PHP-Nuke <= 8.0.0.3.3b SQL Injections and Bypass SQL Injection Protection vulnerabilities
________________________
PROGRAM: PHP-Nuke
HOMEPAGE: http://phpnuke.org/
VERSION: All versions
BUG: PHP-Nuke <= 8.0.0.3.3b Bypass SQL Injection Protection and SQL Injection vulnerabilities
AUTHOR: Aleksandar
________________________

Let's look at the source code of mainfile.php, line 435:
__________________________________________
//Union Tap
//Copyright Zhen-Xjell 2004 http://nukecops.com
//Beta 3 Code to prevent UNION SQL Injections
unset($matches);
unset($loc);
if(isset($_SERVER['QUERY_STRING'])) {
    if (preg_match("/([OdWo5NIbpuU4V2iJT0n]{5}) /", rawurldecode($loc=$_SERVER['QUERY_STRING']), $matches)) {
        die('Illegal Operation 1');
    }
}
if(!isset($admin) OR (isset($admin) AND !is_admin($admin))) {
    $queryString = $_SERVER['QUERY_STRING'];
    if (($_SERVER['PHP_SELF'] != "/index.php") OR !isset($url)) {
        if (stristr($queryString,'http://')) die('Illegal Operation 2');
    }
    if ((stristr($queryString,'%20union%20')) OR
        (stristr($queryString,'/*')) OR
        (stristr($queryString,'*/union/*')) OR
        (stristr($queryString,'c2nyaxb0')) OR
        (stristr($queryString,'+union+')) OR
        ((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR
        ((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR
        (stristr($queryString,'concat'))) {
        die('Illegal Operation 3');
    }
}
__________________________________________

So we can see the different filters. :) Note that only the preg_match() check runs on the rawurldecode()d query string; every stristr() check runs on the raw, still URL-encoded string, so a substring that only appears after decoding is never compared. Let's start with some tests:

TEST 1
http://localhost/nuke/?/*
We get this message: Illegal Operation 3

TEST 2
http://localhost/nuke/?%2f*
Yeah - we got through :)

TEST 3
http://localhost/?%20UNION%20SELECT
Illegal Operation 1

TEST 4
http://localhost:8080/html80/?%2f**/UNION%2f**/SELECT ..
Yeah - we got through :)

PATCH:
__________________________________________
if ((stristr($queryString,'%20union%20')) OR
    (stristr($queryString,'*%2f*')) OR
    (stristr($queryString,'/*')) OR
    (stristr($queryString,'*/union/*')) OR
    (stristr($queryString,'c2nyaxb0')) OR
    (stristr($queryString,'+union+')) OR
    ((stristr($queryString,'cmd=')) AND (!stristr($queryString,'&cmd'))) OR
    ((stristr($queryString,'exec')) AND (!stristr($queryString,'execu'))) OR
    (stristr($queryString,'concat'))) {
    die('Illegal Operation');
}
__________________________________________

Multiple SQL Injection vulnerabilities in the Web_Links, News and Downloads modules
+++++++++++++++++++++++++++
php.ini: Magic Quotes = OFF
         Register Globals = ON
+++++++++++++++++++++++++++

Now let's look at the source code of modules/Web_Links/index.php.

Vulnerable function:
__________________________________________
function viewlinkcomments($lid) {
    global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
    include("header.php");
    include("modules/$module_name/l_config.php");
    menu(1);
    $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'")); // BUG ---> $lid
    $ttitle = filter($row['title'], "nohtml");
    $lid = intval(trim($lid)); //WTF?<===== lol ??????????????? :):):):):)  (sanitised only AFTER the query has already run)
    echo "
";
    ...
__________________________________________

How to fix: add $lid = intval(trim($lid)); before the query, i.e. before
$row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
___________________________________________
function viewlinkcomments($lid) {
    global $prefix, $db, $admin, $bgcolor2, $module_name, $admin_file;
    include("header.php");
    include("modules/$module_name/l_config.php");
    menu(1);
    $lid = intval(trim($lid)); // FIX
    $row = $db->sql_fetchrow($db->sql_query("SELECT title FROM ".$prefix."_links_links WHERE lid='$lid'"));
    $ttitle = filter($row['title'], "nohtml");
    //$lid = intval(trim($lid)); // REMOVE THIS LINE !!!!!!!
    echo "
";
    ...
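The two points above, the raw-versus-decoded mismatch in the Union Tap filter and the intval() fix for $lid, modelled in Python as an added example that is not part of the original advisory or of PHP-Nuke. union_tap() reproduces the mainfile.php checks on the advisory's four test query strings, union_tap_normalized() runs the same substring tests on the decoded string the application actually processes, and intval()/links_query() show why coercing $lid to an integer before the query removes the dependence on the blacklist. Function names and the "nuke" table prefix are assumptions.

```python
import re
from urllib.parse import unquote

# Terms mainfile.php tests with stristr() against the *raw* QUERY_STRING.
BLACKLIST = ("%20union%20", "/*", "*/union/*", "c2nyaxb0", "+union+", "concat")
# Pattern mainfile.php tests with preg_match() against the rawurldecode()d string.
UNION_TAP_RE = re.compile(r"[OdWo5NIbpuU4V2iJT0n]{5} ")


def blacklist_hit(s):
    """Case-insensitive substring checks, mirroring the stristr() chain."""
    q = s.lower()
    if any(term in q for term in BLACKLIST):
        return True
    if "cmd=" in q and "&cmd" not in q:
        return True
    return "exec" in q and "execu" not in q


def union_tap(query_string):
    """Model of the original check: the die() message, or None if it passes."""
    if UNION_TAP_RE.search(unquote(query_string)):  # unquote() ~ rawurldecode()
        return "Illegal Operation 1"
    if blacklist_hit(query_string):  # note: the still-encoded string
        return "Illegal Operation 3"
    return None


def union_tap_normalized(query_string):
    """Same check, but the substring tests see the decoded string too."""
    decoded = unquote(query_string)
    if UNION_TAP_RE.search(decoded):
        return "Illegal Operation 1"
    if blacklist_hit(decoded):
        return "Illegal Operation 3"
    return None


def intval(value):
    """Approximation of PHP intval(trim($x)): leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def links_query(lid, prefix="nuke"):
    """The advisory's fixed query: $lid is coerced before it reaches SQL."""
    return "SELECT title FROM %s_links_links WHERE lid='%d'" % (prefix, intval(lid))


# Constructed sample input: the advisory's own TEST 1-4 query strings.
TESTS = ["/*", "%2f*", "%20UNION%20SELECT", "%2f**/UNION%2f**/SELECT"]

if __name__ == "__main__":
    for qs in TESTS:
        print("%-26s raw: %-20s decoded: %s" % (qs, union_tap(qs), union_tap_normalized(qs)))
    print(links_query("5%2f**/UNION%2f**/SELECT"))
```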
__________________________________________________

Vulnerable functions in Web_Links:
function viewlinkcomments($lid) {
function viewlinkeditorial($lid) {
function ratelink($lid, $user) {
The "$lid" variable isn't filtered, so once the SQL injection protection is bypassed, arbitrary SQL commands can be executed.

SQL Injection vulnerability in Downloads
Vulnerable functions:
function viewdownloadeditorial($lid) {
function viewdownloadcomments($lid) {
function ratedownload($lid, $user) {
The "$lid" variable isn't filtered, so once the SQL injection protection is bypassed, arbitrary SQL commands can be executed.

SQL Injection vulnerability in News
Vulnerable function:
function rate_complete($sid, $rated=0, $score) {
The "$sid" variable isn't filtered, so once the SQL injection protection is bypassed, arbitrary SQL commands can be executed.

Best Regards
Aleksandar
Programmer and Web Developer