALL SELECT 1,2,aid,pwd,5,6,7,8,9,10 FROM nuke_authors/*

[----- /real life exploit ------]

For exploiting just enter this string to search field in "modules.php?name=Search" page:

http://www.waraxe.us/~kama/wsa-46-01.png

and if it works, you will see usernames and password hashes of ALL admins ;)

http://www.waraxe.us/~kama/wsa-46-02.png


See ya s00n and have a nice day ;)



How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download 7.9 version. Or patch manually that flawed codeline.


Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greetz to LINUX, Heintz, y3dips, shai-tan, slimjim100, zer0-c00l and
all other active members from waraxe forum !

Raido Kerna - tervitused!


Additional resources:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

DX expeditions database - http://www.dxdb.com/

HDD data recovery - http://www.hdd911.com/



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


Last edited by waraxe on Fri Apr 13, 2007 4:21 pm; edited 1 time in total
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Feb 19, 2006 9:05 pm Reply with quote
sp3x
Valuable expert
Valuable expert
Joined: Feb 15, 2005
Posts: 10




waraxe look : http://securityreason.com/achievement_securityalert/27

The adv was posted on : 15.11.2005
Exploit for this issue also was realised : http://securityreason.com/achievement_exploitalert/5

And the fix too : http://securityreason.com/patch/6
The fix was done witch chatserv form nukefixes.com

Please next time use google before post advisory
View user's profile Send private message
PostPosted: Sun Feb 19, 2006 9:31 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




sp3x wrote:
waraxe look : http://securityreason.com/achievement_securityalert/27

The adv was posted on : 15.11.2005
Exploit for this issue also was realised : http://securityreason.com/achievement_exploitalert/5

And the fix too : http://securityreason.com/patch/6
The fix was done witch chatserv form nukefixes.com

Please next time use google before post advisory


Huh Confused

Yep, my bad, sorry Smile

I was searching BID database and some other sources, but did not find your advisory. Well, it can happen to anyone.

Anyway - those phpnuke developers are very lazy - all the phpnuke downloads on phpnuke.org are UNPATCHED even now Very Happy
So it is very fu**ing confusing to do some sec audit Rolling Eyes
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Sun Feb 19, 2006 9:58 pm Reply with quote
sp3x
Valuable expert
Valuable expert
Joined: Feb 15, 2005
Posts: 10




"So it is very fu**ing confusing to do some sec audit Rolling Eyes"

Yes i know... the is phpnuke Smile
Do you used phpnuke from nukefixes.com ??
They use recent phpnuke with all patches.

Here : http://secunia.com/advisories/17543/ Smile
The best way is to check the CVE database they have all issues.

But i can say Good find Smile
And there is no problem ... nobody is perfect Smile
View user's profile Send private message
PostPosted: Fri Feb 24, 2006 2:55 am Reply with quote
zer0-c00l
Advanced user
Advanced user
Joined: Jun 25, 2004
Posts: 72
Location: BRAZIL!




Don't worry Waraxe Very Happy
You're a cool guy and we like you Wink

btw, maybe phpBB have some simillar bug.. or not?

ps: sorry my bad english
View user's profile Send private message
PostPosted: Fri Feb 24, 2006 8:33 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Waraxe already released 2 more that can be used and they are linked all round the net now. Even 2 is bloody good after all the away time he has had.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
[waraxe-2006-SA#046] - Critical sql injection in phpNuke
www.waraxe.us Forum Index -> PhpNuke
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.037 Seconds