exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

nst-28.txt

nst-28.txt
Posted Oct 25, 2006
Authored by Paisterist | Site neosecurityteam.net

[N]eo [S]ecurity [T]eam [NST] - Advisory 28 - 2006-10-25: PHP-Nuke 7.9 and prior Search module "author" SQL Injection vulnerability.

tags | advisory, php, sql injection
SHA-256 | 257e6728bdd3845e4cd214b25c644fc4e45e2d08c387fb6f72f930709e50d1ba

nst-28.txt

Change Mirror Download
------=_Part_31978_12541773.1161788907861
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST] - Advisory 28 - 2006-10-25
--------------------------------------------------------
Program: PHP-Nuke
Homepage: http://www.php.net
Vulnerable Versions: PHP-Nuke <= 7.9
Risk: Medium
Impact: Medium Risk

-==PHP-Nuke <= 7.9 Search module "author" SQL Injection vulnerability==-
---------------------------------------------------------

- Description
---------------------------------------------------------
PHP-Nuke is a news automated system specially designed to be used in
Intranets and Internet. The Administrator has total control of his web site,
registered users, and he will have in the hand a powerful assembly of tools
to maintain an active and 100% interactive web site using databases.

- Tested
---------------------------------------------------------
localhost & many sites

- Vulnerability Description
---------------------------------------------------------

In /modules/Search/index.php the "author" variable is not sanitized
correctly. Here is the vulnerable code:

==[ /modules/Search/index.php 196-198 ]==========================
[...]
if (!empty($author)) $q .= "AND s.aid='$author' ";
if (!empty($topic)) $q .= "AND s.topic='$topic' ";
if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <=
'$days' ";
[...]
==[ end /modules/Search/index.php ]==============================

Register_globals php directive must be turned Off so the simple quotes (')
are not filtered. Also we have to know the prefix
used for the database tables ("nuke_" by default).

In this way, bypassing the SQL Injection Protection, like using someone like
'/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin
md5 hash without any problems.

==Pseudo-Code Proof of Concept exploit==
<?
/*

Neo Security Team - Pseudo-Code Proof of Concept Exploit
http://www.neosecurityteam.net
Paisterist

*/
set_time_limit(0);
$host="localhost";
$path="/phpnuke/";
$port="80";
$fp = fsockopen($host, $port, $errno, $errstr, 30);
$data=""; /* Here the variables, like "query", "topic" and "author" with the
SQL Injection */

if ($fp) {
/* we put the POST request on $p variable, sending the data saved on
$data. */

fwrite($fp, $p);

while (!feof($fp)) {
$content .= fread($fp, 4096);
}

preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);

if ($matches[0])
print "<b>Hash: </b>".$matches[0];
}
?>
==Pseudo-Code Proof of Concept exploit==

Whit this PoC code i get the md5 hash of the first admin (God) of the
nuke_authors table.

- How to fix it? More information?
--------------------------------------------------------

You can found a patch on http://www.neosecurityteam.net/foro/

Also, you can modify the line 197 of /modules/Search/index.php, adding
slashes before the simple quotes with the addslashes() function:

==[ /modules/Search/index.php 196-198 ]==========================
[...]
if (!empty($author)) $q .= "AND s.aid='$author' ";
if (!empty($topic)) $q .= "AND s.topic='" . addslashes($topic) . "' ";
if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <=
'$days' ";
[...]
==[ end /modules/Search/index.php ]==============================

That's a momentary solution to the problem. I recommend to download the
PHP-Nuke 8.0 version in the next days... it is not
free at the moment.

- References
--------------------------------------------------------
http://www.neosecurityteam.net/index.php?action=advisories&id=28

- Credits
--------------------------------------------------------
Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst
[at] gmail[dot]com

[N]eo [S]ecurity [T]eam [NST] - http://www.neosecurityteam.net/


- Greets
--------------------------------------------------------
HaCkZaTaN
K4P0
Daemon21
Link
0m3gA_x
LINUX
nitrous
m0rpheus
nikyt0x
KingMetal
Knightmare

Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@ @@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@

/* EOF */

--
Paisterist

Neo Security Team http://neosecurityteam.net

------=_Part_31978_12541773.1161788907861
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

/*<br>--------------------------------------------------------<br>[N]eo [S]ecurity [T]eam [NST] - Advisory 28 - 2006-10-25<br>--------------------------------------------------------<br>Program: PHP-Nuke<br>Homepage: <a href="http://www.php.net">
http://www.php.net</a><br>Vulnerable Versions: PHP-Nuke <= 7.9<br>Risk: Medium<br>Impact: Medium Risk<br><br>-==PHP-Nuke <= 7.9 Search module "author" SQL Injection vulnerability==-<br>---------------------------------------------------------
<br><br>- Description<br>---------------------------------------------------------<br>PHP-Nuke is a news automated system specially designed to be used in Intranets and Internet. The Administrator has total control of his web site, registered users, and he will have in the hand a powerful assembly of tools to maintain an active and 100% interactive web site using databases.
<br><br>- Tested<br>---------------------------------------------------------<br>localhost & many sites<br><br>- Vulnerability Description<br>---------------------------------------------------------<br><br>In /modules/Search/index.php the "author" variable is not sanitized correctly. Here is the vulnerable code:
<br><br>==[ /modules/Search/index.php 196-198 ]==========================<br>[...]<br>if (!empty($author)) $q .= "AND s.aid='$author' ";<br>if (!empty($topic)) $q .= "AND s.topic='$topic' ";<br>if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";
<br>[...]<br>==[ end /modules/Search/index.php ]==============================<br><br>Register_globals php directive must be turned Off so the simple quotes (') are not filtered. Also we have to know the prefix<br>&nbsp;used for the database tables ("nuke_" by default).
<br><br>In this way, bypassing the SQL Injection Protection, like using someone like '/**/UNION ' and not ' UNION ' in our sql injections, we can get the admin md5 hash without any problems.<br><br>==Pseudo-Code Proof of Concept exploit==
<br><?<br>/*<br><br>Neo Security Team - Pseudo-Code Proof of Concept Exploit<br><a href="http://www.neosecurityteam.net">http://www.neosecurityteam.net</a><br>Paisterist<br><br>*/<br>set_time_limit(0);<br>$host="localhost";
<br>$path="/phpnuke/";<br>$port="80";<br>$fp = fsockopen($host, $port, $errno, $errstr, 30);<br>$data=""; /* Here the variables, like "query", "topic" and "author" with the SQL Injection */
<br><br>if ($fp) {<br>&nbsp;&nbsp;&nbsp; /* we put the POST request on $p variable, sending the data saved on $data. */<br><br>&nbsp;&nbsp;&nbsp; fwrite($fp, $p);<br><br>&nbsp;&nbsp;&nbsp; while (!feof($fp)) {<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $content .= fread($fp, 4096);<br>&nbsp;&nbsp;&nbsp; }<br><br>
&nbsp;&nbsp;&nbsp; preg_match("/([a-zA-Z0-9]{32})/", $content, $matches);<br><br>&nbsp;&nbsp;&nbsp; if ($matches[0])<br>&nbsp;&nbsp;&nbsp; print "<b>Hash: </b>".$matches[0];<br>}<br>?><br>==Pseudo-Code Proof of Concept exploit==<br>
<br>Whit this PoC code i get the md5 hash of the first admin (God) of the nuke_authors table.<br><br>- How to fix it? More information?<br>--------------------------------------------------------<br><br>You can found a patch on
<a href="http://www.neosecurityteam.net/foro/">http://www.neosecurityteam.net/foro/</a><br><br>Also, you can modify the line 197 of /modules/Search/index.php, adding slashes before the simple quotes with the addslashes() function:
<br><br>==[ /modules/Search/index.php 196-198 ]==========================<br>[...]<br>if (!empty($author)) $q .= "AND s.aid='$author' ";<br>if (!empty($topic)) $q .= "AND s.topic='" . addslashes($topic) . "' ";
<br>if (!empty($days) && $days!=0) $q .= "AND TO_DAYS(NOW()) - TO_DAYS(time) <= '$days' ";<br>[...]<br>==[ end /modules/Search/index.php ]==============================<br><br>That's a momentary solution to the problem. I recommend to download the PHP-Nuke
8.0 version in the next days... it is not <br>free at the moment.<br><br>- References<br>--------------------------------------------------------<br><a href="http://www.neosecurityteam.net/index.php?action=advisories&id=28">
http://www.neosecurityteam.net/index.php?action=advisories&id=28</a><br><br>- Credits<br>--------------------------------------------------------<br>Search module SQL Injection discovered by Paisterist -> paisterist[dot]nst [at] gmail[dot]com
<br><br>[N]eo [S]ecurity [T]eam [NST] - <a href="http://www.neosecurityteam.net/">http://www.neosecurityteam.net/</a><br><br><br>- Greets<br>--------------------------------------------------------<br>HaCkZaTaN<br>K4P0<br>
Daemon21<br>Link<br>0m3gA_x<br>LINUX<br>nitrous<br>m0rpheus<br>nikyt0x<br>KingMetal<br>Knightmare<br><br>Argentina, Colombia, Chile, Bolivia, Uruguay EXISTS!!<br><br>@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@<br>'@@@@@''@@'@@@''''''''@@''@@@''@@
<br>'@@'@@@@@@''@@@@@@ @@@'''''@@@<br>'@@'''@@@@'''''''''@@@''''@@@<br>@@@@''''@@'@@@@@@@@@@''''@@@@@<br><br>/* EOF */<br clear="all"><br>-- <br>Paisterist<br><br>Neo Security Team <a href="http://neosecurityteam.net">http://neosecurityteam.net
</a>

------=_Part_31978_12541773.1161788907861--
Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close